Lub hom phiaj ntawm tsab xov xwm yog los qhia cov neeg nyeem txog cov hauv paus ntawm kev sib txuas lus thiab kev tswj hwm kev sib txuas lus hauv Kubernetes, nrog rau cov neeg thib peb Calico plugin uas txuas ntxiv cov peev txheej txheem. Nyob rau hauv txoj kev, qhov yooj yim ntawm configuration thiab ib co nta yuav raug pom siv cov piv txwv tiag tiag los ntawm peb cov kev khiav hauj lwm kev.
Kev taw qhia ceev rau Kubernetes networking appliance
Ib pawg Kubernetes tsis tuaj yeem xav txog yam tsis muaj lub network. Peb twb tau luam tawm cov ntaub ntawv ntawm lawv cov hauv paus: ""Thiab"".
Hauv cov ntsiab lus ntawm tsab xov xwm no, nws yog ib qho tseem ceeb uas yuav tsum nco ntsoov tias K8s nws tus kheej tsis yog lub luag haujlwm rau kev sib txuas hauv network ntawm cov thawv thiab cov nodes: rau qhov no, ntau yam. CNI plugins (Container Networking Interface). Xav paub ntau ntxiv txog lub tswvyim no peb .
Piv txwv li, feem ntau ntawm cov plugins no yog - muab tag nrho kev sib txuas ntawm lub network ntawm txhua pawg ntawm pawg los ntawm kev txhim kho txuas hniav ntawm txhua qhov ntawm, muab lub subnet rau nws. Txawm li cas los xij, kev ua kom tiav thiab tsis muaj kev tswj hwm tsis yog ib txwm muaj txiaj ntsig. Txhawm rau muab qee yam kev sib cais tsawg kawg nkaus hauv pawg, nws yog qhov yuav tsum tau cuam tshuam rau hauv kev teeb tsa ntawm firewall. Hauv cov ntaub ntawv dav dav, nws tau muab tso rau hauv kev tswj hwm ntawm tib CNI, uas yog vim li cas txhua qhov kev cuam tshuam thib peb hauv iptables tuaj yeem txhais tsis raug lossis tsis quav ntsej tag nrho.
Thiab "tawm ntawm lub thawv" rau kev teeb tsa txoj cai tswjfwm hauv lub network hauv Kubernetes pawg tau muab . Cov peev txheej no, muab faib rau cov npe xaiv, tuaj yeem muaj cov cai los sib txawv kev nkag los ntawm ib daim ntawv thov mus rau lwm qhov. Nws kuj tso cai rau koj los teeb tsa kev nkag mus tau ntawm cov pods tshwj xeeb, ib puag ncig (namespaces) lossis thaiv ntawm IP chaw nyob:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978Qhov no tsis yog qhov piv txwv tseem ceeb tshaj plaws ntawm Tej zaum yuav ib zaug thiab rau txhua tus neeg tsis txaus siab rau qhov kev xav nkag siab txog kev xav ntawm txoj cai network li cas. Txawm li cas los xij, peb tseem yuav sim nkag siab txog cov hauv paus ntsiab lus thiab cov txheej txheem ntawm kev khiav tsheb khiav siv txoj cai network ...
Nws yog qhov laj thawj uas muaj 2 hom kev khiav tsheb: nkag mus rau hauv pod (Ingress) thiab tawm ntawm nws (Egress).
Qhov tseeb, kev nom kev tswv tau muab faib ua 2 pawg no raws li kev coj ua ntawm kev txav mus los.
Tus cwj pwm xav tau tom ntej yog tus xaiv; tus uas txoj cai siv. Qhov no tuaj yeem yog lub plhaub (los yog ib pawg ntawm cov pods) lossis ib puag ncig (piv txwv li lub npe chaw). Cov ntsiab lus tseem ceeb: ob hom ntawm cov khoom no yuav tsum muaj daim ntawv lo (daim ntawv lo hauv Kubernetes terminology) - cov no yog cov uas cov nom tswv ua haujlwm nrog.
