k8s 集群信息
root@u22:~# k get node -A -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
u22 Ready control-plane,worker 6h4m v1.33.1 11.0.1.128 <none> Ubuntu 22.04.5 LTS 5.15.0-160-generic containerd://1.7.13
root@u22:~# k get po -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
kube-system calico-kube-controllers-678fc69664-69bg8 1/1 Running 1 (4h31m ago) 6h4m 10.233.102.2 u22 <none> <none>
kube-system calico-node-x2k52 1/1 Running 0 6h4m 11.0.1.128 u22 <none> <none>
kube-system coredns-5bdf9456bc-7mhwg 1/1 Running 0 6h4m 10.233.102.1 u22 <none> <none>
kube-system coredns-5bdf9456bc-c9lmm 1/1 Running 0 6h4m 10.233.102.3 u22 <none> <none>
kube-system kube-apiserver-u22 1/1 Running 0 6h4m 11.0.1.128 u22 <none> <none>
kube-system kube-controller-manager-u22 1/1 Running 0 6h4m 11.0.1.128 u22 <none> <none>
kube-system kube-multus-ds-mkwd7 1/1 Running 0 6h4m 11.0.1.128 u22 <none> <none>
kube-system kube-proxy-482z4 1/1 Running 0 6h4m 11.0.1.128 u22 <none> <none>
kube-system kube-scheduler-u22 1/1 Running 1 (4h30m ago) 6h4m 11.0.1.128 u22 <none> <none>
kube-system nodelocaldns-57f8p 1/1 Running 0 6h4m 11.0.1.128 u22 <none> <none>
root@u22:~#
节点网络信息
root@u22:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:63:1a:4a brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 11.0.1.128/24 metric 100 brd 11.0.1.255 scope global dynamic ens33
valid_lft 1769sec preferred_lft 1769sec
inet6 fe80::20c:29ff:fe63:1a4a/64 scope link
valid_lft forever preferred_lft forever
3: nodelocaldns: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
link/ether 56:3c:49:e5:6c:d2 brd ff:ff:ff:ff:ff:ff
inet 169.254.25.10/32 scope global nodelocaldns
valid_lft forever preferred_lft forever
4: kube-ipvs0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
link/ether ca:7c:9f:83:93:25 brd ff:ff:ff:ff:ff:ff
inet 10.233.0.1/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.233.0.3/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
5: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
inet 10.233.102.0/32 scope global tunl0
valid_lft forever preferred_lft forever
8: cali88a282b6db3@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default qlen 1000
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-00d745d2-8a43-234e-6497-9d062cab7b02
inet6 fe80::ecee:eeff:feee:eeee/64 scope link
valid_lft forever preferred_lft forever
9: cali65be3d10ade@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default qlen 1000
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-a7e849d2-bc1c-623d-1d5b-5dabc09a66de
inet6 fe80::ecee:eeff:feee:eeee/64 scope link
valid_lft forever preferred_lft forever
10: cali84275e679c3@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default qlen 1000
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-cf2eafc0-6f80-cd9c-e99f-f010d83b5fe6
inet6 fe80::ecee:eeff:feee:eeee/64 scope link
valid_lft forever preferred_lft forever
root@u22:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 11.0.1.2 0.0.0.0 UG 100 0 0 ens33
10.233.102.0 0.0.0.0 255.255.255.0 U 0 0 0 *
10.233.102.1 0.0.0.0 255.255.255.255 UH 0 0 0 cali88a282b6db3
10.233.102.2 0.0.0.0 255.255.255.255 UH 0 0 0 cali65be3d10ade
10.233.102.3 0.0.0.0 255.255.255.255 UH 0 0 0 cali84275e679c3
11.0.1.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33
11.0.1.2 0.0.0.0 255.255.255.255 UH 100 0 0 ens33
root@u22:~# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
在 node 上访问本地 pod 时,流量直接走 node 的主机路由:上面路由表中每个 pod IP 都有一条 /32 的 UH 主机路由,出接口是该 pod 对应的 cali* veth 接口,不经过任何隧道或 NAT。
大部分 iptables 规则都是 Calico(cali- 前缀的链)生成的规则,其余主要是 kube-proxy(KUBE- 前缀的链)和 NodeLocal DNS Cache 的规则;下面的 `iptables-save | grep cali | wc -l` 也印证了这一点。
root@u22:~# iptables-save
# Generated by iptables-save v1.8.7 on Sat Oct 18 07:38:55 2025
*raw
:PREROUTING ACCEPT [2911904:642811824]
:OUTPUT ACCEPT [2919295:613387888]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-rpf-skip - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A PREROUTING -d 169.254.25.10/32 -p udp -m udp --dport 53 -m comment --comment "NodeLocal DNS Cache: skip conntrack" -j NOTRACK
-A PREROUTING -d 169.254.25.10/32 -p tcp -m tcp --dport 53 -m comment --comment "NodeLocal DNS Cache: skip conntrack" -j NOTRACK
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -s 169.254.25.10/32 -p tcp -m tcp --sport 8080 -m comment --comment "NodeLocal DNS Cache: skip conntrack" -j NOTRACK
-A OUTPUT -d 169.254.25.10/32 -p tcp -m tcp --dport 8080 -m comment --comment "NodeLocal DNS Cache: skip conntrack" -j NOTRACK
-A OUTPUT -d 169.254.25.10/32 -p udp -m udp --dport 53 -m comment --comment "NodeLocal DNS Cache: skip conntrack" -j NOTRACK
-A OUTPUT -d 169.254.25.10/32 -p tcp -m tcp --dport 53 -m comment --comment "NodeLocal DNS Cache: skip conntrack" -j NOTRACK
-A OUTPUT -s 169.254.25.10/32 -p udp -m udp --sport 53 -m comment --comment "NodeLocal DNS Cache: skip conntrack" -j NOTRACK
-A OUTPUT -s 169.254.25.10/32 -p tcp -m tcp --sport 53 -m comment --comment "NodeLocal DNS Cache: skip conntrack" -j NOTRACK
