What is the k8s ServiceNodePortRange

· devopsnote's blog


In Kubernetes, ServiceNodePortRange is the parameter that specifies the port range for NodePort services, i.e. the range of ports that can be allocated to a NodePort service. By default, NodePort services use ports 30000 to 32767.

How to view the k8s ServiceNodePortRange #

When the kube-apiserver process on a k8s master node starts, it is passed the parameter --service-node-port-range=xxx-xxx; the value of that parameter is the ServiceNodePortRange.


Reserving the port range with net.ipv4.ip_local_reserved_ports #

Documentation

ip_local_reserved_ports - list of comma separated ranges
	Specify the ports which are reserved for known third-party
	applications. These ports will not be used by automatic port
	assignments (e.g. when calling connect() or bind() with port
	number 0). Explicit port allocation behavior is unchanged.

	The format used for both input and output is a comma separated
	list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and
	10). Writing to the file will clear all previously reserved
	ports and update the current list with the one given in the
	input.

	Note that ip_local_port_range and ip_local_reserved_ports
	settings are independent and both are considered by the kernel
	when determining which ports are available for automatic port
	assignments.

	You can reserve ports which are not in the current
	ip_local_port_range, e.g.:

	$ cat /proc/sys/net/ipv4/ip_local_port_range
	32000	60999
	$ cat /proc/sys/net/ipv4/ip_local_reserved_ports
	8080,9148

	although this is redundant. However such a setting is useful
	if later the port range is changed to a value that will
	include the reserved ports.

	Default: Empty

ref: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

net.ipv4.ip_local_reserved_ports is a Linux kernel parameter that specifies reserved local ports; these ports are not handed out by automatic port assignment to ordinary user programs.

Avoiding conflicts: this prevents ordinary user programs from occupying ports in the NodePort service range, which would leave NodePort services unable to work.

net.ipv4.ip_local_reserved_ports="30000–32768"

Written this way, it errors on my system:

sysctl: setting key "net.ipv4.ip_local_reserved_ports": Invalid argument

Written this way, it works:

sysctl -w net.ipv4.ip_local_reserved_ports=31000,32222,30080

Be very careful when changing the NodePort port range. Make sure the NodePort range does not conflict with the port range in the Linux kernel's net.ipv4.ip_local_port_range parameter on the cluster nodes. The ip_local_port_range kernel parameter controls the range of local port numbers that any application on the Linux system may use; its default value is 32768~60999.
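As an added example (not code from the original post), the following script parses the kernel's comma-separated range syntax quoted above for ip_local_reserved_ports and reports which NodePorts the kernel could still hand out as ephemeral ports, i.e. ports that lie inside ip_local_port_range and are not reserved. The /proc paths are the real sysctl files; the NodePort range is an assumed value that you would copy from kube-apiserver's --service-node-port-range flag.

```python
"""Check that a node's sysctl settings protect the NodePort range."""
import re
from pathlib import Path


def parse_port_list(text: str) -> set[int]:
    """Parse "1,2-4,10-10" (ip_local_reserved_ports format) into a set of ports.

    Rejects what the kernel rejects, including a non-ASCII dash such as
    U+2013 in "30000–32768", which is one way to get "Invalid argument".
    """
    ports: set[int] = set()
    for item in filter(None, (s.strip() for s in text.split(","))):
        if not item.isascii():
            raise ValueError(f"non-ASCII character in {item!r}; ranges use '-'")
        lo_s, _, hi_s = item.partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_range(text: str) -> tuple[int, int]:
    """Parse "32768\t60999" (ip_local_port_range) or "30000-32767" (apiserver flag)."""
    lo, hi = (int(x) for x in re.split(r"[-\s]+", text.strip()))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad range {text!r}")
    return lo, hi


def unprotected_node_ports(node_ports: tuple[int, int],
                           local_ports: tuple[int, int],
                           reserved: set[int]) -> list[int]:
    """NodePorts the kernel may still assign to connect()/bind() with port 0."""
    elo, ehi = local_ports
    return [p for p in range(node_ports[0], node_ports[1] + 1)
            if elo <= p <= ehi and p not in reserved]


if __name__ == "__main__":
    # Assumed value: copy it from kube-apiserver's --service-node-port-range.
    node_ports = parse_range("30000-32767")
    proc = Path("/proc/sys/net/ipv4")
    local_ports = parse_range((proc / "ip_local_port_range").read_text())
    reserved = parse_port_list((proc / "ip_local_reserved_ports").read_text())
    at_risk = unprotected_node_ports(node_ports, local_ports, reserved)
    print("unprotected NodePorts:", at_risk or "none")
```

An empty result means every NodePort is either outside ip_local_port_range or explicitly reserved; anything listed is a port a random client socket could grab before kube-proxy binds it.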

Viewing NodePorts already in use #

kubectl get svc -A -o jsonpath='{range .items[*]}{.spec.ports[*].nodePort}{","}{end}'

ref #