1.CNI介紹
一直以來,kubernetes 并沒有專門的網絡子產品負責網絡配置,它需要使用者在主機上已經配置好網絡。
kubernetes 對網絡的要求是:
- 容器之間(包括同一台主機上的容器,和不同主機的容器)可以互相通信
- 容器和叢集中所有的節點也能直接通信
kubernetes 網絡的發展方向是希望通過插件的方式來內建不同的網絡方案, CNI 就是這一努力的結果。CNI隻專注解決容器網絡連接配接和容器銷毀時的資源釋放,提供一套架構,是以CNI可以支援大量不同的網絡模式,并且容易實作。
2.網絡建立步驟
在Kubernetes建立Pod後CNI提供網絡的過程主要分三個步驟:
- Kubelet runtime建立network namespace
- Kubelete觸發CNI插件,指定網絡類型(網絡類型決定哪一個CNI plugin将會被使用)
- CNI插件将建立veth pair, 檢查IPAM類型和資料,觸發IPAM插件,擷取空閑的IP位址并将位址配置設定給容器的網絡接口
2.1 kubelet runtime建立network namespace
kubelet先建立pause容器,并為這個pause容器生成一個network namespace,然後把這個network namespace關聯到pause容器上。
2.2 Kubelet觸發CNI插件
在觸發cni插件的時候會将cni的配置load給cni插件
執行CNI需要傳入以下變量:
# 添加或者删除網卡
CNI_COMMAND=ADD/DEL
# 容器的ID
CNI_CONTAINERID=xxxxxxxxxxxxxxxxxxx
# 容器網絡空間主機映射路徑
CNI_NETNS=/proc//ns/net
# CNI參數,使用分号分開,主要是POD的一些相關資訊
CNI_ARGS=IgnoreUnknown=;K8S_POD_NAMESPACE=default;K8S_POD_NAME=-my-nginx--stgs;K8S_POD_INFRA_CONTAINER_ID=xxxxxxxxxxxxxxxx
# 容器内網卡的名稱
CNI_IFNAME=eth0
# CNI二進制檔案路徑
CNI_PATH=/opt/cni/bin.
例:
2.3 kubelet調用相應CNI插件
- CNI插件建立veth pair
kubernetes cni網絡詳解1.CNI介紹2.網絡建立步驟3.CNI網絡插件3.1 flannel3.2 calico4.calico部署參考 - 通過IPAM插件擷取空閑的ip位址
kubernetes cni網絡詳解1.CNI介紹2.網絡建立步驟3.CNI網絡插件3.1 flannel3.2 calico4.calico部署參考 - 将ip配置到容器net namespace的網絡裝置
kubernetes cni網絡詳解1.CNI介紹2.網絡建立步驟3.CNI網絡插件3.1 flannel3.2 calico4.calico部署參考
3.CNI網絡插件
3.1 flannel
flannel原理如下圖所示,flannel不是本文介紹重點,不做詳細介紹。
3.2 calico
calico在CNM和CNI兩大陣營都扮演着比較重要的角色。既有着不俗的性能表現,提供了很好的隔離性,還有不錯的ACL控制能力。
Calico 是一個三層的資料中心網絡方案,基于三層路由,不需要二層網橋。而且友善內建 OpenStack 這種 IaaS 雲架構,能夠提供高效可控的 VM、容器、裸機之間的通信。
Calico的BGP模式在每一個計算節點利用Linux Kernel實作了一個高效的vRouter來負責資料轉發,而每個vRouter通過BGP協定負責把自己上運作的workload的路由資訊向整個Calico網絡内傳播——小規模部署可以直接互聯,大規模下可通過指定的BGP route reflector來完成。所有的workload之間的資料流量都是通過IP路由的方式完成互聯的。
Calico 節點組網可以直接利用資料中心的網絡結構(支援 L2 或者 L3),不需要額外的 NAT、端口映射、隧道或者 VXLAN overlay network,擴充性和性能都很好。與其他容器網絡方案相比,Calico 還有一大優勢:豐富而靈活的network policy。使用者可以通過動态定義各個節點上的 ACL 規則,控制進出容器的資料包,來提供Workload的多租戶隔離、安全組以及其他可達性限制等功能,實作業務需求。
如上圖所示,這樣保證這個方案的簡單可控,而且沒有封包解包,節約CPU計算資源的同時,提高了整個網絡的性能。
3.2.1 Calico架構
結合上面這張圖,我們來過一遍BGP模式下Calico的核心元件:
- Felix(Calico Agent):跑在每台需要運作Workload的節點上的守護程序,主要負責配置路由及ACLs等資訊來確定Endpoint的連通狀态;根據對接的編排架構的不同,felix主要包含以下功能:
- 網絡接口管理:把接口的一些資訊告訴核心,讓核心正确的處理這個接口的鍊路,特殊情況下,會去響應ARP請求,允許ip forwarding等。
- 路由管理:在節點上把endpoints的路由配置到Linux kernel FIB(forwarding information base), 保障包正确的到達節點的endpoint上,我的了解endpoints是節點上的虛拟網卡