-A cali-OUTPUT -m comment --comment "cali:njdnLwYeGqBJyMxW" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:rz86uTUcEZAfFsh7" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:pN0F5zD0b8yf9W1Z" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:XFX5xbM8B9qR10JG" -j MARK --set-xmark 0x0/0xf0000
-A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
-A cali-PREROUTING -m comment --comment "cali:PWuxTAIaFCtsg5Qa" -m mark --mark 0x40000/0x40000 -j cali-rpf-skip
-A cali-PREROUTING -m comment --comment "cali:fSSbGND7dgyemWU7" -m mark --mark 0x40000/0x40000 -m rpfilter --validmark --invert -j DROP
-A cali-PREROUTING -m comment --comment "cali:ImU0-4Rl2WoOI9Ou" -m mark --mark 0x0/0x40000 -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:lV4V2MPoMBf0hl9T" -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Sat Oct 18 07:38:55 2025
# Generated by iptables-save v1.8.7 on Sat Oct 18 07:38:55 2025
*filter
:INPUT ACCEPT [2296:441427]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2336:450441]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-IPVS-FILTER - [0:0]
:KUBE-IPVS-OUT-FILTER - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-NODE-PORT - [0:0]
:KUBE-PROXY-FIREWALL - [0:0]
:KUBE-SOURCE-RANGES-FIREWALL - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-cidr-block - [0:0]
:cali-forward-check - [0:0]
:cali-forward-endpoint-mark - [0:0]
:cali-from-endpoint-mark - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-from-wl-dispatch-8 - [0:0]
:cali-fw-cali65be3d10ade - [0:0]
:cali-fw-cali84275e679c3 - [0:0]
:cali-fw-cali88a282b6db3 - [0:0]
:cali-pri-_PTRGc0U-L5Kz7V6ERW - [0:0]
:cali-pri-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pri-kns.kube-system - [0:0]
:cali-pro-_PTRGc0U-L5Kz7V6ERW - [0:0]
:cali-pro-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pro-kns.kube-system - [0:0]
:cali-set-endpoint-mark - [0:0]
:cali-set-endpoint-mark-8 - [0:0]
:cali-sm-cali65be3d10ade - [0:0]
:cali-sm-cali84275e679c3 - [0:0]
:cali-sm-cali88a282b6db3 - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-to-wl-dispatch-8 - [0:0]
:cali-tw-cali65be3d10ade - [0:0]
:cali-tw-cali84275e679c3 - [0:0]
:cali-tw-cali88a282b6db3 - [0:0]
:cali-wl-to-host - [0:0]
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A INPUT -d 169.254.25.10/32 -p udp -m udp --dport 53 -m comment --comment "NodeLocal DNS Cache: allow DNS traffic" -j ACCEPT
-A INPUT -d 169.254.25.10/32 -p tcp -m tcp --dport 53 -m comment --comment "NodeLocal DNS Cache: allow DNS traffic" -j ACCEPT
-A INPUT -m comment --comment "kubernetes ipvs access filter" -j KUBE-IPVS-FILTER
-A INPUT -m comment --comment "kube-proxy firewall rules" -j KUBE-PROXY-FIREWALL
-A INPUT -m comment --comment "kubernetes health check rules" -j KUBE-NODE-PORT
-A INPUT -j KUBE-FIREWALL
-A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
-A FORWARD -m comment --comment "kube-proxy firewall rules" -j KUBE-PROXY-FIREWALL
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m comment --comment "cali:S93hcgKJrXEqnTfs" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A FORWARD -m comment --comment "cali:mp77cMpurHhyjLrM" -j MARK --set-xmark 0x10000/0x10000
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -s 169.254.25.10/32 -p udp -m udp --sport 53 -m comment --comment "NodeLocal DNS Cache: allow DNS traffic" -j ACCEPT
-A OUTPUT -s 169.254.25.10/32 -p tcp -m tcp --sport 53 -m comment --comment "NodeLocal DNS Cache: allow DNS traffic" -j ACCEPT
-A OUTPUT -m comment --comment "kubernetes ipvs access filter" -j KUBE-IPVS-OUT-FILTER
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-IPVS-FILTER -m set --match-set KUBE-LOAD-BALANCER dst,dst -j RETURN
-A KUBE-IPVS-FILTER -m set --match-set KUBE-CLUSTER-IP dst,dst -j RETURN
-A KUBE-IPVS-FILTER -m set --match-set KUBE-EXTERNAL-IP dst,dst -j RETURN
-A KUBE-IPVS-FILTER -m set --match-set KUBE-EXTERNAL-IP-LOCAL dst,dst -j RETURN
-A KUBE-IPVS-FILTER -m set --match-set KUBE-HEALTH-CHECK-NODE-PORT dst -j RETURN
-A KUBE-IPVS-FILTER -m conntrack --ctstate NEW -m set --match-set KUBE-IPVS-IPS dst -j REJECT --reject-with icmp-port-unreachable
-A KUBE-NODE-PORT -m comment --comment "Kubernetes health check node port" -m set --match-set KUBE-HEALTH-CHECK-NODE-PORT dst -j ACCEPT
-A KUBE-SOURCE-RANGES-FIREWALL -j DROP
-A cali-FORWARD -m comment --comment "cali:vjrMJCRpqwy5oRoX" -j MARK --set-xmark 0x0/0xe0000
-A cali-FORWARD -m comment --comment "cali:A_sPAO0mcxbT9mOV" -m mark --mark 0x0/0x10000 -j cali-from-hep-forward
-A cali-FORWARD -i cali+ -m comment --comment "cali:8ZoYfO5HKXWbB3pk" -j cali-from-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
-A cali-FORWARD -m comment --comment "cali:12bc6HljsMKsmfr-" -j cali-to-hep-forward
-A cali-FORWARD -m comment --comment "cali:NOSxoaGx8OIstr1z" -j cali-cidr-block
-A cali-INPUT -p ipencap -m comment --comment "cali:PajejrV4aFdkZojI" -m comment --comment "Allow IPIP packets from Calico hosts" -m set --match-set cali40all-hosts-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p ipencap -m comment --comment "cali:_wjq-Yrma8Ly1Svo" -m comment --comment "Drop IPIP packets from non-Calico hosts" -j DROP