Ntxiv nrog rau tus naj npawb ntawm cov neeg xaiv, sib sau ua ke los ntawm qee hom ntawv sau, nws tuaj yeem sau cov cai xws li "Tso / tsis lees paub txhua yam / txhua tus" hauv ntau qhov sib txawv. Rau lub hom phiaj no, kev tsim kho ntawm daim ntawv yog siv:
podSelector: {}
ingress: []
policyTypes:
- Ingress- Hauv qhov piv txwv no, tag nrho cov pods hauv ib puag ncig raug thaiv los ntawm kev nkag mus. Tus cwj pwm txawv tuaj yeem ua tiav nrog kev tsim kho hauv qab no:
podSelector: {}
ingress:
- {}
policyTypes:
- IngressZoo sib xws rau kev tawm mus:
podSelector: {}
policyTypes:
- Egress- tig nws tawm. Thiab ntawm no yog dab tsi suav nrog:
podSelector: {}
egress:
- {}
policyTypes:
- EgressRov qab mus rau qhov kev xaiv ntawm CNI plugin rau pawg, nws tsim nyog sau cia tias tsis yog txhua lub network plugin txhawb NetworkPolicy. Piv txwv li, Flannel uas twb tau hais lawm tsis paub yuav ua li cas rau kev teeb tsa network txoj cai, uas nyob rau hauv lub official repository. Lwm txoj hauv kev kuj tau hais nyob rau ntawd - Open Source project , uas nthuav dav cov qauv txheej txheem ntawm Kubernetes APIs raws li cov cai hauv network.
Tau paub Calico: kev xav
Calico plugin tuaj yeem siv hauv kev koom ua ke nrog Flannel (subproject ) los yog ntawm nws tus kheej, suav nrog ob qho tib si kev sib txuas hauv network thiab muaj peev xwm tswj tau.
Dab tsi yog txoj hauv kev uas siv K8s "boxed" tov thiab API teev los ntawm Calico muab?
Nov yog qhov ua tau rau hauv NetworkPolicy:
- cov nom tswv raug txwv los ntawm ib puag ncig;
- txoj cai raug siv rau cov pods cim nrog cov ntawv lo;
- kev cai yuav siv tau rau cov pods, ib puag ncig lossis subnets;
- cov cai tuaj yeem muaj cov txheej txheem, npe lossis cov cim chaw nres nkoj tshwj xeeb.
Nov yog li cas Calico txuas cov haujlwm no:
- txoj cai siv tau rau txhua yam khoom: pod, thawv, virtual tshuab lossis interface;
- cov kev cai muaj peev xwm muaj ib qho kev txiav txim (kev txwv, kev tso cai, txiav);
- lub hom phiaj lossis cov kev cai tuaj yeem yog qhov chaw nres nkoj, ntau qhov chaw nres nkoj, cov txheej txheem, HTTP lossis ICMP cov yam ntxwv, IP lossis subnet (4th lossis 6th tiam), txhua tus xaiv (nodes, hosts, ib puag ncig);
- Tsis tas li ntawd, koj tuaj yeem tswj hwm txoj kev khiav tsheb los ntawm kev siv DNAT teeb tsa thiab cov cai xa mus rau kev thauj mus los.
Thawj qhov kev cog lus ntawm GitHub hauv Calico repository hnub rov qab mus rau Lub Xya Hli 2016, thiab ib xyoos tom qab qhov project tau ua txoj haujlwm tseem ceeb hauv kev teeb tsa Kubernetes network txuas - qhov no yog pov thawj, piv txwv li, los ntawm cov txiaj ntsig kev soj ntsuam, :
Ntau qhov kev daws teeb meem loj nrog K8s, xws li , , thiab lwm tus tau pib xav kom nws siv.
Raws li rau kev ua tau zoo, txhua yam zoo ntawm no. Hauv kev sim lawv cov khoom, pab pawg tsim kho Calico tau qhia txog kev ua haujlwm astronomical, khiav ntau dua 50000 ntim ntawm 500 lub cev nrog tus nqi tsim ntawm 20 ntim ib ob. Tsis muaj teeb meem raug txheeb xyuas nrog kev ntsuas. Cov txiaj ntsig zoo li no twb ntawm kev tshaj tawm ntawm thawj version. Cov kev tshawb fawb ywj pheej tsom rau kev xa tawm thiab kev siv peev txheej kuj lees paub Calico qhov kev ua tau zoo yuav luag zoo li Flannel's. :
Qhov project tab tom txhim kho sai heev, nws txhawb kev ua haujlwm hauv cov kev daws teeb meem nrov uas tswj hwm K8s, OpenShift, OpenStack, nws muaj peev xwm siv Calico thaum siv cov pawg siv. , muaj kev xa mus rau kev tsim kho ntawm Service Mesh networks ( siv ua ke nrog Istio).
