Kubernetes之部署calico網絡
Calico組件:
Felix:Calico agent 運行在每臺node上,為容器設置網絡信息:IP,路由規則,iptable規則等
etcd:calico後端存儲
BIRD: BGP Client: 負責把Felix在各node上設置的路由信息廣播到Calico網絡 , 通過BGP協議來著
BGP Route Reflector: 大規則集群的分級路由分發。
calico: calico命令行管理工具
為Node節點部署calico網絡,參照官方文檔:https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/hosted ,步驟如下:
1,下載部署的yaml文件:
wget https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/rbac.yaml wget https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/calico.yaml
2,對於RBAC文件,不用做修改,直接創建即可:
root@calico:/data/calico.yaml# kubectl create -f calico-rbac.yaml clusterrole "calico-kube-controllers" created clusterrolebinding "calico-kube-controllers" created clusterrole "calico-node" created clusterrolebinding "calico-node" created
3,配置calico
calico# vim calico.yaml data: # Configure this with the location of your etcd cluster. etcd_endpoints: "https://10.3.1.15:2379,https://10.3.1.16:2379,https://10.3.1.17:2379" # If you're using TLS enabled etcd uncomment the following. # You must also populate the Secret below with these files. etcd_ca: "/calico-secrets/etcd-ca" etcd_cert: "/calico-secrets/etcd-cert" etcd_key: "/calico-secrets/etcd-key" apiVersion: v1 kind: Secret type: Opaque metadata: name: calico-etcd-secrets namespace: kube-system data: etcd-key: (cat /etc/kubernetes/ssl/etcd-key.pem | base64 | tr -d '\n') #將輸出結果填寫在這裏 etcd-cert: (cat /etc/kubernetes/ssl/etcd.pem | base64 | tr -d '\n') #將輸出結果填寫在這裏 etcd-ca: (cat /etc/kubernetes/ssl/ca.pem | base64 | tr -d '\n') #將輸出結果填寫在這裏 #如果etcd沒用啟用tls則為null #上面是必須要修改的參數,文件中有一個參數是設置pod network地址的,根據實際情況做修改: - name: CALICO_IPV4POOL_CIDR value: "192.168.0.0/16"
calico-node服務的主要參數:
CALICO_IPV4POOL_CIDR: Calico IPAM的IP地址池,Pod的IP地址將從該池中進行分配
CALICO_IPV4POOL_IPIP:是否啟用IPIP模式,啟用IPIP模式時,Calico將在node上創建一個tunl0的虛擬隧道。
FELIX_LOGSEVERITYSCREEN: 日誌級別
FELIX_IPV6SUPPORT : 是否啟用IPV6
4,創建:
calico# kubectl create -f calico.yaml configmap "calico-config" created secret "calico-etcd-secrets" created daemonset "calico-node" created deployment "calico-kube-controllers" created deployment "calico-policy-controller" created serviceaccount "calico-kube-controllers" created serviceaccount "calico-node" created
創建的資源如下:
DaemonSet: name: calico-node 這個pod裏運行兩個容器 hostNetwork: true serviceAccountName: calico-node 兩個容器: name: calico-node image: quay.io/calico/node:v2.6.5 - name: install-cni image: quay.io/calico/cni:v1.11.2 command: ["/install-cni.sh"] calico-node: calico服務程序,用於設置Pod的網絡資源,保證pod的網絡與各Node互聯互通,它還需要以HostNetwork模式運行,直接使用宿主機網絡。 install-cni : 在各Node上安裝CNI二進制文件到/opt/cni/bin目錄下,並安裝相應的網絡配置文件到/etc/cni/net.d目錄下 Deployment name ---calico-kube-controllers replicas: 1 #網絡策略控制器 serviceAccountName: calico-kube-controllers containers: - name: calico-kube-controllers image: quay.io/calico/kube-controllers:v1.0.2
calico# kubectl get deployment,pod -n kube-system NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE deploy/calico-kube-controllers 1 1 1 1 4m deploy/calico-policy-controller 0 0 0 0 4m NAME READY STATUS RESTARTS AGE po/calico-kube-controllers-56d9f8c44c-6hftd 1/1 Running 0 4m po/calico-node-6k827 2/2 Running 0 4m po/calico-node-wfbpz 2/2 Running 0 4m #calico-node用的是daemonset,會在每個node上啟動一個
5,設置各node上Kubelet服務的啟動參數: --network-plugin=cni, 可能還要加上這兩個參數:
--cni-conf-dir CNI插件的配置文件目錄,默認為/etc/cni/net.d 該目錄下的配置文件內容需要符合CNI規範
--cni-bin-dir: CNI插件的可執行文件目錄,默認為/opt/cni/bin
設置 master上的kube-apiserver服務的啟動參數: --allow-privileged=true (因為calico-node需要以特權模式運行在各node上)
設置好後,重新啟動kubelet。
這樣通過calico就完成了Node間容器網絡的設置 ,在後續的pod創建過程中,Kubelet將通過CNI接口調用 calico進行Pod的網絡設置
包括IP地址,路由規則,Iptables規則
6,驗證各Node間網絡聯通性:
kubelet啟動後主機上就生成了一個tunl0接口。 #第一臺Node查看: root@node1# ip route 192.168.77.192/26 via 10.3.1.17 dev tunl0 proto bird onlink #第二臺Node查看: root@node2# ip route 192.168.150.192/26 via 10.3.1.16 dev tunl0 proto bird onlink #每臺node上都自動設置了到其它node上pod網絡的路由,去往其它節點的路都是通過tunl0接口。
Kubernetes之部署calico網絡