-A cali-INPUT -m comment --comment "cali:ss8lEMQsXi-s6qYT" -j MARK --set-xmark 0x0/0xfff00000
-A cali-INPUT -m comment --comment "cali:PgIW-V0nEjwPhF_8" -j cali-forward-check
-A cali-INPUT -m comment --comment "cali:QMJlDwlS0OjHyfMN" -m mark ! --mark 0x0/0xfff00000 -j RETURN
-A cali-INPUT -i cali+ -m comment --comment "cali:nDRe73txrna-aZjG" -g cali-wl-to-host
-A cali-INPUT -m comment --comment "cali:iX2AYvqGXaVqwkro" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-INPUT -m comment --comment "cali:bhpnxD5IRtBP8KW0" -j MARK --set-xmark 0x0/0xf0000
-A cali-INPUT -m comment --comment "cali:H5_bccAbHV0sooVy" -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment "cali:inBL01YlfurT0dbI" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:Mq1_rAdXXH3YkrzW" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:5Z67OUUpTOM7Xa1a" -m mark ! --mark 0x0/0xfff00000 -g cali-forward-endpoint-mark
-A cali-OUTPUT -o cali+ -m comment --comment "cali:M2Wf0OehNdig8MHR" -j RETURN
-A cali-OUTPUT -p ipencap -m comment --comment "cali:AJBkLho_0Qd8LNr3" -m comment --comment "Allow IPIP packets to other Calico hosts" -m set --match-set cali40all-hosts-net dst -m addrtype --src-type LOCAL -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:iz2RWXlXJDUfsLpe" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:xQqLi8S0sxbiyvjR" -m conntrack ! --ctstate DNAT -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:aSnsxZdmhxm_ilRZ" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-forward-check -m comment --comment "cali:Pbldlb4FaULvpdD8" -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A cali-forward-check -p tcp -m comment --comment "cali:ZD-6UxuUtGW-xtzg" -m comment --comment "To kubernetes NodePort service" -m multiport --dports 30000:32767 -m set --match-set cali40this-host dst -g cali-set-endpoint-mark
-A cali-forward-check -p udp -m comment --comment "cali:CbPfUajQ2bFVnDq4" -m comment --comment "To kubernetes NodePort service" -m multiport --dports 30000:32767 -m set --match-set cali40this-host dst -g cali-set-endpoint-mark
-A cali-forward-check -m comment --comment "cali:jmhU0ODogX-Zfe5g" -m comment --comment "To kubernetes service" -m set ! --match-set cali40this-host dst -j cali-set-endpoint-mark
-A cali-forward-endpoint-mark -m comment --comment "cali:O0SmFDrnm7KggWqW" -m mark ! --mark 0x100000/0xfff00000 -j cali-from-endpoint-mark
-A cali-forward-endpoint-mark -o cali+ -m comment --comment "cali:aFl0WFKRxDqj8oA6" -j cali-to-wl-dispatch
-A cali-forward-endpoint-mark -m comment --comment "cali:AZKVrO3i_8cLai5f" -j cali-to-hep-forward
-A cali-forward-endpoint-mark -m comment --comment "cali:96HaP1sFtb-NYoYA" -j MARK --set-xmark 0x0/0xfff00000
-A cali-forward-endpoint-mark -m comment --comment "cali:VxO6hyNWz62YEtul" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-from-endpoint-mark -m comment --comment "cali:bs911v9jbOHQkdDp" -m mark --mark 0x29600000/0xfff00000 -g cali-fw-cali65be3d10ade
-A cali-from-endpoint-mark -m comment --comment "cali:Whz5m9QH2gNYm_KS" -m mark --mark 0x72900000/0xfff00000 -g cali-fw-cali84275e679c3
-A cali-from-endpoint-mark -m comment --comment "cali:IuZGJ3hof-YNH8JX" -m mark --mark 0x26000000/0xfff00000 -g cali-fw-cali88a282b6db3
-A cali-from-endpoint-mark -m comment --comment "cali:XzspCbdGnlOgXKzY" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch -i cali65be3d10ade -m comment --comment "cali:b6pE1QhSpqJuVfmD" -g cali-fw-cali65be3d10ade
-A cali-from-wl-dispatch -i cali8+ -m comment --comment "cali:pHDNd9VTUwTnU-xo" -g cali-from-wl-dispatch-8
-A cali-from-wl-dispatch -m comment --comment "cali:DfOcf8Qt5J0IJPSW" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch-8 -i cali84275e679c3 -m comment --comment "cali:q3Q5vNVQeoqmYnWr" -g cali-fw-cali84275e679c3
-A cali-from-wl-dispatch-8 -i cali88a282b6db3 -m comment --comment "cali:aKA1LoA_kDv6KHw3" -g cali-fw-cali88a282b6db3
-A cali-from-wl-dispatch-8 -m comment --comment "cali:V7maskNmO6rfAdt1" -m comment --comment "Unknown interface" -j DROP
-A cali-fw-cali65be3d10ade -m comment --comment "cali:86lH47eoA2vdfmTP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali65be3d10ade -m comment --comment "cali:yU88vLnPjzapQnm_" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali65be3d10ade -m comment --comment "cali:J2LJHzLeWjarR6rq" -j MARK --set-xmark 0x0/0x10000
-A cali-fw-cali65be3d10ade -p udp -m comment --comment "cali:NBkJj3d2mImWXUmr" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-cali65be3d10ade -p ipencap -m comment --comment "cali:MjNluC5ZDBaH4A-0" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-cali65be3d10ade -m comment --comment "cali:qa83ESiBPrHsIocA" -j cali-pro-kns.kube-system
-A cali-fw-cali65be3d10ade -m comment --comment "cali:UZc_H9spRZM-nLvk" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali65be3d10ade -m comment --comment "cali:YM1J2B3l1SeBjxhd" -j cali-pro-_PTRGc0U-L5Kz7V6ERW
