
Kubernetes之部署calico網絡


部署calico網絡

Calico組件:

Felix:Calico agent 運行在每臺node上,為容器設置網絡信息:IP,路由規則,iptable規則等

etcd:calico後端存儲

BIRD(BGP Client): 負責通過BGP協議把Felix在各node上設置的路由信息廣播到Calico網絡。

BGP Route Reflector: 大規模集群的分級路由分發。

calico: calico命令行管理工具


為Node節點部署calico網絡,參照官方文檔:https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/hosted ,步驟如下:

1,下載部署的yaml文件:

wget https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/rbac.yaml
wget https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/calico.yaml

2,對於第1步下載的RBAC文件(此處保存為calico-rbac.yaml),不用做修改,直接創建即可:

root@calico:/data/calico.yaml# kubectl create -f calico-rbac.yaml 
clusterrole "calico-kube-controllers" created
clusterrolebinding "calico-kube-controllers" created
clusterrole "calico-node" created
clusterrolebinding "calico-node" created

3,配置calico

calico# vim calico.yaml
data:
  # Configure this with the location of your etcd cluster.
  etcd_endpoints: "https://10.3.1.15:2379,https://10.3.1.16:2379,https://10.3.1.17:2379"
  
  # If you're using TLS enabled etcd uncomment the following.
  # You must also populate the Secret below with these files.  
  etcd_ca: "/calico-secrets/etcd-ca"   
  etcd_cert: "/calico-secrets/etcd-cert"
  etcd_key: "/calico-secrets/etcd-key"
  
  
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: calico-etcd-secrets
  namespace: kube-system
data:
  etcd-key: $(cat /etc/kubernetes/ssl/etcd-key.pem | base64 | tr -d '\n') #將該命令的輸出結果填寫在這裏
  etcd-cert: $(cat /etc/kubernetes/ssl/etcd.pem | base64 | tr -d '\n') #將該命令的輸出結果填寫在這裏
  etcd-ca: $(cat /etc/kubernetes/ssl/ca.pem | base64 | tr -d '\n') #將該命令的輸出結果填寫在這裏
  #如果etcd沒有啟用tls則為null
  #填入後calico.yaml即包含etcd客戶端私鑰(base64只是編碼,並非加密),注意該文件的存放位置與讀取權限
  #上面是必須要修改的參數,文件中有一個參數是設置pod network地址的,根據實際情況做修改:
   - name: CALICO_IPV4POOL_CIDR
     value: "192.168.0.0/16"

calico-node服務的主要參數:

CALICO_IPV4POOL_CIDR: Calico IPAM的IP地址池,Pod的IP地址將從該池中進行分配

CALICO_IPV4POOL_IPIP:是否啟用IPIP模式,啟用IPIP模式時,Calico將在node上創建一個tunl0的虛擬隧道。

FELIX_LOGSEVERITYSCREEN: 日誌級別

FELIX_IPV6SUPPORT : 是否啟用IPV6


4,創建:

calico# kubectl create -f calico.yaml 
configmap "calico-config" created
secret "calico-etcd-secrets" created
daemonset "calico-node" created
deployment "calico-kube-controllers" created
deployment "calico-policy-controller" created
serviceaccount "calico-kube-controllers" created
serviceaccount "calico-node" created

創建的資源如下:

 DaemonSet: 
       name: calico-node 這個pod裏運行兩個容器
 
	      hostNetwork: true
	      serviceAccountName: calico-node
	 兩個容器:
	         name: calico-node
	         image: quay.io/calico/node:v2.6.5
	
	         - name: install-cni
	           image: quay.io/calico/cni:v1.11.2
	           command: ["/install-cni.sh"]
	          
	 calico-node:   calico服務程序,用於設置Pod的網絡資源,保證pod的網絡與各Node互聯互通,它還需要以HostNetwork模式運行,直接使用宿主機網絡。
	 install-cni : 在各Node上安裝CNI二進制文件到/opt/cni/bin目錄下,並安裝相應的網絡配置文件到/etc/cni/net.d目錄下

Deployment
      name ---calico-kube-controllers replicas: 1   #網絡策略控制器
      serviceAccountName: calico-kube-controllers
      containers:        
        - name: calico-kube-controllers
          image: quay.io/calico/kube-controllers:v1.0.2
calico# kubectl get deployment,pod -n kube-system 
NAME                              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deploy/calico-kube-controllers    1         1         1            1           4m
deploy/calico-policy-controller   0         0         0            0           4m

NAME                                           READY     STATUS    RESTARTS   AGE
po/calico-kube-controllers-56d9f8c44c-6hftd    1/1       Running   0          4m
po/calico-node-6k827                           2/2       Running   0          4m
po/calico-node-wfbpz                           2/2       Running   0          4m
#calico-node用的是daemonset,會在每個node上啟動一個


5,設置各node上Kubelet服務的啟動參數: --network-plugin=cni, 可能還要加上這兩個參數:

--cni-conf-dir CNI插件的配置文件目錄,默認為/etc/cni/net.d 該目錄下的配置文件內容需要符合CNI規範

--cni-bin-dir: CNI插件的可執行文件目錄,默認為/opt/cni/bin

設置 master上的kube-apiserver服務的啟動參數: --allow-privileged=true (因為calico-node需要以特權模式運行在各node上)

設置好後,重新啟動kubelet。

這樣通過calico就完成了Node間容器網絡的設置,在後續的pod創建過程中,Kubelet將通過CNI接口調用calico進行Pod的網絡設置,

包括IP地址,路由規則,Iptables規則


6,驗證各Node間網絡聯通性:

kubelet啟動後主機上就生成了一個tunl0接口。
#第一臺Node查看:
root@node1# ip route
192.168.77.192/26 via 10.3.1.17 dev tunl0  proto bird onlink 

#第二臺Node查看:
root@node2# ip route
192.168.150.192/26 via 10.3.1.16 dev tunl0  proto bird onlink 


#每臺node上都自動設置了到其它node上pod網絡的路由,去往其它節點的路都是通過tunl0接口。
