Phawula. transl.: Eli nqaku, elibhalwe yinjineli ye-SRE evela kwi-LinkedIn, ingena kwiinkcukacha malunga nomlingo wangaphakathi kwi-Kubernetes - ngokuchanekileyo, ukusebenzisana kwe-CRI, i-CNI kunye ne-kube-apiserver - kwenzeka xa i-pod elandelayo idinga ukunikezelwa idilesi ye-IP.
Enye yeemfuno ezisisiseko kukuba i-pod nganye kufuneka ibe nedilesi yayo ye-IP kwaye nayiphi na enye ipod kwiqela kufuneka ikwazi ukuqhagamshelana nayo kuloo dilesi. Kukho "ababoneleli" abaninzi benethiwekhi (Flannel, Calico, Canal, njl.) Abancedisa ukuphumeza le modeli yenethiwekhi.
Ukuqala kwam ukusebenza noKubernetes, bekungacacanga kum ngokupheleleyo ukuba ii-pods zifumana njani iidilesi zabo ze-IP. Nangona kuqondwa indlela amalungu asebenza ngayo, kwakunzima ukuba nomfanekiso-ngqondweni wawo esebenza kunye. Ngokomzekelo, ndandisazi ukuba zeziphi iiplagi ze-CNI, kodwa ndandingazi ukuba zibizwa njani kanye. Ngoko ke, ndagqiba ekubeni ndibhale eli nqaku ukwabelana ngolwazi malunga namacandelo ahlukeneyo womnatha kunye nendlela asebenzisana ngayo kwi-cluster ye-Kubernetes, evumela ukuba i-pod nganye ifumane idilesi yayo ye-IP ekhethekileyo.
Kukho iindlela ezahlukeneyo zokucwangcisa uthungelwano kwi-Kubernetes, kanye njengokuba kukho iindlela ezahlukeneyo zexesha lokuqhuba kwizikhongozeli. Le mpapasho iya kusebenzisa ukulungelelanisa inethiwekhi kwiqela, kwaye njengendawo esebenzayo - . Ndenza nengqikelelo yokuba uyayazi indlela uthungelwano phakathi kwezikhongozeli esebenza ngayo, ke ndiza kuyichukumisa nje ngokufutshane, kumxholo nje.
Ezinye iingqiqo ezisisiseko
Izikhongozeli kunye noThungelwano: Isishwankathelo esifutshane
Zininzi iimpapasho ezigqwesileyo kwi-Intanethi ezichaza indlela iikhonteyina ezinxibelelana ngayo kwinethiwekhi. Ke ngoko, ndiza kunika kuphela ujongo jikelele lweekhonsepthi ezisisiseko kwaye ndinqande indlela enye, ebandakanya ukwenza ibhulorho yeLinux kunye neepakethe ezigqunyiweyo. Iinkcukacha azikho, kuba isihloko se-container networking sifanelwe inqaku elahlukileyo. Uthungelwano oluya kupapasho olunokuqonda ngakumbi nolufundisayo luya kubonelelwa ngezantsi.
Izikhongozeli kwinginginya enye
Enye indlela yokucwangcisa unxibelelwano ngeedilesi ze-IP phakathi kwezikhongozeli ezisebenza kumsingathi omnye ibandakanya ukwenza ibhulorho yeLinux. Ngale njongo, izixhobo ezibonakalayo zenziwe kwiKubernetes (kunye neDocker) . Esinye isiphelo sesixhobo se-veth siqhagamshela kwisithuba segama sothungelwano lwesikhongozeli, esinye siye kwinethiwekhi yomkhosi.
Zonke iikhonteyina ezikwihostele enye zinesiphelo esinye se-veth esiqhagamshelwe kwibhulorho apho zinokunxibelelana khona ngeedilesi ze-IP. Ibhulorho ye-Linux nayo inedilesi ye-IP kwaye isebenza njengesango lokuphuma kwetrafikhi kwiipods ezilungiselelwe ezinye iindawo.