-A cali-fw-cali65be3d10ade -m comment --comment "cali:OPO70MCRQce4vt_1" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali65be3d10ade -m comment --comment "cali:LIUllLaILsjJwnCD" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali84275e679c3 -m comment --comment "cali:K73VYEQ4oBjO8RQj" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali84275e679c3 -m comment --comment "cali:PtYOO1WcblQVfYnA" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali84275e679c3 -m comment --comment "cali:hIucyALJ8OZypnbK" -j MARK --set-xmark 0x0/0x10000
-A cali-fw-cali84275e679c3 -p udp -m comment --comment "cali:YfUECWDxneE88tZt" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-cali84275e679c3 -p ipencap -m comment --comment "cali:6J8vTZcySLoCt-PG" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-cali84275e679c3 -m comment --comment "cali:WHg_FWv5BNxnxPcX" -j cali-pro-kns.kube-system
-A cali-fw-cali84275e679c3 -m comment --comment "cali:c1Tz_79kPSUXNlJS" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali84275e679c3 -m comment --comment "cali:8MRGi5grdOAcLirJ" -j cali-pro-_u2Tn2rSoAPffvE7JO6
-A cali-fw-cali84275e679c3 -m comment --comment "cali:7MuY1hjtfvYAn_hn" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali84275e679c3 -m comment --comment "cali:tissOcR2EyQ0Z5pP" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali88a282b6db3 -m comment --comment "cali:eGyjeGJVAMNcROF5" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali88a282b6db3 -m comment --comment "cali:20r7XJBAYRXt75hm" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali88a282b6db3 -m comment --comment "cali:HfkLr4fmZdP-K_YH" -j MARK --set-xmark 0x0/0x10000
-A cali-fw-cali88a282b6db3 -p udp -m comment --comment "cali:jVCaioNmGEoi7C99" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-cali88a282b6db3 -p ipencap -m comment --comment "cali:ty-mKxPpDzBStEHj" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-cali88a282b6db3 -m comment --comment "cali:T7vKgNOR6FAgFDJ7" -j cali-pro-kns.kube-system
-A cali-fw-cali88a282b6db3 -m comment --comment "cali:vCA5yKcZmeiNt_VA" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali88a282b6db3 -m comment --comment "cali:ekXnB05jWWphdj2k" -j cali-pro-_u2Tn2rSoAPffvE7JO6
-A cali-fw-cali88a282b6db3 -m comment --comment "cali:OJoT4YedhZ9YNA0W" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali88a282b6db3 -m comment --comment "cali:pJkoR3vj4nfhbXiu" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-pri-_PTRGc0U-L5Kz7V6ERW -m comment --comment "cali:g4z4yZxg6IEqYbOs" -m comment --comment "Profile ksa.kube-system.calico-kube-controllers ingress"
-A cali-pri-_u2Tn2rSoAPffvE7JO6 -m comment --comment "cali:WqgznqAQ-uYV0oBx" -m comment --comment "Profile ksa.kube-system.coredns ingress"
-A cali-pri-kns.kube-system -m comment --comment "cali:J1TyxtHWd0qaBGK-" -m comment --comment "Profile kns.kube-system ingress" -j MARK --set-xmark 0x10000/0x10000
-A cali-pri-kns.kube-system -m comment --comment "cali:QIB6k7eEKdIg73Jp" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-pro-_PTRGc0U-L5Kz7V6ERW -m comment --comment "cali:DR9-t6YJRvFY-IdZ" -m comment --comment "Profile ksa.kube-system.calico-kube-controllers egress"
-A cali-pro-_u2Tn2rSoAPffvE7JO6 -m comment --comment "cali:0-_UPh39dt5XfhmJ" -m comment --comment "Profile ksa.kube-system.coredns egress"
-A cali-pro-kns.kube-system -m comment --comment "cali:tgOR2S8DVHZW3F1M" -m comment --comment "Profile kns.kube-system egress" -j MARK --set-xmark 0x10000/0x10000
-A cali-pro-kns.kube-system -m comment --comment "cali:HVEEtYPJsiGRXCIt" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-set-endpoint-mark -i cali65be3d10ade -m comment --comment "cali:7ClfXahY8VqQMUV2" -g cali-sm-cali65be3d10ade
-A cali-set-endpoint-mark -i cali8+ -m comment --comment "cali:rb5DFNgx82M1ACgy" -g cali-set-endpoint-mark-8
-A cali-set-endpoint-mark -i cali+ -m comment --comment "cali:G7nVWKt19Fs23h7N" -m comment --comment "Unknown endpoint" -j DROP
-A cali-set-endpoint-mark -m comment --comment "cali:vRISbhxrXw6UXSk6" -m comment --comment "Non-Cali endpoint mark" -j MARK --set-xmark 0x100000/0xfff00000
-A cali-set-endpoint-mark-8 -i cali84275e679c3 -m comment --comment "cali:OfDGU-TMAKluhh2R" -g cali-sm-cali84275e679c3
-A cali-set-endpoint-mark-8 -i cali88a282b6db3 -m comment --comment "cali:jMrCypS8x1OIBCuN" -g cali-sm-cali88a282b6db3
-A cali-sm-cali65be3d10ade -m comment --comment "cali:lyQs6WWC3cmG4qqQ" -j MARK --set-xmark 0x29600000/0xfff00000
-A cali-sm-cali84275e679c3 -m comment --comment "cali:5cR2Empun_Rx-ZG3" -j MARK --set-xmark 0x72900000/0xfff00000
-A cali-sm-cali88a282b6db3 -m comment --comment "cali:e_c694Qt2VunC8as" -j MARK --set-xmark 0x26000000/0xfff00000
-A cali-to-wl-dispatch -o cali65be3d10ade -m comment --comment "cali:-wxSlgVKzZ8HGkLu" -g cali-tw-cali65be3d10ade
-A cali-to-wl-dispatch -o cali8+ -m comment --comment "cali:cqMEmkzm7vwqPTl7" -g cali-to-wl-dispatch-8
-A cali-to-wl-dispatch -m comment --comment "cali:PbAlblyNweEYZEuS" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch-8 -o cali84275e679c3 -m comment --comment "cali:EZauBBWDillTovHF" -g cali-tw-cali84275e679c3
