Understanding Calico Network Policy Enforcement Options


The Calico network plugin provides a rich set of network policy capabilities with a single, unified syntax for protecting bare-metal hosts, virtual machines and pods. These policies can be namespaced, or they can be global network policies that apply to host endpoints (protecting applications that run directly on the host, where the host may be a bare-metal server or a VM) or to workload endpoints (protecting applications that run in containers or VMs). Calico policy lets you apply security controls at different points in the packet path using options such as preDNAT, untracked and applyOnForward. Understanding how these options work helps you improve both the security and the performance of your system as a whole. This article describes the core Calico policy options (preDNAT, untracked and applyOnForward) that apply to host endpoints, with a focus on what happens in the packet-processing path (the iptables chains).

This article assumes a basic understanding of how Kubernetes and Calico network policies work. If you do not have that yet, we recommend working through the basic network policy tutorial and the host protection tutorial for Calico before reading on. We also expect a basic understanding of how iptables works on Linux.

Calico global network policy lets you apply a set of access rules by label (to groups of hosts and workloads/pods). This is especially useful when you run different kinds of systems side by side: virtual machines, bare-metal systems, or Kubernetes workloads. In addition, you can protect your cluster nodes with a declarative set of policies and apply network policy to inbound traffic (for example, traffic arriving via NodePorts or external service IPs).

At a fundamental level, when Calico attaches a pod to the network (see the diagram below), it connects the pod to the host with a virtual Ethernet interface pair (veth). Traffic sent by the pod reaches the host through this virtual interface and is handled exactly as if it had arrived on a physical network interface. By default, Calico names these interfaces caliXXX. Because the traffic arrives via a virtual interface, it traverses iptables just as traffic from another host would. From the host's point of view, therefore, traffic to and from a pod is forwarded traffic.

On a Kubernetes node running Calico, you can map a virtual network interface (veth) to its workload as follows. In the example below, interface index 10 (calic1cbf1ca0f8) belongs to the cnx-manager-* pod in the calico-monitoring namespace.

[centos@ip-172-31-31-46 K8S]$ sudo ip a
...
10: calic1cbf1ca0f8@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
...

[centos@ip-172-31-31-46 K8S]$ calicoctl get wep --all-namespaces
...
calico-monitoring cnx-manager-8f778bd66-lz45m                            ip-172-31-31-46.ec2.internal 192.168.103.134/32 calic1cbf1ca0f8
...

[Diagram: a pod attached to the host through a veth (caliXXX) interface; the host treats pod traffic as forwarded traffic]

Given that Calico creates a veth interface for every workload, how does it enforce policy? It does so by inserting hooks into the various chains of the packet-processing path using iptables.

The figure below shows the chains involved in packet processing in iptables (that is, in the netfilter subsystem). When a packet arrives on a network interface, it first enters the PREROUTING chain. A routing decision is then made, and depending on the outcome the packet passes through either INPUT (destined for a local process on the host) or FORWARD (destined for a pod or for another node on the network). Packets from a local process pass through the OUTPUT chain and then POSTROUTING before leaving through an interface.

Note that, as far as iptables processing is concerned, a pod is also an external entity (attached through a veth). To summarise:

  • Forwarded traffic (NAT'd, routed, or to/from a pod) passes through the PREROUTING - FORWARD - POSTROUTING chains.
  • Traffic to a local host process passes through the PREROUTING - INPUT chains.
  • Traffic from a local host process passes through the OUTPUT - POSTROUTING chains.

[Diagram: iptables/netfilter chains in the packet path, with the Calico policy hook points numbered (1) to (5)]

Calico provides policy options that let you apply policy in all of these chains. With that in mind, let's look at the different policy configuration options available in Calico. The numbers in the list below correspond to the numbers in the diagram above.

  1. Workload endpoint (pod) policy
  2. Host endpoint policy
  3. The applyOnForward option
  4. PreDNAT policy
  5. Untracked policy

Let's start by looking at how policy is applied to workload endpoints (Kubernetes pods or OpenStack VMs), and then look at the policy options for host endpoints.

Workload endpoints

Workload endpoint policy (1)

This is the option for protecting Kubernetes pods. Calico supports the Kubernetes NetworkPolicy resource, but also provides its own richer policy types: Calico NetworkPolicy and GlobalNetworkPolicy. Calico creates a chain for each pod (workload) and hooks the workload's inbound and outbound chains into the FORWARD chain of the filter table.
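The following is an added example, not code from the original article or from the Calico project: a namespaced Calico NetworkPolicy of the kind whose rules end up in a pod's per-workload chain. The namespace, the labels, the ports and the kube-dns selector are illustrative assumptions.

```yaml
# Added example: namespaced Calico NetworkPolicy for workload endpoints (pods).
# Namespace, labels and ports are illustrative assumptions, not from the article.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop             # assumed namespace
spec:
  order: 100                  # lower order is evaluated first among policies of the same kind
  selector: app == 'api'      # pods whose per-workload chain receives these rules
  types:
    - Ingress
    - Egress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'   # assumed label on the client pods
      destination:
        ports:
          - 8080
  egress:
    # Reply packets for the ingress rule above are allowed through conntrack;
    # egress rules only need to cover connections the api pods initiate.
    - action: Allow
      protocol: TCP
      destination:
        selector: app == 'db'         # assumed label on the database pods
        ports:
          - 5432
    # DNS lookups to kube-dns; Calico labels namespaces with projectcalico.org/name.
    - action: Allow
      protocol: UDP
      destination:
        selector: k8s-app == 'kube-dns'
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
```

Because the policy declares both Ingress and Egress types, anything not matched by a rule in either direction is denied for the selected pods; leaving out the DNS egress rule, for example, would silently break name resolution for the api pods.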

Host endpoints

Host endpoint policy (2)

Beyond its role as a CNI (Container Network Interface) plugin, Calico policy lets you protect the host itself. In Calico you create a host endpoint by specifying a host interface and, optionally, port numbers. Policy for this endpoint is enforced in the filter table, in the INPUT and OUTPUT chains. As the diagram shows, (2) applies to local processes on the node/host. In other words, a policy that applies to a host endpoint does not affect traffic to or from your pods. What it does give you is a single interface and a single syntax for restricting traffic to both your hosts and your pods with Calico policy, which greatly simplifies policy management for a heterogeneous network. Configuring host endpoint policy to harden the cluster is an important use case.

The applyOnForward option (3)

The applyOnForward option is available in Calico global network policy to make a policy apply to all traffic passing through a host endpoint, including traffic that the host forwards. This covers traffic forwarded to a local pod as well as traffic forwarded elsewhere on the network. Calico requires this setting to be enabled for policies that use preDNAT or untracked mode; see the following sections. In addition, applyOnForward can be used to control transit traffic in cases where the host acts as a router or as a software NAT.

Note that if you need to apply the same network policy to both host and workload traffic, you do not need the applyOnForward option. All you need to do is put a label on the relevant host endpoints and workload endpoints (pods). Calico is smart enough to enforce policy based on labels regardless of endpoint type (host endpoint or workload endpoint).
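The following is an added example, not code from the original article or from the Calico project. It defines a HostEndpoint for a node's primary interface and two GlobalNetworkPolicies that select it by label: the first is a plain host endpoint policy (position 2 in the diagram) that affects only local processes, the second sets applyOnForward: true (position 3) so that its rules also apply to traffic the host forwards. The node name, interface name, addresses, labels, networks and ports are illustrative assumptions.

```yaml
# Added example, not from the article: HostEndpoint plus host policy with and
# without applyOnForward. Names, labels, networks and ports are assumptions.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth0
  labels:
    role: worker                 # assumed label that the policies below select
spec:
  node: node1                    # must match the Calico node name
  interfaceName: eth0
  expectedIPs:
    - 10.0.0.11                  # assumed address configured on eth0
---
# (2) Host endpoint policy: enforced in filter INPUT/OUTPUT, so it governs
# local processes on the host only. Traffic the host forwards to a pod through
# its veth is not affected by this policy.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: worker-host-ingress
spec:
  order: 50
  selector: role == 'worker'
  types:
    - Ingress
  ingress:
    - action: Allow              # SSH from an assumed admin network
      protocol: TCP
      source:
        nets:
          - 10.10.0.0/24
      destination:
        ports:
          - 22
    - action: Allow              # kubelet API from an assumed control-plane subnet
      protocol: TCP
      source:
        nets:
          - 10.0.0.0/24
      destination:
        ports:
          - 10250
  # Inbound traffic to the host that no policy allows is dropped (Calico's
  # default deny for a selected host endpoint), except for the failsafe ports.
---
# (3) Same selector, but with applyOnForward: true, so the rules also apply to
# traffic the host forwards, whether to local pods or onward on the network.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: worker-forwarded-ingress
spec:
  order: 60
  selector: role == 'worker'
  applyOnForward: true
  types:
    - Ingress
  ingress:
    - action: Deny               # stop an assumed untrusted range reaching pods through this host
      source:
        nets:
          - 192.0.2.0/24
    - action: Allow              # let other forwarded traffic continue to workload policy
```

The second policy is where a host-level block list belongs: without applyOnForward: true the Deny rule would protect sshd and the kubelet on the host but would do nothing for the pods behind it, because their traffic never passes through INPUT.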

PreDNAT policy (4)

In Kubernetes, service ports can be exposed externally using NodePorts or, optionally (when using Calico), by advertising cluster IPs or external IPs. kube-proxy load-balances inbound traffic addressed to a service across the service's backing pods using DNAT. Given this, how do you enforce policy on traffic arriving via NodePorts? To make sure such policy is applied before the traffic is rewritten by DNAT (the mapping from host:port to the corresponding service backend), Calico provides a GlobalNetworkPolicy parameter called "preDNAT: true".

When preDNAT is enabled, these policies are applied at (4) in the diagram, in the mangle table of the PREROUTING chain, immediately before DNAT. The usual policy ordering is not followed here, because these policies are applied earlier in the packet-processing path than any other policy. PreDNAT policies do, however, respect the order defined among themselves.

When writing preDNAT policies, be deliberate about which traffic you want to allow and let everything else be denied. Traffic marked as allowed by a preDNAT policy is not re-examined by the host endpoint policy, whereas traffic that no preDNAT policy matches continues through the remaining chains. Calico makes it mandatory to enable the applyOnForward option when using preDNAT, because by definition the destination of the traffic has not yet been decided at this point: the traffic may be accepted by the host system, or it may be forwarded to a pod or to another node.
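The following is an added example, not code from the original article or from the Calico project: a preDNAT policy that filters NodePort traffic on its original destination port, before kube-proxy's DNAT replaces the node address and port with a pod address and port. The host endpoint label, the load balancer network and the NodePort range are illustrative assumptions.

```yaml
# Added example, not from the article: preDNAT policy for NodePort traffic.
# Label, networks and port range are illustrative assumptions.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: nodeport-ingress-prednat
spec:
  order: 10                      # ordered only relative to other preDNAT policies
  selector: role == 'worker'     # assumed label on the host endpoints
  preDNAT: true                  # enforced in mangle PREROUTING, position (4)
  applyOnForward: true           # mandatory with preDNAT: no routing decision yet
  types:
    - Ingress                    # preDNAT policies may only contain ingress rules
  ingress:
    # Destination ports here are the NodePorts as seen on the wire, because the
    # rules run before DNAT; after DNAT the packet would carry the pod's port.
    - action: Allow              # assumed external load balancer range
      protocol: TCP
      source:
        nets:
          - 203.0.113.0/24
      destination:
        ports:
          - 30000:32767
    - action: Deny               # NodePorts reached from anywhere else are dropped
      protocol: TCP
      destination:
        ports:
          - 30000:32767
  # Traffic outside the NodePort range matches no rule here and continues
  # through the remaining chains to the normal host and workload policies.
```

The same ports written into an ordinary (post-DNAT) host endpoint policy would never match NodePort traffic, because by the time the filter table sees the packet its destination has already been rewritten to a pod IP and container port.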

Untracked policy (5)

Networks and applications can differ enormously in their behaviour. In some extreme cases an application generates a very large number of short-lived connections. This can cause conntrack (a core part of the Linux networking stack) to run out of memory. Traditionally, to run such applications on Linux you had to tune or disable conntrack by hand, or write iptables rules that bypass it. Untracked policy in Calico is a simpler and more efficient option when you need to handle connections as fast as possible, for example for a high-throughput memcache deployment, or as an additional layer of protection against DDoS.

Read this blog post (or our translation of it) for more details, including performance tests using untracked policy.

When you set "doNotTrack: true" in a Calico GlobalNetworkPolicy, it becomes an **untracked** policy and is applied very early in the Linux packet-processing pipeline. Looking at the diagram above, untracked policies are applied in the PREROUTING and OUTPUT chains of the raw table, before connection tracking (conntrack) begins. When a packet is allowed by an untracked policy, it is marked so that tracking is disabled for that packet. This means:

  • Untracked policy is applied to every packet individually. There is no notion of a connection (or flow). The absence of connection state has several important consequences:
    ◦ If you want to allow both request and reply traffic, you need a rule for each direction, inbound and outbound (Calico normally relies on conntrack to treat reply traffic as allowed).
    ◦ Untracked policy does not work for Kubernetes workloads (pods), because in that case there is no way to track outbound connections from the pod.
    ◦ NAT does not work correctly with untracked packets (the kernel stores NAT mappings in conntrack).
    ◦ When a packet passes an "allow all" rule in an untracked policy, every such packet is marked untracked. This is almost never what you want, so be very selective about which packets you allow through untracked policy (and let the bulk of your traffic pass through normal, tracked policy).
  • Untracked policy is applied at the very start of the packet-processing pipeline. This is essential to understand when writing Calico policies. You can have a pod policy with order: 1 and an untracked policy with order: 1000; it makes no difference, the untracked policy is applied before the pod policy. Untracked policies respect execution order only among themselves.

Because one of the purposes of doNotTrack policy is to enforce policy as early as possible in the Linux packet-processing pipeline, Calico makes it mandatory to set applyOnForward when using doNotTrack. In the packet-processing diagram, note that untracked policy (5) is applied before any routing decision: the traffic may be accepted by the host system, or it may be forwarded to a pod or to another node.
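The following is an added example, not code from the original article or from the Calico project: an untracked (doNotTrack) policy for a host endpoint running memcached, the workload the article names as a candidate. Because conntrack is bypassed, the request direction and the reply direction each need their own rule. The host endpoint label, the client network and the port are illustrative assumptions.

```yaml
# Added example, not from the article: untracked policy for a memcached host.
# Label, client network and port are illustrative assumptions.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: memcached-untracked
spec:
  order: 10                      # ordered only relative to other untracked policies
  selector: role == 'memcached'  # assumed label on the host endpoints
  doNotTrack: true               # raw table, PREROUTING/OUTPUT, position (5)
  applyOnForward: true           # mandatory with doNotTrack
  types:
    - Ingress
    - Egress
  ingress:
    # Requests: assumed client subnet to the memcached port.
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 10.20.0.0/16
      destination:
        ports:
          - 11211
  egress:
    # Replies: with no conntrack entry there is no ESTABLISHED state to rely on,
    # so the host's reply packets (source port 11211) need an explicit rule.
    - action: Allow
      protocol: TCP
      source:
        ports:
          - 11211
      destination:
        nets:
          - 10.20.0.0/16
  # Deliberately no trailing "Allow": an allow-all rule here would mark every
  # packet untracked and pull all host traffic out of normal tracked policy.
```

Only port 11211 to and from the assumed client subnet is handled as untracked; SSH, kubelet and all other traffic to the host never match these rules and continue through conntrack to the ordinary host endpoint policy, where reply handling works as usual.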

Conclusion

We have looked at the various policy options in Calico (host endpoint policy, applyOnForward, preDNAT and untracked) and at where each one is applied in the packet-processing path. Understanding how they work helps you write policies that are both effective and secure. With Calico you can apply global network policy by label (to groups of nodes and pods) and combine policies with different parameters. This lets security and network engineers protect "everything" (every endpoint type) at once, using a single policy language.

Acknowledgements: I would like to thank Shaun Crampton and Alex Pollitt for their review and valuable comments.

source: www.habr.com
