Commit c2a14fc

author
Mengjiao Liu
committed
[zh]Resync concepts/services-networking/_index.md
1 parent b599a32 commit c2a14fc

1 file changed

+85
-6
lines changed
  • content/zh/docs/concepts/services-networking

content/zh/docs/concepts/services-networking/_index.md

Lines changed: 85 additions & 6 deletions
@@ -4,16 +4,95 @@ weight: 60
44
description: Kubernetes 网络背后的概念和资源。
55
---
66

7+
<!--
8+
## The Kubernetes network model
9+
10+
Every [`Pod`](/docs/concepts/workloads/pods/) gets its own IP address.
11+
This means you do not need to explicitly create links between `Pods` and you
12+
almost never need to deal with mapping container ports to host ports.
13+
This creates a clean, backwards-compatible model where `Pods` can be treated
14+
much like VMs or physical hosts from the perspectives of port allocation,
15+
naming, service discovery, [load balancing](/docs/concepts/services-networking/ingress/#load-balancing), application configuration,
16+
and migration.
17+
18+
Kubernetes imposes the following fundamental requirements on any networking
19+
implementation (barring any intentional network segmentation policies):
20+
21+
* pods on a [node](/docs/concepts/architecture/nodes/) can communicate with all pods on all nodes without NAT
22+
* agents on a node (e.g. system daemons, kubelet) can communicate with all
23+
pods on that node
24+
25+
Note: For those platforms that support `Pods` running in the host network (e.g.
26+
Linux):
27+
28+
* pods in the host network of a node can communicate with all pods on all
29+
nodes without NAT
30+
-->
31+
## Kubernetes 网络模型 {#the-kubernetes-network-model}
32+
33+
每一个 [`Pod`](/zh/docs/concepts/workloads/pods/) 都有它自己的IP地址,
34+
这就意味着你不需要显式地在 `Pod` 之间创建链接, 你几乎不需要处理容器端口到主机端口之间的映射。
35+
这将形成一个干净的、向后兼容的模型;在这个模型里,从端口分配、命名、服务发现、
36+
[负载均衡](/zh/docs/concepts/services-networking/ingress/#load-balancing)、应用配置和迁移的角度来看,
37+
`Pod` 可以被视作虚拟机或者物理主机。
38+
39+
Kubernetes 强制要求所有网络设施都满足以下基本要求(从而排除了有意隔离网络的策略):
40+
41+
* [节点](/zh/docs/concepts/architecture/nodes/)上的 Pod 可以不通过 NAT 和其他任何节点上的 Pod 通信
42+
* 节点上的代理(比如:系统守护进程、kubelet)可以和节点上的所有 Pod 通信
43+
44+
备注:对于支持在主机网络中运行 `Pod` 的平台(比如:Linux):
45+
46+
* 运行在节点主机网络里的 Pod 可以不通过 NAT 和所有节点上的 Pod 通信
47+
48+
<!--
49+
This model is not only less complex overall, but it is principally compatible
50+
with the desire for Kubernetes to enable low-friction porting of apps from VMs
51+
to containers. If your job previously ran in a VM, your VM had an IP and could
52+
talk to other VMs in your project. This is the same basic model.
53+
54+
Kubernetes IP addresses exist at the `Pod` scope - containers within a `Pod`
55+
share their network namespaces - including their IP address and MAC address.
56+
This means that containers within a `Pod` can all reach each other's ports on
57+
`localhost`. This also means that containers within a `Pod` must coordinate port
58+
usage, but this is no different from processes in a VM. This is called the
59+
"IP-per-pod" model.
60+
-->
61+
这个模型不仅不复杂,而且还和 Kubernetes 的实现从虚拟机向容器平滑迁移的初衷相符,
62+
如果你的任务开始是在虚拟机中运行的,你的虚拟机有一个 IP,
63+
可以和项目中其他虚拟机通信。这里的模型是基本相同的。
64+
65+
Kubernetes 的 IP 地址存在于 `Pod` 范围内 - 容器共享它们的网络命名空间 - 包括它们的 IP 地址和 MAC 地址。
66+
这就意味着 `Pod` 内的容器都可以通过 `localhost` 到达对方端口。
67+
这也意味着 `Pod` 内的容器需要相互协调端口的使用,但是这和虚拟机中的进程似乎没有什么不同,
68+
这也被称为“一个 Pod 一个 IP”模型。
69+
70+
<!--
71+
How this is implemented is a detail of the particular container runtime in use.
72+
73+
It is possible to request ports on the `Node` itself which forward to your `Pod`
74+
(called host ports), but this is a very niche operation. How that forwarding is
75+
implemented is also a detail of the container runtime. The `Pod` itself is
76+
blind to the existence or non-existence of host ports.
77+
-->
78+
如何实现以上需求是所使用的特定容器运行时的细节。
79+
80+
也可以在 `Node` 本身请求端口,并用这类端口转发到你的 `Pod`(称之为主机端口),
81+
但这是一个很特殊的操作。转发方式如何实现也是容器运行时的细节。
82+
`Pod` 自己并不知道这些主机端口的存在。
83+
784
<!--
885
Kubernetes networking addresses four concerns:
9-
- Containers within a Pod use networking to communicate via loopback.
86+
- Containers within a Pod [use networking to communicate](/docs/concepts/services-networking/dns-pod-service/) via loopback.
1087
- Cluster networking provides communication between different Pods.
11-
- The Service resource lets you expose an application running in Pods to be reachable from outside your cluster.
12-
- You can also use Services to publish services only for consumption inside your cluster.
88+
- The [Service resource](/docs/concepts/services-networking/service/) lets you [expose an application running in Pods](/docs/concepts/services-networking/connect-applications-service/) to be reachable from outside your cluster.
89+
- You can also use Services to [publish services only for consumption inside your cluster](/docs/concepts/services-networking/service-traffic-policy/).
1390
-->
1491

1592
Kubernetes 网络解决四方面的问题:
16-
- 一个 Pod 中的容器之间通过本地回路(loopback)通信。
93+
- 一个 Pod 中的容器之间[通过本地回路(loopback)通信](/zh/docs/concepts/services-networking/dns-pod-service/)
1794
- 集群网络在不同 pod 之间提供通信。
18-
- Service 资源允许你对外暴露 Pods 中运行的应用程序,以支持来自于集群外部的访问。
19-
- 可以使用 Services 来发布仅供集群内部使用的服务。
95+
- [Service 资源](/zh/docs/concepts/services-networking/service/)允许你
96+
[对外暴露 Pods 中运行的应用程序](/zh/docs/concepts/services-networking/connect-applications-service/)
97+
以支持来自于集群外部的访问。
98+
- 可以使用 Services 来[发布仅供集群内部使用的服务](/zh/docs/concepts/services-networking/service-traffic-policy/)
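Review bot: the translation of "barring any intentional network segmentation policies" in the added line `Kubernetes 强制要求所有网络设施都满足以下基本要求(从而排除了有意隔离网络的策略):` reverses the sense of the English source. "Barring" means the two requirements hold except where a segmentation policy is deliberately applied, whereas "从而排除了有意隔离网络的策略" reads as if the requirements themselves rule such policies out. Suggested wording: `Kubernetes 要求任何网络实现都满足以下基本要求(除非有意设置了网络分段策略):`. Smaller point: the two new list items ending in `通信](/zh/docs/concepts/services-networking/dns-pod-service/)` and `服务](/zh/docs/concepts/services-networking/service-traffic-policy/)` have no terminal punctuation while the neighbouring items end with `。`; make them consistent.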
