
Cilium Hands-on Lab: The Road to Mastery --- 6. Cilium IPv6 Networking and Observability - Lab


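  • 1. Verify the environment
  • 2. Install Cilium
    • 2.1 Install Cilium
    • 2.2 Install Hubble
  • 3. Deploy applications and verify IPv6 connectivity
    • 3.1 Deploy the test Pods
    • 3.2 Test IPv6 between Pods
    • 3.3 Test IPv6 from a Pod to a Service
    • 3.4 Verify IPv6 DNS
  • 4. Visualizing the architecture
    • 4.1 Observing traffic
    • 4.2 IPv6 observability
    • 4.3 Quiz
  • 5. Exam
    • 5.1 Task
    • 5.2 Solution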

1. Verify the environment

Lab environment URL

https://isovalent.com/labs/cilium-ipv6/

The kind environment has 1 control-plane node and 3 workers.

root@server:~# yq /etc/kind/nocni_3workers_dual.yaml
---
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
  - role: control-plane
    extraPortMappings:
      # Hubble relay
      - containerPort: 31234
        hostPort: 31234
      # Hubble UI
      - containerPort: 31235
        hostPort: 31235
  - role: worker
  - role: worker
  - role: worker
networking:
  disableDefaultCNI: true
  ipFamily: dual

Confirm the nodes

root@server:~# kubectl get nodes
NAME                 STATUS     ROLES           AGE    VERSION
kind-control-plane   NotReady   control-plane   105s   v1.31.0
kind-worker          NotReady   <none>          89s    v1.31.0
kind-worker2         NotReady   <none>          89s    v1.31.0
kind-worker3         NotReady   <none>          89s    v1.31.0

2. Install Cilium

2.1 Install Cilium

Let's start by installing Cilium on the kind cluster.
We enable the IPv6 option with --set ipv6.enabled=true (it is disabled by default):

Install Cilium and wait for its status to become healthy

root@server:~# cilium install \
  --version 1.17.1 \
  --set kubeProxyReplacement=true \
  --set k8sServiceHost=kind-control-plane \
  --set k8sServicePort=6443 \
  --set ipv6.enabled=true
🔮 Auto-detected Kubernetes kind: kind
ℹ️  Using Cilium version 1.17.1
🔮 Auto-detected cluster name: kind-kind
🔮 Auto-detected kube-proxy has been installed
root@server:~# cilium status --wait
    /¯¯\
 /¯¯\__/¯¯\    Cilium:             OK
 \__/¯¯\__/    Operator:           OK
 /¯¯\__/¯¯\    Envoy DaemonSet:    OK
 \__/¯¯\__/    Hubble Relay:       disabled
    \__/       ClusterMesh:        disabled

DaemonSet              cilium                   Desired: 4, Ready: 4/4, Available: 4/4
DaemonSet              cilium-envoy             Desired: 4, Ready: 4/4, Available: 4/4
Deployment             cilium-operator          Desired: 1, Ready: 1/1, Available: 1/1
Containers:            cilium                   Running: 4
                       cilium-envoy             Running: 4
                       cilium-operator          Running: 1
                       clustermesh-apiserver    
                       hubble-relay             
Cluster Pods:          3/3 managed by Cilium
Helm chart version:    1.17.1
Image versions         cilium             quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866: 4
                       cilium-envoy       quay.io/cilium/cilium-envoy:v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae@sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521: 4
                       cilium-operator    quay.io/cilium/operator-generic:v1.17.1@sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97: 1
root@server:~# cilium config view | grep ipv6
enable-ipv6                                       true
enable-ipv6-big-tcp                               false
enable-ipv6-masquerade                            true
k8s-require-ipv6-pod-cidr                         false
root@server:~# kubectl get nodes
NAME                 STATUS   ROLES           AGE     VERSION
kind-control-plane   Ready    control-plane   3m57s   v1.31.0
kind-worker          Ready    <none>          3m41s   v1.31.0
kind-worker2         Ready    <none>          3m41s   v1.31.0
kind-worker3         Ready    <none>          3m41s   v1.31.0
root@server:~# kubectl describe nodes | grep PodCIDRs
PodCIDRs:                     10.244.0.0/24,fd00:10:244::/64
PodCIDRs:                     10.244.2.0/24,fd00:10:244:2::/64
PodCIDRs:                     10.244.1.0/24,fd00:10:244:1::/64
PodCIDRs:                     10.244.3.0/24,fd00:10:244:3::/64

2.2 Install Hubble

With Cilium installed, enable Hubble:

root@server:~# cilium hubble enable --ui
root@server:~# cilium status --wait
    /¯¯\
 /¯¯\__/¯¯\    Cilium:             OK
 \__/¯¯\__/    Operator:           OK
 /¯¯\__/¯¯\    Envoy DaemonSet:    OK
 \__/¯¯\__/    Hubble Relay:       OK
    \__/       ClusterMesh:        disabled

DaemonSet              cilium                   Desired: 4, Ready: 4/4, Available: 4/4
DaemonSet              cilium-envoy             Desired: 4, Ready: 4/4, Available: 4/4
Deployment             cilium-operator          Desired: 1, Ready: 1/1, Available: 1/1
Deployment             hubble-relay             Desired: 1, Ready: 1/1, Available: 1/1
Deployment             hubble-ui                Desired: 1, Ready: 1/1, Available: 1/1
Containers:            cilium                   Running: 4
                       cilium-envoy             Running: 4
                       cilium-operator          Running: 1
                       clustermesh-apiserver    
                       hubble-relay             Running: 1
                       hubble-ui                Running: 1
Cluster Pods:          5/5 managed by Cilium
Helm chart version:    1.17.1
Image versions         cilium             quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866: 4
                       cilium-envoy       quay.io/cilium/cilium-envoy:v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae@sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521: 4
                       cilium-operator    quay.io/cilium/operator-generic:v1.17.1@sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97: 1
                       hubble-relay       quay.io/cilium/hubble-relay:v1.17.1@sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc: 1
                       hubble-ui          quay.io/cilium/hubble-ui-backend:v0.13.1@sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b: 1
                       hubble-ui          quay.io/cilium/hubble-ui:v0.13.1@sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6: 1

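3. Deploy applications and verify IPv6 connectivity

3.1 Deploy the test Pods

Deploy a couple of Pods with the following commands. We will run some pings between them to verify that traffic is sent over IPv6: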

root@server:~# yq pod1.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-worker
  labels:
    app: pod-worker
spec:
  nodeName: kind-worker
  containers:
    - name: netshoot
      image: nicolaka/netshoot:latest
      command: ["sleep", "infinite"]
root@server:~# yq pod2.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-worker2
  labels:
    app: pod-worker2
spec:
  nodeName: kind-worker2
  containers:
    - name: netshoot
      image: nicolaka/netshoot:latest
      command: ["sleep", "infinite"]
root@server:~# kubectl apply -f pod1.yaml -f pod2.yaml
pod/pod-worker created
pod/pod-worker2 created

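We pin the Pods to different nodes (by setting spec.nodeName to kind-worker and kind-worker2) for the purposes of this lab (this is not necessarily common practice).

3.2 Test IPv6 between Pods

Check that the Pods were deployed successfully. Note that each one is assigned two IP addresses: one IPv4 and one IPv6.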

root@server:~# kubectl describe pod pod-worker | grep -A 2 IPs
kubectl describe pod pod-worker2 | grep -A 2 IPs
IPs:
  IP:  10.244.2.26
  IP:  fd00:10:244:2::a98f
IPs:
  IP:  10.244.1.175
  IP:  fd00:10:244:1::ac0f

Let's use this command to get the IPv6 address directly from pod-worker2.

root@server:~# IPv6=$(kubectl get pod pod-worker2 -o jsonpath='{.status.podIPs[1].ip}')
echo $IPv6
fd00:10:244:1::ac0f

Let's run an IPv6 ping from pod-worker to pod-worker2. Because the Pods are pinned to different nodes, it should show successful IPv6 connectivity between Pods on different nodes.

root@server:~# kubectl exec -it pod-worker -- ping6 -c 5 $IPv6
PING fd00:10:244:1::ac0f (fd00:10:244:1::ac0f) 56 data bytes
64 bytes from fd00:10:244:1::ac0f: icmp_seq=1 ttl=63 time=0.373 ms
64 bytes from fd00:10:244:1::ac0f: icmp_seq=2 ttl=63 time=0.146 ms
64 bytes from fd00:10:244:1::ac0f: icmp_seq=3 ttl=63 time=0.130 ms
64 bytes from fd00:10:244:1::ac0f: icmp_seq=4 ttl=63 time=0.199 ms
64 bytes from fd00:10:244:1::ac0f: icmp_seq=5 ttl=63 time=0.127 ms

--- fd00:10:244:1::ac0f ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4127ms
rtt min/avg/max/mdev = 0.127/0.195/0.373/0.092 ms

3.3 Test IPv6 from a Pod to a Service

Test Pod-to-Service connectivity.

root@server:~# yq echo-kube-ipv6.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echoserver
spec:
  replicas: 5
  selector:
    matchLabels:
      app: echoserver
  template:
    metadata:
      labels:
        app: echoserver
    spec:
      containers:
        - image: ealen/echo-server:latest
          imagePullPolicy: IfNotPresent
          name: echoserver
          ports:
            - containerPort: 80
          env:
            - name: PORT
              value: "80"
---
apiVersion: v1
kind: Service
metadata:
  name: echoserver
spec:
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
    - IPv6
    - IPv4
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: ClusterIP
  selector:
    app: echoserver
root@server:~# kubectl apply -f echo-kube-ipv6.yaml
deployment.apps/echoserver created
service/echoserver created

Check the echoserver Service: you should see both an IPv4 and an IPv6 address assigned. Extract the IPv6 address:

root@server:~# kubectl describe svc echoserver
Name:                     echoserver
Namespace:                default
Labels:                   <none>
Annotations:              <none>
Selector:                 app=echoserver
Type:                     ClusterIP
IP Family Policy:         PreferDualStack
IP Families:              IPv6,IPv4
IP:                       fd00:10:96::6138
IPs:                      fd00:10:96::6138,10.96.221.127
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
Endpoints:                10.244.1.40:80,10.244.2.156:80,10.244.3.195:80 + 7 more...
Session Affinity:         None
Internal Traffic Policy:  Cluster
Events:                   <none>
root@server:~# ServiceIPv6=$(kubectl get svc echoserver -o jsonpath='{.spec.clusterIP}')
echo $ServiceIPv6
fd00:10:96::6138

Run curl against the IPv6 Service IP:

root@server:~# kubectl exec -i -t pod-worker -- curl -6 http://[$ServiceIPv6]/ | jq
{"host": {"hostname": "[fd00:10:96::6138]","ip": "fd00:10:244:2::a98f","ips": []},"http": {"method": "GET","baseUrl": "","originalUrl": "/","protocol": "http"},"request": {"params": {"0": "/"},"query": {},"cookies": {},"body": {},"headers": {"host": "[fd00:10:96::6138]","user-agent": "curl/8.7.1","accept": "*/*"}},"environment": {"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME": "echoserver-6c45798fdc-v7j6l","NODE_VERSION": "20.11.0","YARN_VERSION": "1.22.19","PORT": "80","KUBERNETES_PORT": "tcp://10.96.0.1:443","KUBERNETES_PORT_443_TCP_PROTO": "tcp","ECHOSERVER_SERVICE_HOST": "fd00:10:96::6138","ECHOSERVER_SERVICE_PORT": "80","ECHOSERVER_PORT_80_TCP": "tcp://[fd00:10:96::6138]:80","ECHOSERVER_PORT_80_TCP_PORT": "80","KUBERNETES_PORT_443_TCP": "tcp://10.96.0.1:443","KUBERNETES_PORT_443_TCP_PORT": "443","KUBERNETES_PORT_443_TCP_ADDR": "10.96.0.1","ECHOSERVER_PORT_80_TCP_PROTO": "tcp","ECHOSERVER_PORT": "tcp://[fd00:10:96::6138]:80","ECHOSERVER_PORT_80_TCP_ADDR": "fd00:10:96::6138","KUBERNETES_SERVICE_HOST": "10.96.0.1","KUBERNETES_SERVICE_PORT": "443","KUBERNETES_SERVICE_PORT_HTTPS": "443","HOME": "/root"}
}

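This verifies inter-node IPv6 connectivity with ICMPv6 and Pod-to-Service IPv6 connectivity over HTTP.

3.4 Verify IPv6 DNS

So far we have only worked with IP addresses. But we can also use DNS, because AAAA records are automatically assigned to Services.
To verify this, let's use nslookup from the pod-worker Pod: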

root@server:~# kubectl exec -i -t pod-worker -- nslookup -q=AAAA echoserver.default
Server:         10.96.0.10
Address:        10.96.0.10#53

Name:   echoserver.default.svc.cluster.local
Address: fd00:10:96::6138

Let's verify that the connection succeeds by running curl against the Service name:

root@server:~# kubectl exec -i -t pod-worker -- curl -6 'http://echoserver.default.svc' | jq
{"host": {"hostname": "echoserver.default.svc","ip": "fd00:10:244:2::a98f","ips": []},"http": {"method": "GET","baseUrl": "","originalUrl": "/","protocol": "http"},"request": {"params": {"0": "/"},"query": {},"cookies": {},"body": {},"headers": {"host": "echoserver.default.svc","user-agent": "curl/8.7.1","accept": "*/*"}},"environment": {"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME": "echoserver-6c45798fdc-hp58p","NODE_VERSION": "20.11.0","YARN_VERSION": "1.22.19","PORT": "80","ECHOSERVER_SERVICE_HOST": "fd00:10:96::6138","ECHOSERVER_PORT_80_TCP_PROTO": "tcp","KUBERNETES_PORT_443_TCP_PROTO": "tcp","ECHOSERVER_SERVICE_PORT": "80","ECHOSERVER_PORT_80_TCP_PORT": "80","KUBERNETES_PORT_443_TCP_ADDR": "10.96.0.1","ECHOSERVER_PORT_80_TCP": "tcp://[fd00:10:96::6138]:80","ECHOSERVER_PORT_80_TCP_ADDR": "fd00:10:96::6138","KUBERNETES_SERVICE_HOST": "10.96.0.1","KUBERNETES_SERVICE_PORT_HTTPS": "443","KUBERNETES_PORT": "tcp://10.96.0.1:443","KUBERNETES_PORT_443_TCP_PORT": "443","ECHOSERVER_PORT": "tcp://[fd00:10:96::6138]:80","KUBERNETES_SERVICE_PORT": "443","KUBERNETES_PORT_443_TCP": "tcp://10.96.0.1:443","HOME": "/root"}
}

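You should see output similar to that of the previous task.

We have verified:

  • Inter-node IPv6 connectivity with ICMPv6
  • Pod-to-Service IPv6 connectivity over HTTP
  • DNS resolution of AAAA records.

4. Visualizing the architecture

4.1 Observing traffic

The Hubble CLI connects to the Hubble Relay component in the cluster and retrieves logs called "Flows". The command-line tool then lets you visualize and filter these flows.
With the hubble CLI you will see a list of logs, each containing:

  • A timestamp
  • The source Pod, with its namespace, port and Cilium identity
  • The flow direction (-> or <-, sometimes <> if the direction cannot be determined)
  • The destination Pod, with its namespace, port and Cilium identity
  • The trace observation point (for example to-endpoint, to-stack, to-overlay)
  • The verdict (for example FORWARDED, DROPPED)
  • The protocol (for example UDP, TCP), optionally with flags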
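
The fields listed above can be split out mechanically when flows need to be reviewed in bulk. The following Python parser is an added example, not part of the original lab or of Hubble: it parses compact hubble observe lines (with or without --print-node-name), flags any verdict other than FORWARDED, TRACED or TRANSLATED, and counts EVENTS LOST markers so that a clean result is not trusted when events were missed. The sample lines are constructed; the DROPPED line and the reading of the trailing number in EVENTS LOST as an event count are assumptions.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the compact `hubble observe` layout. The DROPPED line
# is invented here to exercise the non-FORWARDED path.
SAMPLE = """\
May 28 04:39:29.690: default/pod-worker (ID:2886) -> default/pod-worker2 (ID:51052) to-endpoint FORWARDED (ICMPv6 EchoRequest)
May 28 04:39:29.690 [kind-kind/kind-worker2]: default/pod-worker (ID:2886) <- default/pod-worker2 (ID:51052) to-overlay FORWARDED (ICMPv6 EchoReply)
May 28 04:41:35.707: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: SYN)
May 28 04:42:05.924: default/pod-worker (ID:2886) <> [fd00:10:96::6138]:80 (world-ipv6) pre-xlate-fwd TRACED (TCP)
May 28 04:42:06.001: default/pod-worker:40480 (ID:2886) <> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) Policy denied DROPPED (TCP Flags: SYN)
EVENTS LOST: HUBBLE_RING_BUFFER CPU(0) 1
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}\.\d+)"
    r"(?: \[(?P<node>[^\]]+)\])?: "                 # only with --print-node-name
    r"(?P<src>\S+) \((?P<src_id>[^)]+)\) "
    r"(?P<direction>->|<-|<>) "
    r"(?P<dst>\S+) \((?P<dst_id>[^)]+)\) "
    r"(?P<point>.+?) (?P<verdict>[A-Z]+) \((?P<summary>.*)\)$"
)
LOST_RE = re.compile(r"^EVENTS LOST: (\S+) CPU\((\d+)\) (\d+)$")

# Verdicts that appear in the lab output for permitted traffic.
BENIGN_VERDICTS = {"FORWARDED", "TRACED", "TRANSLATED"}


@dataclass
class Flow:
    ts: str
    node: Optional[str]
    src: str
    src_port: Optional[int]
    src_id: str
    direction: str
    dst: str
    dst_port: Optional[int]
    dst_id: str
    point: str
    verdict: str
    summary: str


def split_endpoint(ep: str):
    """Split 'ns/pod:port', '[v6]:port' or a bare address into (name, port)."""
    m = re.fullmatch(r"\[([0-9A-Fa-f:.]+)\]:(\d+)", ep)
    if m:
        return m.group(1), int(m.group(2))
    try:
        ipaddress.ip_address(ep)      # bare IPv6: its colons are not a port
        return ep, None
    except ValueError:
        pass
    name, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return ep, None


def parse_line(line: str) -> Optional[Flow]:
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    src, src_port = split_endpoint(g.pop("src"))
    dst, dst_port = split_endpoint(g.pop("dst"))
    return Flow(src=src, src_port=src_port, dst=dst, dst_port=dst_port, **g)


def audit(text: str) -> dict:
    """Summarise verdicts and report whether the capture can be trusted."""
    verdicts, flagged, unparsed, lost = Counter(), [], [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lost_m = LOST_RE.match(line)
        if lost_m:
            lost += int(lost_m.group(3))  # assumption: last field is a count
            continue
        flow = parse_line(line)
        if flow is None:
            unparsed.append(line)
            continue
        verdicts[flow.verdict] += 1
        if flow.verdict not in BENIGN_VERDICTS:
            flagged.append(flow)
    return {
        "verdicts": verdicts,
        "flagged": flagged,
        "lost_events": lost,
        "unparsed": unparsed,
        # A capture with lost or unparsed lines cannot prove "nothing dropped".
        "complete": lost == 0 and not unparsed,
    }


if __name__ == "__main__":
    report = audit(SAMPLE)
    print(dict(report["verdicts"]), "lost:", report["lost_events"])
    for f in report["flagged"]:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dst_port} {f.point} {f.verdict}")
```
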

4.2 IPv6 observability

Use Hubble port forwarding to visualize these flows:

cilium hubble port-forward &

In another window, run an IPv6 ping from pod-worker to pod-worker2.

IPv6=$(kubectl get pod pod-worker2 -o jsonpath='{.status.podIPs[1].ip}')
kubectl exec -it pod-worker -- ping -c 5 $IPv6

Run the hubble observe command to monitor the traffic.

ℹ️  Hubble Relay is available at 127.0.0.1:4245
root@server:~# hubble observe --ipv6 --from-pod pod-worker
May 28 04:39:29.690: default/pod-worker (ID:2886) -> default/pod-worker2 (ID:51052) to-endpoint FORWARDED (ICMPv6 EchoRequest)
May 28 04:39:29.690: default/pod-worker (ID:2886) <- default/pod-worker2 (ID:51052) to-overlay FORWARDED (ICMPv6 EchoReply)
May 28 04:41:35.707: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: SYN)
May 28 04:41:35.707: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:41:35.707: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:41:35.707: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, PSH)
May 28 04:41:35.707: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
May 28 04:41:35.713: default/pod-worker:40472 (ID:2886) <> default/echoserver-6c45798fdc-v7j6l (ID:6541) pre-xlate-rev TRACED (TCP)
May 28 04:41:35.717: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, FIN)
May 28 04:41:35.717: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
May 28 04:41:35.719: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:41:35.719: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:42:05.924: default/pod-worker (ID:2886) <> [fd00:10:96::6138]:80 (world-ipv6) pre-xlate-fwd TRACED (TCP)
May 28 04:42:05.924: default/pod-worker (ID:2886) <> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) post-xlate-fwd TRANSLATED (TCP)
May 28 04:42:05.924: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: SYN)
May 28 04:42:05.924: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: SYN)
May 28 04:42:05.924: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:42:05.924: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:42:05.924: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, PSH)
May 28 04:42:05.924: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
May 28 04:42:05.930: default/pod-worker:48816 (ID:2886) <> default/echoserver-6c45798fdc-hp58p (ID:6541) pre-xlate-rev TRACED (TCP)
May 28 04:42:05.935: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, FIN)
May 28 04:42:05.935: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
May 28 04:42:05.937: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:42:05.937: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:43:00.967: default/pod-worker (ID:2886) <> [fd00:10:96::6138]:80 (world-ipv6) pre-xlate-fwd TRACED (TCP)
May 28 04:43:00.967: default/pod-worker (ID:2886) <> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) post-xlate-fwd TRANSLATED (TCP)
May 28 04:43:00.967: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: SYN)
May 28 04:43:00.967: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: SYN)
May 28 04:43:00.968: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:43:00.968: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:43:00.968: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, PSH)
May 28 04:43:00.968: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
May 28 04:43:00.970: default/pod-worker:37894 (ID:2886) <> default/echoserver-6c45798fdc-hp58p (ID:6541) pre-xlate-rev TRACED (TCP)
May 28 04:43:00.971: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, FIN)
May 28 04:43:00.971: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
May 28 04:43:00.971: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:43:00.971: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:49:09.390: default/pod-worker (ID:2886) -> default/pod-worker2 (ID:51052) to-overlay FORWARDED (ICMPv6 EchoRequest)
May 28 04:49:09.390: default/pod-worker (ID:2886) -> default/pod-worker2 (ID:51052) to-endpoint FORWARDED (ICMPv6 EchoRequest)
May 28 04:49:09.390: default/pod-worker (ID:2886) <- default/pod-worker2 (ID:51052) to-overlay FORWARDED (ICMPv6 EchoReply)
May 28 04:49:09.390: default/pod-worker (ID:2886) <- default/pod-worker2 (ID:51052) to-endpoint FORWARDED (ICMPv6 EchoReply)
EVENTS LOST: HUBBLE_RING_BUFFER CPU(0) 1
EVENTS LOST: HUBBLE_RING_BUFFER CPU(0) 1

Now let's use --print-node-name to print the node the Pod is running on:

root@server:~# hubble observe --ipv6 --from-pod pod-worker --print-node-name
May 28 04:39:29.690 [kind-kind/kind-worker2]: default/pod-worker (ID:2886) -> default/pod-worker2 (ID:51052) to-endpoint FORWARDED (ICMPv6 EchoRequest)
May 28 04:39:29.690 [kind-kind/kind-worker2]: default/pod-worker (ID:2886) <- default/pod-worker2 (ID:51052) to-overlay FORWARDED (ICMPv6 EchoReply)
May 28 04:41:35.707 [kind-kind/kind-worker3]: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: SYN)
May 28 04:41:35.707 [kind-kind/kind-worker]: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:41:35.707 [kind-kind/kind-worker3]: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:41:35.707 [kind-kind/kind-worker]: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, PSH)
May 28 04:41:35.707 [kind-kind/kind-worker3]: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
May 28 04:41:35.713 [kind-kind/kind-worker3]: default/pod-worker:40472 (ID:2886) <> default/echoserver-6c45798fdc-v7j6l (ID:6541) pre-xlate-rev TRACED (TCP)
May 28 04:41:35.717 [kind-kind/kind-worker]: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, FIN)
May 28 04:41:35.717 [kind-kind/kind-worker3]: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
May 28 04:41:35.719 [kind-kind/kind-worker]: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:41:35.719 [kind-kind/kind-worker3]: default/pod-worker:40472 (ID:2886) -> default/echoserver-6c45798fdc-v7j6l:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:42:05.924 [kind-kind/kind-worker]: default/pod-worker (ID:2886) <> [fd00:10:96::6138]:80 (world-ipv6) pre-xlate-fwd TRACED (TCP)
May 28 04:42:05.924 [kind-kind/kind-worker]: default/pod-worker (ID:2886) <> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) post-xlate-fwd TRANSLATED (TCP)
May 28 04:42:05.924 [kind-kind/kind-worker]: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: SYN)
May 28 04:42:05.924 [kind-kind/kind-worker3]: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: SYN)
May 28 04:42:05.924 [kind-kind/kind-worker]: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:42:05.924 [kind-kind/kind-worker3]: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:42:05.924 [kind-kind/kind-worker]: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, PSH)
May 28 04:42:05.924 [kind-kind/kind-worker3]: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
May 28 04:42:05.930 [kind-kind/kind-worker3]: default/pod-worker:48816 (ID:2886) <> default/echoserver-6c45798fdc-hp58p (ID:6541) pre-xlate-rev TRACED (TCP)
May 28 04:42:05.935 [kind-kind/kind-worker]: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, FIN)
May 28 04:42:05.935 [kind-kind/kind-worker3]: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
May 28 04:42:05.937 [kind-kind/kind-worker]: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:42:05.937 [kind-kind/kind-worker3]: default/pod-worker:48816 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:43:00.967 [kind-kind/kind-worker]: default/pod-worker (ID:2886) <> [fd00:10:96::6138]:80 (world-ipv6) pre-xlate-fwd TRACED (TCP)
May 28 04:43:00.967 [kind-kind/kind-worker]: default/pod-worker (ID:2886) <> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) post-xlate-fwd TRANSLATED (TCP)
May 28 04:43:00.967 [kind-kind/kind-worker]: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: SYN)
May 28 04:43:00.967 [kind-kind/kind-worker3]: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: SYN)
May 28 04:43:00.968 [kind-kind/kind-worker]: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:43:00.968 [kind-kind/kind-worker3]: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:43:00.968 [kind-kind/kind-worker]: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, PSH)
May 28 04:43:00.968 [kind-kind/kind-worker3]: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
May 28 04:43:00.970 [kind-kind/kind-worker3]: default/pod-worker:37894 (ID:2886) <> default/echoserver-6c45798fdc-hp58p (ID:6541) pre-xlate-rev TRACED (TCP)
May 28 04:43:00.971 [kind-kind/kind-worker]: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK, FIN)
May 28 04:43:00.971 [kind-kind/kind-worker3]: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK, FIN)
May 28 04:43:00.971 [kind-kind/kind-worker]: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-overlay FORWARDED (TCP Flags: ACK)
May 28 04:43:00.971 [kind-kind/kind-worker3]: default/pod-worker:37894 (ID:2886) -> default/echoserver-6c45798fdc-hp58p:80 (ID:6541) to-endpoint FORWARDED (TCP Flags: ACK)
May 28 04:49:09.390 [kind-kind/kind-worker]: default/pod-worker (ID:2886) -> default/pod-worker2 (ID:51052) to-overlay FORWARDED (ICMPv6 EchoRequest)
May 28 04:49:09.390 [kind-kind/kind-worker2]: default/pod-worker (ID:2886) -> default/pod-worker2 (ID:51052) to-endpoint FORWARDED (ICMPv6 EchoRequest)
May 28 04:49:09.390 [kind-kind/kind-worker2]: default/pod-worker (ID:2886) <- default/pod-worker2 (ID:51052) to-overlay FORWARDED (ICMPv6 EchoReply)
May 28 04:49:09.390 [kind-kind/kind-worker]: default/pod-worker (ID:2886) <- default/pod-worker2 (ID:51052) to-endpoint FORWARDED (ICMPv6 EchoReply)
EVENTS LOST: HUBBLE_RING_BUFFER CPU(0) 1
EVENTS LOST: HUBBLE_RING_BUFFER CPU(0) 1

By default, Hubble translates IP addresses into logical names such as Pod names or FQDNs. If you need the source and destination IPv6 addresses, you can disable this:

root@server:~# hubble observe --ipv6 --from-pod pod-worker \
  -o dict \
  --ip-translation=false \
  --protocol ICMPv6
  TIMESTAMP: May 28 04:39:29.690
     SOURCE: fd00:10:244:2::a98f
DESTINATION: fd00:10:244:1::ac0f
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoRequest
------------
  TIMESTAMP: May 28 04:39:29.690
     SOURCE: fd00:10:244:2::a98f
DESTINATION: fd00:10:244:1::ac0f
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoRequest
------------
  TIMESTAMP: May 28 04:39:29.690
     SOURCE: fd00:10:244:1::ac0f
DESTINATION: fd00:10:244:2::a98f
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoReply
------------
  TIMESTAMP: May 28 04:39:29.690
     SOURCE: fd00:10:244:1::ac0f
DESTINATION: fd00:10:244:2::a98f
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoReply
------------
  TIMESTAMP: May 28 04:49:09.390
     SOURCE: fd00:10:244:2::a98f
DESTINATION: fd00:10:244:1::ac0f
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoRequest
------------
  TIMESTAMP: May 28 04:49:09.390
     SOURCE: fd00:10:244:2::a98f
DESTINATION: fd00:10:244:1::ac0f
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoRequest
------------
  TIMESTAMP: May 28 04:49:09.390
     SOURCE: fd00:10:244:1::ac0f
DESTINATION: fd00:10:244:2::a98f
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoReply
------------
  TIMESTAMP: May 28 04:49:09.390
     SOURCE: fd00:10:244:1::ac0f
DESTINATION: fd00:10:244:2::a98f
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoReply
------------
  TIMESTAMP: 
     SOURCE: HUBBLE_RING_BUFFER
       TYPE: EVENTS LOST
    VERDICT: 
    SUMMARY: CPU(0) - 1
------------
  TIMESTAMP: 
     SOURCE: HUBBLE_RING_BUFFER
       TYPE: EVENTS LOST
    VERDICT: 
    SUMMARY: CPU(0) - 1
------------
  TIMESTAMP: 
     SOURCE: HUBBLE_RING_BUFFER
       TYPE: EVENTS LOST
    VERDICT: 
    SUMMARY: CPU(0) - 1

Run the curl command against the IPv6 Service again:

root@server:~# ServiceIPv6=$(kubectl get svc echoserver -o jsonpath='{.spec.clusterIP}')
echo $ServiceIPv6
kubectl exec -i -t pod-worker -- curl -6 http://[$ServiceIPv6]/ | jq
fd00:10:96::6138
{"host": {"hostname": "[fd00:10:96::6138]","ip": "fd00:10:244:2::a98f","ips": []},"http": {"method": "GET","baseUrl": "","originalUrl": "/","protocol": "http"},"request": {"params": {"0": "/"},"query": {},"cookies": {},"body": {},"headers": {"host": "[fd00:10:96::6138]","user-agent": "curl/8.7.1","accept": "*/*"}},"environment": {"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME": "echoserver-6c45798fdc-qpkjj","NODE_VERSION": "20.11.0","YARN_VERSION": "1.22.19","PORT": "80","KUBERNETES_SERVICE_HOST": "10.96.0.1","KUBERNETES_SERVICE_PORT": "443","KUBERNETES_PORT_443_TCP_PORT": "443","ECHOSERVER_PORT_80_TCP_PORT": "80","ECHOSERVER_PORT_80_TCP_PROTO": "tcp","ECHOSERVER_PORT_80_TCP_ADDR": "fd00:10:96::6138","KUBERNETES_SERVICE_PORT_HTTPS": "443","KUBERNETES_PORT_443_TCP": "tcp://10.96.0.1:443","KUBERNETES_PORT_443_TCP_PROTO": "tcp","ECHOSERVER_SERVICE_PORT": "80","KUBERNETES_PORT": "tcp://10.96.0.1:443","ECHOSERVER_PORT_80_TCP": "tcp://[fd00:10:96::6138]:80","KUBERNETES_PORT_443_TCP_ADDR": "10.96.0.1","ECHOSERVER_SERVICE_HOST": "fd00:10:96::6138","ECHOSERVER_PORT": "tcp://[fd00:10:96::6138]:80","HOME": "/root"}
}

You will now see HTTP flows (DESTINATION port 80, with TCP flags in SUMMARY) as well as ICMPv6 flows:

root@server:~# hubble observe --ipv6 --from-pod pod-worker -o dict --ip-translation=false
  TIMESTAMP: May 28 04:39:29.690
     SOURCE: fd00:10:244:2::a98f
DESTINATION: fd00:10:244:1::ac0f
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoRequest
------------
  TIMESTAMP: May 28 04:39:29.690
     SOURCE: fd00:10:244:1::ac0f
DESTINATION: fd00:10:244:2::a98f
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoReply
------------
  TIMESTAMP: May 28 04:41:35.707
     SOURCE: [fd00:10:244:2::a98f]:40472
DESTINATION: [fd00:10:244:3::6e88]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: SYN
------------
  TIMESTAMP: May 28 04:41:35.707
     SOURCE: [fd00:10:244:2::a98f]:40472
DESTINATION: [fd00:10:244:3::6e88]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK
------------
  TIMESTAMP: May 28 04:41:35.707
     SOURCE: [fd00:10:244:2::a98f]:40472
DESTINATION: [fd00:10:244:3::6e88]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK, PSH
------------
  TIMESTAMP: May 28 04:41:35.713
     SOURCE: [fd00:10:244:2::a98f]:40472
DESTINATION: fd00:10:244:3::6e88
       TYPE: pre-xlate-rev
    VERDICT: TRACED
    SUMMARY: TCP
------------
  TIMESTAMP: May 28 04:41:35.717
     SOURCE: [fd00:10:244:2::a98f]:40472
DESTINATION: [fd00:10:244:3::6e88]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK, FIN
------------
  TIMESTAMP: May 28 04:41:35.719
     SOURCE: [fd00:10:244:2::a98f]:40472
DESTINATION: [fd00:10:244:3::6e88]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK
------------
  TIMESTAMP: May 28 04:42:05.924
     SOURCE: [fd00:10:244:2::a98f]:48816
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: SYN
------------
  TIMESTAMP: May 28 04:42:05.924
     SOURCE: [fd00:10:244:2::a98f]:48816
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK
------------
  TIMESTAMP: May 28 04:42:05.924
     SOURCE: [fd00:10:244:2::a98f]:48816
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK, PSH
------------
  TIMESTAMP: May 28 04:42:05.924
     SOURCE: [fd00:10:244:2::a98f]:48816
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK, PSH
------------
  TIMESTAMP: May 28 04:42:05.930
     SOURCE: [fd00:10:244:2::a98f]:48816
DESTINATION: fd00:10:244:3::e17c
       TYPE: pre-xlate-rev
    VERDICT: TRACED
    SUMMARY: TCP
------------
  TIMESTAMP: May 28 04:42:05.935
     SOURCE: [fd00:10:244:2::a98f]:48816
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK, FIN
------------
  TIMESTAMP: May 28 04:42:05.935
     SOURCE: [fd00:10:244:2::a98f]:48816
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK, FIN
------------
  TIMESTAMP: May 28 04:42:05.937
     SOURCE: [fd00:10:244:2::a98f]:48816
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK
------------
  TIMESTAMP: May 28 04:42:05.937
     SOURCE: [fd00:10:244:2::a98f]:48816
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK
------------
  TIMESTAMP: May 28 04:43:00.967
     SOURCE: fd00:10:244:2::a98f
DESTINATION: [fd00:10:96::6138]:80
       TYPE: pre-xlate-fwd
    VERDICT: TRACED
    SUMMARY: TCP
------------
  TIMESTAMP: May 28 04:43:00.967
     SOURCE: fd00:10:244:2::a98f
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: post-xlate-fwd
    VERDICT: TRANSLATED
    SUMMARY: TCP
------------
  TIMESTAMP: May 28 04:43:00.967
     SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: SYN
------------
  TIMESTAMP: May 28 04:43:00.967
     SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: SYN
------------
  TIMESTAMP: May 28 04:43:00.968
     SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK
------------
  TIMESTAMP: May 28 04:43:00.968
     SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK
------------
  TIMESTAMP: May 28 04:43:00.968
     SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: [fd00:10:244:3::e17c]:80
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: TCP Flags: ACK, PSH
------------
  TIMESTAMP: May 28 04:43:00.968
     SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: [fd00:10:244:3::e17c]:80TYPE: to-endpointVERDICT: FORWARDEDSUMMARY: TCP Flags: ACK, PSH
------------TIMESTAMP: May 28 04:43:00.970SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: fd00:10:244:3::e17cTYPE: pre-xlate-revVERDICT: TRACEDSUMMARY: TCP
------------TIMESTAMP: May 28 04:43:00.971SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: [fd00:10:244:3::e17c]:80TYPE: to-overlayVERDICT: FORWARDEDSUMMARY: TCP Flags: ACK, FIN
------------TIMESTAMP: May 28 04:43:00.971SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: [fd00:10:244:3::e17c]:80TYPE: to-endpointVERDICT: FORWARDEDSUMMARY: TCP Flags: ACK, FIN
------------TIMESTAMP: May 28 04:43:00.971SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: [fd00:10:244:3::e17c]:80TYPE: to-overlayVERDICT: FORWARDEDSUMMARY: TCP Flags: ACK
------------TIMESTAMP: May 28 04:43:00.971SOURCE: [fd00:10:244:2::a98f]:37894
DESTINATION: [fd00:10:244:3::e17c]:80TYPE: to-endpointVERDICT: FORWARDEDSUMMARY: TCP Flags: ACK
------------TIMESTAMP: May 28 04:49:09.390SOURCE: fd00:10:244:2::a98f
DESTINATION: fd00:10:244:1::ac0fTYPE: to-overlayVERDICT: FORWARDEDSUMMARY: ICMPv6 EchoRequest
------------TIMESTAMP: May 28 04:49:09.390SOURCE: fd00:10:244:2::a98f
DESTINATION: fd00:10:244:1::ac0fTYPE: to-endpointVERDICT: FORWARDEDSUMMARY: ICMPv6 EchoRequest
------------TIMESTAMP: May 28 04:49:09.390SOURCE: fd00:10:244:1::ac0f
DESTINATION: fd00:10:244:2::a98fTYPE: to-overlayVERDICT: FORWARDEDSUMMARY: ICMPv6 EchoReply
------------TIMESTAMP: May 28 04:49:09.390SOURCE: fd00:10:244:1::ac0f
DESTINATION: fd00:10:244:2::a98fTYPE: to-endpointVERDICT: FORWARDEDSUMMARY: ICMPv6 EchoReply
------------TIMESTAMP: May 28 04:51:22.619SOURCE: fd00:10:244:2::a98f
DESTINATION: [fd00:10:96::6138]:80TYPE: pre-xlate-fwdVERDICT: TRACEDSUMMARY: TCP
------------TIMESTAMP: May 28 04:51:22.619SOURCE: fd00:10:244:2::a98f
DESTINATION: [fd00:10:244:2::f470]:80TYPE: post-xlate-fwdVERDICT: TRANSLATEDSUMMARY: TCP
------------TIMESTAMP: May 28 04:51:22.619SOURCE: [fd00:10:244:2::a98f]:37848
DESTINATION: [fd00:10:244:2::f470]:80TYPE: to-endpointVERDICT: FORWARDEDSUMMARY: TCP Flags: SYN
------------TIMESTAMP: May 28 04:51:22.619SOURCE: [fd00:10:244:2::a98f]:37848
DESTINATION: [fd00:10:244:2::f470]:80TYPE: to-endpointVERDICT: FORWARDEDSUMMARY: TCP Flags: ACK
------------TIMESTAMP: May 28 04:51:22.619SOURCE: [fd00:10:244:2::a98f]:37848
DESTINATION: [fd00:10:244:2::f470]:80TYPE: to-endpointVERDICT: FORWARDEDSUMMARY: TCP Flags: ACK, PSH
------------TIMESTAMP: May 28 04:51:22.627SOURCE: [fd00:10:244:2::a98f]:37848
DESTINATION: fd00:10:244:2::f470TYPE: pre-xlate-revVERDICT: TRACEDSUMMARY: TCP
------------TIMESTAMP: May 28 04:51:22.658SOURCE: [fd00:10:244:2::a98f]:37848
DESTINATION: [fd00:10:244:2::f470]:80TYPE: to-endpointVERDICT: FORWARDEDSUMMARY: TCP Flags: ACK, FIN
------------TIMESTAMP: May 28 04:51:22.659SOURCE: [fd00:10:244:2::a98f]:37848
DESTINATION: [fd00:10:244:2::f470]:80TYPE: to-endpointVERDICT: FORWARDEDSUMMARY: TCP Flags: ACK
------------TIMESTAMP: SOURCE: HUBBLE_RING_BUFFERTYPE: EVENTS LOSTVERDICT: SUMMARY: CPU(0) - 1
------------TIMESTAMP: SOURCE: HUBBLE_RING_BUFFERTYPE: EVENTS LOSTVERDICT: SUMMARY: CPU(0) - 1

If you only want to see your ping messages, filter by protocol with the --protocol ICMPv6 flag:

root@server:~# hubble observe --ipv6 --from-pod pod-worker -o dict --ip-translation=false --protocol ICMPv6
  TIMESTAMP: May 28 04:39:29.690
     SOURCE: fd00:10:244:2::a98f
DESTINATION: fd00:10:244:1::ac0f
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoRequest
------------
  TIMESTAMP: May 28 04:39:29.690
     SOURCE: fd00:10:244:1::ac0f
DESTINATION: fd00:10:244:2::a98f
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoReply
------------
  TIMESTAMP: May 28 04:49:09.390
     SOURCE: fd00:10:244:2::a98f
DESTINATION: fd00:10:244:1::ac0f
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoRequest
------------
  TIMESTAMP: May 28 04:49:09.390
     SOURCE: fd00:10:244:2::a98f
DESTINATION: fd00:10:244:1::ac0f
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoRequest
------------
  TIMESTAMP: May 28 04:49:09.390
     SOURCE: fd00:10:244:1::ac0f
DESTINATION: fd00:10:244:2::a98f
       TYPE: to-overlay
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoReply
------------
  TIMESTAMP: May 28 04:49:09.390
     SOURCE: fd00:10:244:1::ac0f
DESTINATION: fd00:10:244:2::a98f
       TYPE: to-endpoint
    VERDICT: FORWARDED
    SUMMARY: ICMPv6 EchoReply
------------
  TIMESTAMP:
     SOURCE: HUBBLE_RING_BUFFER
       TYPE: EVENTS LOST
    VERDICT:
    SUMMARY: CPU(0) - 1
------------
  TIMESTAMP:
     SOURCE: HUBBLE_RING_BUFFER
       TYPE: EVENTS LOST
    VERDICT:
    SUMMARY: CPU(0) - 1
------------
  TIMESTAMP:
     SOURCE: HUBBLE_RING_BUFFER
       TYPE: EVENTS LOST
    VERDICT:
    SUMMARY: CPU(0) - 1
------------
  TIMESTAMP:
     SOURCE: HUBBLE_RING_BUFFER
       TYPE: EVENTS LOST
    VERDICT:
    SUMMARY: CPU(0) - 1

That's it! You can now visualize IPv6 flows in Kubernetes, and hopefully you can see that, with the right tools, running IPv6 on Kubernetes does not have to be an operational nightmare.
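
As an added example (not part of the original lab and not Hubble's own code), here is a small parser for the -o dict output shown above: it normalizes bracketed IPv6 endpoints, counts flows by verdict, and counts EVENTS LOST records separately, because each one marks flows that Hubble did not record. The sample input is constructed, and its DROPPED record with the "Policy denied" type is an assumption made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in the `hubble observe -o dict` layout (one field per line,
# dashed separator). The DROPPED record is invented; addresses reuse the lab's ranges.
SAMPLE = """\
  TIMESTAMP: May 28 04:52:00.000
     SOURCE: [fd00:10:244:2::a98f]:40000
DESTINATION: [fd00:10:244:3::e17c]:22
       TYPE: Policy denied
    VERDICT: DROPPED
    SUMMARY: TCP Flags: SYN
------------
  TIMESTAMP:
     SOURCE: HUBBLE_RING_BUFFER
       TYPE: EVENTS LOST
    VERDICT:
    SUMMARY: CPU(0) - 1
"""

def split_endpoint(value):
    """'[v6]:port' or a bare address -> (canonical address, port or None)."""
    host, _, port = value.lstrip("[").partition("]:")
    try:
        return str(ipaddress.ip_address(host)), int(port) if port.isdigit() else None
    except ValueError:
        return value, None  # not a plain address, e.g. HUBBLE_RING_BUFFER

def parse_records(text):
    """Yield one dict per record; split each line on its FIRST colon only,
    because IPv6 addresses and summaries contain colons. Empty fields are dropped."""
    for block in text.split("-" * 12):
        fields = (line.partition(":") for line in block.splitlines())
        rec = {k.strip(): v.strip() for k, _, v in fields if v.strip()}
        if rec:
            yield rec

def summarize(text):
    """Return (Counter of (src, dst, dport, verdict), number of EVENTS LOST records)."""
    flows, lost = Counter(), 0
    for rec in parse_records(text):
        if rec.get("TYPE") == "EVENTS LOST":  # ring buffer overflow: a visibility gap
            lost += 1
            continue
        src, _ = split_endpoint(rec.get("SOURCE", ""))
        dst, dport = split_endpoint(rec.get("DESTINATION", ""))
        flows[(src, dst, dport, rec.get("VERDICT", ""))] += 1
    return flows, lost
```

A non-zero lost count means the absence of a flow in the output cannot be read as the absence of traffic during that window.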

4.3 Quiz

√	Dual-stack IPv4/IPv6 Networking Reached General Availability in Kubernetes 1.23.
√	Hubble supports both IPv4 and IPv6 flows.
×	IPv6 is enabled by default with Cilium.
×	The DNS AAAA record matches a domain name with an IPv4 address.

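5. Exam

5.1 Tasks

For this practical exam, you need to:

  1. Deploy a Pod based on the nginx image and verify that it has been assigned an IPv6 address. Make sure the Pod is named my-nginx.
  2. Expose the nginx application with a NodePort service. You can use the pre-populated YAML file service-challenge.yaml as a starting point. The file is located in the /exam/ folder.
  3. Use curl to verify that the nginx server can be reached successfully through the node's IPv6 address. Use TCP and port 80 to reach this server.

5.2 Solution

  1. Create the pod
kubectl run my-nginx --image=nginx

Confirm that the pod has been created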

root@server:~# kubectl run my-nginx --image=nginx
pod/my-nginx created
root@server:~# k get po my-nginx --show-labels
NAME       READY   STATUS    RESTARTS   AGE   LABELS
my-nginx   1/1     Running   0          18s   run=my-nginx
  2. Create the svc and apply the configuration
root@server:~# yq exam/service-challenge.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
    - IPv6
    - IPv4
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: NodePort
  selector:
    run: my-nginx
root@server:~# k apply -f exam/service-challenge.yaml
service/my-nginx created
  3. Confirm the IPv6 addresses of the pod and svc
root@server:~# k describe po my-nginx | grep -A 2 IPs
IPs:
  IP:  10.244.3.61
  IP:  fd00:10:244:3::1d3c
root@server:~# IPv6=$(kubectl get pod my-nginx -o jsonpath='{.status.podIPs[1].ip}')
echo $IPv6
fd00:10:244:3::1d3c
  4. Test pinging the svc from pod-worker2
root@server:~# kubectl exec -it pod-worker2 -- ping -c 4 $IPv6
PING fd00:10:244:3::937 (fd00:10:244:3::937) 56 data bytes
64 bytes from fd00:10:244:3::937: icmp_seq=1 ttl=63 time=0.221 ms
64 bytes from fd00:10:244:3::937: icmp_seq=2 ttl=63 time=0.115 ms
64 bytes from fd00:10:244:3::937: icmp_seq=3 ttl=63 time=0.127 ms
64 bytes from fd00:10:244:3::937: icmp_seq=4 ttl=63 time=0.127 ms

--- fd00:10:244:3::937 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3095ms
rtt min/avg/max/mdev = 0.115/0.147/0.221/0.042 ms
root@server:~# 

Done, time to submit the exam.

New badge earned!
