
kube-proxy on GKE

Component YAML

A kube-proxy is deployed as a DaemonSet:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  annotations:
    deprecated.daemonset.template.generation: "1"
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    k8s-app: kube-proxy
  name: kube-proxy
  namespace: kube-system
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kube-proxy
  template:
    metadata:
      labels:
        k8s-app: kube-proxy
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - kube-proxy --cluster-cidr=10.44.0.0/14 --oom-score-adj=-998 --v=2 --feature-gates=UnauthenticatedHTTP2DOSMitigation=true,KMSv1=true,WatchCacheInitializationPostStartHook=true
          --iptables-sync-period=1m --iptables-min-sync-period=10s --ipvs-sync-period=1m
          --ipvs-min-sync-period=10s --detect-local-mode=NodeCIDR 1>>/var/log/kube-proxy.log
          2>&1
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: 10.142.0.7
        image: us-east1-artifactregistry.gcr.io/gke-release/gke-release/kube-proxy-amd64:v1.34.0-gke.1662000
        imagePullPolicy: IfNotPresent
        name: kube-proxy
        resources:
          requests:
            cpu: 100m
        securityContext:
          privileged: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/log
          name: varlog
        - mountPath: /run/xtables.lock
          name: xtables-lock
        - mountPath: /lib/modules
          name: lib-modules
          readOnly: true
      dnsPolicy: ClusterFirst
      hostNetwork: true
      nodeSelector:
        kubernetes.io/os: linux
        node.kubernetes.io/kube-proxy-ds-ready: "true"
      priorityClassName: system-node-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      serviceAccount: kube-proxy
      serviceAccountName: kube-proxy
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoExecute
        operator: Exists
      - effect: NoSchedule
        operator: Exists
      - key: components.gke.io/gke-managed-components
        operator: Exists
      volumes:
      - hostPath:
          path: /var/log
          type: ""
        name: varlog
      - hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
        name: xtables-lock
      - hostPath:
          path: /lib/modules
          type: ""
        name: lib-modules
  updateStrategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 10%
    type: RollingUpdate

However, its nodeSelector requires the node.kubernetes.io/kube-proxy-ds-ready: "true" label, so by default the DaemonSet does not place Pods on the nodes. A kube-proxy Pod still starts on each node, but it does not come from this DaemonSet; it is deployed as a static pod instead:

/etc/kubernetes/manifests/kube-proxy.manifest
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/config.hash: 3a2c77f7e2c9fa3a03323fe214e8ddd0
    kubernetes.io/config.mirror: 3a2c77f7e2c9fa3a03323fe214e8ddd0
    kubernetes.io/config.seen: "2025-09-23T07:49:22.570407571Z"
    kubernetes.io/config.source: file
  labels:
    component: kube-proxy
    tier: node
  name: kube-proxy-gke-gke-test-default-pool-e5de334e-i8hi
  namespace: kube-system
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/autopilot-managed-node
            operator: DoesNotExist
  containers:
  - command:
    - /bin/sh
    - -c
    - exec kube-proxy --master=https://10.142.0.7 --kubeconfig=/var/lib/kube-proxy/kubeconfig
      --cluster-cidr=10.44.0.0/14 --oom-score-adj=-998 --v=2 --feature-gates=RotateKubeletServerCertificate=true,ExecProbeTimeout=false
      --iptables-sync-period=1m --iptables-min-sync-period=10s --ipvs-sync-period=1m
      --ipvs-min-sync-period=10s --detect-local-mode=NodeCIDR 1>>/var/log/kube-proxy.log
      2>&1
    image: us-east1-artifactregistry.gcr.io/gke-release/gke-release/kube-proxy-amd64:v1.34.0-gke.1662000
    name: kube-proxy
    resources:
      requests:
        cpu: 100m
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: etc-ssl-certs
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-ca-certs
      readOnly: true
    - mountPath: /var/log
      name: varlog
    - mountPath: /var/lib/kube-proxy/kubeconfig
      name: kubeconfig
    - mountPath: /run/xtables.lock
      name: iptableslock
    - mountPath: /lib/modules
      name: lib-modules
      readOnly: true
  hostNetwork: true
  preemptionPolicy: PreemptLowerPriority
  priority: 2000001000
  priorityClassName: system-node-critical
  tolerations:
  - effect: NoExecute
    operator: Exists
  - effect: NoSchedule
    operator: Exists
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
    name: usr-ca-certs
  - hostPath:
      path: /etc/ssl/certs
    name: etc-ssl-certs
  - hostPath:
      path: /var/lib/kube-proxy/kubeconfig
      type: FileOrCreate
    name: kubeconfig
  - hostPath:
      path: /var/log
    name: varlog
  - hostPath:
      path: /run/xtables.lock
      type: FileOrCreate
    name: iptableslock
  - hostPath:
      path: /lib/modules
    name: lib-modules

Forwarding mode

As the YAML shows, no mode is set (there is no --proxy-mode flag) and no config file is mounted (no --config), so kube-proxy runs in its default mode, which is iptables.
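To make that reasoning checkable on any node, here is an added Python example (not from the original page, GKE or kube-proxy itself) that takes the container `command` list from the static pod manifest above, unwraps the sh -c wrapper, parses the kube-proxy flags and feature gates, and resolves the effective mode in the order kube-proxy applies: --config first (the file's `mode` field, passed in as the assumed `config_mode` argument), then --proxy-mode, otherwise the Linux default iptables. The constant, function names and `config_mode` parameter are the example's own.

```python
import shlex
# Constructed from the static-pod manifest above: the same sh -c wrapper and flags.
STATIC_POD_COMMAND = [
    "/bin/sh", "-c",
    "exec kube-proxy --master=https://10.142.0.7 --kubeconfig=/var/lib/kube-proxy/kubeconfig "
    "--cluster-cidr=10.44.0.0/14 --oom-score-adj=-998 --v=2 "
    "--feature-gates=RotateKubeletServerCertificate=true,ExecProbeTimeout=false "
    "--iptables-sync-period=1m --iptables-min-sync-period=10s --ipvs-sync-period=1m "
    "--ipvs-min-sync-period=10s --detect-local-mode=NodeCIDR 1>>/var/log/kube-proxy.log 2>&1",
]

def parse_kube_proxy_flags(command):
    """Return {flag: value} for the kube-proxy invocation in a container `command` list:
    unwraps the sh -c/exec form, skips redirections, accepts --k=v and --k v (bare -> "true")."""
    argv = list(command)
    if len(argv) >= 3 and argv[0].endswith("sh") and argv[1] == "-c":
        argv = shlex.split(argv[2])
    if argv and argv[0] == "exec":
        argv = argv[1:]
    if not argv or not argv[0].endswith("kube-proxy"):
        raise ValueError("not a kube-proxy command line")
    flags, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):  # e.g. 1>>/var/log/kube-proxy.log or 2>&1
            i += 1
            continue
        if "=" in tok:
            name, value = tok[2:].split("=", 1)
        elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            name, value = tok[2:], argv[i + 1]
            i += 1
        else:
            name, value = tok[2:], "true"
        flags[name] = value
        i += 1
    return flags

def feature_gates(flags):
    """Split --feature-gates=A=true,B=false into {"A": True, "B": False}."""
    pairs = (item.split("=", 1) for item in flags.get("feature-gates", "").split(",") if item)
    return {name: value.lower() == "true" for name, value in pairs}

def effective_proxy_mode(flags, config_mode=None):
    """Mode kube-proxy will use: with --config the CLI flags are ignored and `config_mode`
    (the file's `mode` field, "" if unset) decides; else --proxy-mode; unset means iptables."""
    if "config" in flags:
        return config_mode or "iptables"
    return flags.get("proxy-mode") or "iptables"
```

Run it against the manifest's command and it reports iptables for this node; a --config flag means the answer must be read from the mounted file, not the command line.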

Node iptables version

$ iptables --version
iptables v1.8.10 (nf_tables)