CNI performance assessment for Kubernetes over a 10G network (August 2020)

TL;DR: All CNIs work as they should, except for Kube-Router and Kube-OVN. Calico, apart from its lack of automatic MTU detection, is the best.

This article is an update of my previous benchmarks (2018 and 2019). At the time of testing I am using Kubernetes 1.19 on Ubuntu 18.04 with CNIs updated as of August 2020.

Before we dive into the metrics...

What's new since April 2019?

  • You can test on your own cluster: you can run the tests on your own cluster using our Kubernetes Network Benchmark tool: knb
  • New entrants have appeared
  • New scenarios: the current benchmarks run the "Pod-to-Pod" network performance test, and a new "Pod-to-Service" scenario has been added that runs the tests closer to real-world conditions. In practice, your API Pod works with the database as a service, and not through the Pod IP address (of course we test both TCP and UDP for both scenarios).
  • Resource consumption: each test now has its own resource comparison
  • Removal of application tests: we no longer run HTTP, FTP and SCP tests, as our fruitful collaboration with the community and the CNI maintainers found a gap between the iperf results over TCP and the curl results, caused by a delay in CNI startup (the first few seconds of Pod startup, which is not typical in real-world conditions).
  • Open source: all test sources (scripts, yml configurations and the original "raw" data) are available here

Reference Test Protocol

The protocol is described in detail here. Please note that this article is about Ubuntu 18.04 with the default kernel.

Selecting CNIs for the assessment

This test aims to compare CNIs that are set up with a single yaml file (so all those installed by scripts, such as VPP and others, are excluded).

Our selected CNIs for comparison:

  • Antrea v.0.9.1
  • Calico v3.16
  • Canal v3.16 (Flannel network + Calico Network Policies)
  • Cilium 1.8.2
  • Flannel 0.12.0
  • Kube-router latest (2020–08–25)
  • WeaveNet 2.7.0

Configuring the MTU for the CNI

First of all, we check the effect of automatic MTU detection on TCP performance:

Impact of MTU on TCP Performance

An even bigger gap is found when using UDP:

Impact of MTU on UDP Performance

Given the HUGE performance gap shown in the tests, we would like to send a letter of hope to all CNI maintainers: please add automatic MTU detection to your CNI. You will save kittens, unicorns and even the cutest one: the little Devop.

However, if you need to use a CNI without support for automatic MTU detection, you can configure it manually to get the performance. Please note that this applies to Calico, Canal and WeaveNet.

My small request to CNI maintainers...

CNI Testing: Raw Data

In this section, we will compare the CNIs with the correct MTU (detected automatically or set manually). The main goal here is to show the raw data in graphs.

Color legend:

  • grey - reference (i.e. bare metal)
  • green - bandwidth above 9500 Mbps
  • yellow - bandwidth above 9000 Mbps
  • orange - bandwidth above 8000 Mbps
  • red - bandwidth below 8000 Mbps
  • blue - neutral (not related to bandwidth)

No-load resource consumption

First of all, we check resource usage when the cluster is "sleeping".

No-load resource consumption

Pod-to-Pod

This scenario assumes that the client Pod connects directly to the server Pod using its IP address.

Pod-to-Pod Scenario

TCP

Pod-to-Pod TCP results and the corresponding resource usage:

UDP

Pod-to-Pod UDP results and the corresponding resource usage:

Pod-to-Service

This section is relevant to real-world use cases, where the client Pod connects to the server Pod through a ClusterIP service.

Pod-to-Service Scenario

TCP

Pod-to-Service TCP results and the corresponding resource usage:

UDP

Pod-to-Service UDP results and the corresponding resource usage:

Network policy support

Among all of the above, the only one that does not support network policies is Flannel. All the others implement network policies correctly, including inbound and outbound. Great job!

CNI encryption

Among the CNIs tested, there are some that can encrypt the network exchange between Pods:

  • Antrea using IPsec
  • Calico using wireguard
  • Cilium using IPsec
  • WeaveNet using IPsec

Bandwidth

Since there are fewer CNIs left, let's put all the scenarios into one graph:

Resource consumption

In this section, we will evaluate the resources used when handling Pod-to-Pod communication over TCP and UDP. There is no point in drawing a Pod-to-Service graph, since it does not provide any additional information.

Putting it all together

Let's try to recap all the graphs. We have introduced a bit of subjectivity here, replacing the actual values with the words "very fast", "low", etc.

Conclusion and my takeaways

This is a bit subjective, as I am conveying my own interpretation of the results.

I am glad that new CNIs have appeared. Antrea performed well, with many features implemented even in its early versions: automatic MTU detection, encryption and easy installation.

If we compare performance, all CNIs work well, except for Kube-OVN and Kube-Router. Kube-Router was also unable to detect the MTU, and I did not find a way to configure it anywhere in the documentation (a request on this topic is open here).

In terms of resource consumption, Cilium still uses more RAM than the others, but its developer is clearly targeting large clusters, which is obviously not the same as a test on a three-node cluster. Kube-OVN also consumes a lot of CPU and RAM resources, but it is a young CNI based on Open vSwitch (like Antrea, which performs better and consumes less).

Everyone except Flannel has network policies. It is very likely that it will never support them, since the goal is simpler than a steamed turnip: the lighter, the better.

Also, among other things, the encryption performance is amazing. Calico is one of the oldest CNIs, but encryption was added only a few weeks ago. They chose wireguard instead of IPsec and, simply put, it works great and amazingly well, completely eclipsing the other CNIs in this part of the testing. Yes, resource consumption increases because of encryption, but the throughput achieved is worth it (Calico showed a sixfold improvement in the encryption test compared to Cilium, which is in second place). Moreover, you can enable wireguard at any time after deploying Calico to the cluster, and you can also disable it temporarily or permanently if you wish. It is extremely convenient! We remind you that Calico does not yet detect the MTU automatically (this feature is planned for future versions), so be sure to configure the MTU if your network supports Jumbo Frames (MTU 9000).
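
An added example, not from the original article or from any CNI project: the manual MTU tuning recommended earlier for Calico, Canal and WeaveNet, and the Jumbo Frames reminder here, both come down to keeping the pod-side MTU equal to the uplink MTU minus the encapsulation overhead, which changes when wireguard is switched on. The code audits constructed `ip -o link show` output; the interface names, the `cali` prefix default and the overhead table (the IPv4 values Calico documents for its modes) are assumptions to check against your own CNI.

```python
import re

# Encapsulation overhead in bytes on an IPv4 underlay (values Calico documents
# for its modes; other CNIs may differ, so treat them as assumptions there).
OVERHEAD = {"none": 0, "ipip": 20, "vxlan": 50, "wireguard": 60}

# Constructed `ip -o link show` output from a node whose uplink carries jumbo
# frames. Interface names are illustrative, not taken from the benchmark.
SAMPLE = """
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: ens1f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
5: cali0aa@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP
6: cali0bb@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8980 qdisc noqueue state UP
7: cali0cc@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP
"""

LINK_RE = re.compile(
    r"^\d+:\s+([^:@\s]+)(?:@[^:\s]+)?:\s+<[^>]*>\s+mtu\s+(\d+)", re.M)

def parse_links(text):
    """Return {interface: mtu} parsed from `ip -o link show` output."""
    return {name: int(mtu) for name, mtu in LINK_RE.findall(text)}

def audit_pod_mtu(text, uplink, encap, pod_prefix="cali"):
    """Classify each pod-side interface against uplink MTU minus overhead."""
    links = parse_links(text)
    if uplink not in links:
        raise ValueError(f"uplink {uplink!r} not found")
    expected = links[uplink] - OVERHEAD[encap]
    report = {}
    for name, mtu in links.items():
        if not name.startswith(pod_prefix):
            continue
        if mtu > expected:
            verdict = "too-large"  # encapsulated packets exceed the uplink MTU
        elif mtu < expected:
            verdict = "too-small"  # works, but jumbo-frame throughput is unused
        else:
            verdict = "ok"
        report[name] = (mtu, verdict)
    return expected, report

if __name__ == "__main__":
    for encap in ("ipip", "wireguard"):
        expected, report = audit_pod_mtu(SAMPLE, "ens1f0", encap)
        print(f"{encap}: expected pod MTU {expected}")
        for name, (mtu, verdict) in sorted(report.items()):
            print(f"  {name:10} mtu={mtu:<5} {verdict}")
```

On a real node, pass the output of `ip -o link show` in place of `SAMPLE` and name the actual uplink interface.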

Among other things, note that Cilium can encrypt traffic between cluster nodes (and not only between Pods), which can be very important for public cluster nodes.

In conclusion, I suggest the following use cases:

  • I need a CNI for a very small cluster OR I don't need security: work with Flannel, a lightweight and stable CNI (it is also one of the oldest; according to legend it was invented by Homo Kubernautus or Homo Contaitorus). You may also be interested in the ingenious k3s project, check it out!
  • I need a CNI for a regular cluster: Calico is your choice, but don't forget to configure the MTU if needed. You can play easily and naturally with network policies, turn encryption on and off, etc.
  • I need a CNI for a (very) large-scale cluster: well, the test does not show the behavior of large clusters. I would be happy to run such tests, but we don't have hundreds of servers with a 10Gbps connection. So the best option is to run a modified test on your own nodes, at least with Calico and Cilium.

Source: www.habr.com