Izikhongozeli kwiinginginya ezahlukeneyo
I-Packet encapsulation yindlela enye evumela izikhongozeli kwiindawo ezahlukeneyo ukuba zinxibelelane omnye nomnye usebenzisa idilesi ye-IP. Kwi-Flannel, iteknoloji ijongene neli thuba. , ethi "ipakishe" ipakethe yokuqala kwipakethi ye-UDP kwaye emva koko iyithumele kwindawo yayo.
Kwiqela leKubernetes, iFlannel idala isixhobo se-vxlan kwaye ihlaziya itafile yendlela kwindawo nganye ngokufanelekileyo. Ipakethi nganye eyenzelwe isikhongozeli kumncedisi owahlukileyo idlula kwisixhobo se-vxlan kwaye ifakwe kwipakethi ye-UDP. Kwindawo ekuyiwa kuyo, ipakethe efakwe kwindlwane iyatsalwa kwaye ithunyelwe kwipod efunwayo.
Qaphela: Le yindlela enye yokucwangcisa unxibelelwano lwenethiwekhi phakathi kwezikhongozeli.
Yintoni i-CRI?
yiplagi evumela i-kubelet ukuba isebenzise iimeko-bume zexesha lesikhongozeli ezahlukeneyo. I-CRI API yakhelwe kumaxesha ahlukeneyo okusebenza, ngoko abasebenzisi banokukhetha ixesha lokubaleka abalithandayo.
Yintoni i-CNI?
ngu ukulungelelanisa isisombululo sothungelwano jikelele kwizikhongozeli zeLinux. Ukongeza, ibandakanya , uxanduva lwemisebenzi eyahlukeneyo xa useka inethiwekhi ye-pod. I-plugin ye-CNI yifayile ephunyeziweyo ehambelana neenkcukacha (siya kuxoxa ngezinye iiplagi ezingezantsi).
Ukwabiwa kwee-subnets kwiindawo zokwabela iidilesi ze-IP kwii-pods
Ekubeni i-pod nganye kwi-cluster kufuneka ibe nedilesi ye-IP, kubalulekile ukuqinisekisa ukuba le dilesi iyingqayizivele. Oku kuphunyezwa ngokunika indawo nganye i-subnet eyodwa, apho ii-pods ezikuloo nodi zabelwa iidilesi ze-IP.
INode IPAM Controller
Xa nodeipam igqithiswe njengeparamitha yeflegi --controllers , inika i-subnet eyahlukileyo (i-podCIDR) kwi-node nganye ukusuka kwiqela le-CIDR (oko kukuthi, uluhlu lweedilesi ze-IP zenethiwekhi yeqela). Kuba ezi podCIDRs zingadibaniyo, kuyenzeka ukuba ipod nganye inikwe idilesi yeIP eyodwa.
I-Kubernetes node yabelwa i-podCIDR xa ibhalisiwe okokuqala kunye neqela. Ukutshintsha i-podCIDR yee-nodes, kufuneka uzicime kwaye uphinde uzibhalise kwakhona, wenze utshintsho olufanelekileyo kwi-Kubernetes yolawulo lwe-layer configuration phakathi. Ungabonisa i-podCIDR ye-node usebenzisa lo myalelo ulandelayo:
$ kubectl get no <nodeName> -o json | jq '.spec.podCIDR'
10.244.0.0/24
I-Kubelet, ixesha lokuqhuba isikhongozeli kunye neeplagi ze-CNI: zisebenza njani zonke
Ukucwangcisa i-pod kwi-node nganye kubandakanya amanyathelo amaninzi okulungiselela. Kweli candelo, ndiza kugxila kuphela kwezo zihambelana ngokuthe ngqo nokuseta inethiwekhi ye-pod.
Ukucwangcisa i-pod kwindawo ethile kubangela olu thotho lweziganeko:
Uncedo: .
Intsebenziswano phakathi kwexesha lokuqhuba isikhongozeli kunye neeplagi ze-CNI
Umboneleli ngamnye womnatha uneplagi yakhe ye-CNI. Ixesha lokuqhuba lesikhongozeli liyayiqhuba ukuqwalasela umsebenzi womnatha wepod njengoko iqala. Kwimeko yesiqulathi, iplagi ye-CNI iqaliswe yi-plugin .