-A cali-to-wl-dispatch-8 -o cali88a282b6db3 -m comment --comment "cali:8VpOaN-tpX9A9v5J" -g cali-tw-cali88a282b6db3
-A cali-to-wl-dispatch-8 -m comment --comment "cali:VdnFq1apxxkNzNj_" -m comment --comment "Unknown interface" -j DROP
-A cali-tw-cali65be3d10ade -m comment --comment "cali:z2YxkDIj01D2Shnt" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali65be3d10ade -m comment --comment "cali:XFdLvndu1pIwPA6X" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali65be3d10ade -m comment --comment "cali:2k8L7Q5Zq1NxUr6P" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-cali65be3d10ade -m comment --comment "cali:ujSSd7dv5kS_YgEW" -j cali-pri-kns.kube-system
-A cali-tw-cali65be3d10ade -m comment --comment "cali:Ngo3JXbHTHiFrTIk" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali65be3d10ade -m comment --comment "cali:altFPFygS1Xc_xiF" -j cali-pri-_PTRGc0U-L5Kz7V6ERW
-A cali-tw-cali65be3d10ade -m comment --comment "cali:lkxNpWbHg033KpA1" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali65be3d10ade -m comment --comment "cali:gJo7dlzjimzeXn7f" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali84275e679c3 -m comment --comment "cali:vMb2dYjw8C96KMy1" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali84275e679c3 -m comment --comment "cali:zLBgFbfOCbWq5dyJ" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali84275e679c3 -m comment --comment "cali:T4RODLIYegXYpbSv" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-cali84275e679c3 -m comment --comment "cali:XKdUdg75L6gFr87v" -j cali-pri-kns.kube-system
-A cali-tw-cali84275e679c3 -m comment --comment "cali:SFAmDlBvyXwCa6iQ" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali84275e679c3 -m comment --comment "cali:iZlkLYMslMuC21pw" -j cali-pri-_u2Tn2rSoAPffvE7JO6
-A cali-tw-cali84275e679c3 -m comment --comment "cali:jwsl_pYvH69oI6f8" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali84275e679c3 -m comment --comment "cali:b6G_jrUxFaG4S9Mu" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali88a282b6db3 -m comment --comment "cali:MUlBCjXcd8Ka5BCY" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali88a282b6db3 -m comment --comment "cali:kSHqnqNU17WJBHmK" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali88a282b6db3 -m comment --comment "cali:W1kd_HfB_EyoruYI" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-cali88a282b6db3 -m comment --comment "cali:8s0FwOSZBkesOoXi" -j cali-pri-kns.kube-system
-A cali-tw-cali88a282b6db3 -m comment --comment "cali:7MOdH9J8ozq_vqaQ" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali88a282b6db3 -m comment --comment "cali:Ks0IrNtPNb6pNp3x" -j cali-pri-_u2Tn2rSoAPffvE7JO6
-A cali-tw-cali88a282b6db3 -m comment --comment "cali:1kwiVFI5PFS8_SMc" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali88a282b6db3 -m comment --comment "cali:qEF90G1nDKRcMlSa" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
-A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Sat Oct 18 07:38:55 2025
# Generated by iptables-save v1.8.7 on Sat Oct 18 07:38:55 2025
*mangle
:PREROUTING ACCEPT [82377:4948220]
:INPUT ACCEPT [2929342:717668429]
:FORWARD ACCEPT [6:2921]
:OUTPUT ACCEPT [2936162:618079865]
:POSTROUTING ACCEPT [2936041:618074643]
:KUBE-IPTABLES-HINT - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
-A cali-POSTROUTING -m comment --comment "cali:NX-7roTexQ3fGRfU" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-POSTROUTING -m comment --comment "cali:qaajsWArU1ku9saf" -m mark ! --mark 0x0/0xfff00000 -j RETURN
-A cali-POSTROUTING -m comment --comment "cali:N2faOPfc4DVQAfQj" -j MARK --set-xmark 0x0/0xf0000
-A cali-POSTROUTING -m comment --comment "cali:IR1ghU6yHNWsaaJF" -m conntrack --ctstate DNAT -j cali-to-host-endpoint
-A cali-POSTROUTING -m comment --comment "cali:fcjhvOBNywbfCkS2" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:KX7AGNd6rMcDUai6" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:wNH7KsA3ILKJBsY9" -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:Cg96MgVuoPm7UMRo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Sat Oct 18 07:38:55 2025
# Generated by iptables-save v1.8.7 on Sat Oct 18 07:38:55 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [76:4576]
:POSTROUTING ACCEPT [76:4576]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-LOAD-BALANCER - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODE-PORT - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SERVICES - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A KUBE-LOAD-BALANCER -j KUBE-MARK-MASQ
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-POSTROUTING -m comment --comment "Kubernetes endpoints dst ip:port, source ip for solving hairpin purpose" -m set --match-set KUBE-LOOP-BACK dst,dst,src -j MASQUERADE
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully
-A KUBE-SERVICES -s 127.0.0.0/8 -j RETURN
-A KUBE-SERVICES ! -s 10.233.64.0/18 -m comment --comment "Kubernetes service cluster ip + port for masquerade purpose" -m set --match-set KUBE-CLUSTER-IP dst,dst -j KUBE-MARK-MASQ
-A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODE-PORT
