2.11. Auditing exposed network ports
On MicroShift, host ports can be opened by a workload in the following cases. You can check the logs to view the network services.
2.11.1. hostNetwork
When a pod is configured with the hostNetwork:true setting, the pod runs in the host network namespace. This configuration can independently open host ports. MicroShift component logs cannot be used to track this case; the ports depend on the firewalld rules. If a port is opened in firewalld, you can view the opened port in the firewalld debug logs.
Prerequisites
- You have root user access to the build host.
Procedure
1. Optional: You can check whether the hostNetwork:true parameter is set in the ovnkube-node pod by using the following example command:
$ sudo oc get pod -n openshift-ovn-kubernetes <ovnkube-node-pod-name> -o json | jq -r '.spec.hostNetwork'
true
2. Run the following command to enable debug in the firewalld logs, and set the following argument in the file:
$ sudo vi /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=10
3. Restart the firewalld service:
$ sudo systemctl restart firewalld.service
4. To verify that the debug option was added correctly, run the following command:
$ sudo systemd-cgls -u firewalld.service
The firewalld debug logs are stored in the /var/log/firewalld path.
Example log when a port opening rule is added
2023-06-28 10:46:37 DEBUG1: config.getZoneByName('public')
2023-06-28 10:46:37 DEBUG1: config.zone.7.addPort('8080', 'tcp')
2023-06-28 10:46:37 DEBUG1: config.zone.7.getSettings()
2023-06-28 10:46:37 DEBUG1: config.zone.7.update('...')
2023-06-28 10:46:37 DEBUG1: config.zone.7.Updated('public')
Example log when a port opening rule is removed
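As an added example that is not part of the MicroShift documentation, the following Python script automates the two checks in this procedure on data you have already collected: it lists every pod whose spec.hostNetwork is true from the PodList JSON that `oc get pods -A -o json` prints (the same field the per-pod `jq -r '.spec.hostNetwork'` check reads), and it extracts the addPort calls from firewalld debug log lines in the format shown above, attaching the zone name from the preceding getZoneByName call. The PodList and the log lines embedded in the script are constructed samples; the pod names and the 9000-9010/udp entry are invented for illustration.

```python
"""Audit helpers for the hostNetwork case (added example, not MicroShift code).

Inputs assumed:
  * the PodList JSON printed by `oc get pods -A -o json`
  * lines from the firewalld debug log under /var/log/firewalld
Both samples below are constructed for illustration.
"""
import json
import re

# Constructed sample PodList: only the first pod runs in the host namespace.
# hostNetwork omitted from spec means false, which the check must handle.
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "openshift-ovn-kubernetes",
                      "name": "ovnkube-node-abc12"},
         "spec": {"hostNetwork": True}},
        {"metadata": {"namespace": "default", "name": "web-7c9d"},
         "spec": {"hostNetwork": False}},
        {"metadata": {"namespace": "default", "name": "api-55f1"},
         "spec": {}},
    ],
})

# Constructed sample firewalld debug lines modelled on the documented format.
SAMPLE_FIREWALLD_LOG = """\
2023-06-28 10:46:37 DEBUG1: config.getZoneByName('public')
2023-06-28 10:46:37 DEBUG1: config.zone.7.addPort('8080', 'tcp')
2023-06-28 10:46:37 DEBUG1: config.zone.7.getSettings()
2023-06-28 10:46:37 DEBUG1: config.zone.7.update('...')
2023-06-28 10:46:37 DEBUG1: config.zone.7.Updated('public')
2023-06-28 10:51:02 DEBUG1: config.getZoneByName('public')
2023-06-28 10:51:02 DEBUG1: config.zone.7.addPort('9000-9010', 'udp')
2023-06-28 10:51:02 DEBUG1: config.zone.7.Updated('public')
"""

ZONE_RE = re.compile(r"config\.getZoneByName\('(?P<zone>[^']+)'\)")
ADDPORT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DEBUG\d+: config\.zone\.(?P<idx>\d+)"
    r"\.addPort\('(?P<port>[^']+)', '(?P<proto>[^']+)'\)$"
)


def host_network_pods(podlist_json):
    """Return (namespace, name) for every pod whose spec.hostNetwork is true."""
    pods = json.loads(podlist_json)
    return [
        (p["metadata"]["namespace"], p["metadata"]["name"])
        for p in pods.get("items", [])
        if p.get("spec", {}).get("hostNetwork", False)
    ]


def firewalld_port_additions(log_text):
    """Extract addPort calls from firewalld debug output, in log order.

    Each event carries the timestamp, the zone object index, the port (or
    range), the protocol, and the zone name taken from the most recent
    getZoneByName call, which is how the documented log sequence reads.
    """
    events = []
    current_zone = None
    for raw in log_text.splitlines():
        line = raw.strip()
        zm = ZONE_RE.search(line)
        if zm:
            current_zone = zm["zone"]
            continue
        m = ADDPORT_RE.match(line)
        if m:
            events.append({
                "time": m["ts"],
                "zone_index": int(m["idx"]),
                "zone": current_zone,
                "port": m["port"],
                "protocol": m["proto"],
            })
    return events


if __name__ == "__main__":
    for ns, name in host_network_pods(SAMPLE_PODLIST):
        print(f"hostNetwork pod: {ns}/{name}")
    for ev in firewalld_port_additions(SAMPLE_FIREWALLD_LOG):
        print(f"{ev['time']} zone {ev['zone']} (#{ev['zone_index']}) "
              f"opened {ev['port']}/{ev['protocol']}")
```

To run it against a live host, replace the two constructed samples with the output of `oc get pods -A -o json` and the contents of the firewalld debug log; the removal event is not parsed because the documentation does not show its log format.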
2.11.2. hostPort
You can access the hostPort setting logs in MicroShift. The following logs are examples of the hostPort settings:
Procedure
You can access the logs by running the following command:
$ journalctl -u crio | grep "local port"
Example CRI-O log when the host port is opened
Jun 25 16:27:37 rhel92 crio[77216]: time="2023-06-25 16:27:37.033003098+08:00" level=info msg="Opened local port tcp:443"
Example CRI-O log when the host port is closed
Jun 25 16:24:11 rhel92 crio[77216]: time="2023-06-25 16:24:11.342088450+08:00" level=info msg="Closing host port tcp:443"
2.11.3. NodePort and LoadBalancer services
OVN-Kubernetes opens host ports for the NodePort and LoadBalancer service types. These services add iptables rules that take ingress traffic from the host port and forward it to the clusterIP. Logs for NodePort and LoadBalancer services are shown in the following examples:
Procedure
1. To get the name of the ovnkube-master pod, run the following command:
$ oc get pods -n openshift-ovn-kubernetes | awk '/ovnkube-master/{print $1}'
Example ovnkube-master pod name
ovnkube-master-n2shv
2. You can access the NodePort and LoadBalancer service logs by using the ovnkube-master pod and running the following example command:
$ oc logs -n openshift-ovn-kubernetes <ovnkube-master-pod-name> ovnkube-master | grep -E "OVN-KUBE-NODEPORT|OVN-KUBE-EXTERNALIP"
NodePort service:
Example log in the ovnkube-master container of the ovnkube-master pod when the host port is opened
I0625 09:07:00.992980 2118395 iptables.go:27] Adding rule in table: nat, chain: OVN-KUBE-NODEPORT with args: "-p TCP -m addrtype --dst-type LOCAL --dport 32718 -j DNAT --to-destination 10.96.178.142:8081" for protocol: 0
Example log in the ovnkube-master container of the ovnkube-master pod when the host port is closed
Deleting rule in table: nat, chain: OVN-KUBE-NODEPORT with args: "-p TCP -m addrtype --dst-type LOCAL --dport 32718 -j DNAT --to-destination 10.96.178.142:8081" for protocol: 0
LoadBalancer service:
Example log in the ovnkube-master container of the ovnkube-master pod when the host port is opened
I0625 09:34:10.406067 128902 iptables.go:27] Adding rule in table: nat, chain: OVN-KUBE-EXTERNALIP with args: "-p TCP -d 172.16.47.129 --dport 8081 -j DNAT --to-destination 10.43.114.94:8081" for protocol: 0
Example log in the ovnkube-master container of the ovnkube-master pod when the host port is closed
I0625 09:37:00.976953 128902 iptables.go:63] Deleting rule in table: nat, chain: OVN-KUBE-EXTERNALIP with args: "-p TCP -d 172.16.47.129 --dport 8081 -j DNAT --to-destination 10.43.114.94:8081" for protocol: 0
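The CRI-O messages in 2.11.2 and the ovnkube-master iptables messages in 2.11.3 are both streams of open and close events, so an audit has to replay them in order rather than count the "Opened" or "Adding" lines. The following Python script, an added example that is not part of the MicroShift documentation, does that for both sources and merges the result into one inventory of host ports that are still open, with the backend clusterIP for the OVN-Kubernetes DNAT rules. Note that the `grep "local port"` in 2.11.2 matches only the open message; the close message reads "Closing host port", so the parser below matches both forms. The log lines embedded in the script are constructed from the formats shown above; the extra tcp:8443 entry and the timestamps on the added lines are invented.

```python
"""Replay CRI-O hostPort and ovnkube-master iptables events into a single
inventory of host ports that remain open (added example, not MicroShift code).

Inputs assumed: the raw text of `journalctl -u crio` and of the
ovnkube-master container log, in the formats shown in 2.11.2 and 2.11.3.
"""
import re

# Constructed CRI-O lines: 443 is opened; 8443 is opened and later closed.
SAMPLE_CRIO_LOG = """\
Jun 25 16:27:37 rhel92 crio[77216]: time="2023-06-25 16:27:37.033003098+08:00" level=info msg="Opened local port tcp:443"
Jun 25 16:28:02 rhel92 crio[77216]: time="2023-06-25 16:28:02.100000000+08:00" level=info msg="Opened local port tcp:8443"
Jun 25 16:29:11 rhel92 crio[77216]: time="2023-06-25 16:29:11.342088450+08:00" level=info msg="Closing host port tcp:8443"
"""

# Constructed ovnkube-master lines: a NodePort rule that stays active and an
# ExternalIP (LoadBalancer) rule that is added and then deleted.
SAMPLE_OVN_LOG = """\
I0625 09:07:00.992980 2118395 iptables.go:27] Adding rule in table: nat, chain: OVN-KUBE-NODEPORT with args: "-p TCP -m addrtype --dst-type LOCAL --dport 32718 -j DNAT --to-destination 10.96.178.142:8081" for protocol: 0
I0625 09:34:10.406067 128902 iptables.go:27] Adding rule in table: nat, chain: OVN-KUBE-EXTERNALIP with args: "-p TCP -d 172.16.47.129 --dport 8081 -j DNAT --to-destination 10.43.114.94:8081" for protocol: 0
I0625 09:37:00.976953 128902 iptables.go:63] Deleting rule in table: nat, chain: OVN-KUBE-EXTERNALIP with args: "-p TCP -d 172.16.47.129 --dport 8081 -j DNAT --to-destination 10.43.114.94:8081" for protocol: 0
"""

# Both CRI-O message variants: "Opened local port" and "Closing host port".
CRIO_RE = re.compile(
    r'msg="(?P<action>Opened local port|Closing host port) '
    r'(?P<proto>[a-z]+):(?P<port>\d+)"'
)
OVN_RE = re.compile(
    r'(?P<action>Adding|Deleting) rule in table: nat, chain: (?P<chain>OVN-KUBE-\w+) '
    r'with args: "(?P<args>[^"]*)"'
)
ARG_PROTO_RE = re.compile(r"-p (\S+)")
ARG_DPORT_RE = re.compile(r"--dport (\d+)")
ARG_DST_RE = re.compile(r"(?:^| )-d (\S+)")  # "-d" only, not "--dst-type"
ARG_TO_RE = re.compile(r"--to-destination (\S+)")


def crio_host_ports(log_text):
    """Return the hostPorts still open, keyed 'proto:port' -> opening log line."""
    open_ports = {}
    for line in log_text.splitlines():
        m = CRIO_RE.search(line)
        if not m:
            continue
        key = f"{m['proto']}:{m['port']}"
        if m["action"] == "Opened local port":
            open_ports[key] = line
        else:
            open_ports.pop(key, None)
    return open_ports


def ovn_host_ports(log_text):
    """Return the active DNAT rules keyed by their exact iptables argument
    string, each parsed into chain, proto, dport, external_ip and backend."""
    active = {}
    for line in log_text.splitlines():
        m = OVN_RE.search(line)
        if not m:
            continue
        args = m["args"]
        if m["action"] == "Deleting":
            # The delete message repeats the full argument string, so it
            # identifies exactly which earlier add it cancels.
            active.pop(args, None)
            continue
        dst = ARG_DST_RE.search(args)
        active[args] = {
            "chain": m["chain"],
            "proto": ARG_PROTO_RE.search(args).group(1).lower(),
            "dport": int(ARG_DPORT_RE.search(args).group(1)),
            "external_ip": dst.group(1) if dst else None,  # None for NodePort
            "backend": ARG_TO_RE.search(args).group(1),
        }
    return active


def host_port_inventory(crio_log, ovn_log):
    """Merge both sources into a sorted list of (proto, port, description)."""
    rows = []
    for key in crio_host_ports(crio_log):
        proto, port = key.split(":")
        rows.append((proto, int(port), "hostPort (CRI-O)"))
    for rule in ovn_host_ports(ovn_log).values():
        if rule["chain"] == "OVN-KUBE-NODEPORT":
            source = "NodePort"
        else:
            source = f"LoadBalancer/ExternalIP {rule['external_ip']}"
        rows.append((rule["proto"], rule["dport"], f"{source} -> {rule['backend']}"))
    return sorted(rows)


if __name__ == "__main__":
    for proto, port, desc in host_port_inventory(SAMPLE_CRIO_LOG, SAMPLE_OVN_LOG):
        print(f"{proto}/{port:<5} {desc}")
```

Feed it the real `journalctl -u crio` output and the ovnkube-master container log instead of the constructed samples; any port in the resulting list that no known workload accounts for is the one to investigate.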