ゼロからはじめる実践 Kubernetes セキュリティ(5) コンテナ技術の基礎（3）namespaceとcgroupで下から見るKubernetes

ネットワークを確認する

ネットワークについても確認してみます。5つのnamespaceとnamespaceにひもづくvethが作られていることが分かります。

id	namespace	veth	route
0	cni-6f11b87d-1a2b-e95b-0c4d-8b57d4aaf822	azveb78922e0be@if3	10.240.0.120
1	cni-27dd6491-b667-2f36-a5ab-8cb404276547	azvdeb7c0733b9@if19	10.240.0.185
2	cni-3e8372c7-7b9c-1325-f3bc-60d4443e2811	azv6bf1c5f71ac@if29	10.240.0.200
5	cni-2ff38e97-62c6-90c9-5f23-2525ff3c9292	azv19d57a972e9@if25	10.240.0.122
7	cni-27dd6491-b667-2f36-a5ab-8cb404276547	azv233e3487410@if17	10.240.0.192


# nsenter --target 1 --all bash
# ip netns list
cni-a78e763e-11b1-03c0-889b-ccf6e2290d92 (id: 2)
cni-2ff38e97-62c6-90c9-5f23-2525ff3c9292 (id: 5)
cni-3e8372c7-7b9c-1325-f3bc-60d4443e2811 (id: 1)
cni-27dd6491-b667-2f36-a5ab-8cb404276547 (id: 7)
cni-6f11b87d-1a2b-e95b-0c4d-8b57d4aaf822 (id: 0)

# ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0:  mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:22:48:68:f4:bd brd ff:ff:ff:ff:ff:ff
4: azveb78922e0be@if3:  mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 2a:c6:90:c3:66:b3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
18: azv233e3487410@if17:  mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 66:d8:33:ab:3a:6f brd ff:ff:ff:ff:ff:ff link-netnsid 7
20: azvdeb7c0733b9@if19:  mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 6e:18:fd:7a:63:6d brd ff:ff:ff:ff:ff:ff link-netnsid 1
26: azv19d57a972e9@if25:  mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 92:de:0e:c5:07:41 brd ff:ff:ff:ff:ff:ff link-netnsid 5
30: azv6bf1c5f71ac@if29:  mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 5a:37:35:af:83:e6 brd ff:ff:ff:ff:ff:ff link-netnsid 2

# ip -d link show azv6bf1c5f71ac
30: azv6bf1c5f71ac@if29:  mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 5a:37:35:af:83:e6 brd ff:ff:ff:ff:ff:ff link-netnsid 2 promiscuity 0
    veth addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

# ip route
default via 10.240.0.1 dev eth0 proto dhcp src 10.240.0.115 metric 100
10.240.0.0/16 dev eth0 proto kernel scope link src 10.240.0.115
10.240.0.120 dev azveb78922e0be proto static
10.240.0.122 dev azv19d57a972e9 proto static
10.240.0.185 dev azvdeb7c0733b9 proto static
10.240.0.192 dev azv233e3487410 proto static
10.240.0.200 dev azv6bf1c5f71ac proto static
168.63.129.16 via 10.240.0.1 dev eth0 proto dhcp src 10.240.0.115 metric 100
169.254.169.254 via 10.240.0.1 dev eth0 proto dhcp src 10.240.0.115 metric 100

nginxのPIDに割り当てられているnamespaceを確認してみます。


ip netns identify 14611

cni-a78e763e-11b1-03c0-889b-ccf6e2290d92

今度は、cni-a78e763e-11b1-03c0-889b-ccf6e2290d92にひもづくPIDを確認してみます。


ip netns pids cni-a78e763e-11b1-03c0-889b-ccf6e2290d92

14509 ★pauseコンテナ
14611 ★nginxのMaster
14656 ★nginxのWorker

cni-a78e763e-11b1-03c0-889b-ccf6e2290d92の中でip addressを実行すると、10.240.0.200/16のeth0@if30がでてきます。これはnginxのPodに割り当てられているIPアドレスと同じものになっているのが分かります。


ip netns exec cni-a78e763e-11b1-03c0-889b-ccf6e2290d92 ip address

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       validlft forever preferredlft forever
    inet6 ::1/128 scope host
       validlft forever preferredlft forever
29: eth0@if30:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 86:0d:b8:e5:96:1e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.240.0.200/16 scope global eth0
       validlft forever preferredlft forever
    inet6 fe80::840d:b8ff:fee5:961e/64 scope link
       validlft forever preferredlft forever