-A KUBE-SERVICES -m set --match-set KUBE-CLUSTER-IP dst,dst -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
-A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
-A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
-A cali-POSTROUTING -o tunl0 -m comment --comment "cali:SXWvdsbh4Mw7wOln" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE --random-fully
-A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
-A cali-nat-outgoing -m comment --comment "cali:flqWnvo8yq4ULQLa" -m set --match-set cali40masq-ipam-pools src -m set ! --match-set cali40all-ipam-pools dst -j MASQUERADE --random-fully
COMMIT
# Completed on Sat Oct 18 07:38:55 2025
root@u22:~#
root@u22:~# iptables-save | wc -l
295
root@u22:~# iptables-save | grep calico | wc -l
2
root@u22:~# iptables-save | grep cali | wc -l
205
root@u22:~#
1. CRD 数据配置一览
CRD
root@u22:~# k get crd -A -o wide | grep cali
bgpconfigurations.crd.projectcalico.org 2025-10-18T01:30:29Z
bgpfilters.crd.projectcalico.org 2025-10-18T01:30:29Z
bgppeers.crd.projectcalico.org 2025-10-18T01:30:29Z
blockaffinities.crd.projectcalico.org 2025-10-18T01:30:29Z
caliconodestatuses.crd.projectcalico.org 2025-10-18T01:30:29Z
clusterinformations.crd.projectcalico.org 2025-10-18T01:30:29Z
felixconfigurations.crd.projectcalico.org 2025-10-18T01:30:29Z
globalnetworkpolicies.crd.projectcalico.org 2025-10-18T01:30:29Z
globalnetworksets.crd.projectcalico.org 2025-10-18T01:30:29Z
hostendpoints.crd.projectcalico.org 2025-10-18T01:30:29Z
ipamblocks.crd.projectcalico.org 2025-10-18T01:30:29Z
ipamconfigs.crd.projectcalico.org 2025-10-18T01:30:29Z
ipamhandles.crd.projectcalico.org 2025-10-18T01:30:29Z
ippools.crd.projectcalico.org 2025-10-18T01:30:29Z
ipreservations.crd.projectcalico.org 2025-10-18T01:30:29Z
kubecontrollersconfigurations.crd.projectcalico.org 2025-10-18T01:30:29Z
networkpolicies.crd.projectcalico.org 2025-10-18T01:30:30Z
networksets.crd.projectcalico.org 2025-10-18T01:30:30Z
具体 CRD 应用详情
blockaffinities 子网分配
root@u22:~# kubectl get blockaffinities -A -o wide
NAME AGE
u22-10-233-102-0-24 6h35m
# 为 node 上的 pod 分配地址段
root@u22:~# kubectl get blockaffinities u22-10-233-102-0-24 -o yaml
apiVersion: crd.projectcalico.org/v1
kind: BlockAffinity
metadata:
annotations:
projectcalico.org/metadata: '{"creationTimestamp":null}'
creationTimestamp: "2025-10-18T01:30:37Z"
generation: 2
name: u22-10-233-102-0-24
resourceVersion: "554"
uid: baf3ec6d-751b-497a-9671-d2a6166f32f4
spec:
cidr: 10.233.102.0/24
deleted: "false"
node: u22
state: confirmed
clusterinformations 集群信息
root@u22:~# kubectl get clusterinformations -A -o wide
NAME AGE
default 6h39m
root@u22:~# kubectl get clusterinformations default -o yaml
apiVersion: crd.projectcalico.org/v1
kind: ClusterInformation
metadata:
annotations:
projectcalico.org/metadata: '{"uid":"a50f3373-8e19-48a0-967d-ecb45f355eeb","creationTimestamp":"2025-10-18T01:30:37Z"}'
creationTimestamp: "2025-10-18T01:30:37Z"
generation: 1
name: default
resourceVersion: "547"
uid: 4e958562-4d71-40e8-a951-1a4b15a971c5
spec:
calicoVersion: v3.27.4
clusterGUID: e9932f80d13f4783b1abddd5c3786106
clusterType: k8s,bgp,kubeadm,kdd
datastoreReady: true
- datastoreReady: true:Calico 的数据存储已就绪。Calico 需要存储网络策略、路由规则等配置,此处表示存储(通常是 Kubernetes API 或 etcd)可用。
- clusterType: k8s,bgp,kubeadm,kdd(重点):该字段是 Calico 记录的集群关键特征集合,由多个关键词组成,分别表示:
  - k8s:表明当前集群是 Kubernetes 集群,Calico 作为 Kubernetes 的网络插件运行(适配 K8s 的 Pod 网络模型)。
  - bgp:表示 Calico 使用 BGP 协议实现网络路由。BGP(边界网关协议)是一种动态路由协议,Calico 通过 BGP 在集群节点间交换 Pod 网段路由信息,实现 Pod 跨节点通信(Calico 的 “BGP 模式”,区别于 IPIP/VXLAN 等 overlay 模式)。需要注意的是,本集群的 IPPool 同时配置了 ipipMode: Always:BGP 负责分发路由,IPIP 负责封装跨节点流量,两者并不互斥。
  - kubeadm:说明当前 Kubernetes 集群是通过 kubeadm 工具部署的。kubeadm 是 Kubernetes 官方的集群部署工具(用于初始化控制平面、加入节点等),Calico 会适配 kubeadm 部署的集群配置(如默认网段、证书路径等)。
  - kdd:即 Kubernetes Data Store(Kubernetes 数据存储),表示 Calico 使用 Kubernetes API 作为自身的数据存储(而非独立的 etcd)。Calico 的配置(如网络策略、BGP 对等体等)会以 Kubernetes 自定义资源(CR)的形式存储在 K8s API 服务器中,简化部署和维护。
felixconfigurations
root@u22:~# k get felixconfigurations -A
NAME AGE
default 6h49m
root@u22:~#
root@u22:~# k get felixconfigurations default -o yaml
apiVersion: crd.projectcalico.org/v1
kind: FelixConfiguration
metadata:
annotations:
projectcalico.org/metadata: '{"uid":"513fb5c0-e7a7-41c2-903d-4924995779a9","creationTimestamp":"2025-10-18T01:30:37Z"}'
creationTimestamp: "2025-10-18T01:30:37Z"
generation: 1
name: default
resourceVersion: "548"
uid: 788adb33-a721-4f3a-a428-6a0387643f52
spec:
bpfConnectTimeLoadBalancing: TCP
bpfHostNetworkedNATWithoutCTLB: Enabled
bpfLogLevel: ""
floatingIPs: Disabled
logSeverityScreen: Info
reportingInterval: 0s
- bpfConnectTimeLoadBalancing: TCP:启用基于 BPF 的 “连接建立时负载均衡”,且仅针对 TCP 协议。该功能在连接创建时通过 BPF 程序分发流量,提升负载均衡效率。
- bpfHostNetworkedNATWithoutCTLB: Enabled:启用针对 “主机网络命名空间(hostNetwork)” 的 NAT 功能,且不依赖 “连接跟踪负载均衡(CTLB)”。适用于主机网络的 Pod 需要访问集群内服务时的 NAT 场景。
- bpfLogLevel: "":BPF 相关日志级别未特别配置,使用 Felix 默认值(通常为 info 或更低,避免日志过多)。
- floatingIPs: Disabled:禁用 “浮动 IP” 功能。浮动 IP 是 Calico 的一种机制,允许一个 IP 关联到多个工作负载(类似 VIP),此处未启用。
