Lura. fassara: Wannan labarin, wanda injiniyan SRE daga LinkedIn ya rubuta, ya shiga daki-daki game da sihiri na ciki a cikin Kubernetes - mafi daidai, hulɗar CRI, CNI da kube-apiserver - wanda ke faruwa lokacin da kwafsa na gaba ya buƙaci a sanya adireshin IP.
Ɗaya daga cikin buƙatun asali shi ne cewa kowane fasfo dole ne ya kasance yana da adireshin IP na kansa kuma duk wani kwas ɗin da ke cikin cluster dole ne ya iya tuntuɓar shi a wannan adireshin. Akwai "masu samar da cibiyar sadarwa" da yawa (Flannel, Calico, Canal, da dai sauransu) waɗanda ke taimakawa aiwatar da wannan ƙirar hanyar sadarwa.
Lokacin da na fara aiki tare da Kubernetes, ban fayyace mani gabaɗaya yadda ainihin kwas ɗin ke samun adireshin IP ɗin su ba. Ko da tare da fahimtar yadda ɗayan sassan ke aiki, yana da wuya a yi tunanin suna aiki tare. Misali, na san abin da CNI plugins suke, amma ban san yadda ake kiran su daidai ba. Saboda haka, na yanke shawarar rubuta wannan labarin don raba ilimi game da nau'ikan hanyoyin sadarwa daban-daban da kuma yadda suke aiki tare a cikin gungu na Kubernetes, wanda ke ba kowane kwafsa damar samun adireshin IP na musamman.
Akwai hanyoyi daban-daban don tsara hanyar sadarwa a Kubernetes, kamar yadda akwai zaɓuɓɓukan lokacin gudu daban-daban don kwantena. Wannan littafin zai yi amfani don tsara hanyar sadarwa a cikin tari, kuma azaman yanayin aiwatarwa - . Ina kuma yin zato cewa kun san yadda sadarwar tsakanin kwantena ke aiki, don haka zan taɓa shi a taƙaice, kawai don mahallin.
Wasu mahimman ra'ayoyi
Kwantena da Cibiyar sadarwa: Takaitaccen Bayani
Akwai ɗimbin ingantattun wallafe-wallafe akan Intanet waɗanda ke bayyana yadda kwantena ke sadarwa da juna akan hanyar sadarwa. Don haka, kawai zan ba da taƙaitaccen bayani game da ainihin ra'ayi kuma in iyakance kaina ga hanya ɗaya, wanda ya haɗa da ƙirƙirar gadar Linux da ɗaukar fakiti. An yi watsi da cikakkun bayanai, tunda batun sadarwar kwantena da kansa ya cancanci labarin daban. Za a samar da hanyoyin haɗin kai zuwa wasu wallafe-wallafen masu fa'ida da ilimi a ƙasa.
Kwantena a kan runduna ɗaya
Hanya ɗaya don tsara sadarwa ta adiresoshin IP tsakanin kwantena da ke gudana akan runduna ɗaya ta haɗa da ƙirƙirar gadar Linux. Don wannan dalili, ana ƙirƙira na'urori masu kama-da-wane a cikin Kubernetes (da Docker) . Ɗayan ƙarshen na'urar veth yana haɗi zuwa wurin sunan cibiyar sadarwar kwantena, ɗayan zuwa a kan cibiyar sadarwar mai watsa shiri.
Duk kwantena da ke kan masauki ɗaya suna da ƙarshen veth ɗin da aka haɗa da gada ta hanyar da za su iya sadarwa da juna ta adiresoshin IP. Gadar Linux kuma tana da adireshin IP kuma tana aiki azaman ƙofa don zirga-zirgar ababen hawa daga kwas ɗin da aka nufa don wasu nodes.