Ngaphezu koko, umboneleli ngamnye une-arhente yakhe. Ifakwe kuzo zonke iindawo ze-Kubernetes kwaye inoxanduva lokucwangciswa kwenethiwekhi yeepods. Le arhente inokuba ibandakanywe kunye noqwalaselo lwe-CNI okanye iyenze ngokuzimeleyo kwindawo yokusebenzela. Uqwalaselo lunceda iplagin ye-CRI iseti yeyiphi iplagin ye-CNI yokufowuna.
Indawo yoqwalaselo lwe-CNI lunokwenziwa ngokusesikweni; ngokungagqibekanga ingaphakathi /etc/cni/net.d/<config-file>. Abalawuli beQela banoxanduva lokufakela iiplagi ze-CNI kwindawo nganye yeqela. Indawo yazo iyakwazi ukwenziwa; Uluhlu olumiselweyo - /opt/cni/bin.
Xa usebenzisa isikhongozeli, iindlela zoqwalaselo lweplagi kunye nokubini kunokusetwa kwicandelo [plugins.Β«io.containerd.grpc.v1.criΒ».cni] Π² .
Kuba sisebenzisa iFlannel njengomboneleli wethu wenethiwekhi, makhe sithethe kancinci malunga nokuseta:
- I-Flanneld (i-daemon ye-Flannel) iqhele ukufakwa kwiqela njenge-DaemonSet ene
install-cniNjengoko . Install-cniyenza (/etc/cni/net.d/10-flannel.conflist) kwindawo nganye.- I-Flanneld idala isixhobo se-vxlan, ifumana imetadata yenethiwekhi kwiseva ye-API, kwaye ijonge uhlaziyo lwe-pod. Njengoko zidalwe, isasaza iindlela kuzo zonke iipods kulo lonke iqela.
- Ezi ndlela zivumela ii-pods ukuba zinxibelelane enye kwenye ngeedilesi ze-IP.
Ukufumana ulwazi oluthe kratya malunga nomsebenzi weFlannel, ndincoma ukusebenzisa izixhumanisi ekupheleni kwenqaku.
Nanku umzobo wonxibelelwano phakathi kwe-plugin ye-CRI eKhonjiweyo kunye neeplagi ze-CNI:
Njengoko ubona ngasentla, i-kubelet ibiza i-plugin ye-Containerd CRI ukwenza ipod, ethi emva koko ibize iplagi ye-CNI ukuqwalasela inethiwekhi ye-pod. Ngokwenza njalo, iplagi ye-CNI yomboneleli womnatha ibiza ezinye iiplagi ze-CNI ezingundoqo ukuqwalasela imiba eyahlukeneyo yenethiwekhi.
Ukusebenzisana phakathi kweeplagi ze-CNI
Kukho iiplagi ze-CNI ezahlukeneyo umsebenzi wazo ikukunceda ukuseta unxibelelwano lwenethiwekhi phakathi kwezikhongozeli kumamkeli. Eli nqaku liza kuxubusha ezithathu zazo.
CNI iplagi yeFlaneli
Xa usebenzisa iFlaneli njengomboneleli wenethiwekhi, icandelo le-Containerd CRI lifowuna usebenzisa i CNI ifayile yoqwalaselo /etc/cni/net.d/10-flannel.conflist.
$ cat /etc/cni/net.d/10-flannel.conflist
{
"name": "cni0",
"plugins": [
{
"type": "flannel",
"delegate": {
"ipMasq": false,
"hairpinMode": true,
"isDefaultGateway": true
}
}
]
}
Iplagi yeFlannel CNI isebenza ngokubambisana neFlanneld. Ngexesha lokuqalisa, iFlanneld ifumana kwakhona i-podCIDR kunye nezinye iinkcukacha ezinxulumene nenethiwekhi kwiseva ye-API kwaye izigcine kwifayile. /run/flannel/subnet.env.
FLANNEL_NETWORK=10.244.0.0/16
FLANNEL_SUBNET=10.244.0.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false
Iplagi yeFlannel CNI isebenzisa idatha evela /run/flannel/subnet.env ukuqwalasela nokufowunela iplagi yebhulorho ye-CNI.
