Calico for networking in Kubernetes: an introduction and a bit of experience

The purpose of this article is to introduce the reader to the basics of networking and network policy management in Kubernetes, and to the third-party Calico plugin that extends the standard capabilities. Along the way, the ease of configuration and some of the features are shown using real examples from our operational experience.

A quick introduction to Kubernetes networking

A Kubernetes cluster cannot be imagined without a network. We have already published materials on the basics: "An Illustrated Guide to Kubernetes Networking" and "An Introduction to Kubernetes Network Policies for Security Professionals".

In the context of this article, it is important to note that K8s itself is not responsible for network connectivity between containers and nodes: various CNI (Container Networking Interface) plugins are used for that. We have also written about this concept.

For example, the most common of these plugins is Flannel: it provides full network connectivity between all cluster nodes by raising a bridge on each node and assigning a subnet to it. However, full unrestricted reachability is not always beneficial. To provide at least minimal isolation in the cluster, one has to intervene in the firewall configuration. In the general case it is managed by the same CNI, which is why any third-party intervention in iptables may be interpreted incorrectly or ignored entirely.

"Out of the box", the NetworkPolicy API is provided for managing network policies in a Kubernetes cluster. This resource, applied to selected namespaces, can contain rules that differentiate access from one application to another. It also lets you configure access between specific pods, environments (namespaces) or IP address blocks:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

This is not the most primitive example from the documentation, and it can once and for all discourage any desire to understand the logic of how network policies work. Nevertheless, we will still try to grasp the basic principles and methods of traffic control using network policies...

It is logical that there are two types of traffic: entering a pod (Ingress) and leaving it (Egress).

Actually, policies are divided into two categories according to the direction of traffic.

The next required attribute is a selector: whom the rule applies to. This can be a pod (or a group of pods) or an environment (i.e. a namespace). An important detail: both kinds of objects must carry labels (a "label" in Kubernetes terminology); these are what policies operate on.

Besides a finite set of selectors joined by some kind of label, it is possible to write rules like "Allow/deny everything/everyone" in different variations. For this purpose, constructs of the following form are used:

  podSelector: {}
  ingress: []
  policyTypes:
  - Ingress

- in this example, all pods in the environment are blocked from incoming traffic. The opposite can be achieved with the following construct:

  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress

Similarly for egress:

  podSelector: {}
  policyTypes:
  - Egress

- to disable it. And here is what enables it:

  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress

Returning to the choice of a CNI plugin for the cluster, it is worth noting that not every network plugin supports NetworkPolicy. For example, the already mentioned Flannel does not know how to configure network policies, which is stated directly in the official repository. An alternative is also mentioned there: the open source project Calico, which significantly expands the standard set of Kubernetes APIs in terms of network policies.

Getting to know Calico: theory

The Calico plugin can be used in integration with Flannel (the canal subproject) or on its own, covering both network connectivity and availability management capabilities.

What capabilities does the "boxed" K8s solution provide, and what does the API set from Calico add?

Here is what is built into NetworkPolicy:

  • policies are limited by environment (namespace);
  • policies are applied to pods marked with labels;
  • rules can be applied to pods, environments or subnets;
  • rules can contain a protocol, and named or symbolic port specifications.

Here is how Calico extends these functions:

  • policies can be applied to any object: pod, container, virtual machine or interface;
  • rules can contain a specific action (deny, allow, log);
  • the target or source of a rule can be a port, a port range, protocols, HTTP or ICMP attributes, an IP or subnet (v4 or v6), or any selectors (nodes, hosts, environments);
  • additionally, you can regulate the passage of traffic using DNAT settings and traffic forwarding policies.

The first commits on GitHub in the Calico repository date from July 2016, and a year later the project took a leading position in Kubernetes networking; this is shown, for example, by the results of a survey conducted by The New Stack:

Many large managed K8s solutions, such as Amazon EKS, Azure AKS, Google GKE and others, began recommending it for use.

As for performance, everything is fine here. When testing their product, the Calico development team demonstrated astronomical performance, running more than 50,000 containers on 500 physical nodes with a container creation rate of 20 per second. No scaling problems were identified. Such results were already announced with the first version. Independent studies focusing on throughput and resource consumption also confirm that Calico's performance is almost as good as Flannel's. For example:

The project is developing rapidly: it supports popular managed K8s solutions, OpenShift and OpenStack, Calico can be used when deploying a cluster with kops, and there are references to building Service Mesh networks (for example, it is used together with Istio).

Working with Calico

In the general case of vanilla Kubernetes, installing the CNI comes down to applying the calico.yaml file, downloaded from the official website, with kubectl apply -f.

As a rule, the current version of the plugin is compatible with the latest 2-3 versions of Kubernetes: operation on older versions is not tested and not guaranteed. According to the developers, Calico runs on Linux kernels above 3.10 on CentOS 7, Ubuntu 16 or Debian 8, on top of iptables or IPVS.

Isolation within an environment

For a general understanding, let's look at a simple case to see how network policies in Calico notation differ from the standard ones and how the approach to writing rules improves their readability and configurability:

There are 2 web applications deployed in the cluster, in Node.js and PHP, one of which uses Redis. To block access to Redis from PHP while keeping the connectivity with Node.js, just apply the following policy:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-redis-nodejs
spec:
  podSelector:
    matchLabels:
      service: redis
  ingress:
  - from:
    - podSelector:
        matchLabels:
          service: nodejs
    ports:
    - protocol: TCP
      port: 6379

Essentially we allowed incoming traffic to the Redis port from Node.js, and clearly did not forbid anything else. As soon as a NetworkPolicy appears, all the pods it selects become isolated unless stated otherwise. However, the isolation does not apply to other objects not covered by the selector.
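To make the "isolated as soon as selected" behaviour and the earlier allow-all/deny-all constructs concrete, here is an added example (not from the original article): a small Python evaluator of the Kubernetes NetworkPolicy ingress semantics. The policies are constructed copies of the ones shown above, the source descriptor shape (labels, namespace_labels, ip) is my own assumption, and only podSelector/namespaceSelector/ipBlock peers with numeric TCP/UDP ports are modelled.

```python
# Added example, not code from the article: evaluator for NetworkPolicy ingress.
from ipaddress import ip_address, ip_network


def _labels_match(match_labels, labels):
    """True when every key/value of the selector is present on the object ({} matches all)."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def _peer_matches(peer, src):
    """One entry of a `from:` list against a source {labels, namespace_labels, ip}.

    A peer carrying both namespaceSelector and podSelector requires both (AND).
    """
    if "ipBlock" in peer:
        block, ip = peer["ipBlock"], ip_address(src["ip"])
        if ip not in ip_network(block["cidr"]):
            return False
        return not any(ip in ip_network(e) for e in block.get("except", []))
    ok = True
    if "namespaceSelector" in peer:
        ok = ok and _labels_match(peer["namespaceSelector"].get("matchLabels", {}), src["namespace_labels"])
    if "podSelector" in peer:
        ok = ok and _labels_match(peer["podSelector"].get("matchLabels", {}), src["labels"])
    return ok


def _port_matches(ports, proto, port):
    if not ports:  # no `ports:` key means every port
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)


def ingress_allowed(policies, pod_labels, src, proto, port):
    """Additive semantics: no selecting policy -> allowed; otherwise some rule must match."""
    selecting = [p for p in policies
                 if _labels_match(p["spec"]["podSelector"].get("matchLabels", {}), pod_labels)
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            if not _port_matches(rule.get("ports"), proto, port):
                continue
            peers = rule.get("from")
            if not peers or any(_peer_matches(pe, src) for pe in peers):
                return True
    return False


# Constructed sample policies mirroring the article's snippets.
ALLOW_REDIS_FROM_NODEJS = {"spec": {
    "podSelector": {"matchLabels": {"service": "redis"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"service": "nodejs"}}}],
                 "ports": [{"protocol": "TCP", "port": 6379}]}]}}
DENY_ALL_INGRESS = {"spec": {"podSelector": {}, "ingress": [], "policyTypes": ["Ingress"]}}
ALLOW_ALL_INGRESS = {"spec": {"podSelector": {}, "ingress": [{}], "policyTypes": ["Ingress"]}}
DB_FROM_IPBLOCK = {"spec": {   # the ipBlock part of the first example in the article
    "podSelector": {"matchLabels": {"role": "db"}},
    "ingress": [{"from": [{"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}}],
                 "ports": [{"protocol": "TCP", "port": 6379}]}]}}

NODEJS = {"labels": {"service": "nodejs"}, "namespace_labels": {}, "ip": "10.0.0.5"}
PHP = {"labels": {"service": "php"}, "namespace_labels": {}, "ip": "10.0.0.6"}
REDIS = {"service": "redis"}


def demo():
    """The cases discussed in the text; returns name -> allowed?"""
    return {
        "no_policy": ingress_allowed([], REDIS, PHP, "TCP", 6379),
        "nodejs_to_redis": ingress_allowed([ALLOW_REDIS_FROM_NODEJS], REDIS, NODEJS, "TCP", 6379),
        "php_to_redis": ingress_allowed([ALLOW_REDIS_FROM_NODEJS], REDIS, PHP, "TCP", 6379),
        # the policy selects only redis pods, so a php pod stays unrestricted
        "nodejs_to_php": ingress_allowed([ALLOW_REDIS_FROM_NODEJS], {"service": "php"}, NODEJS, "TCP", 80),
        "deny_all": ingress_allowed([DENY_ALL_INGRESS], REDIS, NODEJS, "TCP", 6379),
        # policies are additive: deny-all plus allow-all means allowed
        "deny_plus_allow": ingress_allowed([DENY_ALL_INGRESS, ALLOW_ALL_INGRESS], REDIS, PHP, "TCP", 6379),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ALLOW' if verdict else 'DENY'}")
```

The "deny_plus_allow" case is the point to keep in mind when reviewing a namespace: a default-deny policy never overrides an allow written elsewhere, because the API only adds permissions.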

The example uses the out-of-the-box Kubernetes apiVersion, but nothing prevents you from using the resource of the same name from the Calico distribution. Its syntax is more detailed, so the rule for the case above would be rewritten in the following form:

apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-nodejs
spec:
  selector: service == 'redis'
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: service == 'nodejs'
    destination:
      ports:
      - 6379

The constructs mentioned above for allowing or denying all traffic through the regular NetworkPolicy API rely on braces and brackets that are hard to understand and remember. In the case of Calico, to invert the logic of a firewall rule, just change action: Allow to action: Deny.
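The mapping between the two notations is mechanical for the common cases, so here is an added example (my own code, not from the article or the Calico project): a dependency-free Python converter from a Kubernetes NetworkPolicy dict (as parsed from YAML) to the equivalent Calico NetworkPolicy dict. It follows the translation shown above: matchLabels become `key == 'value'` selector expressions, each `from` peer becomes an `action: Allow` rule, and ports move under `destination`. Only matchLabels, podSelector/namespaceSelector peers and numeric ports are handled; matchExpressions and ipBlock raise rather than being silently dropped.

```python
# Added example, not the article's or Calico's code: K8s NetworkPolicy -> Calico NetworkPolicy.
import json


def labels_to_selector(selector):
    """{'matchLabels': {'service': 'redis'}} -> "service == 'redis'"; {} -> "all()"."""
    if "matchExpressions" in selector:
        raise ValueError("matchExpressions are not handled by this converter")
    labels = selector.get("matchLabels", {})
    if not labels:
        return "all()"
    return " && ".join(f"{k} == '{v}'" for k, v in sorted(labels.items()))


def _peer_to_source(peer):
    """One entry of a `from:` list -> Calico `source:` block."""
    if "ipBlock" in peer:
        raise ValueError("ipBlock peers are not handled by this converter")
    source = {}
    if "podSelector" in peer:
        source["selector"] = labels_to_selector(peer["podSelector"])
    if "namespaceSelector" in peer:
        source["namespaceSelector"] = labels_to_selector(peer["namespaceSelector"])
    return source


def _ports_by_protocol(ports):
    """Group numeric ports per protocol; an absent `ports:` means one rule with no port limit."""
    if not ports:
        return {None: []}
    grouped = {}
    for p in ports:
        grouped.setdefault(p.get("protocol", "TCP"), []).append(p["port"])
    return grouped


def k8s_to_calico(policy):
    """Convert a Kubernetes NetworkPolicy dict to a Calico NetworkPolicy dict."""
    spec = policy["spec"]
    out = {"apiVersion": "crd.projectcalico.org/v1", "kind": "NetworkPolicy",
           "metadata": dict(policy.get("metadata", {})),
           "spec": {"selector": labels_to_selector(spec.get("podSelector", {}))}}
    if "policyTypes" in spec:   # keeps `ingress: []` meaning "deny all ingress" on the Calico side
        out["spec"]["types"] = list(spec["policyTypes"])
    rules = []
    for rule in spec.get("ingress", []):
        for proto, ports in _ports_by_protocol(rule.get("ports")).items():
            for peer in rule.get("from") or [{}]:
                r = {"action": "Allow"}
                if proto:
                    r["protocol"] = proto
                source = _peer_to_source(peer)
                if source:
                    r["source"] = source
                if ports:
                    r["destination"] = {"ports": ports}
                rules.append(r)
    if rules:
        out["spec"]["ingress"] = rules
    return out


# Constructed copies of the two Kubernetes policies used in the article.
ALLOW_REDIS_NODEJS = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                      "metadata": {"name": "allow-redis-nodejs"},
                      "spec": {"podSelector": {"matchLabels": {"service": "redis"}},
                               "ingress": [{"from": [{"podSelector": {"matchLabels": {"service": "nodejs"}}}],
                                            "ports": [{"protocol": "TCP", "port": 6379}]}]}}
ALLOW_METRICS_PROM = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                      "metadata": {"name": "allow-metrics-prom"},
                      "spec": {"podSelector": {},
                               "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"module": "prometheus"}}}],
                                            "ports": [{"protocol": "TCP", "port": 9100}]}]}}

if __name__ == "__main__":
    for pol in (ALLOW_REDIS_NODEJS, ALLOW_METRICS_PROM):
        print(json.dumps(k8s_to_calico(pol), indent=2))
```

The converter writes `selector: all()` explicitly where the article's Calico version simply omits the selector; the two are equivalent, since an absent selector in a Calico policy defaults to all endpoints in the namespace.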

Isolation by environment

Now imagine a situation where an application generates business metrics for collection in Prometheus and further analysis in Grafana. The payload may contain sensitive data, which is moreover publicly visible by default. Let's hide this data from prying eyes:

Prometheus, as a rule, is placed in a separate service environment; in the example it will be a namespace like this:

apiVersion: v1
kind: Namespace
metadata:
  labels:
    module: prometheus
  name: kube-prometheus

The metadata.labels field here is not accidental. As mentioned above, namespaceSelector (as well as podSelector) operates on labels. Therefore, to allow metrics to be collected from all pods on a specific port, you have to add some label (or use an existing one), and then apply a configuration like:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-metrics-prom
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          module: prometheus
    ports:
    - protocol: TCP
      port: 9100

And if you use Calico policies, the syntax will look like this:

apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-metrics-prom
spec:
  ingress:
  - action: Allow
    protocol: TCP
    source:
      namespaceSelector: module == 'prometheus'
    destination:
      ports:
      - 9100

In general, by adding such policies for specific needs, you can protect against malicious or accidental interference in the operation of applications in the cluster.

The best practice, according to the creators of Calico, is the approach "Block everything and explicitly open what you need", which is described in the documentation (others follow a similar approach too; in particular, the article already mentioned above).

Using additional Calico objects

Let me remind you that through the extended set of Calico APIs you can regulate the reachability of nodes, not just pods. In the following example, a GlobalNetworkPolicy closes the ability to pass ICMP requests within the cluster (for example, pings from a pod to a node, between pods, or from a node to a pod's IP):

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: block-icmp
spec:
  order: 200
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Deny
    protocol: ICMP
  egress:
  - action: Deny
    protocol: ICMP

In the case above, it is still possible for cluster nodes to "reach" each other via ICMP. That is achieved with a GlobalNetworkPolicy applied to a HostEndpoint entity:

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: deny-icmp-kube-02
spec:
  selector: "role == 'k8s-node'"
  order: 0
  ingress:
  - action: Allow
    protocol: ICMP
  egress:
  - action: Allow
    protocol: ICMP
---
apiVersion: crd.projectcalico.org/v1
kind: HostEndpoint
metadata:
  name: kube-02-eth0
  labels:
    role: k8s-node
spec:
  interfaceName: eth0
  node: kube-02
  expectedIPs: ["192.168.2.2"]

The VPN case

Finally, I'll give a real example of using Calico features for a near-perimeter scenario, where the standard policy sets are not enough. To access the web application, clients use a VPN tunnel, and this access is strictly controlled and limited to a specific list of services permitted for use:

Clients connect to the VPN through the standard UDP port 1194 and, once connected, receive routes to the cluster subnets of pods and services. Entire subnets are pushed so that services are not lost during restarts and address changes.

The port in the configuration is the standard one, which imposes some nuances on configuring the application and moving it into the Kubernetes cluster. For example, in AWS a LoadBalancer for UDP appeared literally at the end of last year and only in a limited list of regions, and NodePort cannot be used because it is forwarded on all cluster nodes, so the number of server instances cannot be scaled for fault tolerance. On top of that, you would have to change the default port range...

After searching through the possible solutions, the following was chosen:

  1. Pods with the VPN are scheduled on each node in hostNetwork, that is, on the real IP.
  2. The service is published externally via ClusterIP. A port is physically opened on the node, which is accessible from outside with minor reservations (the conditional presence of a real IP address).
  3. Determining the node on which the pod came up is beyond the scope of this article. I will only say that you can pin the service tightly to a node, or write a small sidecar service that monitors the current IP address of the VPN service and edits the DNS records registered with the clients; whatever your imagination allows.

From the routing perspective, we can uniquely identify a VPN client by the IP address issued to it by the VPN server. Below is a primitive example of restricting such a client's access to services, illustrated on the Redis mentioned above:

apiVersion: crd.projectcalico.org/v1
kind: HostEndpoint
metadata:
  name: vpnclient-eth0
  labels:
    role: vpnclient
    environment: production
spec:
  interfaceName: "*"
  node: kube-02
  expectedIPs: ["172.176.176.2"]
---
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: vpn-rules
spec:
  selector: "role == 'vpnclient'"
  order: 0
  applyOnForward: true
  preDNAT: true
  ingress:
  - action: Deny
    protocol: TCP
    destination:
      ports: [6379]
  - action: Allow
    protocol: UDP
    destination:
      ports: [53, 67]

Here, connecting to port 6379 is strictly prohibited, while the DNS service keeps working, which is something that often breaks when drawing up rules. Because, as mentioned earlier, once a selector matches an endpoint, the default deny policy applies to it unless specified otherwise.
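The ordering rules behind this policy and the earlier ICMP pair (block-icmp at order 200 versus the node policy at order 0) are easy to get wrong, so here is an added example (my own code, not from the article or Calico) that evaluates Calico GlobalNetworkPolicy semantics as the text describes them: policies apply in ascending `order` (ties broken by name), rules are tried top to bottom, the first Allow or Deny match decides, a Log rule records the packet and continues, and an endpoint selected by at least one policy but matched by no rule is denied by default. The policies are constructed copies of the ones on this page plus one hypothetical Log policy (log-vpn-redis); selectors are reduced to `all()` and a single `key == 'value'` comparison, and only protocol and destination port are considered.

```python
# Added example, not the article's or Calico's code: evaluator for ordered Calico policies.


def selector_matches(expr, labels):
    """Reduced selector syntax: all() or a single key == 'value' comparison."""
    expr = expr.strip()
    if expr == "all()":
        return True
    key, _, value = expr.partition("==")
    return labels.get(key.strip()) == value.strip().strip("'\"")


def _policy_types(spec):
    """Calico's default for `types`: the directions that have rules, else Ingress."""
    if "types" in spec:
        return spec["types"]
    present = [d.capitalize() for d in ("ingress", "egress") if d in spec]
    return present or ["Ingress"]


def _rule_matches(rule, pkt):
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    ports = rule.get("destination", {}).get("ports")
    return not ports or pkt.get("dport") in ports


def evaluate(policies, endpoint_labels, pkt, direction="ingress", unselected="Allow"):
    """Return (verdict, log_lines). `unselected` is the verdict when no policy selects
    the endpoint: workload endpoints are allowed by their profile, while Calico denies
    a HostEndpoint that has no policy at all (apart from its failsafe rules)."""
    applicable = sorted(
        (p for p in policies
         if selector_matches(p["spec"]["selector"], endpoint_labels)
         and direction.capitalize() in _policy_types(p["spec"])),
        key=lambda p: (p["spec"].get("order", float("inf")), p["metadata"]["name"]),
    )
    log = []
    if not applicable:
        return unselected, log
    for pol in applicable:
        for rule in pol["spec"].get(direction, []):
            if not _rule_matches(rule, pkt):
                continue
            if rule["action"] == "Log":   # Log records and falls through to the next rule
                log.append(f"{pol['metadata']['name']}: {pkt['protocol']}/{pkt.get('dport')}")
                continue
            return rule["action"], log
    return "Deny", log   # selected, but no rule matched: implicit deny


# Constructed copies of the article's policies plus one hypothetical Log policy.
BLOCK_ICMP = {"metadata": {"name": "block-icmp"},
              "spec": {"order": 200, "selector": "all()", "types": ["Ingress", "Egress"],
                       "ingress": [{"action": "Deny", "protocol": "ICMP"}],
                       "egress": [{"action": "Deny", "protocol": "ICMP"}]}}
ALLOW_ICMP_NODES = {"metadata": {"name": "deny-icmp-kube-02"},
                    "spec": {"order": 0, "selector": "role == 'k8s-node'",
                             "ingress": [{"action": "Allow", "protocol": "ICMP"}],
                             "egress": [{"action": "Allow", "protocol": "ICMP"}]}}
VPN_RULES = {"metadata": {"name": "vpn-rules"},
             "spec": {"order": 0, "selector": "role == 'vpnclient'",
                      "ingress": [{"action": "Deny", "protocol": "TCP", "destination": {"ports": [6379]}},
                                  {"action": "Allow", "protocol": "UDP", "destination": {"ports": [53, 67]}}]}}
LOG_VPN_REDIS = {"metadata": {"name": "log-vpn-redis"},   # hypothetical, added for the demo
                 "spec": {"order": 0, "selector": "role == 'vpnclient'",
                          "ingress": [{"action": "Log", "protocol": "TCP", "destination": {"ports": [6379]}}]}}


def demo():
    vpn, icmp = [VPN_RULES, LOG_VPN_REDIS], [BLOCK_ICMP, ALLOW_ICMP_NODES]
    client, node, pod = {"role": "vpnclient"}, {"role": "k8s-node"}, {"app": "web"}
    return {
        "vpn_redis": evaluate(vpn, client, {"protocol": "TCP", "dport": 6379}),
        "vpn_dns": evaluate(vpn, client, {"protocol": "UDP", "dport": 53}),
        "vpn_http": evaluate(vpn, client, {"protocol": "TCP", "dport": 80}),
        "vpn_egress_untouched": evaluate(vpn, client, {"protocol": "TCP", "dport": 6379}, "egress"),
        "pod_ping": evaluate(icmp, pod, {"protocol": "ICMP"}),
        "node_ping": evaluate(icmp, node, {"protocol": "ICMP"}),
        "node_ping_egress": evaluate(icmp, node, {"protocol": "ICMP"}, "egress"),
    }


if __name__ == "__main__":
    for name, (verdict, log) in demo().items():
        print(f"{name}: {verdict} {log}")
```

Two things worth noticing in the output: "vpn_http" is denied although no rule mentions port 80, which is the implicit deny the paragraph above refers to, and "vpn_egress_untouched" is allowed because a policy with only ingress rules has `types: [Ingress]` by default and says nothing about egress.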

Conclusions

So, using Calico's advanced API, you can flexibly configure and dynamically change routing within and around the cluster. In general, its use may look like shooting sparrows with a cannon, and implementing an L3 network with BGP and IP-IP tunnels looks intimidating in a simple Kubernetes installation on a flat network... Otherwise, though, the tool looks quite viable and useful.

Isolating a cluster to meet security requirements is not always feasible, and this is where Calico (or a similar solution) comes to the rescue. The examples given in this article (with minor modifications) are used in several of our clients' installations in AWS.

Source: www.habr.com