Kwantena a kan runduna daban-daban
Rufin fakiti hanya ɗaya ce da ke ba da damar kwantena akan nodes daban-daban don sadarwa tare da juna ta amfani da adiresoshin IP. A Flannel, fasaha ce ke da alhakin wannan damar. , wanda "fakitin" ainihin fakitin cikin fakitin UDP sannan ya aika zuwa inda yake.
A cikin gungu na Kubernetes, Flannel yana ƙirƙirar na'urar vxlan kuma yana sabunta teburin hanya akan kowane kumburi daidai da haka. Kowane fakitin da aka nufa don kwantena akan wani masauki daban yana wucewa ta na'urar vxlan kuma an lullube shi a cikin fakitin UDP. A wurin da aka nufa, ana fitar da fakitin da aka gina a tura shi zuwa faifan da ake so.
Lura: Wannan hanya ɗaya ce kawai don tsara sadarwar hanyar sadarwa tsakanin kwantena.
Menene CRI?
plugin ne wanda ke ba da damar kubelet don amfani da mahalli daban-daban na lokacin aiki. API ɗin CRI an gina shi cikin lokuta daban-daban, don haka masu amfani za su iya zaɓar lokacin aikin da suka zaɓa.
Menene CNI?
ne mai don tsara hanyar sadarwa ta duniya don kwantena Linux. Bugu da kari, ya hada da , alhakin ayyuka daban-daban lokacin kafa cibiyar sadarwa ta pod. Fayil ɗin CNI fayil ne mai aiwatarwa wanda ya dace da ƙayyadaddun bayanai (za mu tattauna wasu plugins a ƙasa).
Rarraba hanyoyin sadarwa zuwa nodes don sanya adiresoshin IP zuwa kwasfan fayiloli
Tunda kowane kwasfa a cikin tari dole ne ya sami adireshin IP, yana da mahimmanci a tabbatar da cewa wannan adireshin na musamman ne. Ana samun wannan ta hanyar sanya wa kowane kulli wani yanki na musamman na musamman, wanda daga cikin kuɗaɗɗen da ke wannan kumburin ana sanya adiresoshin IP.
Node IPAM Controller
Lokacin nodeipam wuce a matsayin siga na tuta --controllers , yana keɓance keɓantaccen yanki (podCIDR) ga kowane kumburi daga gungu CIDR (watau kewayon adiresoshin IP don cibiyar sadarwar tari). Tun da waɗannan podCIDRs ba su zoba, yana yiwuwa ga kowane kwafsa a ware wani adireshin IP na musamman.
Ana sanya kumburin Kubernetes podCIDR lokacin da aka fara rajista da gungu. Don canza podCIDR na nodes, kuna buƙatar soke rajistar su sannan ku sake yi musu rajista, yin canje-canje masu dacewa ga tsarin kula da Layer Kubernetes tsakanin. Kuna iya nuna podCIDR na kumburi ta amfani da umarni mai zuwa:
$ kubectl get no <nodeName> -o json | jq '.spec.podCIDR'
10.244.0.0/24
Kubelet, lokacin aikin kwantena da CNI plugins: yadda duk yake aiki
Tsara fasfo kowane kumburi ya ƙunshi matakai na shiri da yawa. A cikin wannan sashe, zan mayar da hankali ne kawai ga waɗanda ke da alaƙa kai tsaye da kafa hanyar sadarwa ta pod.
Tsara fasfo zuwa wani kumburi yana haifar da jerin abubuwan da ke biyowa:
Taimako: .
Ma'amala tsakanin lokacin aikin ganga da plugins CNI
Kowane mai samar da hanyar sadarwa yana da nasa plugin CNI. Lokacin aikin kwantena yana gudanar da shi don saita hanyar sadarwa don kwafsa yayin da yake farawa. A cikin yanayin akwati, plugin ɗin CNI yana ƙaddamar da plugin ɗin .