CNI plugin Bridge
Le plugin ibizwa ngolu lungelelwaniso lulandelayo:
{
"name": "cni0",
"type": "bridge",
"mtu": 1450,
"ipMasq": false,
"isGateway": true,
"ipam": {
"type": "host-local",
"subnet": "10.244.0.0/24"
}
}
Xa ubizwa okokuqala, yenza ibhulorho yeLinux nge Β«nameΒ»: Β«cni0Β», eboniswe kuqwalaselo. Emva koko iperi ye-veth yenziwe kwi-pod nganye. Esinye isiphelo sayo siqhagamshelwe kwindawo yegama lomnatha wesikhongozeli, esinye sifakwe kwibhulorho yeLinux kumnatha womnatha. idibanisa zonke izikhongozeli zenginginya kwibhulorho ye Linux kumsebenzi womnatha womamkeli.
Ukugqiba ukuseta iperi ye-veth, iplagi yeBridge ifowunela iplagi ye-IPAM CNI yengingqi. Uhlobo lwe-plugin ye-IPAM lunokuqwalaselwa kwi-config ye-CNI esetyenziswa yi-CRI plugin ukubiza iplagi yeFlannel CNI.
Inginginya iiplagi ze-IPAM CNI zendawo
Iifowuni zeBridge CNI ngolungelelwaniso olulandelayo:
{
"name": "cni0",
"ipam": {
"type": "host-local",
"subnet": "10.244.0.0/24",
"dataDir": "/var/lib/cni/networks"
}
}
I-plugin ye-IPAM yokusingatha indawo (IP Adressress Mulawulo-Ulawulo lwedilesi yeIP) ibuyisela idilesi ye IP yesikhongozeli kwi subnet kwaye igcina i IP eyabiweyo kumamkeli kulawulo olukhankanyiweyo kwicandelo. dataDir - /var/lib/cni/networks/<network-name=cni0>/<ip>. Le fayile iqulethe i-ID yesikhongozeli apho le dilesi ye-IP inikwe khona.
Xa ufowunela iplagi ye-IPAM yomnini-ndawo, ibuyisela le datha ilandelayo:
{
"ip4": {
"ip": "10.244.4.2",
"gateway": "10.244.4.3"
},
"dns": {}
}
Isishwankathelo
I-Kube-controller-manager inika i-podCIDR kwindawo nganye. Iipod zenodi nganye zifumana iidilesi ze-IP ukusuka kwindawo yedilesi kuluhlu lwe-podCIDR olwabiweyo. Kuba ii-podCIDRs zeendawo zokuhlangana zingadibani, zonke ii-pods zifumana iidilesi ze-IP ezizodwa.
Umlawuli weqela le-Kubernetes uqwalasela kwaye afake i-kubelet, i-container runtime, i-arhente yomboneleli womnatha, kwaye ikopisha iiplagi ze-CNI kwindawo nganye. Ngexesha loqaliso, iarhente yomboneleli womnatha yenza uqwalaselo lwe-CNI. Xa i-pod icwangciswe kwi-node, i-kubelet ibiza iplagi ye-CRI ukuyidala. Okulandelayo, ukuba isikhongozeli sisetyenzisiwe, iplagi ye-CRI eKhonjiweyo ifowunela iplagi ye-CNI echazwe kuqwalaselo lwe-CNI ukuqwalasela umnatha wepod. Ngenxa yoko, i-pod ifumana idilesi ye-IP.
Kwandithatha ixesha ukuqonda zonke izinto ezifihlakeleyo kunye nee-nuances zazo zonke ezi ntsebenziswano. Ndiyathemba ukuba la mava aya kukunceda uqonde ngcono indlela uKubernetes asebenza ngayo. Ukuba kukho into engalunganga ngayo, nceda uqhagamshelane nam okanye kwidilesi . Zive ukhululekile ukufikelela ukuba ungathanda ukuxoxa ngemiba yeli nqaku okanye nayiphi na enye into. Ndingathanda ukuncokola nawe!
iimbekiselo
Izikhongozeli kunye nenethiwekhi
Isebenza njani iFlannel?
I-CRI kunye ne-CNI
PS evela kumguquleli
Funda nakwibhlog yethu:
- Β«";
- "Isikhokelo esineMizobo kwiNethiwekhi eKubernetes": , ;
- «».
umthombo: www.habr.com