- ACL管理:準入控制清單,設定核心的ACL,保證隻有合法的包才可以在鍊路上發送,保障安全。
- 狀态報告:把節點的網絡狀态資訊寫入etcd。
- The Orchestrator plugin:通過該插件更好地與編排系統(k8s/mesos/openstack等)進行內建。(The purpose of these plugins is to bind Calico more tightly into the orchestrator, allowing users to manage the Calico network just as they’d manage network tools that were built into the orchestrator.)工作包括:
- API轉化:編排系統 kubernetes openstack等有自己的API,編排插件翻譯成calico的資料模型存到calico的資料庫中。
- 資訊回報:把網絡狀态的一些資訊回報給上層的編排排程系統
- etcd:分布式鍵值存儲,主要負責網絡中繼資料一緻性,確定Calico網絡狀态的準确性;用途有:
- 資料存儲
- 各元件之間通信
- BGP Client(BIRD):主要負責把Felix寫入Kernel的路由資訊分發到目前Calico網絡,確定Workload間的通信的有效性;BIRD Bird是一個BGP client,它會主動讀取felix在host上設定的路由資訊,然後通過BGP協定廣播出去。
- BGP Route Reflector(BIRD):大規模部署時使用,摒棄所有節點互聯的 mesh 模式(每個BGP用戶端之間都會互相連接配接,會以 N^2次方增長),reflector負責client之間的連接配接,防止它們需要兩兩相連。通過一個或者多個BGP Route Reflector來完成集中式的路由分發;為了備援,可以部署多個reflectors, 它僅僅包含控制面,endpoint之間的資料不經過它們。
- birdc是bird的client,可以用來檢視bird的狀态,例如
- 檢視配置的協定: birdctl -s /var/run/calico/bird.ctl show protocols
-
檢視所有的路由: birdctl -s /var/run/calico/bird.ctl show route
可以到birdc中檢視更多的指令。
架構詳情請見官網
3.2.2 Calico模式
3.2.2.1 BGP模式
BGP模式流量分析
<1>流量從容器中到達主機的過程
cni-plugin會在指定的network ns中建立veth pair。位于容器中的veth,将被設定ip,在容器中可以看到内部ip位址是啟動kube-proxy時指定的
--cluster-cidr=192.168.0.0/16
中的一個:
并将169.254.1.1設定為預設路由,在容器内可以看到:
因為169.254.1.1是無效IP,是以,cni-plugin還要在容器内設定一條靜态arp:
在主機上檢視網絡接口,可以找到和上述mac位址一緻的一個calixxx接口:
由以上可見:169.254.1.1的mac位址被設定為了veth裝置在host中的一端veth的mac位址,容器中所有的封包就會發送到主機的veth端。
<2>流量從主機到達其他pod的過程
檢視主機路由表:
可以看到到10.233.64.0/18這個pod網段的流量主要走兩種iface:calixxxxx和eno16777984(主機網卡),走calixxxx的是通路在同一主機的pod的流量;走eno16777984的是通路其他主機的pod的流量,然後Gateway直接就是所要通路的pod所在主機的ip。
<3>與docker bridge模式對比
單純使用docker bridge模式起容器的話可以看到内部ip位址是docker0網橋那個網段的内部位址:
同樣會建立veth pair。位于容器中的veth,将被設定ip,并設定bridge0網橋172.17.0.1為預設路由,在容器内可以看到:
因為172.17.0.1是docker0網橋的有效IP,是以,這裡就沒有再像calico模式一樣設設定一條靜态arp了。
在主機上檢視網絡接口,可以找到對應在主機上的vethxxx接口:
3.2.2.2 IP-in-IP模式
Calico的BGP模式在主機間跨子網的情況下要求網關的路由器也支援BGP協定才可以,當資料中心環境不滿足這個要求時,可以考慮使用ipip模式。
IPIP從字面來了解,就是把一個IP資料包又套在一個IP包裡。是把 IP 層封裝到 IP 層的一個 tunnel,看起來似乎是浪費,實則不然。它的作用其實基本上就相當于一個基于IP層的網橋!我們知道,普通的網橋是基于mac層的,根本不需 IP,而這個 ipip 則是通過兩端的路由做一個 tunnel,把兩個本來不通的網絡通過點對點連接配接起來。啟用IPIP模式時,Calico将在各Node上建立一個名為”tunl0”的虛拟網絡接口。ipip 的源代碼在核心 net/ipv4/ipip.c 中可以找到。
ipip模式流量分析
<1>流量從容器中到達主機的過程
同BGP模式
<2>流量從主機到達其他pod的過程
啟用IPIP模式時,Calico将在node上建立一個tunl0的虛拟網卡做隧道使用,如以下2圖所示:
檢視主機路由表:
可以看到到192.168.x.x這個pod網段的流量主要走兩種iface:calixxxxx和tunl0,走calixxxx的是通路在同一主機的pod的流量;走tunl0的是通路其他主機的pod的流量,然後Gateway直接就是所要通路的pod所在主機的ip。
配置方法請見官網
3.2.2.3 cross-subnet模式
同子網内的機器間采用bgp模式,跨子網的機器間采用ipip模式。要想使用cross-subnet模式,需要配置如下兩項:
- 配置ipPool,具體配置方式請見官網
Configuring cross-subnet IP-in-IP
- 配置calico-node,具體配置方式請見官網,尤其注意可能需要手動修改node子網路遮罩(雖然calico會自動探測并設定主機ip和子網路遮罩,但很多時候設定的子網路遮罩是32,是以需要手動改一下)。
4.calico部署
4.1 前提
根據官方文檔,calico部署前,已有的k8s叢集需做好以下配置:
- kubelet需要添加如下啟動參數:
-
--network-plugin=cni
-
--cni-conf-dir=/etc/cni/net.d
-
--cni-bin-dir=/opt/cni/bin
-
- kube-proxy必須采用iptables proxy mode
--proxy-mode=iptables
- kubec-proxy 元件啟動方式不能采用
--masquerade-all
備注:
1.
--cni-conf-dir
和
--cni-bin-dir
這兩個參數在啟動calico-node pod的
install-cni
容器的時候也會指定挂載進容器,需要和這裡設定的一樣。
2.net.d下有如下内容:
[[email protected] net.d]# ll
總用量 12
-rw-rw-r--. root root 月 : -calico.conf
-rw-r--r--. root root 月 : calico-kubeconfig
drwxr-xr-x. 2 root root 4096 12月 5 21:47 calico-tls
其中,10-calico.conf是一些calico的基本配置項,内容如下:
{
"name": "k8s-pod-network",
"cniVersion": "0.1.0",
"type": "calico",
"etcd_endpoints": "https://10.142.21.21:2379",
"etcd_key_file": "/etc/cni/net.d/calico-tls/etcd-key",
"etcd_cert_file": "/etc/cni/net.d/calico-tls/etcd-cert",
"etcd_ca_cert_file": "/etc/cni/net.d/calico-tls/etcd-ca",
"log_level": "info",
"mtu": ,
"ipam": {
"type": "calico-ipam"
},
"policy": {
"type": "k8s",
"k8s_api_root": "https://10.233.0.1:443",
"k8s_auth_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjYWxpY28tbm9kZS10b2tlbi1qNHg0bSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjYWxpY28tbm9kZSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImE4N2ZiZjY1LWQzNTctMTFlNy1hZTVkLTAwNTA1Njk0ZWI2YSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTpjYWxpY28tbm9kZSJ9.om9TzY_4uYSx2b0kVooTmlA_xrHlL0vpGd4m6Pxq4s--CwQHQb5yvOy3qtMqpRlQrSliDRSLUi1O5QQXfjWNrbyk206B4F0k9NsZi0s-1ZzNVhwI6hsatXl8NZ0qb4LQ2rulm5uM9ykKwXnGpQyCghtwlcBGqQmY63VrBdZHxD3NeyCJ9HqM8BfhclpfzepN-ADADhNn59m96cSaXPJbogVOoMdntXn9x9kn_VaQn5A-XIBNQDMGrUhz1dWCOFfG3nVlxAbo24UcxurvtX4gWyxlUTrkc195i_cnuTbYlIMfBCgKsnuf9QMryn5EWULC5IMB8hPW9Bm1e8fUIHeMvQ"
},
"kubernetes": {
"kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
}
}
3.我部署的是calico2.6.2版本,該版本涉及的各元件版本資訊請見:https://docs.projectcalico.org/v2.6/releases/#v2.6.2。