Bugu da ƙari, kowane mai bayarwa yana da nasa wakili. An shigar da shi akan duk nodes na Kubernetes kuma yana da alhakin daidaitawar kwas ɗin cibiyar sadarwa. Ana haɗa wannan wakili ko dai tare da saitin CNI ko kuma ya ƙirƙira shi da kansa akan kumburi. Tsarin yana taimakawa CRI plugin saita wanda CNI plugin ya kira.
Za'a iya daidaita wurin saitin CNI; ta tsohuwa yana ciki /etc/cni/net.d/<config-file>. Masu gudanar da tari kuma suna da alhakin shigar da plugins na CNI akan kowane kullin gungu. Hakanan ana iya daidaita wurin su; tsoho directory - /opt/cni/bin.
Lokacin amfani da kwantena, ana iya saita hanyoyin don saitin plugin da binaries a cikin sashin [plugins.«io.containerd.grpc.v1.cri».cni] в .
Tun da muna amfani da Flannel a matsayin mai ba da hanyar sadarwar mu, bari mu ɗan yi magana game da saita shi:
- Flanneld (Flannel's daemon) yawanci ana shigar dashi a cikin gungu azaman DaemonSet tare da
install-cnikamar yadda . Install-cnihalitta (/etc/cni/net.d/10-flannel.conflist) a kowane kumburi.- Flanneld yana ƙirƙira na'urar vxlan, maido da metadata na cibiyar sadarwa daga uwar garken API, kuma yana sa ido kan sabunta kwas ɗin. Kamar yadda aka ƙirƙira su, yana rarraba hanyoyi zuwa duk kwas ɗin a cikin gungu.
- Waɗannan hanyoyin suna ba da damar kwasfan fayiloli don sadarwa tare da juna ta adiresoshin IP.
Don ƙarin cikakkun bayanai game da aikin Flannel, Ina ba da shawarar yin amfani da hanyoyin haɗin gwiwa a ƙarshen labarin.
Anan ga hoton ma'amala tsakanin kayan aikin Containerd CRI da plugins na CNI:
Kamar yadda kuke gani a sama, kubelet yana kiran Plugin Containerd CRI don ƙirƙirar kwaf ɗin, wanda sannan ya kira plugin ɗin CNI don saita hanyar sadarwar pod. A yin haka, CNI plugin na mai ba da hanyar sadarwa yana kiran sauran manyan abubuwan haɗin CNI don saita bangarori daban-daban na hanyar sadarwa.
Ma'amala tsakanin CNI plugins
Akwai nau'ikan plugins na CNI daban-daban waɗanda aikinsu shine don taimakawa saita sadarwar hanyar sadarwa tsakanin kwantena akan mai watsa shiri. Wannan talifin zai tattauna uku cikinsu.
CNI plugin Flannel
Lokacin amfani da Flannel azaman mai ba da hanyar sadarwa, ɓangaren CRI yana kira ta amfani da fayil ɗin sanyi na CNI /etc/cni/net.d/10-flannel.conflist.
$ cat /etc/cni/net.d/10-flannel.conflist
{
"name": "cni0",
"plugins": [
{
"type": "flannel",
"delegate": {
"ipMasq": false,
"hairpinMode": true,
"isDefaultGateway": true
}
}
]
}
Flannel CNI plugin yana aiki tare da Flanneld. Yayin farawa, Flanneld yana dawo da podCIDR da sauran bayanan da suka danganci hanyar sadarwa daga uwar garken API kuma yana adana su zuwa fayil /run/flannel/subnet.env.
FLANNEL_NETWORK=10.244.0.0/16
FLANNEL_SUBNET=10.244.0.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false
Flannel CNI plugin yana amfani da bayanai daga /run/flannel/subnet.env don daidaitawa da kira plugin CNI gada.