Xyaum nrog Calico
Hauv cov ntaub ntawv dav dav ntawm kev siv vanilla Kubernetes, txhim kho CNI nqis los siv cov ntaub ntawv calico.yaml, , s pab kubectl apply -f.
Raws li txoj cai, tam sim no version ntawm lub plugin yog sib xws nrog qhov tseeb 2-3 versions ntawm Kubernetes: kev ua haujlwm hauv cov ntawv qub tsis raug kuaj thiab tsis lav. Raws li cov neeg tsim tawm, Calico khiav ntawm Linux kernels saum toj 3.10 khiav CentOS 7, Ubuntu 16 lossis Debian 8, nyob rau sab saum toj ntawm iptables lossis IPVS.
Kev cais tawm hauv ib puag ncig
Rau kev nkag siab dav dav, cia peb saib cov ntaub ntawv yooj yim kom nkag siab tias cov kev cai network hauv Calico cov cim txawv ntawm cov qauv thiab yuav ua li cas txoj hauv kev los tsim cov cai yooj yim rau lawv nyeem tau yooj yim thiab teeb tsa yooj yim:
Muaj 2 lub vev xaib thov xa mus rau hauv pawg: hauv Node.js thiab PHP, ib qho uas siv Redis. Txhawm rau thaiv kev nkag mus rau Redis los ntawm PHP, thaum tswj kev sib txuas nrog Node.js, tsuas yog siv txoj cai hauv qab no:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-redis-nodejs
spec:
podSelector:
matchLabels:
service: redis
ingress:
- from:
- podSelector:
matchLabels:
service: nodejs
ports:
- protocol: TCP
port: 6379Qhov tseem ceeb peb tau tso cai nkag mus rau Redis chaw nres nkoj los ntawm Node.js. Thiab lawv meej meej tsis txwv lwm yam. Thaum NetworkPolicy tshwm sim, txhua tus neeg xaiv tau hais hauv nws pib raug cais tawm, tshwj tsis yog tias tau teev tseg. Txawm li cas los xij, txoj cai cais tsis siv rau lwm yam khoom uas tsis suav nrog tus xaiv.
Piv txwv siv apiVersion Kubernetes tawm ntawm lub thawv, tab sis tsis muaj dab tsi tiv thaiv koj los ntawm kev siv nws . Cov syntax muaj cov ncauj lus kom ntxaws, yog li koj yuav tsum rov sau txoj cai rau cov ntaub ntawv saum toj no hauv daim ntawv hauv qab no:
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
name: allow-redis-nodejs
spec:
selector: service == 'redis'
ingress:
- action: Allow
protocol: TCP
source:
selector: service == 'nodejs'
destination:
ports:
- 6379
Cov kev tsim kho uas tau hais los saum toj no rau kev tso cai lossis tsis lees paub tag nrho cov tsheb khiav los ntawm NetworkPolicy API li niaj zaus muaj kev tsim nrog cov kab lus uas nyuaj rau kev nkag siab thiab nco ntsoov. Nyob rau hauv cov ntaub ntawv ntawm Calico, hloov lub logic ntawm ib tug firewall txoj cai rau qhov opposite, tsuas yog hloov action: Allow rau action: Deny.
Kev cais los ntawm ib puag ncig
Tam sim no xav txog qhov xwm txheej uas daim ntawv thov tsim cov kev ntsuas kev lag luam rau kev sau hauv Prometheus thiab kev tshuaj xyuas ntxiv siv Grafana. Lub upload tej zaum yuav muaj cov ntaub ntawv rhiab, uas yog rov tuaj yeem pom tau los ntawm lub neej ntawd. Cia peb nkaum cov ntaub ntawv no los ntawm prying ob lub qhov muag:
Prometheus, raws li txoj cai, muab tso rau hauv ib puag ncig kev pabcuam cais - hauv qhov piv txwv nws yuav yog lub npe zoo li no:
apiVersion: v1
kind: Namespace
metadata:
labels:
module: prometheus
name: kube-prometheus
teb metadata.labels qhov no ua rau tsis muaj xwm txheej. Raws li tau hais los saum no, namespaceSelector (zoo li podSelector) ua haujlwm nrog cov ntawv sau. Yog li ntawd, txhawm rau tso cai rau kev ntsuas los ntawm txhua lub pods ntawm ib qho chaw nres nkoj tshwj xeeb, koj yuav tsum tau ntxiv qee yam ntawm daim ntawv lo (lossis nqa los ntawm cov uas twb muaj lawm), thiab tom qab ntawd siv cov kev teeb tsa xws li:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-metrics-prom
spec:
podSelector: {}
ingress:
- from:
- namespaceSelector:
matchLabels:
module: prometheus
ports:
- protocol: TCP
port: 9100Thiab yog tias koj siv Calico cov cai, cov syntax yuav zoo li no:
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
name: allow-metrics-prom
spec:
ingress:
- action: Allow
protocol: TCP
source:
namespaceSelector: module == 'prometheus'
destination:
ports:
- 9100Feem ntau, los ntawm kev ntxiv cov kev cai no rau cov kev xav tau tshwj xeeb, koj tuaj yeem tiv thaiv kev ua phem lossis kev cuam tshuam tsis zoo hauv kev ua haujlwm ntawm cov ntawv thov hauv pawg.
