commit
43a323fcd4
content/zh-cn/docs/concepts/services-networking
|
@ -7,7 +7,8 @@ description: Kubernetes 网络背后的概念和资源。
|
|||
<!--
|
||||
## The Kubernetes network model
|
||||
|
||||
Every [`Pod`](/docs/concepts/workloads/pods/) in a cluster gets its own unique cluster-wide IP address.
|
||||
Every [`Pod`](/docs/concepts/workloads/pods/) in a cluster gets its own unique cluster-wide IP address
|
||||
(one address per IP address family).
|
||||
This means you do not need to explicitly create links between `Pods` and you
|
||||
almost never need to deal with mapping container ports to host ports.
|
||||
This creates a clean, backwards-compatible model where `Pods` can be treated
|
||||
|
@ -18,7 +19,7 @@ application configuration, and migration.
|
|||
## Kubernetes 网络模型 {#the-kubernetes-network-model}
|
||||
|
||||
集群中每一个 [`Pod`](/zh-cn/docs/concepts/workloads/pods/) 都会获得自己的、
|
||||
独一无二的 IP 地址,
|
||||
独一无二的 IP 地址(每个 IP 地址族一个地址),
|
||||
这就意味着你不需要显式地在 `Pod` 之间创建链接,你几乎不需要处理容器端口到主机端口之间的映射。
|
||||
这将形成一个干净的、向后兼容的模型;在这个模型里,从端口分配、命名、服务发现、
|
||||
[负载均衡](/zh-cn/docs/concepts/services-networking/ingress/#load-balancing)、
|
||||
|
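Review bot: The added line `独一无二的 IP 地址(每个 IP 地址族一个地址),` still drops "cluster-wide" from the English source ("its own unique cluster-wide IP address"), and it ends in a comma that runs into `这就意味着…` where the English sentence ends with a period. Suggest `集群范围内独一无二的 IP 地址(每个 IP 地址族一个地址)。` so the scope of the uniqueness guarantee survives translation.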
@ -41,11 +42,9 @@ Kubernetes 强制要求所有网络设施都满足以下基本要求(从而排
|
|||
* 节点上的代理(比如:系统守护进程、kubelet)可以和节点上的所有 Pod 通信
|
||||
|
||||
<!--
|
||||
Note: For those platforms that support `Pods` running in the host network (e.g.
|
||||
Linux), when pods are attached to the host network of a node they can still communicate
|
||||
with all pods on all nodes without NAT.
|
||||
For those platforms that support `Pods` running in the host network (such as Linux), when pods are attached to the host network of a node they can still communicate with all pods on all nodes without NAT.
|
||||
-->
|
||||
说明:对于支持在主机网络中运行 `Pod` 的平台(比如:Linux),
|
||||
对于支持在主机网络中运行 `Pod` 的平台(比如:Linux),
|
||||
当 Pod 挂接到节点的宿主网络上时,它们仍可以不通过 NAT 和所有节点上的 Pod 通信。
|
||||
|
||||
<!--
|
||||
|
|
|
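Review bot: Dropping the `说明:` / `Note:` prefix at `对于支持在主机网络中运行 Pod 的平台` leaves this caveat as an ordinary paragraph under the list of network requirements, and no note markup is visible in the hunk to replace it. If the English source now wraps the text in a note shortcode, carry that shortcode over; otherwise keep a marker, since this is the sentence telling readers that host-network Pods can reach all Pods on all nodes without NAT. The replacement English comment is also a single unwrapped line, while the removed version was wrapped across three lines.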
@ -179,16 +179,16 @@ Service 的地址族默认为第一个服务集群 IP 范围的地址族(通
|
|||
using the first configured service cluster IP range.
|
||||
* `PreferDualStack`:Allocates both IPv4 and IPv6 cluster IPs for the Service when dual-stack is enabled. If dual-stack is not enabled or supported, it falls back to single-stack behavior.
|
||||
* `RequireDualStack`: Allocates Service `.spec.clusterIPs` from both IPv4 and IPv6 address ranges when dual-stack is enabled. If dual-stack is not enabled or supported, the Service API object creation fails.
|
||||
* Selects the `.spec.ClusterIP` from the list of `.spec.ClusterIPs` based on the address family
|
||||
* Selects the `.spec.clusterIP` from the list of `.spec.clusterIPs` based on the address family
|
||||
of the first element in the `.spec.ipFamilies` array.
|
||||
-->
|
||||
* `SingleStack`:单栈 Service。控制面使用第一个配置的服务集群 IP 范围为 Service 分配集群 IP。
|
||||
* `PreferDualStack`:启用双栈时,为 Service 同时分配 IPv4 和 IPv6 集群 IP 地址。
|
||||
如果双栈未被启用或不被支持,则会返回到单栈行为。
|
||||
* `RequireDualStack`:启用双栈时,同时从 IPv4 和 IPv6 的地址范围中分配 Service 的 `.spec.ClusterIPs`。
|
||||
* `RequireDualStack`:启用双栈时,同时从 IPv4 和 IPv6 的地址范围中分配 Service 的 `.spec.clusterIPs`。
|
||||
如果双栈未被启用或不被支持,则 Service API 对象创建失败。
|
||||
* 从基于在 `.spec.ipFamilies` 数组中第一个元素的地址族的 `.spec.ClusterIPs`
|
||||
列表中选择 `.spec.ClusterIP`
|
||||
* 从基于在 `.spec.ipFamilies` 数组中第一个元素的地址族的 `.spec.clusterIPs`
|
||||
列表中选择 `.spec.clusterIP`
|
||||
|
||||
<!--
|
||||
If you would like to define which IP family to use for single stack or define the order of IP
|
||||
|
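Review bot: The re-added bullet `从基于在 .spec.ipFamilies 数组中第一个元素的地址族的 .spec.clusterIPs 列表中选择 .spec.clusterIP` keeps a word order that is hard to parse; since the line is being touched for the field-name casing anyway, consider `根据 .spec.ipFamilies 数组中第一个元素的地址族,从 .spec.clusterIPs 列表中选择 .spec.clusterIP`. In the English comment above it, `PreferDualStack` is followed by a full-width colon (`:Allocates`) while the `RequireDualStack` bullet uses `: `; worth aligning in the same pass.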
@ -224,9 +224,9 @@ You can set `.spec.ipFamilies` to any of the following array values:
|
|||
- `["IPv6","IPv4"]` (双栈)
|
||||
|
||||
<!--
|
||||
The first family you list is used for the legacy `.spec.ClusterIP` field.
|
||||
The first family you list is used for the legacy `.spec.clusterIP` field.
|
||||
-->
|
||||
你所列出的第一个地址族用于原来的 `.spec.ClusterIP` 字段。
|
||||
你所列出的第一个地址族用于原来的 `.spec.clusterIP` 字段。
|
||||
|
||||
<!--
|
||||
### Dual-stack Service configuration scenarios
|
||||
|
@ -262,13 +262,13 @@ These examples demonstrate the behavior of various dual-stack Service configurat
|
|||
1. This Service specification explicitly defines `PreferDualStack` in `.spec.ipFamilyPolicy`. When
|
||||
you create this Service on a dual-stack cluster, Kubernetes assigns both IPv4 and IPv6
|
||||
addresses for the service. The control plane updates the `.spec` for the Service to record the IP
|
||||
address assignments. The field `.spec.ClusterIPs` is the primary field, and contains both assigned
|
||||
IP addresses; `.spec.ClusterIP` is a secondary field with its value calculated from
|
||||
`.spec.ClusterIPs`.
|
||||
address assignments. The field `.spec.clusterIPs` is the primary field, and contains both assigned
|
||||
IP addresses; `.spec.clusterIP` is a secondary field with its value calculated from
|
||||
`.spec.clusterIPs`.
|
||||
|
||||
* For the `.spec.ClusterIP` field, the control plane records the IP address that is from the
|
||||
* For the `.spec.clusterIP` field, the control plane records the IP address that is from the
|
||||
same address family as the first service cluster IP range.
|
||||
* On a single-stack cluster, the `.spec.ClusterIPs` and `.spec.ClusterIP` fields both only list
|
||||
* On a single-stack cluster, the `.spec.clusterIPs` and `.spec.clusterIP` fields both only list
|
||||
one address.
|
||||
* On a cluster with dual-stack enabled, specifying `RequireDualStack` in `.spec.ipFamilyPolicy`
|
||||
behaves the same as `PreferDualStack`.
|
||||
|
@ -276,12 +276,12 @@ These examples demonstrate the behavior of various dual-stack Service configurat
|
|||
2. 此 Service 规约显式地将 `.spec.ipFamilyPolicy` 设置为 `PreferDualStack`。
|
||||
当你在双栈集群上创建此 Service 时,Kubernetes 会为此 Service 分配 IPv4 和 IPv6 地址。
|
||||
控制平面更新 Service 的 `.spec` 以记录 IP 地址分配。
|
||||
字段 `.spec.ClusterIPs` 是主要字段,包含两个分配的 IP 地址;`.spec.ClusterIP` 是次要字段,
|
||||
其取值从 `.spec.ClusterIPs` 计算而来。
|
||||
字段 `.spec.clusterIPs` 是主要字段,包含两个分配的 IP 地址;`.spec.clusterIP` 是次要字段,
|
||||
其取值从 `.spec.clusterIPs` 计算而来。
|
||||
|
||||
* 对于 `.spec.ClusterIP` 字段,控制面记录来自第一个服务集群 IP
|
||||
* 对于 `.spec.clusterIP` 字段,控制面记录来自第一个服务集群 IP
|
||||
范围对应的地址族的 IP 地址。
|
||||
* 对于单协议栈的集群,`.spec.ClusterIPs` 和 `.spec.ClusterIP` 字段都
|
||||
* 对于单协议栈的集群,`.spec.clusterIPs` 和 `.spec.clusterIP` 字段都
|
||||
仅仅列出一个地址。
|
||||
* 对于启用了双协议栈的集群,将 `.spec.ipFamilyPolicy` 设置为
|
||||
`RequireDualStack` 时,其行为与 `PreferDualStack` 相同。
|
||||
|
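Review bot: The re-added bullets `对于单协议栈的集群` and `对于启用了双协议栈的集群` use 单协议栈/双协议栈, while the rest of the file as shown in this diff uses 单栈/双栈 (`单栈 Service`, `启用双栈时`, `双栈集群`). Suggest switching these two bullets to 单栈/双栈 while the lines are being edited, so the page uses one term for each concept.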
@ -291,13 +291,13 @@ These examples demonstrate the behavior of various dual-stack Service configurat
|
|||
<!--
|
||||
1. This Service specification explicitly defines `IPv6` and `IPv4` in `.spec.ipFamilies` as well
|
||||
as defining `PreferDualStack` in `.spec.ipFamilyPolicy`. When Kubernetes assigns an IPv6 and
|
||||
IPv4 address in `.spec.ClusterIPs`, `.spec.ClusterIP` is set to the IPv6 address because that is
|
||||
the first element in the `.spec.ClusterIPs` array, overriding the default.
|
||||
IPv4 address in `.spec.clusterIPs`, `.spec.clusterIP` is set to the IPv6 address because that is
|
||||
the first element in the `.spec.clusterIPs` array, overriding the default.
|
||||
-->
|
||||
3. 下面的 Service 规约显式地在 `.spec.ipFamilies` 中指定 `IPv6` 和 `IPv4`,并将
|
||||
`.spec.ipFamilyPolicy` 设定为 `PreferDualStack`。
|
||||
当 Kubernetes 为 `.spec.ClusterIPs` 分配一个 IPv6 和一个 IPv4 地址时,
|
||||
`.spec.ClusterIP` 被设置成 IPv6 地址,因为它是 `.spec.ClusterIPs` 数组中的第一个元素,
|
||||
当 Kubernetes 为 `.spec.clusterIPs` 分配一个 IPv6 和一个 IPv4 地址时,
|
||||
`.spec.clusterIP` 被设置成 IPv6 地址,因为它是 `.spec.clusterIPs` 数组中的第一个元素,
|
||||
覆盖其默认值。
|
||||
|
||||
{{% code_sample file="service/networking/dual-stack-preferred-ipfamilies-svc.yaml" %}}
|
||||
|
@ -319,7 +319,7 @@ dual-stack.)
|
|||
1. When dual-stack is enabled on a cluster, existing Services (whether `IPv4` or `IPv6`) are
|
||||
configured by the control plane to set `.spec.ipFamilyPolicy` to `SingleStack` and set
|
||||
`.spec.ipFamilies` to the address family of the existing Service. The existing Service cluster IP
|
||||
will be stored in `.spec.ClusterIPs`.
|
||||
will be stored in `.spec.clusterIPs`.
|
||||
-->
|
||||
1. 在集群上启用双栈时,控制面会将现有 Service(无论是 `IPv4` 还是 `IPv6`)配置
|
||||
`.spec.ipFamilyPolicy` 为 `SingleStack` 并设置 `.spec.ipFamilies`
|
||||
|
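Review bot: Only the English comment line (`will be stored in .spec.clusterIPs`) changes here; the Chinese rendering of that sentence falls after `并设置 .spec.ipFamilies` and is outside the visible context. Please check that the translated sentence does not still read `.spec.ClusterIPs`, otherwise the comment and the published text disagree on the field name.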
@ -366,14 +366,14 @@ dual-stack.)
|
|||
[headless Services](/docs/concepts/services-networking/service/#headless-services) with selectors are
|
||||
configured by the control plane to set `.spec.ipFamilyPolicy` to `SingleStack` and set
|
||||
`.spec.ipFamilies` to the address family of the first service cluster IP range (configured via the
|
||||
`--service-cluster-ip-range` flag to the kube-apiserver) even though `.spec.ClusterIP` is set to
|
||||
`--service-cluster-ip-range` flag to the kube-apiserver) even though `.spec.clusterIP` is set to
|
||||
`None`.
|
||||
-->
|
||||
2. 在集群上启用双栈时,带有选择算符的现有
|
||||
[无头服务](/zh-cn/docs/concepts/services-networking/service/#headless-services)
|
||||
由控制面设置 `.spec.ipFamilyPolicy` 为 `SingleStack`
|
||||
并设置 `.spec.ipFamilies` 为第一个服务集群 IP 范围的地址族(通过配置 kube-apiserver 的
|
||||
`--service-cluster-ip-range` 参数),即使 `.spec.ClusterIP` 的设置值为 `None` 也如此。
|
||||
`--service-cluster-ip-range` 参数),即使 `.spec.clusterIP` 的设置值为 `None` 也如此。
|
||||
|
||||
{{% code_sample file="service/networking/dual-stack-default-svc.yaml" %}}
|
||||
|
||||
|
@ -455,15 +455,15 @@ Service 可以从单栈更改为双栈,也可以从双栈更改为单栈。
|
|||
<!--
|
||||
1. To change a Service from dual-stack to single-stack, change `.spec.ipFamilyPolicy` from
|
||||
`PreferDualStack` or `RequireDualStack` to `SingleStack`. When you change this Service from
|
||||
dual-stack to single-stack, Kubernetes retains only the first element in the `.spec.ClusterIPs`
|
||||
array, and sets `.spec.ClusterIP` to that IP address and sets `.spec.ipFamilies` to the address
|
||||
family of `.spec.ClusterIPs`.
|
||||
dual-stack to single-stack, Kubernetes retains only the first element in the `.spec.clusterIPs`
|
||||
array, and sets `.spec.clusterIP` to that IP address and sets `.spec.ipFamilies` to the address
|
||||
family of `.spec.clusterIPs`.
|
||||
-->
|
||||
2. 要将 Service 从双栈更改为单栈,请将 `.spec.ipFamilyPolicy` 从 `PreferDualStack` 或
|
||||
`RequireDualStack` 改为 `SingleStack`。
|
||||
当你将此 Service 从双栈更改为单栈时,Kubernetes 只保留 `.spec.ClusterIPs`
|
||||
数组中的第一个元素,并设置 `.spec.ClusterIP` 为那个 IP 地址,
|
||||
并设置 `.spec.ipFamilies` 为 `.spec.ClusterIPs` 地址族。
|
||||
当你将此 Service 从双栈更改为单栈时,Kubernetes 只保留 `.spec.clusterIPs`
|
||||
数组中的第一个元素,并设置 `.spec.clusterIP` 为那个 IP 地址,
|
||||
并设置 `.spec.ipFamilies` 为 `.spec.clusterIPs` 地址族。
|
||||
|
||||
<!--
|
||||
### Headless Services without selector
|
||||
|
|
|
@ -224,7 +224,7 @@ read [Virtual IPs and Service Proxies](/docs/reference/networking/virtual-ips/).
|
|||
[服务类型](#publishing-services-service-types)默认为 ClusterIP 的 Service。
|
||||
该 Service 指向带有标签 `app.kubernetes.io/name: MyApp` 的所有 Pod 的 TCP 端口 9376。
|
||||
|
||||
Kubernetes 为该服务分配一个 IP 地址(称为 “集群 IP”),供虚拟 IP 地址机制使用。
|
||||
Kubernetes 为该 Service 分配一个 IP 地址(称为 “集群 IP”),供虚拟 IP 地址机制使用。
|
||||
有关该机制的更多详情,请阅读[虚拟 IP 和服务代理](/zh-cn/docs/reference/networking/virtual-ips/)。
|
||||
|
||||
<!--
|
||||
|
@ -317,7 +317,7 @@ Each port definition can have the same `protocol`, or a different one.
|
|||
Service 的默认协议是 [TCP](/zh-cn/docs/reference/networking/service-protocols/#protocol-tcp);
|
||||
你还可以使用其他[受支持的任何协议](/zh-cn/docs/reference/networking/service-protocols/)。
|
||||
|
||||
由于许多 Service 需要公开多个端口,所以 Kubernetes 为同一服务定义[多个端口](#multi-port-services)。
|
||||
由于许多 Service 需要公开多个端口,所以 Kubernetes 为同一 Service 定义[多个端口](#multi-port-services)。
|
||||
每个端口定义可以具有相同的 `protocol`,也可以具有不同协议。
|
||||
|
||||
<!--
|
||||
|
@ -408,14 +408,14 @@ endpoints:
|
|||
apiVersion: discovery.k8s.io/v1
|
||||
kind: EndpointSlice
|
||||
metadata:
|
||||
name: my-service-1 # 按惯例将服务的名称用作 EndpointSlice 名称的前缀
|
||||
name: my-service-1 # 按惯例将 Service 的名称用作 EndpointSlice 名称的前缀
|
||||
labels:
|
||||
# 你应设置 "kubernetes.io/service-name" 标签。
|
||||
# 设置其值以匹配服务的名称
|
||||
# 设置其值以匹配 Service 的名称
|
||||
kubernetes.io/service-name: my-service
|
||||
addressType: IPv4
|
||||
ports:
|
||||
- name: '' # 应与上面定义的服务端口的名称匹配
|
||||
- name: '' # 应与上面定义的 Service 端口的名称匹配
|
||||
appProtocol: http
|
||||
protocol: TCP
|
||||
port: 9376
|
||||
|
@ -539,7 +539,7 @@ See [EndpointSlices](/docs/concepts/services-networking/endpoint-slices/) for mo
|
|||
information about this API.
|
||||
-->
|
||||
[EndpointSlice](/zh-cn/docs/concepts/services-networking/endpoint-slices/)
|
||||
对象表示某个服务的后端网络端点的子集(**切片**)。
|
||||
对象表示某个 Service 的后端网络端点的子集(**切片**)。
|
||||
|
||||
你的 Kubernetes 集群会跟踪每个 EndpointSlice 所表示的端点数量。
|
||||
如果 Service 的端点太多以至于达到阈值,Kubernetes 会添加另一个空的
|
||||
|
@ -737,14 +737,14 @@ Kubernetes Service 类型允许指定你所需要的 Service 类型。
|
|||
-->
|
||||
`ClusterIP`
|
||||
: 通过集群的内部 IP 公开 Service,选择该值时 Service 只能够在集群内部访问。
|
||||
这也是你没有为服务显式指定 `type` 时使用的默认值。
|
||||
这也是你没有为 Service 显式指定 `type` 时使用的默认值。
|
||||
你可以使用 [Ingress](/zh-cn/docs/concepts/services-networking/ingress/)
|
||||
或者 [Gateway API](https://gateway-api.sigs.k8s.io/) 向公共互联网公开服务。
|
||||
|
||||
[`NodePort`](#type-nodeport)
|
||||
: 通过每个节点上的 IP 和静态端口(`NodePort`)公开 Service。
|
||||
为了让 Service 可通过节点端口访问,Kubernetes 会为 Service 配置集群 IP 地址,
|
||||
相当于你请求了 `type: ClusterIP` 的服务。
|
||||
相当于你请求了 `type: ClusterIP` 的 Service。
|
||||
|
||||
<!--
|
||||
[`LoadBalancer`](#loadbalancer)
|
||||
|
@ -775,7 +775,7 @@ define a `LoadBalancer` Service by
|
|||
-->
|
||||
服务 API 中的 `type` 字段被设计为层层递进的形式 - 每层都建立在前一层的基础上。
|
||||
但是,这种层层递进的形式有一个例外。
|
||||
你可以在定义 `LoadBalancer` 服务时[禁止负载均衡器分配 `NodePort`](/zh-cn/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation)。
|
||||
你可以在定义 `LoadBalancer` Service 时[禁止负载均衡器分配 `NodePort`](/zh-cn/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation)。
|
||||
|
||||
<!--
|
||||
### `type: ClusterIP` {#type-clusterip}
|
||||
|
@ -861,7 +861,7 @@ endpoints associated with that Service. You'll be able to contact the `type: Nod
|
|||
Service, from outside the cluster, by connecting to any node using the appropriate
|
||||
protocol (for example: TCP), and the appropriate port (as assigned to that Service).
|
||||
-->
|
||||
对于 NodePort 服务,Kubernetes 额外分配一个端口(TCP、UDP 或 SCTP 以匹配 Service 的协议)。
|
||||
对于 NodePort 类型 Service,Kubernetes 额外分配一个端口(TCP、UDP 或 SCTP 以匹配 Service 的协议)。
|
||||
集群中的每个节点都将自己配置为监听所分配的端口,并将流量转发到与该 Service 关联的某个就绪端点。
|
||||
通过使用合适的协议(例如 TCP)和适当的端口(分配给该 Service)连接到任何一个节点,
|
||||
你就能够从集群外部访问 `type: NodePort` 服务。
|
||||
|
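Review bot: The first sentence is changed to `NodePort 类型 Service`, but the last context line of the same paragraph still reads `type: NodePort` 服务, so the paragraph ends up mixing both terms. Suggest changing that line to `type: NodePort` Service as well. The same leftover is visible in the two preceding hunks (`向公共互联网公开服务`, `服务 API 中的 type 字段`); decide whether those are meant to stay as the generic word or follow the same rule.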
@ -1300,7 +1300,7 @@ Select one of the tabs.
|
|||
metadata:
|
||||
name: my-service
|
||||
annotations:
|
||||
networking.gke.io/load-balancer-type: "Internal"
|
||||
networking.gke.io/load-balancer-type: "Internal"
|
||||
```
|
||||
|
||||
{{% /tab %}}
|
||||
|
@ -1308,9 +1308,9 @@ metadata:
|
|||
|
||||
```yaml
|
||||
metadata:
|
||||
name: my-service
|
||||
annotations:
|
||||
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
|
||||
name: my-service
|
||||
annotations:
|
||||
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
|
||||
```
|
||||
|
||||
{{% /tab %}}
|
||||
|
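Review bot: The removed and added `name: my-service`, `annotations:` and `service.beta.kubernetes.io/aws-load-balancer-internal: "true"` lines are textually identical, so this is an indentation-only change that cannot be verified from the text as shown. Please confirm in the rendered page that the annotation key is nested under `annotations:` and `annotations:` under `metadata:`; a snippet copied with that nesting off would not mark the load balancer as internal. The same check applies to the single re-indented annotation line in the `networking.gke.io`, `azure-load-balancer-internal` and `ibm-load-balancer-cloud-provider-ip-type` tabs.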
@ -1320,7 +1320,7 @@ metadata:
|
|||
metadata:
|
||||
name: my-service
|
||||
annotations:
|
||||
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
|
||||
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
|
||||
```
|
||||
|
||||
{{% /tab %}}
|
||||
|
@ -1330,7 +1330,7 @@ metadata:
|
|||
metadata:
|
||||
name: my-service
|
||||
annotations:
|
||||
service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"
|
||||
service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"
|
||||
```
|
||||
|
||||
{{% /tab %}}
|
||||
|
@ -1809,7 +1809,7 @@ Kubernetes 所配置的规则和路由会确保流量被路由到该 Service 的
|
|||
|
||||
定义 Service 时,你可以为任何[服务类型](#publishing-services-service-types)指定 `externalIPs`。
|
||||
|
||||
在下面的例子中,名为 `my-service` 的服务可以在 "`198.51.100.32:80`"
|
||||
在下面的例子中,名为 `my-service` 的 Service 可以在 "`198.51.100.32:80`"
|
||||
(根据 `.spec.externalIPs[]` 和 `.spec.ports[].port` 得出)上被客户端使用 TCP 协议访问。
|
||||
|
||||
```yaml
|
||||
|
|