命令一
查看tunnel
root@node5:/home/cilium# cilium bpf tunnel list
TUNNEL VALUE
10.0.0.0 192.168.2.10:0
说明：使用 VXLAN 网络时，对于要发往 10.0.0.0 网段的包，remote 为 192.168.2.10，即 VXLAN 封装时会把外层目的 IP 设置为 192.168.2.10。
命令二
root@node4:/home/cilium# cilium identity list
ID LABELS
1 reserved:host
2 reserved:world
3 reserved:unmanaged
4 reserved:health
5 reserved:init
6 reserved:remote-node
7 reserved:kube-apiserver
reserved:remote-node
8 reserved:ingress
70509 k8s:app.kubernetes.io/name=hubble-relay
k8s:app.kubernetes.io/part-of=cilium
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system
k8s:io.cilium.k8s.policy.cluster=prvite-kubernetes
k8s:io.cilium.k8s.policy.serviceaccount=hubble-relay
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=hubble-relay
73930 k8s:app.kubernetes.io/name=hubble-ui
k8s:app.kubernetes.io/part-of=cilium
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system
k8s:io.cilium.k8s.policy.cluster=prvite-kubernetes
k8s:io.cilium.k8s.policy.serviceaccount=hubble-ui
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=hubble-ui
80419 k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system
k8s:io.cilium.k8s.policy.cluster=prvite-kubernetes
k8s:io.cilium.k8s.policy.serviceaccount=coredns
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=kube-dns
117993 k8s:app=k8sutils
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
k8s:io.cilium.k8s.policy.cluster=prvite-kubernetes
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
说明：这里的 ID 是 Cilium 的安全身份（identity），跨节点时它会被放在 VXLAN 数据包的 VNI 字段中携带。
命令三
root@node4:/home/cilium# cilium endpoint list
ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS
ENFORCEMENT ENFORCEMENT
642 Disabled Disabled 1 reserved:host ready
769 Disabled Disabled 80419 k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system 10.10.2.130 ready
k8s:io.cilium.k8s.policy.cluster=prvite-kubernetes
k8s:io.cilium.k8s.policy.serviceaccount=coredns
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=kube-dns
1029 Disabled Disabled 117993 k8s:app=k8sutils 10.10.2.60 ready
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
k8s:io.cilium.k8s.policy.cluster=prvite-kubernetes
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
1917 Disabled Disabled 80419 k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system 10.10.2.17 ready
k8s:io.cilium.k8s.policy.cluster=prvite-kubernetes
k8s:io.cilium.k8s.policy.serviceaccount=coredns
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=kube-dns
2841 Disabled Disabled 70509 k8s:app.kubernetes.io/name=hubble-relay 10.10.2.61 ready
k8s:app.kubernetes.io/part-of=cilium
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system
k8s:io.cilium.k8s.policy.cluster=prvite-kubernetes
k8s:io.cilium.k8s.policy.serviceaccount=hubble-relay
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=hubble-relay
3683 Disabled Disabled 73930 k8s:app.kubernetes.io/name=hubble-ui 10.10.2.111 ready
k8s:app.kubernetes.io/part-of=cilium
k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system
k8s:io.cilium.k8s.policy.cluster=prvite-kubernetes
k8s:io.cilium.k8s.policy.serviceaccount=hubble-ui
k8s:io.kubernetes.pod.namespace=kube-system
k8s:k8s-app=hubble-ui
3836 Disabled Disabled 4 reserved:health 10.10.2.69 ready
说明：每个 Pod 都对应一个 endpoint，比 identity 更细粒度地区分；上面 POLICY ENFORCEMENT 两列均为 Disabled，表示这些 endpoint 当前没有生效的 ingress/egress 网络策略。
命令四
root@node4:/home/cilium# cilium monitor -vv
Listening for events on 128 CPUs with 64x4096 of shared memory
Press Ctrl-C to quit
------------------------------------------------------------------------------
level=info msg="Initializing dissection cache..." subsys=monitor
Ethernet {Contents=[..14..] Payload=[..62..] SrcMAC=ce:db:b0:f5:1e:35 DstMAC=6e:58:cf:f8:bc:00 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=48062 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=59239 SrcIP=192.168.202.154 DstIP=10.10.2.73 Options=[] Padding=[]}
TCP {Contents=[..40..] Payload=[] SrcPort=35478 DstPort=4245 Seq=107632067 Ack=0 DataOffset=10 FIN=false SYN=true RST=false PSH=false ACK=false URG=false ECE=false CWR=false NS=false Window=64240 Checksum=38852 Urgent=0 Options=[..5..] Padding=[]}
CPU 01: MARK 0xf02c507 FROM 30 to-endpoint: 74 bytes (74 captured), state new, , identity host->70509, orig-ip 192.168.202.154, to endpoint 30