Qhov kev coj ua zoo tshaj plaws, raws li tus tsim ntawm Calico, yog "Tshem txhua yam thiab nthuav dav qhov koj xav tau" txoj hauv kev, sau tseg hauv (lwm tus ua raws li txoj hauv kev zoo sib xws - tshwj xeeb, hauv ).
Siv Cov Khoom Siv Calico Ntxiv
Cia kuv ceeb toom rau koj tias dhau ntawm cov txheej txheem txuas ntxiv ntawm Calico APIs koj tuaj yeem tswj hwm qhov muaj ntawm nodes, tsis txwv rau cov pods. Hauv qhov piv txwv hauv qab no siv GlobalNetworkPolicy lub peev xwm dhau ICMP thov hauv pawg raug kaw (piv txwv li, pings los ntawm lub plhaub taum mus rau ib qho, nruab nrab ntawm cov pods, los yog los ntawm ib lub rau ntawm IP pod):
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
name: block-icmp
spec:
order: 200
selector: all()
types:
- Ingress
- Egress
ingress:
- action: Deny
protocol: ICMP
egress:
- action: Deny
protocol: ICMP
Nyob rau hauv cov ntaub ntawv saum toj no, nws tseem ua tau rau pawg nodes "sach out" rau ib leeg ntawm ICMP. Thiab qhov teeb meem no tau daws los ntawm txoj kev GlobalNetworkPolicy, siv rau ib qho chaw HostEndpoint:
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
name: deny-icmp-kube-02
spec:
selector: "role == 'k8s-node'"
order: 0
ingress:
- action: Allow
protocol: ICMP
egress:
- action: Allow
protocol: ICMP
---
apiVersion: crd.projectcalico.org/v1
kind: HostEndpoint
metadata:
name: kube-02-eth0
labels:
role: k8s-node
spec:
interfaceName: eth0
node: kube-02
expectedIPs: ["192.168.2.2"]VPN Case
Thaum kawg, kuv yuav muab ib qho piv txwv tiag tiag ntawm kev siv Calico functions rau cov ntaub ntawv ntawm kev sib cuam tshuam ze ntawm pawg, thaum cov txheej txheem txheej txheem tsis txaus. Txhawm rau nkag mus rau hauv daim ntawv thov lub vev xaib, cov neeg siv khoom siv VPN qhov, thiab qhov kev nkag mus tau nruj tswj hwm thiab txwv rau cov npe tshwj xeeb uas tso cai rau siv:
Cov neeg siv khoom txuas mus rau VPN ntawm tus qauv UDP chaw nres nkoj 1194 thiab, thaum txuas nrog, tau txais txoj hauv kev mus rau pawg subnets ntawm pods thiab cov kev pabcuam. Tag nrho cov subnets raug thawb kom tsis txhob poob cov kev pabcuam thaum rov pib dua thiab hloov chaw nyob.
Qhov chaw nres nkoj hauv kev teeb tsa yog tus qauv, uas ua rau qee qhov nuances ntawm tus txheej txheem ntawm kev teeb tsa daim ntawv thov thiab xa mus rau Kubernetes pawg. Piv txwv li, nyob rau tib lub AWS LoadBalancer rau UDP tau tshwm sim nyob rau thaum xaus ntawm lub xyoo tas los nyob rau hauv ib tug txwv daim ntawv teev cov cheeb tsam, thiab NodePort yuav siv tsis tau vim nws xa mus rau tag nrho cov pawg nodes thiab nws yog tsis yooj yim sua rau scale tus naj npawb ntawm cov neeg rau zaub mov piv txwv rau txhaum cai lub hom phiaj. Ntxiv rau, koj yuav tau hloov lub neej ntawd ntau ntawm cov chaw nres nkoj ...