注意:上述 bpf* 参数只在启用 eBPF 数据平面时才生效。本集群从前文 iptables-save 输出中大量的 cali-* 链可以看出使用的是 iptables 数据平面,因此这些 BPF 参数当前并未实际起作用,排查流量问题时应以 iptables 规则为准。
ipamblocks ipam 的分配状态
root@u22:~# k get ipamblocks -A
NAME AGE
10-233-102-0-24 6h54m
root@u22:~#
root@u22:~#
root@u22:~# k get ipamblocks 10-233-102-0-24 -o yaml
apiVersion: crd.projectcalico.org/v1
kind: IPAMBlock
metadata:
annotations:
projectcalico.org/metadata: '{"creationTimestamp":null}'
creationTimestamp: "2025-10-18T01:30:37Z"
generation: 5
name: 10-233-102-0-24
resourceVersion: "619"
uid: cb737992-b9f0-4f5f-8886-0fb4a81a396d
spec:
affinity: host:u22
allocations:
- 0
- 1
- 2
- 3
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
- null
attributes:
- handle_id: ipip-tunnel-addr-u22
secondary:
node: u22
type: ipipTunnelAddress
- handle_id: k8s-pod-network.3ca847d4a3a9ffce9ae60265e437e2e65f6042fb25397355cf1f2b0b9d87e295
secondary:
namespace: kube-system
node: u22
pod: coredns-5bdf9456bc-7mhwg
timestamp: 2025-10-18 01:30:50.741401997 +0000 UTC
- handle_id: k8s-pod-network.b86b381ec3bf3e83919ddc234d3a1c305ed48ab60638e55dc4e6a0d011108761
secondary:
namespace: kube-system
node: u22
pod: calico-kube-controllers-678fc69664-69bg8
timestamp: 2025-10-18 01:30:50.778908053 +0000 UTC
- handle_id: k8s-pod-network.daf60b672667dd0b4fd721a5acf189f521f83d83d10186a87e7138793c5d83fd
secondary:
namespace: kube-system
node: u22
pod: coredns-5bdf9456bc-c9lmm
timestamp: 2025-10-18 01:30:51.703393559 +0000 UTC
cidr: 10.233.102.0/24
deleted: false
sequenceNumber: 1760751037979994803
sequenceNumberForAllocation:
"0": 1760751037979994799
"1": 1760751037979994800
"2": 1760751037979994801
"3": 1760751037979994802
strictAffinity: false
unallocated:
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
root@u22:~#
ipamconfig
root@u22:~# k get ipamconfigs -A
NAME AGE
default 6h56m
root@u22:~#
root@u22:~#
root@u22:~# k get ipamconfigs default -o yaml
apiVersion: crd.projectcalico.org/v1
kind: IPAMConfig
metadata:
annotations:
projectcalico.org/metadata: '{"creationTimestamp":null}'
creationTimestamp: "2025-10-18T01:30:37Z"
generation: 1
name: default
resourceVersion: "551"
uid: 933b9dff-239e-4765-addf-396f29c9096d
spec:
autoAllocateBlocks: true
strictAffinity: false
root@u22:~#
- **autoAllocateBlocks: true**:表示 Calico 会自动为节点分配 IP 地址块(IPAM Blocks),无需手动创建。这是默认且推荐的配置,能自动管理集群的 IP 地址空间,避免手动分配的繁琐。
- **strictAffinity: false**:表示关闭 “严格亲和性”。当此参数为 false 时,即使某个节点曾使用过某 IP 地址块,其他节点也可能被分配该块中的 IP 地址,从而提高 IP 地址的利用率。若设为 true,则 IP 地址块会严格绑定到首次使用它的节点,其他节点无法使用该块的 IP(适合对节点 IP 分配有严格固定需求的场景)。
地址块和 node 的对应关系可以不是严格绑定的
ipamhandles
root@u22:~# k get ipamhandles -A -o wide
NAME AGE
ipip-tunnel-addr-u22 6h58m
k8s-pod-network.3ca847d4a3a9ffce9ae60265e437e2e65f6042fb25397355cf1f2b0b9d87e295 6h58m
k8s-pod-network.b86b381ec3bf3e83919ddc234d3a1c305ed48ab60638e55dc4e6a0d011108761 6h58m
k8s-pod-network.daf60b672667dd0b4fd721a5acf189f521f83d83d10186a87e7138793c5d83fd 6h58m
root@u22:~#
root@u22:~#
root@u22:~# k get ipamhandles ipip-tunnel-addr-u22 -o yaml
apiVersion: crd.projectcalico.org/v1
kind: IPAMHandle
metadata:
annotations:
projectcalico.org/metadata: '{"creationTimestamp":null}'
creationTimestamp: "2025-10-18T01:30:37Z"
generation: 1
name: ipip-tunnel-addr-u22
resourceVersion: "555"
uid: 104192b1-d62a-4d97-b848-f2e3b20c2b06
spec:
block:
10.233.102.0/24: 1
deleted: false
handleID: ipip-tunnel-addr-u22
root@u22:~# k get ipamhandles k8s-pod-network.3ca847d4a3a9ffce9ae60265e437e2e65f6042fb25397355cf1f2b0b9d87e295 -o yaml
apiVersion: crd.projectcalico.org/v1
kind: IPAMHandle
metadata:
annotations:
projectcalico.org/metadata: '{"creationTimestamp":null}'
creationTimestamp: "2025-10-18T01:30:50Z"
generation: 1
name: k8s-pod-network.3ca847d4a3a9ffce9ae60265e437e2e65f6042fb25397355cf1f2b0b9d87e295
resourceVersion: "588"
uid: 6b2022a3-d8f2-4098-8e26-072eba6c10c7
spec:
block:
10.233.102.0/24: 1
deleted: false
handleID: k8s-pod-network.3ca847d4a3a9ffce9ae60265e437e2e65f6042fb25397355cf1f2b0b9d87e295
root@u22:~# k get ipamhandles k8s-pod-network.b86b381ec3bf3e83919ddc234d3a1c305ed48ab60638e55dc4e6a0d011108761 -o yaml
apiVersion: crd.projectcalico.org/v1
kind: IPAMHandle
metadata:
annotations:
projectcalico.org/metadata: '{"creationTimestamp":null}'
creationTimestamp: "2025-10-18T01:30:50Z"
generation: 1
name: k8s-pod-network.b86b381ec3bf3e83919ddc234d3a1c305ed48ab60638e55dc4e6a0d011108761
resourceVersion: "593"
uid: 991fad06-b22e-4aee-b345-77084b7540e7
spec:
block:
10.233.102.0/24: 1
deleted: false
handleID: k8s-pod-network.b86b381ec3bf3e83919ddc234d3a1c305ed48ab60638e55dc4e6a0d011108761
root@u22:~# k get ipamhandles k8s-pod-network.daf60b672667dd0b4fd721a5acf189f521f83d83d10186a87e7138793c5d83fd -o yaml
apiVersion: crd.projectcalico.org/v1
kind: IPAMHandle
metadata:
annotations:
projectcalico.org/metadata: '{"creationTimestamp":null}'
creationTimestamp: "2025-10-18T01:30:51Z"
generation: 1
name: k8s-pod-network.daf60b672667dd0b4fd721a5acf189f521f83d83d10186a87e7138793c5d83fd
resourceVersion: "618"
uid: e871a189-ed71-43bf-b24b-53fe1719f13b
spec:
block:
10.233.102.0/24: 1
deleted: false
handleID: k8s-pod-network.daf60b672667dd0b4fd721a5acf189f521f83d83d10186a87e7138793c5d83fd