------------------------------------------------------------------------------
Ethernet {Contents=[..14..] Payload=[..62..] SrcMAC=6e:58:cf:f8:bc:00 DstMAC=ce:db:b0:f5:1e:35 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=0 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=41766 SrcIP=10.10.2.73 DstIP=192.168.202.154 Options=[] Padding=[]}
TCP {Contents=[..40..] Payload=[] SrcPort=4245 DstPort=35478 Seq=51358435 Ack=107632068 DataOffset=10 FIN=false SYN=true RST=false PSH=false ACK=true URG=false ECE=false CWR=false NS=false Window=65160 Checksum=38852 Urgent=0 Options=[..5..] Padding=[]}
CPU 01: MARK 0x17ad0fe0 FROM 30 to-stack: 74 bytes (74 captured), state reply, , identity 70509->host, orig-ip 0.0.0.0
------------------------------------------------------------------------------
Ethernet {Contents=[..14..] Payload=[..54..] SrcMAC=ce:db:b0:f5:1e:35 DstMAC=6e:58:cf:f8:bc:00 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..32..] Version=4 IHL=5 TOS=0 Length=52 Id=48063 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=59246 SrcIP=192.168.202.154 DstIP=10.10.2.73 Options=[] Padding=[]}
TCP {Contents=[..32..] Payload=[] SrcPort=35478 DstPort=4245 Seq=107632068 Ack=51358436 DataOffset=8 FIN=false SYN=false RST=false PSH=false ACK=true URG=false ECE=false CWR=false NS=false Window=502 Checksum=38844 Urgent=0 Options=[TCPOption(NOP:), TCPOption(NOP:), TCPOption(Timestamps:151461693/1234800187 0x09071f3d49998e3b)] Padding=[]}
CPU 01: MARK 0xf02c507 FROM 30 to-endpoint: 66 bytes (66 captured), state established, , identity host->70509, orig-ip 192.168.202.154, to endpoint 30
------------------------------------------------------------------------------
Ethernet {Contents=[..14..] Payload=[..54..] SrcMAC=ce:db:b0:f5:1e:35 DstMAC=6e:58:cf:f8:bc:00 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..32..] Version=4 IHL=5 TOS=0 Length=52 Id=48064 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=59245 SrcIP=192.168.202.154 DstIP=10.10.2.73 Options=[] Padding=[]}
TCP {Contents=[..32..] Payload=[] SrcPort=35478 DstPort=4245 Seq=107632068 Ack=51358436 DataOffset=8 FIN=true SYN=false RST=false PSH=false ACK=true URG=false ECE=false CWR=false NS=false Window=502 Checksum=38844 Urgent=0 Options=[TCPOption(NOP:), TCPOption(NOP:), TCPOption(Timestamps:151461693/1234800187 0x09071f3d49998e3b)] Padding=[]}
CPU 01: MARK 0xf02c507 FROM 30 to-endpoint: 66 bytes (66 captured), state established, , identity host->70509, orig-ip 192.168.202.154, to endpoint 30
------------------------------------------------------------------------------
Ethernet {Contents=[..14..] Payload=[..70..] SrcMAC=6e:58:cf:f8:bc:00 DstMAC=ce:db:b0:f5:1e:35 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..47..] Version=4 IHL=5 TOS=0 Length=67 Id=55719 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=51575 SrcIP=10.10.2.73 DstIP=192.168.202.154 Options=[] Padding=[]}
TCP {Contents=[..32..] Payload=[..15..] SrcPort=4245 DstPort=35478 Seq=51358436 Ack=107632069 DataOffset=8 FIN=false SYN=false RST=false PSH=true ACK=true URG=false ECE=false CWR=false NS=false Window=510 Checksum=38859 Urgent=0 Options=[TCPOption(NOP:), TCPOption(NOP:), TCPOption(Timestamps:1234800188/151461693 0x49998e3c09071f3d)] Padding=[]}
Failed to decode layer: No decoder for layer type Payload
CPU 01: MARK 0x17ad0fe0 FROM 30 to-stack: 81 bytes (81 captured), state reply, , identity 70509->host, orig-ip 0.0.0.0
------------------------------------------------------------------------------
Ethernet {Contents=[..14..] Payload=[..46..] SrcMAC=ce:db:b0:f5:1e:35 DstMAC=6e:58:cf:f8:bc:00 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..20..] Version=4 IHL=5 TOS=0 Length=40 Id=0 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=41786 SrcIP=192.168.202.154 DstIP=10.10.2.73 Options=[] Padding=[]}
TCP {Contents=[..20..] Payload=[] SrcPort=35478 DstPort=4245 Seq=107632069 Ack=0 DataOffset=5 FIN=false SYN=false RST=true PSH=false ACK=false URG=false ECE=false CWR=false NS=false Window=0 Checksum=8432 Urgent=0 Options=[] Padding=[]}
CPU 01: MARK 0xf02c507 FROM 30 to-endpoint: 54 bytes (54 captured), state established, , identity host->70509, orig-ip 192.168.202.154, to endpoint 30
------------------------------------------------------------------------------