Calico 依賴 etcd 在不同主機間共享和交換資訊,存儲 Calico 網絡狀态。Calico 網絡中的每個主機都需要運作 Calico 元件,提供容器 interface 管理、動态路由、動态 ACL、報告狀态等功能。
4.2 calicoctl部署
4.2.1 calicoctl安裝
到這裡擷取calicoctl并安裝,1.9及以前版本的k8s下載下傳1.6.3版本的calicoctl,1.10及以後的k8s下載下傳3.1.1的calicoct:https://console.bluemix.net/docs/containers/cs_network_policy.html#cli_install。
sudo wget -O /usr/local/bin/calicoctl https://github.com/projectcalico/calicoctl/releases/download/v1/calicoctl
sudo chmod a+x /usr/local/bin/calicoctl
4.2.2 calicoctl配置
calicoctl預設是會讀取/etc/calico/calicoctl.cfg的配置檔案(也可以通過
--config
選項來指定要讀取的配置檔案),配置裡指定etcd叢集的位址,檔案的格式請見官網。
示例:
apiVersion: v1
kind: calicoApiConfig
metadata:
spec:
datastoreType: "etcdv2"
etcdEndpoints: "https://10.142.232.21:2379,https://10.142.232.22:2379,https://10.142.232.23:2379"
etcdKeyFile: "/etc/calico/certs/key.pem"
etcdCertFile: "/etc/calico/certs/cert.crt"
etcdCACertFile: "/etc/calico/certs/ca_cert.crt"
4.2.3 常用calicoctl指令
檢視ip pool
calicoctl get ipPool
檢視節點狀态資訊
calicoctl node status
建立ipPool
calicoctl apply -f - << EOF
apiVersion: v1
kind: ipPool
metadata:
cidr: /
spec:
ipip:
enabled: true
nat-outgoing: true
EOF
修改calico網絡模式,由BGP改為ipip:
calicoctl apply -f - << EOF
apiVersion: v1
kind: ipPool
metadata:
cidr: /
spec:
ipip:
enabled: true
mode: always
nat-outgoing: true
EOF
4.3 calico核心元件部署
主要涉及3個元件:
- calico/node:v2.6.2
- calico/cni:v1.11.0
- calico/kube-controllers:v1.0.0
使用kubernetes部署,使用的yaml檔案請見:https://github.com/projectcalico/calico/blob/v2.6.2/master/getting-started/kubernetes/installation/hosted/calico.yaml
下面以我的實際檔案為例進行講解:
4.3.1 calico-config(configmap)
kind: ConfigMap
apiVersion: v1
metadata:
name: calico-config
namespace: kube-system
data:
# Configure this with the location of your etcd cluster.
etcd_endpoints: "https://10.142.21.21:2379"
# Configure the Calico backend to use.
calico_backend: "bird"
# The CNI network configuration to install on each node.
cni_network_config: |-
{
"name": "k8s-pod-network",
"cniVersion": "0.1.0",
"type": "calico",
"etcd_endpoints": "__ETCD_ENDPOINTS__",
"etcd_key_file": "__ETCD_KEY_FILE__",
"etcd_cert_file": "__ETCD_CERT_FILE__",
"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
"log_level": "info",
"mtu": ,
"ipam": {
"type": "calico-ipam"
},
"policy": {
"type": "k8s",
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
},
"kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__"
