How does a Kubernetes pod get an IP address?

Translator's note: This article, written by an SRE engineer at LinkedIn, goes into the details of Kubernetes' internal magic, specifically the interaction of the CRI, the CNI and kube-apiserver, that takes place whenever the next pod needs to be assigned an IP address.

One of the core requirements of the Kubernetes network model is that every pod must have its own IP address and that any other pod in the cluster must be able to reach it at that address. There are many network "providers" (Flannel, Calico, Canal, etc.) that help implement this network model.

When I first started working with Kubernetes, it was not entirely clear to me how pods get their IP addresses. Even with an understanding of how the individual components worked, it was hard to picture them working together. For example, I knew what CNI plugins were, but I did not know exactly how they were invoked. So I decided to write this article to share what I learned about the various networking components and how they work together in a Kubernetes cluster to give each pod its own unique IP address.

There are different ways of setting up networking in Kubernetes, just as there are different container runtime options. This article uses Flannel for the cluster network and Containerd as the container runtime. I also assume you know how networking between containers works, so I will only touch on it briefly, for context.

Some key concepts

Containers and networking: a brief overview

There are many excellent articles on the Internet explaining how containers communicate over a network. So I will only give a general overview of the key concepts and limit myself to one approach, which involves creating a Linux bridge and encapsulating packets. The details are omitted, since container networking itself deserves a separate article. Links to some particularly insightful and instructive articles are given at the end.

Containers on the same host

One way to let containers running on the same host talk to each other over IP addresses is to create a Linux bridge. For this purpose, Kubernetes (and Docker) create virtual devices called veth (virtual ethernet). One end of the veth device is attached to the container's network namespace, the other to the Linux bridge in the host network namespace.

All containers on the same host have one end of their veth attached to the bridge and can communicate with each other via IP addresses. The Linux bridge also has an IP address and acts as the gateway for egress traffic from pods destined for other nodes.


Containers on different hosts

Packet encapsulation is one way to let containers on different nodes communicate with each other using IP addresses. In Flannel, this is handled by vxlan, which "packs" the original packet into a UDP packet and sends it to its destination.

In a Kubernetes cluster, Flannel creates a vxlan device and updates the routing table on each node accordingly. Every packet destined for a container on a different host passes through the vxlan device and is encapsulated in a UDP packet. At the destination, the inner packet is extracted and forwarded to the target pod.

[Figure not included.] Note: This is only one way of setting up network communication between containers.

What is CRI?

CRI (Container Runtime Interface) is a plugin interface that lets the kubelet work with different container runtimes. The CRI API is implemented by various runtimes so that users can choose the runtime they prefer.

What is CNI?

The CNI project is a specification for a universal networking solution for Linux containers. In addition, it includes plugins that take care of the various tasks involved in setting up the pod network. A CNI plugin is an executable that conforms to the specification (we will discuss some of the plugins below).

Allocating subnets to nodes for assigning IP addresses to pods

Since every pod in the cluster must have an IP address, it is important to ensure that this address is unique. This is achieved by assigning each node a unique subnet, from which the pods on that node are then given their IP addresses.

Node IPAM Controller

When nodeipam is passed as a value of the --controllers flag of kube-controller-manager, it allocates a separate subnet (podCIDR) to each node from the cluster CIDR (that is, the range of IP addresses for the cluster network). Since these podCIDRs do not overlap, every pod can be assigned a unique IP address.

A Kubernetes node is assigned a podCIDR when it first registers with the cluster. To change the podCIDR of nodes, you have to deregister them and then register them again, making the appropriate changes to the Kubernetes control plane configuration in between. You can display a node's podCIDR with the following command:

$ kubectl get no <nodeName> -o json | jq '.spec.podCIDR'
10.244.0.0/24
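To make the allocation rule concrete, here is an added example (mine, not kube-controller-manager code) that carves non-overlapping /24 podCIDRs out of a /16 cluster CIDR in node registration order and checks the result for overlaps. The node names and CIDR values are constructed sample input; the real controller tracks used subnets in a bitmap and reconciles against Node objects that already carry a podCIDR, which this example does not model.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// allocatePodCIDRs carves one /nodeMaskLen subnet per node out of the cluster
// CIDR, in registration order, the way the nodeipam controller hands each node
// its podCIDR. Example code, not the controller's own implementation.
func allocatePodCIDRs(clusterCIDR string, nodeMaskLen int, nodes []string) (map[string]string, error) {
	_, cluster, err := net.ParseCIDR(clusterCIDR)
	if err != nil {
		return nil, err
	}
	ip4 := cluster.IP.To4()
	if ip4 == nil {
		return nil, fmt.Errorf("%s: this example handles IPv4 only", clusterCIDR)
	}
	clusterLen, bits := cluster.Mask.Size()
	if nodeMaskLen <= clusterLen || nodeMaskLen > bits {
		return nil, fmt.Errorf("node mask /%d must be longer than cluster mask /%d", nodeMaskLen, clusterLen)
	}
	available := 1 << uint(nodeMaskLen-clusterLen)
	if len(nodes) > available {
		return nil, fmt.Errorf("%d nodes but only %d /%d subnets fit in %s", len(nodes), available, nodeMaskLen, clusterCIDR)
	}
	base := binary.BigEndian.Uint32(ip4)
	step := uint32(1) << uint(bits-nodeMaskLen) // number of addresses in one node subnet
	out := make(map[string]string, len(nodes))
	for i, node := range nodes {
		ip := make(net.IP, 4)
		binary.BigEndian.PutUint32(ip, base+uint32(i)*step)
		out[node] = fmt.Sprintf("%s/%d", ip, nodeMaskLen)
	}
	return out, nil
}

// podCIDRsOverlap reports whether any two allocated subnets share addresses.
// If it ever returned true, two pods on different nodes could receive the same IP.
func podCIDRsOverlap(cidrs map[string]string) bool {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return true // treat unparsable input as unsafe
		}
		nets = append(nets, n)
	}
	for i := range nets {
		for j := i + 1; j < len(nets); j++ {
			if nets[i].Contains(nets[j].IP) || nets[j].Contains(nets[i].IP) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample: three nodes in a 10.244.0.0/16 cluster, /24 per node.
	cidrs, err := allocatePodCIDRs("10.244.0.0/16", 24, []string{"node-a", "node-b", "node-c"})
	if err != nil {
		panic(err)
	}
	for node, c := range cidrs {
		fmt.Printf("%s podCIDR=%s\n", node, c)
	}
	fmt.Println("overlap:", podCIDRsOverlap(cidrs))
}
```

The size check matters in practice: a /16 cluster CIDR holds only 256 /24 node subnets, and a node that registers after they are exhausted never gets a podCIDR, so no pod scheduled to it can get an IP.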

Kubelet, container runtime and CNI plugins: how it all works together

Scheduling a pod on a node involves many preparatory steps. In this section I will only look at those related to setting up the pod network.

Scheduling a pod on a node triggers the following sequence of events:

[Figure not included.] Reference: Architecture of the Containerd CRI plugin.

Interaction between the container runtime and CNI plugins

Each network provider has its own CNI plugin. The container runtime invokes it to set up the pod's network as the pod starts. In the case of Containerd, the CNI plugin is invoked by the Containerd CRI plugin.

In addition, each provider has its own agent. It is installed on every Kubernetes node and is responsible for configuring the pod network. The agent either ships with the CNI config or generates it on the node itself. The config tells the CRI plugin which CNI plugin to call.

The location of the CNI config is configurable; by default it is /etc/cni/net.d/<config-file>. The cluster administrator is also responsible for installing the CNI plugins on each cluster node. Their location is configurable as well; the default directory is /opt/cni/bin.

When using containerd, the paths to the plugin config and binaries can be set in the [plugins."io.containerd.grpc.v1.cri".cni] section of the containerd configuration file.

Since we are using Flannel as our network provider, a few words about its setup:

  • Flanneld (Flannel's daemon) is usually installed in the cluster as a DaemonSet with install-cni as an init container.
  • install-cni creates the CNI configuration file (/etc/cni/net.d/10-flannel.conflist) on each node.
  • Flanneld creates the vxlan device, obtains network metadata from the API server, and watches for pod updates. As pods are created, it distributes routes for them across the whole cluster.
  • These routes allow pods to communicate with each other via IP addresses.

For more details on how Flannel works, I recommend the links at the end of the article.

Here is a diagram of the interaction between the Containerd CRI plugin and the CNI plugins:

[Diagram not included.]

As shown above, the kubelet calls the Containerd CRI plugin to create the pod, which in turn calls the CNI plugin to set up the pod network. In doing so, the network provider's CNI plugin calls other core CNI plugins to configure the various aspects of the network.

Interaction between CNI plugins

There are various CNI plugins that help set up networking between containers on a host. This article discusses three of them.

The Flannel CNI plugin

When Flannel is the network provider, the Containerd CRI component calls the Flannel CNI plugin using the CNI configuration file /etc/cni/net.d/10-flannel.conflist.

$ cat /etc/cni/net.d/10-flannel.conflist
{
  "name": "cni0",
  "plugins": [
    {
      "type": "flannel",
      "delegate": {
        "ipMasq": false,
        "hairpinMode": true,
        "isDefaultGateway": true
      }
    }
  ]
}

The Flannel CNI plugin works together with Flanneld. On startup, Flanneld obtains the podCIDR and other network-related details from the API server and saves them to the file /run/flannel/subnet.env.

FLANNEL_NETWORK=10.244.0.0/16
FLANNEL_SUBNET=10.244.0.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false

The Flannel CNI plugin uses the data from /run/flannel/subnet.env to configure and call the CNI bridge plugin.

The Bridge CNI plugin

This plugin is called with the following configuration:

{
  "name": "cni0",
  "type": "bridge",
  "mtu": 1450,
  "ipMasq": false,
  "isGateway": true,
  "ipam": {
    "type": "host-local",
    "subnet": "10.244.0.0/24"
  }
}
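The step from the flannel delegate plus subnet.env to the bridge configuration above is worth seeing in code. The following is an added example of my own, not the flannel CNI plugin's source: it parses the two inputs (constructed here from the article's samples), copies the delegate keys through, fills in the bridge type, the MTU and the host-local IPAM subnet from subnet.env, and translates isDefaultGateway into the isGateway flag the bridge plugin understands. Assumptions of this example: delegate keys win over subnet.env values, and when the delegate does not set ipMasq it is set to the opposite of FLANNEL_IPMASQ so that only one layer masquerades. Because delegate keys are copied through, hairpinMode also reaches the bridge plugin, although the article's sample bridge config does not show it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed sample inputs mirroring the article's 10-flannel.conflist and
// /run/flannel/subnet.env.
const sampleConflist = `{
  "name": "cni0",
  "plugins": [
    {"type": "flannel", "delegate": {"ipMasq": false, "hairpinMode": true, "isDefaultGateway": true}}
  ]
}`

const sampleSubnetEnv = `FLANNEL_NETWORK=10.244.0.0/16
FLANNEL_SUBNET=10.244.0.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false
`

// parseSubnetEnv turns the KEY=VALUE lines flanneld writes into a map.
func parseSubnetEnv(s string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(s, "\n") {
		if k, v, ok := strings.Cut(strings.TrimSpace(line), "="); ok {
			env[k] = v
		}
	}
	return env
}

// buildBridgeConfig derives the config the flannel plugin hands to the bridge
// plugin from the conflist delegate and the subnet.env contents.
func buildBridgeConfig(conflist, subnetEnv string) (map[string]interface{}, error) {
	var list struct {
		Name    string `json:"name"`
		Plugins []struct {
			Type     string                 `json:"type"`
			Delegate map[string]interface{} `json:"delegate"`
		} `json:"plugins"`
	}
	if err := json.Unmarshal([]byte(conflist), &list); err != nil {
		return nil, err
	}
	var delegate map[string]interface{}
	for _, p := range list.Plugins {
		if p.Type == "flannel" {
			delegate = p.Delegate
		}
	}
	if delegate == nil {
		return nil, fmt.Errorf("no flannel plugin in network %q", list.Name)
	}
	env := parseSubnetEnv(subnetEnv)
	// FLANNEL_SUBNET carries the gateway address (10.244.0.1/24); host-local
	// wants the network address (10.244.0.0/24), which ParseCIDR gives us.
	_, subnet, err := net.ParseCIDR(env["FLANNEL_SUBNET"])
	if err != nil {
		return nil, fmt.Errorf("FLANNEL_SUBNET: %w", err)
	}
	mtu, err := strconv.Atoi(env["FLANNEL_MTU"])
	if err != nil {
		return nil, fmt.Errorf("FLANNEL_MTU: %w", err)
	}
	cfg := map[string]interface{}{}
	for k, v := range delegate { // delegate keys are passed through unchanged
		cfg[k] = v
	}
	cfg["name"] = list.Name
	if _, ok := cfg["type"]; !ok {
		cfg["type"] = "bridge"
	}
	cfg["mtu"] = mtu
	if _, ok := cfg["ipMasq"]; !ok {
		// Assumption: masquerade on the bridge only if flanneld is not doing it.
		cfg["ipMasq"] = env["FLANNEL_IPMASQ"] != "true"
	}
	if gw, _ := cfg["isDefaultGateway"].(bool); gw {
		cfg["isGateway"] = true // the bridge plugin's name for the same idea
		delete(cfg, "isDefaultGateway")
	}
	cfg["ipam"] = map[string]interface{}{"type": "host-local", "subnet": subnet.String()}
	return cfg, nil
}

func main() {
	cfg, err := buildBridgeConfig(sampleConflist, sampleSubnetEnv)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(cfg, "", "  ")
	fmt.Println(string(out))
}
```

A useful sanity check when debugging a node where pods come up without connectivity is exactly this derivation: compare the subnet in /run/flannel/subnet.env with the node's podCIDR from the API server, because the bridge and host-local plugins only ever see the former.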

When called for the first time, it creates a Linux bridge with the "name": "cni0" given in the config. Then a veth pair is created for each pod. One end is attached to the container's network namespace, the other is plugged into the Linux bridge in the host network namespace. In this way the Bridge CNI plugin connects all containers on the host to the Linux bridge in the host network namespace.

After setting up the veth pair, the Bridge plugin calls the host-local IPAM CNI plugin. The IPAM plugin type can be configured in the CNI config that the CRI plugin uses to call the Flannel CNI plugin.

The host-local IPAM CNI plugin

The Bridge CNI plugin calls the host-local IPAM CNI plugin with the following configuration:

{
  "name": "cni0",
  "ipam": {
    "type": "host-local",
    "subnet": "10.244.0.0/24",
    "dataDir": "/var/lib/cni/networks"
  }
}

The host-local IPAM plugin (IPAM stands for IP Address Management) returns an IP address for the container from the subnet and records the allocation on the host in the directory given by dataDir, as /var/lib/cni/networks/<network-name=cni0>/<ip>. This file contains the ID of the container to which the IP address is assigned.

When called, the host-local IPAM plugin returns the following data:

{
  "ip4": {
    "ip": "10.244.4.2",
    "gateway": "10.244.4.3"
  },
  "dns": {}
}
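To show what the host-local plugin's allocation and its dataDir bookkeeping look like end to end, here is an added example of my own (not the host-local plugin's source) that hands out the first free address in a subnet, records it as <dataDir>/<network>/<ip> containing the container ID, refuses to hand out an address that is already reserved, reports exhaustion, and releases a reservation on delete. It writes into a temporary directory so it runs offline. Assumptions of this example: the subnet's first host address is the gateway and is never allocated (host-local's default when no gateway is configured), and the returned ip is the bare address, as in the article's sample output.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"os"
	"path/filepath"
)

// Result mirrors the ip4/dns shape the article shows host-local returning.
type Result struct {
	IP4 struct {
		IP      string `json:"ip"`
		Gateway string `json:"gateway"`
	} `json:"ip4"`
	DNS map[string]interface{} `json:"dns"`
}

// ipAt returns the n-th address of subnet (IPv4 only; caller keeps n in range).
func ipAt(subnet *net.IPNet, n uint32) net.IP {
	ip := make(net.IP, 4)
	binary.BigEndian.PutUint32(ip, binary.BigEndian.Uint32(subnet.IP.To4())+n)
	return ip
}

// hostLocalAdd reserves the first free address in subnet for containerID and
// records it as <dataDir>/<network>/<ip>, the layout the article describes.
func hostLocalAdd(dataDir, network, subnetCIDR, containerID string) (Result, error) {
	var res Result
	_, subnet, err := net.ParseCIDR(subnetCIDR)
	if err != nil {
		return res, err
	}
	dir := filepath.Join(dataDir, network)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return res, err
	}
	ones, bits := subnet.Mask.Size()
	total := uint32(1) << uint(bits-ones) // addresses in the subnet, including network and broadcast
	gateway := ipAt(subnet, 1)            // assumption: first host address is the gateway
	for n := uint32(2); n+1 < total; n++ { // skip network (.0), gateway (.1) and broadcast
		ip := ipAt(subnet, n)
		// O_EXCL makes the reservation atomic: two allocators racing for the
		// same address cannot both succeed; the loser moves on to the next one.
		f, err := os.OpenFile(filepath.Join(dir, ip.String()), os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
		if os.IsExist(err) {
			continue
		}
		if err != nil {
			return res, err
		}
		_, werr := f.WriteString(containerID)
		if cerr := f.Close(); werr == nil {
			werr = cerr
		}
		if werr != nil {
			return res, werr
		}
		res.IP4.IP = ip.String()
		res.IP4.Gateway = gateway.String()
		res.DNS = map[string]interface{}{}
		return res, nil
	}
	return res, fmt.Errorf("no free IP left in %s", subnetCIDR)
}

// hostLocalDel releases whatever address was reserved for containerID (CNI DEL).
func hostLocalDel(dataDir, network, containerID string) error {
	entries, err := os.ReadDir(filepath.Join(dataDir, network))
	if err != nil {
		return err
	}
	for _, e := range entries {
		p := filepath.Join(dataDir, network, e.Name())
		if b, err := os.ReadFile(p); err == nil && string(b) == containerID {
			return os.Remove(p)
		}
	}
	return fmt.Errorf("no reservation found for container %s", containerID)
}

func main() {
	dir, err := os.MkdirTemp("", "cni-ipam-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed sample: two containers on a node whose podCIDR is 10.244.4.0/24.
	for _, id := range []string{"ctr-a", "ctr-b"} {
		r, err := hostLocalAdd(dir, "cni0", "10.244.4.0/24", id)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> ip=%s gateway=%s\n", id, r.IP4.IP, r.IP4.Gateway)
	}
}
```

The per-IP files are also why a node whose dataDir survives a reboot can run out of addresses while few pods are actually running: reservations for containers that were never cleanly deleted stay on disk until something removes them.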

Summary

kube-controller-manager assigns a podCIDR to each node. Each pod receives an IP address from the address range of the podCIDR assigned to its node. Since the nodes' podCIDRs do not overlap, all pods receive unique IP addresses.

The Kubernetes cluster administrator configures and installs the kubelet, the container runtime and the network provider agent, and copies the CNI plugins to each node. On startup, the network provider agent generates the CNI config. When a pod is scheduled to a node, the kubelet calls the CRI plugin to create it. Then, while the container is being created, the Containerd CRI plugin calls the CNI plugin specified in the CNI config to set up the pod network. As a result, the pod receives an IP address.

It took me a while to understand all the subtleties and nuances of this whole interaction. I hope this experience helps you better understand how Kubernetes works. If I got something wrong, please contact me on Twitter or at [email protected]. Feel free to reach out if you would like to discuss this article or anything else. I would love to talk to you!

Links

Containers and networking

How does Flannel work?

CRI and CNI


Source: www.habr.com