Ethernet {Contents=[..14..] Payload=[..94..] SrcMAC=00:0c:29:9a:d6:b5 DstMAC=00:0c:29:34:15:b3 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..71..] Version=4 IHL=5 TOS=0 Length=91 Id=9284 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=65493 SrcIP=192.168.202.154 DstIP=192.168.202.151 Options=[] Padding=[]}
TCP {Contents=[..32..] Payload=[..39..] SrcPort=59608 DstPort=6443(sun-sr-https) Seq=3440982317 Ack=2792127437 DataOffset=8 FIN=false SYN=false RST=false PSH=true ACK=true URG=false ECE=false CWR=false NS=false Window=501 Checksum=5841 Urgent=0 Options=[TCPOption(NOP:), TCPOption(NOP:), TCPOption(Timestamps:1092696027/3509813741 0x412137dbd13381ed)] Padding=[]}
Failed to decode layer: No decoder for layer type Payload
CPU 02: MARK 0xc81cb025 FROM 2693 to-network: 105 bytes (105 captured), state established, orig-ip 0.0.0.0
------------------------------------------------------------------------------
Ethernet {Contents=[..14..] Payload=[..94..] SrcMAC=00:0c:29:9a:d6:b5 DstMAC=00:0c:29:34:15:b3 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..71..] Version=4 IHL=5 TOS=0 Length=91 Id=24824 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=49953 SrcIP=192.168.202.154 DstIP=192.168.202.151 Options=[] Padding=[]}
TCP {Contents=[..32..] Payload=[..39..] SrcPort=59624 DstPort=6443(sun-sr-https) Seq=2683855108 Ack=1946103753 DataOffset=8 FIN=false SYN=false RST=false PSH=true ACK=true URG=false ECE=false CWR=false NS=false Window=501 Checksum=5841 Urgent=0 Options=[TCPOption(NOP:), TCPOption(NOP:), TCPOption(Timestamps:1092696355/3509814624 0x41213923d1338560)] Padding=[]}
Failed to decode layer: No decoder for layer type Payload
CPU 02: MARK 0xc3e0e855 FROM 2693 to-network: 105 bytes (105 captured), state established, orig-ip 0.0.0.0
------------------------------------------------------------------------------
Ethernet {Contents=[..14..] Payload=[..62..] SrcMAC=56:0f:4d:b6:6a:70 DstMAC=16:b4:ed:cb:ba:7e EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=63558 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=43789 SrcIP=192.168.202.154 DstIP=10.10.2.27 Options=[] Padding=[]}
TCP {Contents=[..40..] Payload=[] SrcPort=43334 DstPort=8181(intermapper) Seq=2205426267 Ack=0 DataOffset=10 FIN=false SYN=true RST=false PSH=false ACK=false URG=false ECE=false CWR=false NS=false Window=64240 Checksum=38806 Urgent=0 Options=[..5..] Padding=[]}
CPU 03: MARK 0xc18fb63 FROM 3106 to-endpoint: 74 bytes (74 captured), state new, , identity host->80419, orig-ip 192.168.202.154, to endpoint 3106
------------------------------------------------------------------------------
Ethernet {Contents=[..14..] Payload=[..62..] SrcMAC=16:b4:ed:cb:ba:7e DstMAC=56:0f:4d:b6:6a:70 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=0 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=41812 SrcIP=10.10.2.27 DstIP=192.168.202.154 Options=[] Padding=[]}
TCP {Contents=[..40..] Payload=[] SrcPort=8181(intermapper) DstPort=43334 Seq=668833426 Ack=2205426268 DataOffset=10 FIN=false SYN=true RST=false PSH=false ACK=true URG=false ECE=false CWR=false NS=false Window=65160 Checksum=38806 Urgent=0 Options=[..5..] Padding=[]}
CPU 03: MARK 0x96365dbf FROM 3106 to-stack: 74 bytes (74 captured), state reply, , identity 80419->host, orig-ip 0.0.0.0
------------------------------------------------------------------------------
Ethernet {Contents=[..14..] Payload=[..54..] SrcMAC=56:0f:4d:b6:6a:70 DstMAC=16:b4:ed:cb:ba:7e EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..32..] Version=4 IHL=5 TOS=0 Length=52 Id=63559 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=43796 SrcIP=192.168.202.154 DstIP=10.10.2.27 Options=[] Padding=[]}
TCP {Contents=[..32..] Payload=[] SrcPort=43334 DstPort=8181(intermapper) Seq=2205426268 Ack=668833427 DataOffset=8 FIN=false SYN=false RST=false PSH=false ACK=true URG=false ECE=false CWR=false NS=false Window=502 Checksum=38798 Urgent=0 Options=[TCPOption(NOP:), TCPOption(NOP:), TCPOption(Timestamps:274565194/3110002871 0x105d884ab95ee0b7)] Padding=[]}
CPU 03: MARK 0xc18fb63 FROM 3106 to-endpoint: 66 bytes (66 captured), state established, , identity host->80419, orig-ip 192.168.202.154, to endpoint 3106
说明：可以查看数据包的封包与转发过程；注意 monitor 只能观察自己所在节点（本地 agent）上的事件。