Understanding network policy options with Calico


Calico network policy offers several policy options, all with the same syntax, for protecting bare-metal hosts, virtual machines and pods. Policies can be namespaced or global, and they can apply to host endpoints (protecting applications that run directly on the host, where the host may be a physical server or a virtual machine) or to workload endpoints (protecting applications that run in containers or in hosted virtual machines). Calico policy lets you enforce security at different points of the packet-processing path, using options such as preDNAT, untracked (doNotTrack) and applyOnForward. Understanding how these options work helps you get both the security and the performance of the whole system right. This article describes the Calico policy attributes (preDNAT, untracked and applyOnForward) that apply to host endpoints, with emphasis on what happens in the packet-processing path (the iptables chains).

This article assumes basic knowledge of how Kubernetes network policy and Calico network policy work. If you are not familiar with them, we recommend working through the basic network policy tutorial and the host protection tutorial for Calico before reading on. We also assume basic familiarity with iptables on Linux.

Calico GlobalNetworkPolicy lets you apply ingress and egress rules by label (to groups of hosts and of workloads/pods). This is especially useful when heterogeneous workloads run side by side: virtual machines, processes running directly on the hardware, or Kubernetes infrastructure. In addition, you can protect the cluster nodes themselves with host endpoint policy, and also apply network policy to traffic entering the cluster (for example through NodePorts or service External IPs).

At the most basic level, when Calico connects a pod to the network (see the figure below), it attaches it to the host through a virtual Ethernet (veth) interface. Traffic sent by the pod enters the host from this interface and is processed exactly as if it had arrived on a physical network interface. By default Calico names these interfaces caliXXX. Because the traffic enters through a real (from the kernel's point of view) interface, it passes through iptables just as if the pod were a remote host. Consequently, from the host's point of view, traffic to and from a pod is forwarded traffic.

On a Kubernetes cluster running Calico you can map the veth interfaces to workloads as follows. In the example below, veth #10 (calic1cbf1ca0f8) is attached to the cnx-manager-* pod in the calico-monitoring namespace.

[centos@ip-172-31-31-46 K8S]$ sudo ip a
...
10: calic1cbf1ca0f8@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
...

[centos@ip-172-31-31-46 K8S]$ calicoctl get wep --all-namespaces
...
calico-monitoring   cnx-manager-8f778bd66-lz45m   ip-172-31-31-46.ec2.internal   192.168.103.134/32   calic1cbf1ca0f8
...

[Figure: a pod attached to its host through a veth pair; the host side of the pair is the caliXXX interface shown in the output above]

Since Calico creates a veth interface for every workload, how does it enforce policy? To do so, Calico hooks into the different chains of the packet-processing path using iptables.

The figure below shows the chains involved in packet processing in iptables (the netfilter subsystem). When a packet arrives on a network interface, it first traverses PREROUTING. A routing decision is then made and, depending on it, the packet goes through either INPUT (destined for a local process) or FORWARD (destined for a pod or for another node on the network). A packet that originates from a local process traverses OUTPUT and then POSTROUTING before it is sent out on the wire.

Note that, as far as iptables processing is concerned, a pod is also an external entity (attached through a veth). In summary:

  • Forwarded traffic (NATed, routed, or to/from a pod) traverses PREROUTING - FORWARD - POSTROUTING.
  • Traffic destined for a process on the host traverses PREROUTING - INPUT.
  • Traffic originating from a process on the host traverses OUTPUT - POSTROUTING.

[Figure: the iptables/netfilter chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) with the five Calico policy attachment points numbered 1 to 5, as listed below]

Calico provides policy options that let you apply policy in all of these chains. With that in mind, let's look at the different policy options available in Calico. The numbers in the list below correspond to the numbers in the figure above.

  1. Workload endpoint (pod) policy
  2. Host endpoint policy
  3. The ApplyOnForward option
  4. PreDNAT policy
  5. Untracked policy

Let's start with how policy is applied to workload endpoints (Kubernetes pods or OpenStack VMs), and then look at the policy options for host endpoints.

Workload endpoints

Workload endpoint policy (1)

This is the option for protecting your Kubernetes pods. Calico supports Kubernetes NetworkPolicy, but it also provides additional policy types: Calico NetworkPolicy and GlobalNetworkPolicy. Calico creates chains for each pod (workload endpoint), one for the workload's inbound and one for its outbound traffic, and hooks them into the FORWARD chain of the filter table.

Host endpoints

Host endpoint policy (2)

Beyond its CNI (Container Network Interface) role, Calico policy can also protect the host itself. In Calico you create a host endpoint by specifying a host interface and, optionally, port numbers. Rules for this entity are enforced in the INPUT and OUTPUT chains of the filter table. As the figure shows, (2) applies to the local processes on the node/host. That is, a policy applied to a host endpoint does not affect traffic to or from your pods. What it gives you is a single interface and syntax for locking down traffic to both hosts and pods with Calico policy, which greatly simplifies policy management for heterogeneous clusters. Configuring host endpoint policy to harden cluster security is another important use case.

The ApplyOnForward option (3)

The ApplyOnForward option is available in Calico GlobalNetworkPolicy so that policy can be applied to all traffic passing through a host endpoint, including traffic that the host forwards. This includes traffic forwarded to local workloads or to anywhere else on the network. Calico requires this option to be set on policies that use preDNAT and doNotTrack; see the following sections. ApplyOnForward can also be used to control host traffic when the host acts as a router or NAT device.

Note that if you want to apply the same network policy to both host processes and pods, you do not need the ApplyOnForward option. All you need to do is put the appropriate label on both the host endpoint and the workload endpoint (pod). Calico applies label-based policy regardless of endpoint type (host endpoint or workload endpoint).
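As an added example (not code from the original article or from the Calico project), the manifests below put option (2), option (3) and the label-based approach just described side by side. The node name and address are taken from the calicoctl output above; the eth0 interface name, the role and metrics labels, the pod CIDR 192.168.0.0/16, the 172.31.0.0/20 control-plane subnet and the 172.31.16.0/20 monitoring subnet are assumptions, and 198.51.100.0/24 is a documentation prefix standing in for an untrusted network.

```yaml
# Added example, not from the original article. Node name/IP reuse the
# calicoctl output above; interface, labels and CIDRs are assumptions.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: ip-172-31-31-46.ec2.internal-eth0
  labels:
    role: k8s-node        # assumed label, matched by the policies below
    metrics: prometheus   # assumed label shared with the node-exporter pods
spec:
  node: ip-172-31-31-46.ec2.internal
  interfaceName: eth0     # assumed primary interface
  expectedIPs:
    - 172.31.31.46
---
# (3) applyOnForward: evaluated for host-local traffic AND for traffic the
# node forwards, e.g. into a pod through a caliXXX veth. Once a host endpoint
# has any applyOnForward policy, forwarded traffic that no such policy allows
# is dropped, hence the explicit Allow towards the (assumed) pod CIDR.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: node-forwarded-ingress
spec:
  order: 50
  selector: role == 'k8s-node'
  applyOnForward: true
  types:
    - Ingress
  ingress:
    - action: Deny
      source:
        nets: [198.51.100.0/24]   # untrusted network, dropped whether local or forwarded
    - action: Allow
      destination:
        nets: [192.168.0.0/16]    # only forwarded-to-pod traffic has a pod IP as destination
---
# (2) plain host endpoint policy: applyOnForward defaults to false, so these
# rules see only traffic terminating at, or leaving from, the node's own
# processes. Traffic to/from pods never reaches them.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: node-local-traffic
spec:
  order: 100
  selector: role == 'k8s-node'
  types:
    - Ingress
    - Egress
  ingress:
    - action: Allow                # kubelet API only from the control-plane subnet
      protocol: TCP
      source:
        nets: [172.31.0.0/20]
      destination:
        ports: [10250]
    # Anything else aimed at host processes hits Calico's default deny for
    # host endpoints (its failsafe ports, e.g. SSH and BGP, stay reachable).
  egress:
    - action: Allow                # without an egress rule the default deny would also block the node's outbound traffic
---
# Label-based alternative to applyOnForward when hosts and pods need the same
# rule: the selector matches the HostEndpoint above and any pod carrying the
# same (assumed) label; no applyOnForward is needed for that.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: scrape-only-from-monitoring
spec:
  order: 20
  selector: metrics == 'prometheus'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        nets: [172.31.16.0/20]     # assumed monitoring subnet
      destination:
        ports: [9100]
```

Apply the HostEndpoint last (or together with the policies): a host endpoint with no policy at all is default-deny in both directions apart from the failsafe ports. The order values make the forwarded-traffic guard (50) run before the host-local policy (100) for the node's own traffic; because its Allow rule matches only pod destinations, host-local traffic still falls through to the order-100 policy.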

PreDNAT policy (4)

In Kubernetes, service ports can be exposed externally through NodePorts or, optionally (with Calico), by advertising their Cluster IPs or External IPs. kube-proxy load-balances incoming traffic to the corresponding service pods using DNAT. Given that, how do you enforce policy on traffic arriving through NodePorts? To make sure that policy is applied before the traffic is processed by DNAT (the mapping between host:port and the corresponding service), Calico provides a GlobalNetworkPolicy attribute called "preDNAT: true".

When preDNAT is enabled, the policy is applied at (4) in the figure, in the PREROUTING chain of the mangle table, immediately before DNAT. The normal ordering relative to other policy types is not honoured here, because the policy is applied so early in the traffic-processing path. preDNAT policies do, however, honour the order attribute among themselves.

When writing preDNAT policy, be careful about which traffic you want to process and allow, and let the rest be denied. Traffic allowed by a preDNAT policy is not checked further by host endpoint policy, whereas traffic that no preDNAT allow rule matches continues through the remaining chains (an explicit Deny drops it).
Calico makes it mandatory to set applyOnForward when using preDNAT, because at this point the packet's destination has not yet been determined. The traffic may be going to a local process, or it may be forwarded to a pod or to another node.
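The following manifest is an added example (not from the article or the Calico project) of a preDNAT policy that lets only an assumed corporate range reach NodePorts on the nodes. The role label, the 203.0.113.0/24 range (a documentation prefix) and the default NodePort range 30000-32767 are assumptions.

```yaml
# Added example, not from the original article. Applied in the mangle
# PREROUTING chain, i.e. while the destination is still <node IP>:<NodePort>,
# before kube-proxy's DNAT rewrites it to a pod IP.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: nodeports-from-corp-only
spec:
  order: 10
  selector: role == 'k8s-node'   # assumed label on the HostEndpoints
  preDNAT: true
  applyOnForward: true           # mandatory together with preDNAT
  types:
    - Ingress                    # preDNAT policy may contain ingress rules only
  ingress:
    - action: Allow
      protocol: TCP
      source:
        nets: [203.0.113.0/24]   # assumed corporate range
      destination:
        ports: ["30000:32767"]   # default NodePort range
    # preDNAT chains have no implicit default deny: a NodePort packet that
    # matches nothing here would simply continue to DNAT and the forwarded
    # path, so the deny for everyone else must be explicit.
    - action: Deny
      protocol: TCP
      destination:
        ports: ["30000:32767"]
```

Traffic that matches neither rule (SSH, the kubelet port, BGP and so on) is untouched by this policy and continues through the normal chains, where the host endpoint policy applies; traffic the first rule allows skips the normal host endpoint ingress policy, as described above.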

Untracked policy (5)

Networks and applications can differ greatly in their behaviour. In some cases an application creates a very large number of short-lived connections. This can exhaust the memory of conntrack (a core component of the Linux network stack). Traditionally, to run such workloads on Linux you had to tune or disable conntrack by hand, or write iptables rules that bypass it. Untracked policy in Calico is a simpler and more efficient option when you need to process connections as fast as possible, for example when you run a large memcache, or as an additional DDoS protection measure.

Read this blog post (or our translation of it) for more details, including performance testing with untracked policy.

When you set "doNotTrack: true" in a Calico GlobalNetworkPolicy, it becomes an **untracked** policy and is applied very early in Linux packet processing. Looking at the figure above, untracked policies are applied in the PREROUTING and OUTPUT chains of the raw table, before connection tracking (conntrack). When a packet is allowed by an untracked policy, it is marked so that connection tracking is skipped for that packet. This means:

Untracked policy is applied per packet. There is no notion of a connection (or flow). The absence of connections has several important consequences:

  • If you want to allow requests and responses, you need both an ingress rule and an egress rule (because Calico normally relies on conntrack to allow response traffic).
  • Untracked policy does not apply to Kubernetes pods, because there is no way to track connections originating from a pod in that case.
  • NAT does not work correctly with untracked packets (because the kernel keeps its NAT mappings in conntrack).
  • If you put an "allow all" rule in an untracked policy, every packet is marked as untracked. This is almost never what you want, so be very selective about which packets untracked policies allow (and let most traffic go through tracked policy).
  • Untracked policies are applied at the very beginning of the packet-processing pipeline. This is very important to understand when writing Calico policy. You may have a pod policy with order:1 and an untracked policy with order:1000; it makes no difference, the untracked policy is applied before the pod policy. Untracked policies honour the order attribute only among themselves.

Because one of the purposes of doNotTrack policy is to enforce the policy at the very beginning of Linux packet processing, Calico makes it mandatory to set applyOnForward when using doNotTrack. Referring to the packet-processing figure, note that untracked policy (5) is applied before any routing decision. The traffic may be going to a local process, or it may be forwarded to a pod or to another node.
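As an added example (not from the article or the Calico project), here is an untracked policy for hosts running memcached, the workload the article mentions. The role label, port 11211 and the 10.0.0.0/8 client range are assumptions. It shows the consequence of having no conntrack: the reply direction has to be allowed by its own egress rule.

```yaml
# Added example, not from the original article. Evaluated in the raw table
# (PREROUTING for ingress, OUTPUT for egress) before conntrack, so every
# packet is judged on its own; there is no "established" state to rely on.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: memcached-untracked
spec:
  order: 10
  selector: role == 'memcached'   # assumed label on the HostEndpoints (pods are not supported here)
  doNotTrack: true
  applyOnForward: true            # mandatory together with doNotTrack
  types:
    - Ingress
    - Egress
  ingress:
    - action: Allow               # client requests, narrowed to the assumed client range
      protocol: TCP
      source:
        nets: [10.0.0.0/8]
      destination:
        ports: [11211]
  egress:
    - action: Allow               # replies: must be allowed explicitly, since conntrack
      protocol: TCP               # would normally recognise them as part of the connection
      source:
        ports: [11211]
      destination:
        nets: [10.0.0.0/8]
```

Keep the rules this narrow: an Allow with no match criteria would mark all of the host's traffic as untracked and, because NAT depends on conntrack, would break any NAT the host performs. Packets that match neither rule are not marked and go on to the tracked policies.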

Conclusion

We have looked at the different policy options in Calico (host endpoint, ApplyOnForward, preDNAT and untracked) and at where each is applied in the packet-processing path. Understanding how they work helps you write effective and secure policies. With Calico you can apply a global policy to a label (a group of nodes and pods) and reuse policy with different parameters. This lets security and network engineers protect "everything" (every endpoint type) at once, using the single policy language of Calico.

Acknowledgements: I would like to thank Sean Crampton and Alex Pollitt for their review and valuable insights.

Source: www.habr.com