}
}
# If you're using TLS enabled etcd uncomment the following.
# You must also populate the Secret below with these files.
etcd_ca: "/calico-secrets/etcd-ca"
etcd_cert: "/calico-secrets/etcd-cert"
etcd_key: "/calico-secrets/etcd-key"
說明:
1.這個configmap給calico-node配置env使用
2.calico-config的data.etcd_endpoints(endpoints為etcd的真實環境位址)
4.3.2 calico-etcd-secrets(secret)
# The following contains k8s Secrets for use with a TLS enabled etcd cluster.
# For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: calico-etcd-secrets
namespace: kube-system
data:
# Populate the following files with etcd TLS configuration if desired, but leave blank if
# not using TLS for etcd.
# This self-hosted install expects three files with the following names. The values
# should be base64 encoded strings of the entire contents of each file.
etcd-key: 太長了,省略...
etcd-cert: 太長了,省略...
etcd-ca: 太長了,省略...
說明:
1. 這個secret用來給calico-node和kube-controller連接配接etcd使用
2. calico-etcd-secrets的etcd-key、etcd-cert、etcd-ca,分别使用/etc/ssl/etcd/ssl/目錄下的node-k8smaster01-key.pem、node-k8smaster01.pem、ca.pem(根據實際環境的證書資料填寫。)的base64編碼(生成base64編碼:base64 /etc/ssl/etcd/ssl/node-k8smaster01-key.pem)
4.3.3 calico-node(daemonset)
# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
name: calico-node
namespace: kube-system
labels:
k8s-app: calico-node
spec:
selector:
matchLabels:
k8s-app: calico-node
template:
metadata:
labels:
k8s-app: calico-node
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
/cheduler.alpha.kubernetes.io/tolerations: |
[{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
{"key":"CriticalAddonsOnly", "operator":"Exists"}]
spec:
hostNetwork: true
serviceAccountName: calico-node
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds:
containers:
# Runs calico/node container on each Kubernetes node. This
# container programs network policy and routes on each
# host.
- name: calico-node
image: quay.io/calico/node:v2
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
# Choose the backend to use.
- name: CALICO_NETWORKING_BACKEND
valueFrom:
configMapKeyRef:
name: calico-config
key: calico_backend
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
value: "k8s,bgp"
# Disable file logging so `kubectl logs` works.
- name: CALICO_DISABLE_FILE_LOGGING
value: "true"
# Set Felix endpoint to host default action to ACCEPT.
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
value: "ACCEPT"
# Disable IPv6 on Kubernetes.
- name: FELIX_IPV6SUPPORT
value: "false"
# Set Felix logging to "info"
- name: FELIX_LOGSEVERITYSCREEN
value: "info"
# Set MTU for tunnel device used if ipip is enabled
- name: FELIX_IPINIPMTU
value: "1440"
# Location of the CA certificate for etcd.
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_ca
# Location of the client key for etcd.
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_key
# Location of the client certificate for etcd.
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_cert
# Auto-detect the BGP IP address.
- name: IP
value: ""
- name: FELIX_HEALTHENABLED
value: "true"
securityContext:
privileged: true
resources:
requests:
cpu: m
livenessProbe:
httpGet:
path: /liveness
port:
periodSeconds:
initialDelaySeconds:
failureThreshold:
readinessProbe:
httpGet:
path: /readiness
port:
periodSeconds:
volumeMounts:
- mountPath: /lib/modules
name: lib-modules
readOnly: true
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /calico-secrets
name: etcd-certs
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: quay.io/calico/cni:v1
command: ["/install-cni.sh"]
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
# The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
name: calico-config
key: cni_network_config
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /calico-secrets
name: etcd-certs
volumes:
# Used by calico/node.
- name: lib-modules
hostPath:
path: /lib/modules
- name: var-run-calico
hostPath:
path: /var/run/calico
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
# Mount in the etcd TLS secrets.
- name: etcd-certs
secret:
secretName: calico-etcd-secrets
備注:
1.calico-node的CALICO_IPV4POOL_CIDR參數(注:需要根據實際環境更改)
2.每個pod裡除pause外有兩個容器:calico-node和install-cni,其中calico-node這個容器裡起了多個程序,有:calico-felix、bird、bird6、confd(confd根據etcd上狀态資訊,與本地模闆,生成并更新BIRD配置)
3.根據環境裡的所有節點的taints,為daemon/calico-node添加tolerations參數,使其能在每個節點上都能部署。例如如下參數:
spec:
tolerations:
- key: "nginx-ingress-controller"
operator: "Equal"
value: "true"
effect: "NoSchedule"
hostNetwork: true
這是為了taints的節點能夠部署calico-node。其中的key和value為标記的taints。
4.3.4 calico-kube-controllers(deployment)
# This manifest deploys the Calico Kubernetes controllers.
# See https://github.com/projectcalico/kube-controllers
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: calico-kube-controllers
namespace: kube-system
labels:
k8s-app: calico-kube-controllers
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
scheduler.alpha.kubernetes.io/tolerations: |
[{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
{"key":"CriticalAddonsOnly", "operator":"Exists"}]
spec:
# The controllers can only have a single active instance.
replicas:
strategy:
type: Recreate
template:
metadata:
name: calico-kube-controllers
namespace: kube-system
labels:
k8s-app: calico-kube-controllers
spec:
# The controllers must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
serviceAccountName: calico-kube-controllers
containers:
- name: calico-kube-controllers
image: quay.io/calico/kube-controllers:v1
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
# Location of the CA certificate for etcd.
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_ca
# Location of the client key for etcd.
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_key
# Location of the client certificate for etcd.
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_cert
volumeMounts:
# Mount in the etcd TLS secrets.
- mountPath: /calico-secrets
name: etcd-certs
volumes:
# Mount in the etcd TLS secrets.
- name: etcd-certs
secret:
secretName: calico-etcd-secrets
4.3.5 calico-policy-controller(deployment)
# This deployment turns off the old "policy-controller". It should remain at replicas, and then
# be removed entirely once the new kube-controllers deployment has been deployed above.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: calico-policy-controller
namespace: kube-system
labels:
k8s-app: calico-policy
spec:
# Turn this deployment off in favor of the kube-controllers deployment above.
replicas:
strategy:
type: Recreate
template:
metadata:
name: calico-policy-controller
namespace: kube-system
labels:
k8s-app: calico-policy
spec:
hostNetwork: true
serviceAccountName: calico-kube-controllers
containers:
- name: calico-policy-controller
image: quay.io/calico/kube-controllers:v1
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
4.3.6 calico-kube-controllers(serviceaccount)
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-kube-controllers
namespace: kube-system
4.3.7 calico-node(serviceaccount)
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-node
namespace: kube-system
整體流量具體怎麼走的,請參考(有時間再整理):
http://blog.csdn.net/liukuan73/article/details/78635711
http://blog.csdn.net/liukuan73/article/details/78837424
http://cizixs.com/2017/03/30/kubernetes-introduction-service-and-kube-proxy?utm_source=tuicool&utm_medium=referral
http://www.lijiaocn.com/%E9%A1%B9%E7%9B%AE/2017/03/27/Kubernetes-kube-proxy.html
參考
1.http://lameleg.com/tech/calico-architecture.html
2.http://www.lijiaocn.com/%E9%A1%B9%E7%9B%AE/2017/08/04/calico-arch.html
3.http://blog.csdn.net/felix_yujing/article/details/55213239
4.https://mritd.me/2017/07/31/calico-yml-bug/
5.http://v.youku.com/v_show/id_XMzE2MzM5MzMwNA==.html
6.https://neuvector.com/network-security/kubernetes-networking/
7.https://platform9.com/blog/kubernetes-networking-achieving-high-performance-with-calico/
8.http://www.dockermall.com/there-are-clouds-container-network-those-things/
更多精彩内容,請訂閱本人微信公衆号:K8SPractice