root@u22:~#
- 作用:记录节点 u22 的 IPIP 隧道接口占用了 10.233.102.0/24 中的 1 个 IP 地址(用于节点间隧道通信)。
- 作用:这 3 个 IPAMHandle 分别对应 3 个 Pod(或 Pod 网络接口),记录它们各自占用了 10.233.102.0/24 中的 1 个 IP 地址(即这些 Pod 的 IP 都来自该网段)。
关键信息总结
- 共享 IP 地址块:所有 IPAMHandle 均关联 10.233.102.0/24,说明当前节点 u22 的 IPIP 隧道接口和运行在该节点上的 3 个 Pod 共享同一个 IP 地址块(该块由 Calico 的 IPAMConfig 自动分配,见之前的配置)。
- 资源状态:所有 IPAMHandle 均为 deleted: false,表明对应的网络资源(隧道接口、Pod)均处于活跃状态,IP 地址正在被使用。
- IP 占用量:每个 IPAMHandle 在 10.233.102.0/24 中占用 1 个 IP,共占用 4 个 IP(1 个隧道 IP + 3 个 Pod IP),与前文 IPAMBlock 中 allocations 的 0~3 四个已分配下标一致。
这些信息反映了 Calico 对节点隧道和 Pod IP 的精细化管理,确保 IP 地址分配可追溯、不冲突,是集群网络正常运行的重要保障。
ippools
root@u22:~# k get ippools -A -o wide
NAME AGE
default-ipv4-ippool 7h7m
root@u22:~# k get ippools default-ipv4-ippool -o yaml
apiVersion: crd.projectcalico.org/v1
kind: IPPool
metadata:
annotations:
projectcalico.org/metadata: '{"uid":"20b9620c-ac2d-46d7-be98-401db36c030d","creationTimestamp":"2025-10-18T01:30:37Z"}'
creationTimestamp: "2025-10-18T01:30:37Z"
generation: 1
name: default-ipv4-ippool
resourceVersion: "546"
uid: d69926d6-ce1a-4cfc-a23b-84f2fd0b0c8c
spec:
allowedUses:
- Workload
- Tunnel
blockSize: 24
cidr: 10.233.64.0/18
ipipMode: Always
natOutgoing: true
nodeSelector: all()
vxlanMode: Never
root@u22:~#
- **allowedUses: [Workload, Tunnel]**:明确该地址池的 IP 可分配给两种资源:Workload,即 Kubernetes 的 Pod(之前看到的 k8s-pod-network.xxx 对应的 Pod IP 就来自这里);Tunnel,即节点间通信的隧道接口(如 ipip-tunnel-addr-u22 对应的 IPIP 隧道 IP)。这解释了为什么之前的 IPAMHandle 都关联到该地址池衍生的 IP 块(10.233.102.0/24 属于 10.233.64.0/18 的子范围)。
- **blockSize: 24**:定义 Calico 分配给节点的 IP 地址块大小为 /24(即每个块包含 256 个 IP,扣除网络地址、广播地址等,实际可用约 254 个)。之前看到的 10.233.102.0/24 就是这样的块(从 10.233.64.0/18 中划分出来),节点 u22 当前使用的正是这个块。
- **cidr: 10.233.64.0/18**:地址池的总 IP 范围,/18 子网掩码对应的范围是 10.233.64.0 - 10.233.127.255,共包含 2^(32-18) = 16384 个 IP 地址,足够中小型集群使用(支持大量 Pod 和隧道接口)。
- **ipipMode: Always**:启用 IPIP 隧道模式,且为 “强制启用”:Calico 会在节点间建立 IPIP 隧道(一种将 IP 数据包封装在另一个 IP 数据包中的技术),用于跨节点 Pod 通信。这与之前的 ipip-tunnel-addr-u22(节点 u22 的 IPIP 隧道地址)对应,隧道接口的 IP 正是从该地址池分配的。
- **natOutgoing: true**:开启 “出站 NAT”:当 Pod 访问集群外部网络(如公网或集群外的服务器)时,Calico 会自动将 Pod 的源 IP 转换为节点的物理网卡 IP,确保外部网络能正确回包(否则外部无法识别 Pod 的私有 IP)。这是集群访问外部网络的常见必要配置。对应的实现就是前文 iptables-save 中 cali-nat-outgoing 链的 MASQUERADE 规则(源地址属于 IPAM 池、目的地址不属于 IPAM 池时做伪装)。这也意味着集群外部的防火墙或审计日志只能看到节点 IP,若要追溯到具体 Pod,需要结合节点侧的连接跟踪或流量日志。
- **nodeSelector: all()**:节点选择器为 all(),表示集群中所有节点都可以使用该地址池的 IP 资源(无节点限制)。如果需要为特定节点分配不同地址池,可通过修改此参数(如 nodeSelector: kubernetes.io/hostname=node1)实现。
- **vxlanMode: Never**:关闭 VXLAN 隧道模式:Calico 支持 IPIP 和 VXLAN 两种隧道技术,此处配置为仅使用 IPIP(ipipMode: Always),不使用 VXLAN。
Calico 默认不支持同时启用 IPIP 和 VXLAN 两种隧道模式,同一集群中通常只能选择一种模式用于节点间的 Pod 通信。
1. 为什么不能同时使用?
核心原因是两种隧道技术的封装逻辑和转发路径冲突,同时启用会导致网络通信异常:
- 封装冲突:IPIP 是将 Pod 的 IP 数据包封装在节点的 IP 数据包中(IP-in-IP),而 VXLAN 是将 Pod 的 IP 数据包封装在 UDP 数据包中(基于 L2 虚拟网络)。两种模式同时启用会让节点无法确定数据包的封装方式,可能出现 “双重封装” 或 “封装失败”,导致流量丢失。
- 路由混乱:Calico 的路由规则是基于单一隧道模式配置的(比如仅为 IPIP 或仅为 VXLAN 生成路由)。若同时启用,节点会收到两种不同隧道的路由信息,无法判断优先转发哪种,最终导致跨节点 Pod 通信中断。
2. 如何选择:IPIP 还是 VXLAN?
实际使用中需根据集群的网络环境和性能需求二选一,两者的核心差异如下:
| 对比维度 | IPIP 模式 | VXLAN 模式 |
|---|---|---|
| 兼容性 | 更好,支持跨三层网络(如不同子网的节点),无需交换机支持 | 较差,依赖 L2 网络或支持 VXLAN 的交换机(需配置 VTEP) |
| 性能 | 略低,仅一次 IP 封装,开销较小但转发效率不如 VXLAN | 更高,基于 UDP 封装,减少路由表条目,适合大规模集群 |
| 适用场景 | 小规模集群、跨三层网络部署(如节点分布在不同机房) | 大规模集群(如数百个节点)、同 L2 网络内部署 |
kubecontrollersconfigurations k8s 控制面配置
root@u22:~# k get kubecontrollersconfigurations -A
NAME AGE
default 7h12m
root@u22:~# k get kubecontrollersconfigurations default -o yaml
apiVersion: crd.projectcalico.org/v1
kind: KubeControllersConfiguration
metadata:
annotations:
projectcalico.org/metadata: '{"uid":"c1ae426a-c9f3-450a-b892-b022bcc4722c","creationTimestamp":"2025-10-18T01:30:51Z"}'
creationTimestamp: "2025-10-18T01:30:51Z"
generation: 2
name: default
resourceVersion: "601"
uid: c1ae426a-c9f3-450a-b892-b022bcc4722c
spec:
controllers:
namespace:
reconcilerPeriod: 5m0s
node:
leakGracePeriod: 15m0s
reconcilerPeriod: 5m0s
syncLabels: Enabled
policy:
reconcilerPeriod: 5m0s
serviceAccount:
reconcilerPeriod: 5m0s
workloadEndpoint:
reconcilerPeriod: 5m0s
etcdV3CompactionPeriod: 10m0s
healthChecks: Enabled
logSeverityScreen: Info
prometheusMetricsPort: 9094
status:
environmentVars:
DATASTORE_TYPE: kubernetes
ENABLED_CONTROLLERS: node
runningConfig:
controllers:
node:
hostEndpoint:
autoCreate: Disabled
leakGracePeriod: 15m0s
syncLabels: Disabled
etcdV3CompactionPeriod: 10m0s
healthChecks: Enabled
logSeverityScreen: Info
spec定义了期望的控制器配置,主要包括:
- 控制器调和周期(reconcilerPeriod):namespace、node、policy、serviceAccount、workloadEndpoint 等控制器的调和周期均为 5m0s(5 分钟),即控制器每 5 分钟检查一次资源状态并修复偏差。
- 节点控制器(node)特殊配置:leakGracePeriod: 15m0s,节点 “泄漏”(如节点故障后未正常删除)的 grace 周期为 15 分钟,超过此时长后控制器会清理相关残留资源;syncLabels: Enabled,期望启用节点标签同步(即 Calico 节点资源与 Kubernetes 节点标签同步)。注意 status.runningConfig 中 syncLabels 显示为 Disabled,与 spec 中的期望值不一致,说明实际运行配置并未完全应用 spec,排查时应以 runningConfig 为准。
- 其他全局配置:etcdV3CompactionPeriod: 10m0s,etcd V3 数据的压缩周期(虽然这里数据存储是 K8s,但仍保留该配置);healthChecks: Enabled,启用健康检查;logSeverityScreen: Info,日志级别为 Info;prometheusMetricsPort: 9094,Prometheus 指标暴露端口为 9094。