Kubernetes networking: learning Calico

Author: wilsonchai | Source: published 2019-02-20 14:52, read 4 times

    I. Background

    1. Calico carries pod traffic either inside IPIP tunnels or as plain layer-3 routing with no encapsulation; in both cases BGP is what distributes the pod routes between nodes.
    2. BGP route exchange runs in one of two modes: BGP Speaker full mesh (node-to-node mesh) or BGP Speaker route reflector (RR) mode.
    3. This article looks at both Calico BGP modes.

    II. Environment

    Component   Version
    OS          Ubuntu 18.04.1 LTS
    docker      18.06.0-ce
    k8s         1.10.1
    calico      3.1.3

    IP              Hostname
    192.168.56.101  k8s-master
    192.168.56.102  k8s-node1
    192.168.56.103  k8s-node2
    192.168.56.104  k8s-node3

    III. Installation

    Installing k8s

    Follow the official documentation and the many community install guides; I won't repeat them here.

    The k8s environment used in this article has RBAC enabled and etcd secured with TLS certificates.

    Installing Calico

    This mainly follows the official documentation: https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/calico

    1. Calico RBAC

    kubectl apply -f \
    https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/rbac.yaml
    
    

    2. Download calico.yaml

    curl \
    https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/calico.yaml \
    -O
    
    

    3. Fill in the etcd address

    ETCD_ENDPOINTS="https://192.168.56.101:2379"
    sed -i "s#.*etcd_endpoints:.*#  etcd_endpoints: \"${ETCD_ENDPOINTS}\"#g" calico.yaml
    
    sed -i "s#__ETCD_ENDPOINTS__#${ETCD_ENDPOINTS}#g" calico.yaml
    
    

    4. Fill in the etcd certificates. My etcd certificates live under /etc/etcd/ssl

    ETCD_CERT=$(base64 < /etc/etcd/ssl/etcd.pem | tr -d '\n')
    ETCD_KEY=$(base64 < /etc/etcd/ssl/etcd-key.pem | tr -d '\n')
    ETCD_CA=$(base64 < /etc/etcd/ssl/etcd-root-ca.pem | tr -d '\n')
    
    sed -i "s#.*etcd-cert:.*#  etcd-cert: ${ETCD_CERT}#g" calico.yaml
    sed -i "s#.*etcd-key:.*#  etcd-key: ${ETCD_KEY}#g" calico.yaml
    sed -i "s#.*etcd-ca:.*#  etcd-ca: ${ETCD_CA}#g" calico.yaml
    
    sed -i 's#.*etcd_ca:.*#  etcd_ca: "/calico-secrets/etcd-ca"#g' calico.yaml
    sed -i 's#.*etcd_cert:.*#  etcd_cert: "/calico-secrets/etcd-cert"#g' calico.yaml
    sed -i 's#.*etcd_key:.*#  etcd_key: "/calico-secrets/etcd-key"#g' calico.yaml
    
    sed -i "s#__ETCD_KEY_FILE__#/etc/etcd/ssl/etcd-key.pem#g" calico.yaml
    sed -i "s#__ETCD_CERT_FILE__#/etc/etcd/ssl/etcd.pem#g" calico.yaml
    sed -i "s#__ETCD_CA_CERT_FILE__#/etc/etcd/ssl/etcd-root-ca.pem#g" calico.yaml
    sed -i "s#__KUBECONFIG_FILEPATH__#/etc/cni/net.d/calico-kubeconfig#g" calico.yaml

    Two things to be aware of here. The __ETCD_*_FILE__ and __KUBECONFIG_FILEPATH__ placeholders sit in the cni_network_config JSON and are normally filled in by the install-cni container when it writes the CNI config onto each host; replacing them with host paths works because the CNI plugin runs on the host, but it means /etc/etcd/ssl with exactly these file names must exist on every node. And the Secret now carries the cluster's etcd client certificate and key: anyone who can read Secrets in kube-system can read and write the whole etcd datastore, so keep RBAC on that namespace tight, and preferably issue Calico its own client certificate instead of reusing etcd.pem.


    5. Configure Calico for BGP-only routing and change the pod CIDR to 10.10.0.0/16

    sed -i '/CALICO_IPV4POOL_IPIP/{n;s/Always/off/g}' calico.yaml
    sed -i '/CALICO_IPV4POOL_CIDR/{n;s/192.168.0.0/10.10.0.0/g}' calico.yaml

    The first sed turns off IPIP encapsulation so that pod traffic is routed natively between nodes (the documented value is Never; off is accepted as a synonym). Without a tunnel every node must be able to reach the other nodes' pod routes directly, which holds here because all nodes sit on one subnet. The pool must not overlap with the node network (192.168.56.0/24) or the service CIDR.


    6. Install Calico with kubectl

    kubectl apply -f calico.yaml

    Note: calico-node needs privileged access to the host, so both the apiserver and the kubelet must be started with --allow-privileged=true.

    Check the status:

    root@k8s-master:/tmp# kubectl get pods -n kube-system -owide
    NAME                                        READY     STATUS    RESTARTS   AGE       IP               NODE
    calico-kube-controllers-98989846-b4n72      1/1       Running   0          18d       192.168.56.102   k8s-node1
    calico-node-58pck                           2/2       Running   0          18d       192.168.56.103   k8s-node2
    calico-node-s2txw                           2/2       Running   0          18d       192.168.56.101   k8s-master
    calico-node-svmbp                           2/2       Running   0          18d       192.168.56.102   k8s-node1
    ...
    

    7. Configure kubelet for Calico

    Find the kubelet configuration file (in my environment /etc/kubernetes/kubelet) and add
    --network-plugin=cni

    then restart kubelet.
    

    8. Test with a pod (the test namespace must already exist)

    cat << EOF | kubectl create -f -
    apiVersion: v1
    kind: Pod
    metadata:
      name: network-test
      namespace: test
    spec:
      containers:
      - image: busybox:latest
        command:
          - sleep
          - "3600"
        name: network-test
    EOF
    
    root@k8s-master:~# kubectl -n test get pods -owide
    NAME           READY     STATUS    RESTARTS   AGE       IP              NODE
    network-test   1/1       Running   0          41s       10.10.169.139   k8s-node2
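To make steps 3 to 5 repeatable and to catch a badly rendered manifest before it reaches kubectl apply, here is a small shell script. It is an added example, not code from the post or from the Calico project. It assumes the v3.1 hosted calico.yaml layout (the etcd_*, etcd-* and __ETCD_*__ names the seds above target), the certificate file names used above, and the endpoint and CIDR from this post; the template and PEM files inside it are constructed stand-ins so that it runs offline. It disables IPIP with Never, the documented spelling of the value the post sets to off.

```shell
#!/bin/sh
# Added example (not from the original post or the Calico project): render the
# v3.1 hosted calico.yaml for a TLS-protected etcd in one pass (steps 3 to 5),
# then sanity-check the result before `kubectl apply`. Runs offline: the
# template and PEM files below are constructed stand-ins for the real ones.
set -eu

b64() { base64 < "$1" | tr -d '\n'; }

# render_calico_manifest TEMPLATE ETCD_ENDPOINT SSL_DIR POD_CIDR
# SSL_DIR must contain etcd-root-ca.pem, etcd.pem and etcd-key.pem (the names
# used in the post) at the same path on every node: the CNI plugin runs on the
# host and reads them directly once the __ETCD_*_FILE__ placeholders are filled.
render_calico_manifest() {
  tpl=$1 ep=$2 ssl=$3 cidr=$4
  sed \
    -e "s#.*etcd_endpoints:.*#  etcd_endpoints: \"${ep}\"#" \
    -e "s#__ETCD_ENDPOINTS__#${ep}#g" \
    -e "s#.*etcd-ca:.*#  etcd-ca: $(b64 "$ssl/etcd-root-ca.pem")#" \
    -e "s#.*etcd-cert:.*#  etcd-cert: $(b64 "$ssl/etcd.pem")#" \
    -e "s#.*etcd-key:.*#  etcd-key: $(b64 "$ssl/etcd-key.pem")#" \
    -e 's#.*etcd_ca:.*#  etcd_ca: "/calico-secrets/etcd-ca"#' \
    -e 's#.*etcd_cert:.*#  etcd_cert: "/calico-secrets/etcd-cert"#' \
    -e 's#.*etcd_key:.*#  etcd_key: "/calico-secrets/etcd-key"#' \
    -e "s#__ETCD_CA_CERT_FILE__#${ssl}/etcd-root-ca.pem#g" \
    -e "s#__ETCD_CERT_FILE__#${ssl}/etcd.pem#g" \
    -e "s#__ETCD_KEY_FILE__#${ssl}/etcd-key.pem#g" \
    -e 's#__KUBECONFIG_FILEPATH__#/etc/cni/net.d/calico-kubeconfig#g' \
    -e '/CALICO_IPV4POOL_IPIP/{n;s/"Always"/"Never"/;}' \
    -e "/CALICO_IPV4POOL_CIDR/{n;s#192.168.0.0/16#${cidr}#;}" \
    "$tpl"
}

# check_manifest FILE: succeed only if nothing is left unrendered, etcd is
# reached over https, the Secret really holds base64-encoded PEM, and IPIP is off.
check_manifest() {
  f=$1
  if grep -q '__[A-Z_]*__' "$f"; then
    echo "unrendered placeholder left in $f" >&2; return 1
  fi
  grep -q '^ *etcd_endpoints: "https://' "$f" \
    || { echo "etcd_endpoints is not an https:// URL" >&2; return 1; }
  for k in etcd-ca etcd-cert etcd-key; do
    sed -n "s/^ *${k}: *//p" "$f" | base64 -d 2>/dev/null | head -n 1 | grep -q '^-----BEGIN' \
      || { echo "$k is not a base64-encoded PEM block" >&2; return 1; }
  done
  if grep -A1 'CALICO_IPV4POOL_IPIP' "$f" | grep -q '"Always"'; then
    echo "IPIP is still Always; BGP-only routing was requested" >&2; return 1
  fi
}

# Live check (not run in the offline demo): confirm etcd accepts the client
# certificate before handing it to Calico.  probe_etcd ENDPOINT SSL_DIR
probe_etcd() {
  curl -sS --cacert "$2/etcd-root-ca.pem" --cert "$2/etcd.pem" --key "$2/etcd-key.pem" "$1/health"
}

# --- offline demo with constructed inputs ------------------------------------
OUT=$(mktemp -d)
SSL_DIR=$OUT/ssl
mkdir -p "$SSL_DIR"
# Dummy PEM files (constructed; the real ones come from your etcd CA).
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdummyCA' '-----END CERTIFICATE-----' > "$SSL_DIR/etcd-root-ca.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdummyCert' '-----END CERTIFICATE-----' > "$SSL_DIR/etcd.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIBdummyKey' '-----END RSA PRIVATE KEY-----' > "$SSL_DIR/etcd-key.pem"

# Constructed stand-in for the lines of calico.yaml (v3.1, etcd datastore) that the seds touch.
cat > "$OUT/template.yaml" <<'EOF'
kind: ConfigMap
data:
  etcd_endpoints: "http://127.0.0.1:2379"
  etcd_ca: ""   # "/calico-secrets/etcd-ca"
  etcd_cert: "" # "/calico-secrets/etcd-cert"
  etcd_key: ""  # "/calico-secrets/etcd-key"
  cni_network_config: |-
    {
      "etcd_endpoints": "__ETCD_ENDPOINTS__",
      "etcd_key_file": "__ETCD_KEY_FILE__",
      "etcd_cert_file": "__ETCD_CERT_FILE__",
      "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
      "kubeconfig": "__KUBECONFIG_FILEPATH__"
    }
---
kind: Secret
data:
  # etcd-key: null
  # etcd-cert: null
  # etcd-ca: null
---
kind: DaemonSet
        - name: CALICO_IPV4POOL_IPIP
          value: "Always"
        - name: CALICO_IPV4POOL_CIDR
          value: "192.168.0.0/16"
EOF

render_calico_manifest "$OUT/template.yaml" "https://192.168.56.101:2379" "$SSL_DIR" "10.10.0.0/16" > "$OUT/calico.yaml"
check_manifest "$OUT/calico.yaml"
echo "rendered manifest at $OUT/calico.yaml looks sane"
```

On a real node, point it at the downloaded calico.yaml and /etc/etcd/ssl, run probe_etcd once against the endpoint to confirm the certificate is accepted, and only then kubectl apply the rendered file.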
    

    At this point the Calico installation is complete.

    IV. Using calicoctl

    1. Download calicoctl

    https://github.com/projectcalico/calicoctl/releases/download/v3.1.3/calicoctl-linux-amd64

    calicoctl talks to the same etcd datastore as calico-node, so it needs the same endpoint and TLS files, either in /etc/calico/calicoctl.cfg or through the DATASTORE_TYPE=etcdv3, ETCD_ENDPOINTS, ETCD_CA_CERT_FILE, ETCD_CERT_FILE and ETCD_KEY_FILE environment variables (the same values as in step 4). Without that it falls back to an unencrypted local etcd endpoint and every command below fails.

    2. List the current Calico nodes

    root@k8s-master:/tmp# calicoctl get node
    NAME
    k8s-master
    k8s-node1
    k8s-node2

    calicoctl get node -o yaml shows the full details. Note that k8s-node3 (192.168.56.104) is not listed: it does not run calico-node, and it is the machine that will host the route reflector below.
    

    3. List the current IP pools

    root@k8s-master:/tmp# calicoctl get ippool
    NAME                  CIDR
    default-ipv4-ippool   10.10.0.0/16
    default-ipv6-ippool   fdc6:1a69:2b39::/48
    

    4. Check the current mode

    root@k8s-master:/tmp# calicoctl node status
    Calico process is running.
    
    IPv4 BGP status
    +----------------+-------------------+-------+----------+-------------+
    |  PEER ADDRESS  |     PEER TYPE     | STATE |  SINCE   |    INFO     |
    +----------------+-------------------+-------+----------+-------------+
    | 192.168.56.102 | node-to-node mesh | up    | 07:39:02 | Established |
    | 192.168.56.103 | node-to-node mesh | up    | 07:39:02 | Established |
    +----------------+-------------------+-------+----------+-------------+
    
    IPv6 BGP status
    No IPv6 peers found.
    
    root@k8s-master:/tmp# netstat -anp | grep ESTABLISH | grep bird
    tcp        0      0 192.168.56.101:33029    192.168.56.102:179      ESTABLISHED 26558/bird
    tcp        0      0 192.168.56.101:58055    192.168.56.103:179      ESTABLISHED 26558/bird
    

    The cluster is currently running in BGP Speaker full mesh (node-to-node mesh) mode: every Calico node opens a BGP session with every other node to exchange routes. That is fine for a small cluster, but the number of sessions grows as n(n-1)/2 with n nodes, so as the cluster grows the mesh turns into a huge web of connections.

    5. Switch to BGP Speaker RR mode

    Disable mesh mode and configure a BGPPeer. One caveat on ordering: the moment nodeToNodeMeshEnabled becomes false, BIRD tears down the mesh sessions and the routes learned through them, and with IPIP off there is no other path between pods on different nodes. On a live cluster, start the reflector and create the BGPPeer first and only then switch the mesh off, so that nodes never sit without a peer. Also note that 61234 is a public AS number; unless you own it, pick one from the private range 64512 to 65534 (Calico's default is 64512). The reflector must be in the same AS as the nodes, since route reflection is an iBGP feature, which is why the BGPPeer carries the same asNumber as the global configuration.

    cat << EOF | calicoctl create -f -
    apiVersion: projectcalico.org/v3
    kind: BGPConfiguration
    metadata:
      name: default
    spec:
      logSeverityScreen: Info
      nodeToNodeMeshEnabled: false
      asNumber: 61234
    EOF
    
    cat << EOF | calicoctl create -f -
    apiVersion: projectcalico.org/v3
    kind: BGPPeer
    metadata:
      name: bgppeer-global
    spec:
      peerIP: 192.168.56.103
      asNumber: 61234
    EOF
    

    Check the RR mode configuration:

    root@k8s-master:~# calicoctl get bgpconfig
    NAME      LOGSEVERITY   MESHENABLED   ASNUMBER
    default   Info          false         61234
    
    root@k8s-master:~# calicoctl get bgppeer
    NAME             PEERIP           NODE       ASN
    bgppeer-global   192.168.56.103   (global)   61234
    

    Installing the route reflector

    The reflector runs on k8s-node3 (192.168.56.104), outside the Kubernetes cluster, as a privileged container on the host network that authenticates to etcd with the same client certificate as the cluster, so the host deserves the same protection as a control-plane node. Note that the BGPPeer created above points at 192.168.56.103, not at the reflector's IP=192.168.56.104: peerIP must be the address the reflector actually listens on, otherwise the nodes peer with whatever answers on .103 (here the calico-node on k8s-node2, which is not configured as a reflector), and that is the address the status output below shows.

    docker run --privileged --net=host -d                             \
               --name=calico-rr                                       \
               -e IP=192.168.56.104                                   \
               -e ETCD_ENDPOINTS=https://192.168.56.101:2379          \
               -v /etc/etcd/ssl:/etc/calico/ssl                     \
               -e ETCD_CA_CERT_FILE=/etc/calico/ssl/etcd-root-ca.pem  \
               -e ETCD_CERT_FILE=/etc/calico/ssl/etcd.pem             \
               -e ETCD_KEY_FILE=/etc/calico/ssl/etcd-key.pem          \
               calico/routereflector:v0.6.1
    

    Check the result:

    root@k8s-master:~# calicoctl node status
    Calico process is running.
    
    IPv4 BGP status
    +----------------+-----------+-------+----------+-------------+
    |  PEER ADDRESS  | PEER TYPE | STATE |  SINCE   |    INFO     |
    +----------------+-----------+-------+----------+-------------+
    | 192.168.56.103 | global    | up    | 09:13:23 | Established |
    +----------------+-----------+-------+----------+-------------+
    
    IPv6 BGP status
    No IPv6 peers found.
    
    root@k8s-master:~# netstat -anp | grep ESTABLISH | grep bird
    tcp        0      0 192.168.56.101:179      192.168.56.103:54903    ESTABLISHED 26558/bird
    

    Each node now keeps a single session to the reflector and still learns every route through it, so the session count drops from n(n-1)/2 to n. A single reflector is also a single point of failure for route distribution, though: run at least two and create a BGPPeer for each. Newer Calico releases (3.3 and later) can also turn an ordinary calico-node into a reflector through its routeReflectorClusterID, which replaces the standalone calico/routereflector image used here.
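The two status tables above (full mesh in section 4, route reflector here) can be checked mechanically, which is useful when you flip a production cluster from mesh to RR and want to confirm that every node dropped its mesh sessions and reached the reflector. The following script is an added example, not from the original post or from Calico. It parses `calicoctl node status` output; the three samples embedded in it are constructed (the first two are the tables shown in this post, the third is a hypothetical half-migrated node with a lingering mesh peer and a reflector session that has not come up). With the three Calico nodes of this post, each node should show 2 mesh peers before the switch and 1 global peer after it.

```shell
#!/bin/sh
# Added example (not from the original post or Calico): check `calicoctl node
# status` output against the BGP mode a node should be in. MESH_STATUS, RR_STATUS
# and HALF_STATUS are constructed samples so the script runs offline; on a real
# node feed it `calicoctl node status` instead.
set -eu

# established_peers TYPE: read a status table on stdin and print how many peers
# of TYPE ("node-to-node mesh" or "global") are up and Established.
established_peers() {
  grep -c "| $1 *| up *|.*| Established |" || true
}

# check_bgp_mode MODE N: read a status table on stdin; succeed only if the node
# has exactly N Established sessions of the expected kind and none of the other.
#   mesh: every node peers with the N other nodes, N = nodes - 1 (2 in this post)
#   rr:   every node peers only with its N reflectors (1 in this post)
check_bgp_mode() {
  mode=$1 want=$2 status=$(cat)
  mesh=$(printf '%s\n' "$status" | established_peers 'node-to-node mesh')
  global=$(printf '%s\n' "$status" | established_peers global)
  case $mode in
    mesh) if [ "$mesh" -eq "$want" ] && [ "$global" -eq 0 ]; then return 0; fi ;;
    rr)   if [ "$global" -eq "$want" ] && [ "$mesh" -eq 0 ]; then return 0; fi ;;
    *)    echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  echo "expected $mode mode with $want peers, found mesh=$mesh global=$global" >&2
  return 1
}

# Constructed sample: the mesh table from this post (section 4).
MESH_STATUS='Calico process is running.

IPv4 BGP status
+----------------+-------------------+-------+----------+-------------+
|  PEER ADDRESS  |     PEER TYPE     | STATE |  SINCE   |    INFO     |
+----------------+-------------------+-------+----------+-------------+
| 192.168.56.102 | node-to-node mesh | up    | 07:39:02 | Established |
| 192.168.56.103 | node-to-node mesh | up    | 07:39:02 | Established |
+----------------+-------------------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.'

# Constructed sample: the RR table from this post (section 5).
RR_STATUS='Calico process is running.

IPv4 BGP status
+----------------+-----------+-------+----------+-------------+
|  PEER ADDRESS  | PEER TYPE | STATE |  SINCE   |    INFO     |
+----------------+-----------+-------+----------+-------------+
| 192.168.56.103 | global    | up    | 09:13:23 | Established |
+----------------+-----------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.'

# Constructed, hypothetical sample: a node caught mid-migration, still holding
# one mesh session while its reflector session has not come up yet.
HALF_STATUS='Calico process is running.

IPv4 BGP status
+----------------+-------------------+-------+----------+-------------+
|  PEER ADDRESS  |     PEER TYPE     | STATE |  SINCE   |    INFO     |
+----------------+-------------------+-------+----------+-------------+
| 192.168.56.102 | node-to-node mesh | up    | 07:39:02 | Established |
| 192.168.56.104 | global            | start | 09:13:23 | Connect     |
+----------------+-------------------+-------+----------+-------------+'

printf '%s\n' "$MESH_STATUS" | check_bgp_mode mesh 2 && echo "mesh sample: ok"
printf '%s\n' "$RR_STATUS" | check_bgp_mode rr 1 && echo "rr sample: ok"
printf '%s\n' "$HALF_STATUS" | check_bgp_mode rr 1 || echo "half-migrated sample: flagged, as intended"
```

Run it on every node rather than once, because `calicoctl node status` only reports the BGP sessions of the local BIRD daemon.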


    That concludes this article.
    My knowledge is limited; if I have got anything wrong, please don't hesitate to point it out...

        Article link: https://www.haomeiwen.com/subject/epdhyqtx.html