Calico for networking in Kubernetes: an introduction and a bit of experience

The purpose of this article is to introduce the reader to the basics of networking and network policy management in Kubernetes, together with the third-party Calico plugin that extends the standard capabilities. Along the way, the convenience of its configuration and some of its features are shown with real examples from our operational experience.

A quick introduction to Kubernetes networking

A Kubernetes cluster is unthinkable without a network. We have already published material on the basics: "An Illustrated Guide to Networking in Kubernetes" and "An Introduction to Kubernetes Network Policies for Security Professionals".

For this article it is important to note that K8s itself is not responsible for network connectivity between containers and nodes: that is the job of the various CNI (Container Network Interface) plugins. We have written more about this concept as well.

For example, the most widespread of these plugins, Flannel, provides full network connectivity between all cluster nodes by bringing up a bridge on every node and assigning it a subnet. However, full and unregulated reachability is not always useful. To provide some isolation inside the cluster you have to intervene in the firewall configuration, and in the general case the firewall is under the control of that same CNI, which is why any third-party intervention in iptables may be interpreted incorrectly or ignored entirely.

"Out of the box", Kubernetes provides the NetworkPolicy API for managing network policies in a cluster. This resource, scoped to the namespaces you choose, can contain rules that restrict access from one application to another. It also lets you configure reachability between specific pods, environments (namespaces) or IP address blocks:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

This is not the most basic example from the official documentation, and it can discourage any wish to understand the logic of network policies once and for all. Nevertheless, we will try to grasp the basic principles and the ways of handling traffic flows with network policies...

Logically, there are two kinds of traffic: entering a pod (Ingress) and leaving it (Egress).

Policies are in fact divided into these two categories according to the direction of the traffic.

The next required attribute is the selector: whom the rule applies to. This can be a pod (or a group of pods) or an environment (i.e. a namespace). An important detail: both kinds of object must carry labels (in Kubernetes terminology); labels are what policies operate on.

Besides a finite set of selectors united by some label, it is possible to write rules of the form "allow/deny everything/everyone" in several variations. The following constructs are used for this:

  podSelector: {}
  ingress: []
  policyTypes:
  - Ingress

In this example, all pods of the namespace are closed to incoming traffic. The opposite behaviour is achieved with the following construct:

  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress

Similarly for outgoing traffic:

  podSelector: {}
  policyTypes:
  - Egress

disables it, and this is what enables it:

  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress

Returning to the choice of CNI plugin for a cluster, it is worth noting that not every network plugin supports NetworkPolicy. For example, the already mentioned Flannel cannot configure network policies, which is stated directly in the official repository. An alternative is named there as well: the open source project Calico, which significantly extends the standard set of Kubernetes APIs with respect to network policies.

Getting to know Calico: theory

The Calico plugin can be used together with Flannel (the Canal subproject) or on its own, covering both network connectivity and reachability management.

What does using the "boxed" K8s solution together with the API from Calico give you?

Here is what is built into NetworkPolicy:

  • policies are limited to a namespace;
  • policies are applied to pods marked with labels;
  • rules can be applied to pods, namespaces or subnets;
  • rules can contain protocols and named or symbolic port designations.

Here is how Calico extends this:

  • policies can be applied to any object: pod, container, virtual machine or interface;
  • rules can contain a specific action (deny, allow, logging);
  • the target or source of a rule can be a port, a range of ports, protocols, HTTP or ICMP attributes, an IP address or subnet (IPv4 or IPv6), or any selectors (nodes, hosts, namespaces);
  • in addition, you can regulate the passage of traffic with DNAT settings and traffic forwarding policies.

The first commit to the Calico repository on GitHub dates from July 2016, and a year later the project had taken a leading position among Kubernetes networking solutions, as shown, for example, by the results of a survey conducted by The New Stack:

Many large managed K8s offerings, such as Amazon EKS, Azure AKS, Google GKE and others, have started recommending it.

As for performance, everything is fine here. When testing their product, the Calico development team showed astronomical numbers: over 50,000 containers on 500 physical nodes with a container creation rate of 20 per second, and no scaling problems were found. Those results were announced already with the first version. Independent studies focused on throughput and resource consumption also confirm that Calico's performance is practically on a par with Flannel. For example:

The project is developing very rapidly: it supports the popular managed K8s offerings, OpenShift and OpenStack, Calico can be used when deploying a cluster with kops, and there are references to building Service Mesh networks with it (here is an example of use together with Istio).

Practice with Calico

In the general case of vanilla Kubernetes, installing the CNI comes down to applying the calico.yaml file downloaded from the official website with kubectl apply -f.

As a rule, the latest version of the plugin is compatible with the latest 2-3 Kubernetes releases: operation on older versions is not tested and not guaranteed. According to the developers, Calico runs on Linux kernels above 3.10 on CentOS 7, Ubuntu 16 or Debian 8, on top of iptables or IPVS.

Isolation within a namespace

For a general understanding, let us look at a simple case to see how network policies in Calico notation differ from the usual ones and how its approach to composing rules makes them more readable and more flexible to change:

Two web applications are deployed in the cluster, one on Node.js and one on PHP, and one of them uses Redis. To block access to Redis from PHP while keeping the connectivity with Node.js, apply the following policy:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-redis-nodejs
spec:
  podSelector:
    matchLabels:
      service: redis
  ingress:
  - from:
    - podSelector:
        matchLabels:
          service: nodejs
    ports:
    - protocol: TCP
      port: 6379

In effect we have allowed incoming traffic to the Redis port from Node.js, and clearly nothing else was explicitly denied. But as soon as a NetworkPolicy appears, every pod matched by its selector becomes isolated unless stated otherwise, so Redis now accepts nothing except what the rule lists. The isolation does not extend to objects the selector does not cover (PHP and Node.js themselves remain fully open), and, because the policy has no policyTypes and no egress section, it governs Ingress only: traffic leaving the Redis pod is untouched.

The example works with the Kubernetes apiVersion out of the box, but nothing prevents you from using the resource of the same name shipped with Calico. Its syntax is more detailed, so for the case above the rule would be rewritten as follows:

apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-nodejs
spec:
  selector: service == 'redis'
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: service == 'nodejs'
    destination:
      ports:
      - 6379

The constructs shown above for allowing or denying all traffic through the standard NetworkPolicy API rely on bracket notation that is hard to read and remember. In Calico, to invert the meaning of a firewall rule you simply change action: Allow to action: Deny.

Isolation between namespaces

Now imagine a situation where an application exposes business metrics to be collected by Prometheus and analysed further in Grafana. The export may include sensitive data which, again, is visible to everyone. Let us hide this data from prying eyes:

Prometheus is usually deployed in a separate service environment, for example a namespace like this:

apiVersion: v1
kind: Namespace
metadata:
  labels:
    module: prometheus
  name: kube-prometheus

The metadata.labels field here is no accident. As mentioned above, namespaceSelector (like podSelector) works with labels. Therefore, to allow metrics to be scraped from all pods on a particular port, you have to add some label (or use an existing one) and then apply a configuration like:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-metrics-prom
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          module: prometheus
    ports:
    - protocol: TCP
      port: 9100

And if you use Calico policies, the syntax will be:

apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-metrics-prom
spec:
  ingress:
  - action: Allow
    protocol: TCP
    source:
      namespaceSelector: module == 'prometheus'
    destination:
      ports:
      - 9100

In general, by adding such policies for specific needs you can protect against malicious or accidental interference with the operation of applications in the cluster.

The best practice, according to the Calico authors, is the "deny everything and explicitly open what is needed" approach described in the official documentation (others follow a similar approach, in particular the article already mentioned above).
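To make the isolation rules concrete, here is an added example (mine, not part of the original article and not Kubernetes or Calico code): a small Python evaluator of NetworkPolicy semantics, run over the manifests shown above: the documentation policy with its ipBlock/except, the default-deny construct, allow-redis-nodejs and allow-metrics-prom. The pod inventory, IP addresses and namespace labels are constructed for the demo; named ports and matchExpressions are not modelled.

```python
"""Evaluator for Kubernetes NetworkPolicy semantics (added example, stdlib only).
A pod is isolated in a direction once any policy selecting it lists that direction in
policyTypes (default: Ingress, plus Egress if spec.egress exists); an isolated pod accepts
a flow only if some rule of a selecting policy matches peer and port."""
import ipaddress

def labels_match(selector, labels):
    """matchLabels only: {} or a missing selector matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def policy_types(spec):
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())

def peer_matches(peer, policy_ns, src, namespaces):
    """src = {"ns", "labels", "ip"}; ns is None for traffic from outside the cluster."""
    if "ipBlock" in peer:
        blk, ip = peer["ipBlock"], ipaddress.ip_address(src["ip"])
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(
            ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if src["ns"] is None:
        return False  # pod/namespace selectors never match non-cluster endpoints
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], namespaces[src["ns"]]):
            return False
    elif src["ns"] != policy_ns:
        return False  # a bare podSelector is scoped to the policy's own namespace
    return labels_match(peer.get("podSelector"), src["labels"])

def port_matches(rule, port, proto):
    if "ports" not in rule:
        return True  # no ports field: any port, any protocol
    return any(p.get("protocol", "TCP") == proto and p.get("port", port) == port for p in rule["ports"])

def direction_ok(policies, namespaces, pod, peer, direction, port, proto):
    """Does `pod` accept (Ingress) or emit (Egress) this flow to/from `peer`?"""
    if pod["ns"] is None:
        return True  # endpoints outside the cluster are not governed by NetworkPolicy
    isolated = permitted = False
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for pol in policies:
        spec = pol["spec"]
        if (pol["metadata"].get("namespace", "default") != pod["ns"] or direction not in policy_types(spec)
                or not labels_match(spec["podSelector"], pod["labels"])):
            continue
        isolated = True  # selected in this direction: only listed rules may let traffic through
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peer_key)
            if peers is None or any(peer_matches(p, pod["ns"], peer, namespaces) for p in peers):
                permitted = permitted or port_matches(rule, port, proto)
    return permitted or not isolated

def allowed(policies, namespaces, src, dst, port, proto="TCP"):
    """src -> dst:port passes only if the sender's egress and the receiver's ingress both allow it."""
    return (direction_ok(policies, namespaces, src, dst, "Egress", port, proto)
            and direction_ok(policies, namespaces, dst, src, "Ingress", port, proto))

# Constructed inventory: labels follow the article's examples, IPs are made up.
NAMESPACES = {"default": {}, "kube-prometheus": {"module": "prometheus"}}
POD = {
    "db":     {"ns": "default", "labels": {"role": "db"}, "ip": "10.244.1.9"},
    "redis":  {"ns": "default", "labels": {"service": "redis"}, "ip": "10.244.1.10"},
    "nodejs": {"ns": "default", "labels": {"service": "nodejs"}, "ip": "10.244.1.11"},
    "php":    {"ns": "default", "labels": {"service": "php"}, "ip": "10.244.1.12"},
    "prom":   {"ns": "kube-prometheus", "labels": {"app": "prometheus"}, "ip": "10.244.2.5"},
}
def outside(ip):  # a client that is not a pod
    return {"ns": None, "labels": {}, "ip": ip}

# Policies transcribed from the article's manifests.
TEST_POLICY = {"metadata": {"name": "test-network-policy", "namespace": "default"}, "spec": {
    "podSelector": {"matchLabels": {"role": "db"}}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
                          {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                          {"podSelector": {"matchLabels": {"role": "frontend"}}}],
                 "ports": [{"protocol": "TCP", "port": 6379}]}],
    "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}], "ports": [{"protocol": "TCP", "port": 5978}]}]}}
DENY_INGRESS = {"metadata": {"name": "default-deny", "namespace": "default"},
                "spec": {"podSelector": {}, "ingress": [], "policyTypes": ["Ingress"]}}
ALLOW_REDIS = {"metadata": {"name": "allow-redis-nodejs", "namespace": "default"}, "spec": {
    "podSelector": {"matchLabels": {"service": "redis"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"service": "nodejs"}}}],
                 "ports": [{"protocol": "TCP", "port": 6379}]}]}}
ALLOW_METRICS = {"metadata": {"name": "allow-metrics-prom", "namespace": "default"}, "spec": {
    "podSelector": {},
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"module": "prometheus"}}}],
                 "ports": [{"protocol": "TCP", "port": 9100}]}]}}

def demo():
    """Verdicts for the article's scenarios; keys name the policies in force."""
    one, hard, docs = [ALLOW_REDIS], [DENY_INGRESS, ALLOW_REDIS, ALLOW_METRICS], [TEST_POLICY]
    chk = lambda pols, s, d, port: allowed(pols, NAMESPACES, s, d, port)
    return {
        "redis-only: nodejs->redis:6379": chk(one, POD["nodejs"], POD["redis"], 6379),
        "redis-only: php->redis:6379": chk(one, POD["php"], POD["redis"], 6379),
        "redis-only: redis->php:80 (php unselected)": chk(one, POD["redis"], POD["php"], 80),
        "hardened: redis->php:80": chk(hard, POD["redis"], POD["php"], 80),
        "hardened: nodejs->redis:6379": chk(hard, POD["nodejs"], POD["redis"], 6379),
        "hardened: prom->redis:9100": chk(hard, POD["prom"], POD["redis"], 9100),
        "hardened: prom->redis:6379": chk(hard, POD["prom"], POD["redis"], 6379),
        "docs: 172.17.0.5->db:6379": chk(docs, outside("172.17.0.5"), POD["db"], 6379),
        "docs: 172.17.1.5->db:6379 (except)": chk(docs, outside("172.17.1.5"), POD["db"], 6379),
        "docs: db->10.0.0.7:5978": chk(docs, POD["db"], outside("10.0.0.7"), 5978),
        "docs: db->php:80 (egress isolated)": chk(docs, POD["db"], POD["php"], 80),
    }
```

Calling demo() returns one verdict per scenario. The points to notice: Redis is closed to PHP the moment allow-redis-nodejs exists, while PHP itself stays fully open until the default-deny policy is added; the Prometheus scrape passes only on 9100 and only because the namespace carries the label; and the documentation policy's Egress type leaves the db pod unable to reach anything except 10.0.0.0/24 on 5978, while the except block rejects 172.17.1.5 even though it sits inside the allowed /16.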

Using advanced Calico features

Let me remind you that the extended set of Calico APIs lets you regulate the reachability of nodes, not just pods. The following example uses a GlobalNetworkPolicy to block ICMP in the cluster (for example, pings from a pod to a node, between pods, or from a node to a pod IP):

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: block-icmp
spec:
  order: 200
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Deny
    protocol: ICMP
  egress:
  - action: Deny
    protocol: ICMP

In the case above the cluster nodes can still reach each other over ICMP: without HostEndpoint objects, Calico enforces nothing on the nodes' own interfaces. A node's interface is brought under policy by declaring a HostEndpoint for it; from then on every policy whose selector matches its labels applies to it (including block-icmp, since all() matches host endpoints too), evaluated in ascending order. The GlobalNetworkPolicy below matches the HostEndpoint's role label and, with order 0, is evaluated before block-icmp, so it decides ICMP for the nodes first: as written it allows node-to-node ICMP, and setting both actions to Deny blocks it. Two caveats before applying a HostEndpoint: once it exists, Calico denies any traffic to that interface that no policy allows, apart from its failsafe ports (SSH, BGP, etcd, the API server and a few more, configurable in FelixConfiguration), so write the allow rules for kubelet, etcd and similar node traffic first; and because block-icmp selects all(), every endpoint it selects loses non-ICMP traffic as well unless some other policy allows it, since Calico denies a packet that matches no rule of the policies applied to the endpoint.

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: deny-icmp-kube-02
spec:
  selector: "role == 'k8s-node'"
  order: 0
  ingress:
  - action: Allow
    protocol: ICMP
  egress:
  - action: Allow
    protocol: ICMP
---
apiVersion: crd.projectcalico.org/v1
kind: HostEndpoint
metadata:
  name: kube-02-eth0
  labels:
    role: k8s-node
spec:
  interfaceName: eth0
  node: kube-02
  expectedIPs: ["192.168.2.2"]
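The interplay of order, selectors and the implicit deny is easier to see by executing it, so here is an added example (mine, not part of the article and not Calico code): a simplified Python model of Calico policy evaluation applied to the manifests above, the Calico allow-redis-nodejs policy, block-icmp and the order-0 policy matching the HostEndpoint's role label. The endpoints (two hosts labelled like the HostEndpoint and three pods) are constructed, and so are two extra GlobalNetworkPolicies marked hypothetical: a catch-all allow and a set of explicit allows. The failsafe port list is Felix's default inbound list and is an assumption about the cluster's FelixConfiguration; Pass/Log actions, tiers, preDNAT/applyOnForward, ICMP types, namespaceSelector and source ports are not modelled.

```python
"""Simplified evaluator of Calico policy semantics (added example, stdlib only).
Per endpoint and direction: policies whose selector matches the endpoint (a namespaced
Calico NetworkPolicy only inside its namespace) run in ascending `order`, unordered ones
last; the first matching rule's Allow/Deny wins; if policies applied but no rule matched
the packet is denied; if none applied, a workload endpoint is allowed (its profile) and a
host endpoint is denied except on failsafe ports."""

# Felix's default inbound failsafe ports (assumption: FelixConfiguration left at defaults).
FAILSAFE_IN = {("TCP", 22), ("UDP", 68), ("TCP", 179), ("TCP", 2379), ("TCP", 2380),
               ("TCP", 5473), ("TCP", 6443), ("TCP", 6666), ("TCP", 6667)}

def selector_matches(expr, labels):
    """Handles the selector forms used on this page: all(), k == 'v', joined with &&."""
    for term in (expr or "all()").split("&&"):
        term = term.strip()
        if term == "all()":
            continue
        key, _, value = term.partition("==")
        if labels.get(key.strip()) != value.strip().strip("'\""):
            return False
    return True

def types_of(spec):
    return spec.get("types") or [d for d in ("Ingress", "Egress") if d.lower() in spec]

def policy_applies(pol, ep):
    if pol["kind"] == "NetworkPolicy" and pol["metadata"].get("namespace", "default") != ep.get("namespace"):
        return False
    return selector_matches(pol["spec"].get("selector"), ep["labels"])

def entity_matches(ent, ep, pol, port):
    """`ent` is rule['source'] or rule['destination']; ep is None for a non-cluster host."""
    if not ent:
        return True
    if "ports" in ent and port not in ent["ports"]:
        return False
    if "selector" in ent:
        if ep is None or not selector_matches(ent["selector"], ep["labels"]):
            return False
        if pol["kind"] == "NetworkPolicy" and ep.get("namespace") != pol["metadata"].get("namespace", "default"):
            return False  # a namespaced policy's selectors see only its own namespace
    return True

def verdict(policies, ep, direction, src, dst, proto, dport):
    """'Allow' or 'Deny' for endpoint `ep` in `direction`; src/d
st are the packet's two ends."""
    if ep["kind"] == "host" and direction == "Ingress" and (proto, dport) in FAILSAFE_IN:
        return "Allow"  # failsafe rules sit in front of all policy
    applied = sorted((p for p in policies if policy_applies(p, ep) and direction in types_of(p["spec"])),
                     key=lambda p: (p["spec"].get("order") is None, p["spec"].get("order") or 0, p["metadata"]["name"]))
    for pol in applied:
        for rule in pol["spec"].get(direction.lower(), []):
            if rule.get("protocol", proto) != proto:
                continue
            if entity_matches(rule.get("source"), src, pol, None) and \
               entity_matches(rule.get("destination"), dst, pol, dport):
                return rule["action"]
    if applied:
        return "Deny"  # policies applied, nothing matched: implicit deny
    return "Allow" if ep["kind"] == "workload" else "Deny"

def connection(policies, src, dst, proto, dport=None):
    """A flow passes only if the sender's egress and the receiver's ingress both allow it."""
    if src is not None and verdict(policies, src, "Egress", src, dst, proto, dport) != "Allow":
        return False
    return verdict(policies, dst, "Ingress", src, dst, proto, dport) == "Allow"

# Constructed endpoints; the hosts carry the label from the article's HostEndpoint manifest.
EP = {
    "redis":  {"kind": "workload", "namespace": "default", "labels": {"service": "redis"}},
    "nodejs": {"kind": "workload", "namespace": "default", "labels": {"service": "nodejs"}},
    "php":    {"kind": "workload", "namespace": "default", "labels": {"service": "php"}},
    "kube-01": {"kind": "host", "labels": {"role": "k8s-node"}}, "kube-02": {"kind": "host", "labels": {"role": "k8s-node"}},
}
# Transcribed from the article's manifests.
ALLOW_REDIS = {"kind": "NetworkPolicy", "metadata": {"name": "allow-redis-nodejs", "namespace": "default"},
    "spec": {"selector": "service == 'redis'", "ingress": [{"action": "Allow", "protocol": "TCP",
             "source": {"selector": "service == 'nodejs'"}, "destination": {"ports": [6379]}}]}}
BLOCK_ICMP = {"kind": "GlobalNetworkPolicy", "metadata": {"name": "block-icmp"},
    "spec": {"order": 200, "selector": "all()", "types": ["Ingress", "Egress"],
             "ingress": [{"action": "Deny", "protocol": "ICMP"}], "egress": [{"action": "Deny", "protocol": "ICMP"}]}}
NODE_ICMP = {"kind": "GlobalNetworkPolicy", "metadata": {"name": "deny-icmp-kube-02"},
    "spec": {"selector": "role == 'k8s-node'", "order": 0,
             "ingress": [{"action": "Allow", "protocol": "ICMP"}], "egress": [{"action": "Allow", "protocol": "ICMP"}]}}
# Hypothetical (not from the article): a catch-all allow, the tempting but wrong fix.
CATCH_ALL = {"kind": "GlobalNetworkPolicy", "metadata": {"name": "allow-rest"}, "spec": {"order": 1000,
    "selector": "all()", "ingress": [{"action": "Allow", "protocol": "TCP"}], "egress": [{"action": "Allow", "protocol": "TCP"}]}}
# Hypothetical (not from the article): explicit allows in the spirit of "deny all, open what is needed".
EXPLICIT = {"kind": "GlobalNetworkPolicy", "metadata": {"name": "allow-web-and-egress"}, "spec": {"order": 1000,
    "selector": "all()",
    "ingress": [{"action": "Allow", "protocol": "TCP", "destination": {"selector": "service == 'php'", "ports": [80]}}],
    "egress": [{"action": "Allow", "protocol": "TCP"}, {"action": "Allow", "protocol": "UDP"}]}}

def demo():
    e, icmp = EP, [ALLOW_REDIS, BLOCK_ICMP, NODE_ICMP]
    return {
        "redis-only: nodejs->redis:6379": connection([ALLOW_REDIS], e["nodejs"], e["redis"], "TCP", 6379),
        "redis-only: php->redis:6379":    connection([ALLOW_REDIS], e["php"], e["redis"], "TCP", 6379),
        "icmp: nodejs->php ping":         connection(icmp, e["nodejs"], e["php"], "ICMP"),
        "icmp: kube-01->kube-02 ping":    connection(icmp, e["kube-01"], e["kube-02"], "ICMP"),
        "icmp: nodejs->php:80":           connection(icmp, e["nodejs"], e["php"], "TCP", 80),
        "icmp: outside->kube-02:6443":    connection(icmp, None, e["kube-02"], "TCP", 6443),
        "icmp: outside->kube-02:8080":    connection(icmp, None, e["kube-02"], "TCP", 8080),
        "catch-all: php->redis:6379":     connection(icmp + [CATCH_ALL], e["php"], e["redis"], "TCP", 6379),
        "explicit: nodejs->php:80":       connection(icmp + [EXPLICIT], e["nodejs"], e["php"], "TCP", 80),
        "explicit: php->redis:6379":      connection(icmp + [EXPLICIT], e["php"], e["redis"], "TCP", 6379),
        "explicit: nodejs->redis:6379":   connection(icmp + [EXPLICIT], e["nodejs"], e["redis"], "TCP", 6379),
    }
```

The verdicts from demo() show the points worth remembering: with block-icmp alone, nodejs loses TCP to php as well, because a packet that matches no rule of the policies applied to an endpoint is denied; node-to-node ICMP survives because the order-0 policy is evaluated first; the API server port on a node stays reachable through the failsafe list while an arbitrary port does not; a catch-all allow at order 1000 reopens Redis to PHP, since allow-redis-nodejs has no order and is evaluated after it; explicit allows for exactly what is needed keep the Redis restriction intact.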

The VPN case

Finally, a real example of using Calico features for interaction around the cluster, where the standard set of policies is not enough. Clients reach the web application through a VPN tunnel, and this access is strictly controlled and limited to a specific list of services allowed for use:

Clients connect to the VPN on the standard UDP port 1194 and, once connected, receive routes to the pod and service subnets. The subnets are pushed in full so that services are not lost during restarts and address changes.

The configured port is a standard one, which imposes some constraints on setting up access and forwarding into the Kubernetes cluster. For example, in AWS a LoadBalancer for UDP appeared only at the end of last year, and only in a limited list of regions, while NodePort cannot be used because it is forwarded on all cluster nodes and it is impossible to scale the number of server instances for fault tolerance. Besides, you would have to change the default port range...

After a search for possible solutions, the following was chosen:

  1. The VPN pods are deployed on each node with hostNetwork, i.e. on the node's real IP.
  2. The service is published externally via ClusterIP. The port is physically opened on the node, which is reachable from outside with small reservations (a real IP address must be present).
  3. Choosing the node on which the pod came up is beyond the scope of this story. I will only say that you can "pin" the service to a node or write a small sidecar service that watches the current IP address of the VPN service and edits the DNS records registered with the clients; whoever has enough imagination.

From the routing point of view, we can identify a VPN client by the IP address the VPN server issued to it. Below is a primitive example of restricting such a client's access to services, shown with the Redis mentioned above:

apiVersion: crd.projectcalico.org/v1
kind: HostEndpoint
metadata:
  name: vpnclient-eth0
  labels:
    role: vpnclient
    environment: production
spec:
  interfaceName: "*"
  node: kube-02
  expectedIPs: ["172.176.176.2"]
---
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: vpn-rules
spec:
  selector: "role == 'vpnclient'"
  order: 0
  applyOnForward: true
  preDNAT: true
  ingress:
  - action: Deny
    protocol: TCP
    destination:
      ports: [6379]
  - action: Allow
    protocol: UDP
    destination:
      ports: [53, 67]

Here a connection to port 6379 is strictly denied, while the DNS service keeps working, something that often breaks when such rules are written. Because, as noted earlier, as soon as an endpoint is selected by a policy, a default deny applies to it unless stated otherwise. Two settings in the policy matter for this to work: preDNAT: true makes the rules apply before NAT, so a connection to a service IP is judged on the address the client actually dialled, and applyOnForward: true makes them apply to traffic the node forwards to pods rather than only to traffic addressed to the node itself (a pre-DNAT policy must set it, and may contain ingress rules only).

Conclusions

Thus, using the advanced Calico API you can flexibly configure and dynamically change routing within and around the cluster. In general, using it may look like firing a cannon at sparrows, and implementing an L3 network with BGP and IP-IP tunnels looks monstrous in a simple Kubernetes installation on a flat network... However, in other respects the tool looks quite viable and useful.

Isolating a cluster to meet security requirements may not always be achievable, and this is where Calico (or a similar solution) comes to the rescue. The examples given in this article (with minor modifications) are used in several of our clients' installations on AWS.


Source: www.habr.com