CNI plugin Bridge
Ana kiran wannan plugin ɗin tare da tsari mai zuwa:
{
"name": "cni0",
"type": "bridge",
"mtu": 1450,
"ipMasq": false,
"isGateway": true,
"ipam": {
"type": "host-local",
"subnet": "10.244.0.0/24"
}
}
Lokacin da aka kira shi da farko, yana ƙirƙirar gadar Linux tare da «name»: «cni0», wanda aka nuna a cikin config. Sa'an nan kuma an ƙirƙiri wani nau'i na veth don kowane kwasfa. Ɗayan ƙarshensa an haɗa shi da sunan cibiyar sadarwar kwantena, ɗayan yana cikin gadar Linux akan cibiyar sadarwar mai watsa shiri. yana haɗa duk kwantena masu masaukin baki zuwa gadar Linux akan cibiyar sadarwar rundunar.
Bayan gama saita veth biyu, gadar plugin ta kira mai masaukin baki IPAM CNI plugin. Ana iya daidaita nau'in plugin ɗin IPAM a cikin tsarin CNI wanda plugin ɗin CRI ke amfani da shi don kiran plugin ɗin Flannel CNI.
Mai masaukin baki IPAM CNI plugins
Bridge CNI kira tare da tsari mai zuwa:
{
"name": "cni0",
"ipam": {
"type": "host-local",
"subnet": "10.244.0.0/24",
"dataDir": "/var/lib/cni/networks"
}
}
Plugin IPAM mai masaukin baki (IP Address MGudanar da adireshin IP) dawo da adireshin IP na akwati daga rukunin yanar gizon kuma yana adana IP da aka keɓe akan mai watsa shiri a cikin kundin da aka ƙayyade a cikin sashin. dataDir - /var/lib/cni/networks/<network-name=cni0>/<ip>. Wannan fayil ɗin ya ƙunshi ID na akwati wanda aka sanya wannan adireshin IP ɗin zuwa gare shi.
Lokacin kiran kayan aikin IPAM na gida-gida, yana dawo da bayanan masu zuwa:
{
"ip4": {
"ip": "10.244.4.2",
"gateway": "10.244.4.3"
},
"dns": {}
}
Takaitaccen
Kube-controller-manajan yana sanya podCIDR zuwa kowane kumburi. Kowane kwas ɗin kulli yana karɓar adiresoshin IP daga sararin adireshi a cikin kewayon podCIDR da aka keɓe. Tun da nodes' podCIDRs ba su zoba, duk kwas ɗin suna karɓar adiresoshin IP na musamman.
Mai kula da gungu na Kubernetes yana daidaitawa da shigar da kubelet, lokacin aiki na ganga, wakilin mai ba da hanyar sadarwa, da kwafi plugins na CNI zuwa kowane kumburi. Yayin farawa, wakilin mai ba da hanyar sadarwa yana haifar da saitin CNI. Lokacin da aka tsara kwafsa zuwa kumburi, kubelet ya kira plugin ɗin CRI don ƙirƙirar shi. Bayan haka, idan an yi amfani da kwantena, plugin ɗin Containerd CRI yana kiran plugin ɗin CNI da aka kayyade a cikin tsarin CNI don daidaita hanyar sadarwar pods. A sakamakon haka, kwaf ɗin yana karɓar adireshin IP.
Na ɗauki ɗan lokaci don fahimtar duk dabara da ɓarna na duk waɗannan hulɗar. Ina fatan wannan ƙwarewar zata taimaka muku fahimtar yadda Kubernetes ke aiki. Idan na yi kuskure game da wani abu, don Allah a tuntube ni a ko kuma a adireshin . Jin kyauta don tuntuɓar juna idan kuna son tattauna sassan wannan labarin ko wani abu dabam. Ina so in yi magana da ku!
nassoshi
Kwantena da hanyar sadarwa
Ta yaya Flannel ke aiki?
CRI da CNI
PS daga mai fassara
Karanta kuma a kan shafinmu:
- «";
- "Jagorar da aka kwatanta don Sadarwar Sadarwar a Kubernetes": , ;
- «".
source: www.habr.com