Raws li kev tshawb nrhiav los ntawm cov kev daws teeb meem, cov hauv qab no tau xaiv:
- Pods nrog VPN tau teem caij rau ib lub hauv
hostNetwork, uas yog, rau qhov tseeb IP. - Cov kev pabcuam raug muab tso tawm sab nraud los ntawm
ClusterIP. Ib qho chaw nres nkoj tau nruab rau ntawm lub cev, uas tuaj yeem nkag tau los ntawm sab nraud nrog kev tshwj xeeb me me (qhov xwm txheej muaj qhov chaw nyob IP tiag). - Kev txiav txim siab ntawm qhov twg lub pod sawv yog dhau ntawm peb zaj dab neeg. Kuv tsuas yog hais tias koj tuaj yeem nruj "ntsiag" cov kev pabcuam rau ntawm ib qho lossis sau cov kev pabcuam me me uas yuav saib xyuas tus IP chaw nyob tam sim no ntawm VPN kev pabcuam thiab kho cov ntaub ntawv DNS sau npe nrog cov neeg siv khoom - leej twg muaj kev xav txaus.
Los ntawm txoj kev xav, peb tuaj yeem txheeb xyuas tus neeg siv VPN los ntawm nws qhov chaw nyob IP uas muab los ntawm VPN server. Hauv qab no yog ib qho piv txwv tseem ceeb ntawm kev txwv xws li tus neeg siv khoom nkag mus rau cov kev pabcuam, piv txwv li Redis hais saum toj no:
apiVersion: crd.projectcalico.org/v1
kind: HostEndpoint
metadata:
name: vpnclient-eth0
labels:
role: vpnclient
environment: production
spec:
interfaceName: "*"
node: kube-02
expectedIPs: ["172.176.176.2"]
---
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
name: vpn-rules
spec:
selector: "role == 'vpnclient'"
order: 0
applyOnForward: true
preDNAT: true
ingress:
- action: Deny
protocol: TCP
destination:
ports: [6379]
- action: Allow
protocol: UDP
destination:
ports: [53, 67]Ntawm no, txuas mus rau qhov chaw nres nkoj 6379 yog txwv tsis pub nruj, tab sis tib lub sijhawm kev ua haujlwm ntawm DNS kev pabcuam raug khaws cia, kev ua haujlwm uas feem ntau raug kev txom nyem thaum teeb tsa cov cai. Vim hais tias, raws li tau hais dhau los, thaum tus neeg xaiv tau tshwm sim, lub neej ntawd tsis lees paub txoj cai raug siv rau nws tshwj tsis yog tau teev tseg.
Cov txiaj ntsim tau los
Yog li, siv Calico's advanced API, koj tuaj yeem hloov kho tau yooj yim thiab hloov pauv kev hloov pauv hauv thiab ib puag ncig pawg. Feem ntau, nws txoj kev siv tuaj yeem zoo li tua sparrows nrog rab phom loj, thiab siv lub L3 network nrog BGP thiab IP-IP tunnels zoo li monstrous nyob rau hauv ib qho yooj yim Kubernetes installation ntawm lub tiaj tus network ... Txawm li cas los xij, txwv tsis pub cov cuab yeej zoo li siv tau thiab muaj txiaj ntsig zoo. .
Kev cais ib pawg kom tau raws li qhov yuav tsum tau muaj kev ruaj ntseg yuav tsis yog ib txwm ua tau, thiab qhov no yog qhov twg Calico (los yog cov tshuaj zoo sib xws) los rau kev cawm. Cov piv txwv tau muab rau hauv tsab xov xwm no (nrog kev hloov kho me me) yog siv rau hauv ntau qhov kev teeb tsa ntawm peb cov neeg siv khoom hauv AWS.
PS
Nyeem kuj ntawm peb blog:
- «»;
- "Ib Daim Ntawv Qhia Txog Kev Sib Txuas Hauv Kubernetes": , ;
- Β«".
Tau qhov twg los: www.hab.com