Understanding network policy options with Calico


The Calico network plugin provides a wide range of network policy options with a unified syntax for protecting bare-metal hosts, virtual machines and pods. These policies can be applied within a namespace, or as global network policies that apply to host endpoints (protecting applications running directly on the host, which may be a server or a virtual machine) or to workload endpoints (protecting applications running in containers or in hosted virtual machines). Calico policies let you apply security controls at different points in the packet processing path using options such as preDNAT, untracked and applyOnForward. Understanding how these options work helps you improve both the security and the performance of your system as a whole. This article explains the essence of these Calico policy options (preDNAT, untracked and applyOnForward) as applied to host endpoints, with emphasis on what happens in the packet processing path (the iptables chains).

This article assumes you have a basic understanding of how Kubernetes and Calico network policies work. If not, we recommend working through the basic network policy tutorial and the host protection tutorial for Calico before reading this article. We also expect you to have a basic understanding of how iptables works on Linux.

Calico global network policy lets you apply a set of access rules to endpoints selected by label (groups of hosts and workloads/pods). This is especially useful when you run heterogeneous systems side by side: virtual machines, systems running directly on hardware, or Kubernetes infrastructure. In addition, you can protect your cluster nodes with a set of declarative policies and apply network policy to incoming traffic (for example, traffic arriving through NodePort or External IP services).

At a basic level, when Calico connects a pod to the network (see the diagram below), it attaches it to the host using a virtual Ethernet interface (veth). Traffic sent by the pod enters the host through this virtual interface and is processed exactly as if it had arrived on a physical network interface. By default, Calico names these interfaces caliXXX. Because the traffic arrives through the virtual interface, it passes through iptables as if the pod were one hop away. Consequently, from the host's point of view, traffic to or from a pod is forwarded traffic.

On a Kubernetes node running Calico, you can map a virtual interface (veth) to its workload as follows. In the example below, you can see that interface 10 (calic1cbf1ca0f8) belongs to the cnx-manager-* pod in the calico-monitoring namespace.

[centos@ip-172-31-31-46 K8S]$ sudo ip a
...
10: calic1cbf1ca0f8@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
...

[centos@ip-172-31-31-46 K8S]$ calicoctl get wep --all-namespaces
...
calico-monitoring cnx-manager-8f778bd66-lz45m                            ip-172-31-31-46.ec2.internal 192.168.103.134/32 calic1cbf1ca0f8
...


Given that Calico creates a veth interface for every workload, how does it enforce policy? To do this, Calico inserts hooks into the various chains of the packet processing path using iptables.

The diagram below shows the chains involved in packet processing in iptables (the netfilter subsystem). When a packet arrives on a network interface, it first passes through the PREROUTING chain. A routing decision is then made and, depending on the result, the packet passes through either INPUT (destined for a local process) or FORWARD (destined for a pod or for another node on the network). A packet originating from a local process passes through the OUTPUT chain and then POSTROUTING before it is sent on the wire.

Note that, as far as iptables processing is concerned, the pod is also an external entity (attached through the veth). To summarize:

  • Forwarded traffic (NAT, routed, or to/from a pod) passes through the PREROUTING - FORWARD - POSTROUTING chains.
  • Traffic to a local process passes through the PREROUTING - INPUT chains.
  • Traffic from a local process passes through the OUTPUT - POSTROUTING chains.


Calico provides policy options that let you apply policy in each of these chains. With that in mind, let's look at the different policy options available in Calico. The numbers in the list of policy options below correspond to the numbers in the diagram above.

  1. Workload endpoint (pod) policy
  2. Host endpoint policy
  3. ApplyOnForward option
  4. PreDNAT policy
  5. Untracked policy

Let's start by looking at how policy is applied to workload endpoints (Kubernetes pods or OpenStack VMs), and then look at the policy options for host endpoints.

Workload Endpoints

Workload Endpoint Policy (1)

This is the option for protecting your Kubernetes pods. Calico supports Kubernetes NetworkPolicy, but also provides additional policy types: Calico NetworkPolicy and GlobalNetworkPolicy. Calico creates a chain for each pod (workload) and hooks the workload's INPUT and OUTPUT chains into the FORWARD chain of the filter table.

Host Endpoints

Host Endpoint Policy (2)

Beyond the CNI (container network interface), Calico policy makes it possible to protect the host itself. In Calico, you create a host endpoint by specifying a host interface and, if required, a set of port numbers. Policy for this entity is enforced in the INPUT and OUTPUT chains of the filter table. As you can see from the diagram, (2) applies to local processes on the node/host. That is, if you create a policy that applies to a host endpoint, it will not affect traffic to or from your pods. It does, however, give you a single interface and syntax for restricting traffic to both your hosts and your pods using Calico policy, which greatly simplifies policy management in a heterogeneous network. Configuring host endpoints to secure the cluster itself is another important use case.

ApplyOnForward Policy (3)

The ApplyOnForward option is available in Calico global network policy so that a policy can be applied to all traffic passing through a host endpoint, including traffic that the host will forward. This includes traffic forwarded to a local pod or to anywhere else on the network. Calico requires this setting to be enabled for policies that use PreDNAT and Untracked; see the following sections. In addition, ApplyOnForward can be used to inspect host traffic in setups where a virtual router or software NAT is in use.

Note that if you want to apply the same network policy to both host processes and pods, you do not need the ApplyOnForward option. All you need to do is put a label on the relevant host endpoint and on the workload endpoint (pod). Calico is smart enough to enforce the policy based on labels, regardless of the endpoint type (host endpoint or workload endpoint).

PreDNAT Policy (4)

In Kubernetes, service ports can be exposed externally using the NodePorts option or, alternatively (if you use Calico), by advertising them using the Cluster IPs or External IPs option. Kube-proxy load-balances incoming traffic bound for a service across the corresponding workload pods using DNAT. Given this, how do you enforce policy on traffic arriving through NodePorts? To make sure these policies are applied before the traffic is processed by DNAT (the mapping between host:port and the corresponding service), Calico provides a globalNetworkPolicy parameter called "preDNAT: true".

When pre-DNAT is enabled, these policies are applied at (4) in the diagram, in the PREROUTING chain of the mangle table, immediately before DNAT. The usual policy ordering is not followed here, since these policies are applied much earlier in the traffic processing path. However, preDNAT policies do respect the order of application among themselves.

When creating policies with pre-DNAT, it is important to be careful about which traffic you want to process and to allow a general deny for the rest. Traffic marked as 'allow' by a pre-DNAT policy is no longer checked by the host endpoint policy, whereas traffic that is not allowed by the pre-DNAT policy continues through the remaining chains. Calico has made it mandatory to enable the applyOnForward option when using preDNAT, because at that point the destination of the traffic has by definition not yet been decided. The traffic could be destined for a host process, or it could be forwarded to a pod or to another node.
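As an added example (not from the original article), here is a HostEndpoint for the node shown in the calicoctl output above, together with a preDNAT GlobalNetworkPolicy that restricts who may reach the NodePort range before kube-proxy's DNAT. The eth0 interface, its address, the role label and the permitted source range are assumptions.

```yaml
# Host endpoint for the node's external interface (interface name, address and label are assumed).
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: ip-172-31-31-46-eth0
  labels:
    role: k8s-node
spec:
  node: ip-172-31-31-46.ec2.internal   # node name from the calicoctl output above
  interfaceName: eth0                   # assumed: the interface that receives NodePort traffic
  expectedIPs:
    - 172.31.31.46                      # assumed address of eth0
---
# preDNAT policy: evaluated at (4), mangle PREROUTING, before kube-proxy rewrites the destination.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: nodeport-ingress-predat
spec:
  selector: role == 'k8s-node'
  order: 10
  preDNAT: true           # apply before DNAT, so the original host:port is still visible
  applyOnForward: true    # mandatory with preDNAT: the routing decision has not been made yet
  ingress:                # preDNAT policies only have ingress rules
    - action: Allow
      protocol: TCP
      source:
        nets: ["10.0.0.0/8"]          # constructed: the only range permitted to reach NodePorts
      destination:
        ports: ["30000:32767"]        # default Kubernetes NodePort range
    - action: Deny                    # every other client is dropped before DNAT happens
      protocol: TCP
      destination:
        ports: ["30000:32767"]
# Packets that match neither rule (e.g. SSH to port 22) are not "allowed" here, so they
# continue through the remaining chains and are still subject to the normal host endpoint policy.
```

Keep the Deny scoped to the NodePort range: a blanket deny in a preDNAT policy would also drop management traffic to the host before any host endpoint policy could allow it.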

Untracked Policy (5)

Networks and applications can differ greatly in behaviour. In some extreme cases, applications create a very large number of short-lived connections. This can cause conntrack (a core component of the Linux networking stack) to run out of memory. Traditionally, to run such applications on Linux you had to manually tune or disable conntrack, or write iptables rules to bypass it. Untracked policy in Calico is a simpler and more efficient option when you need to process packets as fast as possible, for example when running a large memcache, or as an additional measure of protection against DDoS.

Read this blog post (or our translation of it) for more information, including performance tests using untracked policy.

When you set the "doNotTrack: true" option in a Calico globalNetworkPolicy, it becomes an **untracked** policy and is applied very early in the Linux packet processing pipeline. Looking at the diagram above, untracked policies are applied in the PREROUTING and OUTPUT chains of the raw table, before connection tracking (conntrack) begins. When a packet is allowed by an untracked policy, it is marked so that connection tracking is disabled for that packet. This means:

  • Untracked policy is applied on a per-packet basis. There is no concept of a connection (or flow). The absence of connections has several important consequences:
  • If you need to allow both request and response traffic, you need policy for both ingress and egress (since Calico normally relies on conntrack to mark response traffic as allowed).
  • Untracked policy does not work for Kubernetes workloads (pods), because in that case there is no way to track outgoing connections from the pod.
  • NAT does not work with untracked packets (since the kernel stores the NAT mapping in conntrack).
  • If you put an "allow all" rule in an untracked policy, all packets will be marked as untracked. This is almost certainly not what you want, so it is important to be very selective about the packets allowed by untracked policies (and let most traffic flow through the normal tracked policies).
  • Untracked policies are applied at the very beginning of the packet processing pipeline. This is very important to understand when writing Calico policies. You can have a pod policy with order:1 and an untracked policy with order:1000. It does not matter: the untracked policy is applied before the pod policy. Untracked policies respect execution order only among themselves.

Because one of the goals of doNotTrack policy is to enforce policy very early in the Linux packet processing pipeline, Calico has made it mandatory to specify the applyOnForward option when using doNotTrack. Referring to the packet processing diagram, note that untracked (5) policy sits before the routing decision. The traffic could be destined for a host process, or it could be forwarded to a pod or to another node.
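The following is an added example (not from the original article) of an untracked GlobalNetworkPolicy for a memcached host endpoint. Because no connection state exists for untracked packets, the policy needs both an ingress rule for requests and an egress rule for replies; the role label, the memcached port and the client range are assumptions.

```yaml
# Untracked policy: evaluated at (5), raw PREROUTING/OUTPUT, before conntrack sees the packet.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: memcached-untracked
spec:
  selector: role == 'memcached-host'   # assumed label on the HostEndpoints of the cache servers
  order: 100                            # only ordered relative to other untracked policies
  doNotTrack: true                      # allowed packets bypass conntrack (no flow, no NAT)
  applyOnForward: true                  # mandatory with doNotTrack: routing decision not yet made
  ingress:
    - action: Allow                     # client requests, matched packet by packet
      protocol: TCP
      source:
        nets: ["10.20.0.0/16"]          # constructed: the memcached client range
      destination:
        ports: [11211]
  egress:
    - action: Allow                     # replies must be allowed explicitly: there is no
      protocol: TCP                     # connection state to mark them as return traffic
      source:
        ports: [11211]
      destination:
        nets: ["10.20.0.0/16"]
# Everything else (SSH, monitoring, pod traffic) matches neither rule, so it is not marked
# untracked and continues through the normal conntrack-based host and pod policies.
```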

Conclusion

We looked at the different policy options (host endpoint, ApplyOnForward, preDNAT and untracked) in Calico and where each is applied along the packet processing path. Understanding how they work helps you write policies that are both effective and secure. With Calico you can apply a global network policy that targets a label (a group of nodes and pods) and apply policies with different parameters. This lets security and network design professionals easily protect "everything" (every endpoint type) at once, using a single policy language with Calico.

Acknowledgements: I would like to thank Sean Crampton and Alex Pollitt for their review and valuable input.

Source: www.habr.com
