Phawula. transl.: Eli nqaku, elibhalwe yinjineli ye-SRE evela kwi-LinkedIn, ingena kwiinkcukacha malunga nomlingo wangaphakathi kwi-Kubernetes - ngokuchanekileyo, ukusebenzisana kwe-CRI, i-CNI kunye ne-kube-apiserver - kwenzeka xa i-pod elandelayo idinga ukunikezelwa idilesi ye-IP.
Enye yeemfuno ezisisiseko
Ukuqala kwam ukusebenza noKubernetes, bekungacacanga kum ngokupheleleyo ukuba ii-pods zifumana njani iidilesi zabo ze-IP. Nangona kuqondwa indlela amalungu asebenza ngayo, kwakunzima ukuba nomfanekiso-ngqondweni wawo esebenza kunye. Ngokomzekelo, ndandisazi ukuba zeziphi iiplagi ze-CNI, kodwa ndandingazi ukuba zibizwa njani kanye. Ngoko ke, ndagqiba ekubeni ndibhale eli nqaku ukwabelana ngolwazi malunga namacandelo ahlukeneyo womnatha kunye nendlela asebenzisana ngayo kwi-cluster ye-Kubernetes, evumela ukuba i-pod nganye ifumane idilesi yayo ye-IP ekhethekileyo.
Kukho iindlela ezahlukeneyo zokucwangcisa uthungelwano kwi-Kubernetes, kanye njengokuba kukho iindlela ezahlukeneyo zexesha lokuqhuba kwizikhongozeli. Le mpapasho iya kusebenzisa
Ezinye iingqiqo ezisisiseko
Izikhongozeli kunye noThungelwano: Isishwankathelo esifutshane
Zininzi iimpapasho ezigqwesileyo kwi-Intanethi ezichaza indlela iikhonteyina ezinxibelelana ngayo kwinethiwekhi. Ke ngoko, ndiza kunika kuphela ujongo jikelele lweekhonsepthi ezisisiseko kwaye ndinqande indlela enye, ebandakanya ukwenza ibhulorho yeLinux kunye neepakethe ezigqunyiweyo. Iinkcukacha azikho, kuba isihloko se-container networking sifanelwe inqaku elahlukileyo. Uthungelwano oluya kupapasho olunokuqonda ngakumbi nolufundisayo luya kubonelelwa ngezantsi.
Izikhongozeli kwinginginya enye
Enye indlela yokucwangcisa unxibelelwano ngeedilesi ze-IP phakathi kwezikhongozeli ezisebenza kumsingathi omnye ibandakanya ukwenza ibhulorho yeLinux. Ngale njongo, izixhobo ezibonakalayo zenziwe kwiKubernetes (kunye neDocker)
Zonke iikhonteyina ezikwihostele enye zinesiphelo esinye se-veth esiqhagamshelwe kwibhulorho apho zinokunxibelelana khona ngeedilesi ze-IP. Ibhulorho ye-Linux nayo inedilesi ye-IP kwaye isebenza njengesango lokuphuma kwetrafikhi kwiipods ezilungiselelwe ezinye iindawo.
Izikhongozeli kwiinginginya ezahlukeneyo
I-Packet encapsulation yindlela enye evumela izikhongozeli kwiindawo ezahlukeneyo ukuba zinxibelelane omnye nomnye usebenzisa idilesi ye-IP. Kwi-Flannel, iteknoloji ijongene neli thuba.
Kwiqela leKubernetes, iFlannel idala isixhobo se-vxlan kwaye ihlaziya itafile yendlela kwindawo nganye ngokufanelekileyo. Ipakethi nganye eyenzelwe isikhongozeli kumncedisi owahlukileyo idlula kwisixhobo se-vxlan kwaye ifakwe kwipakethi ye-UDP. Kwindawo ekuyiwa kuyo, ipakethe efakwe kwindlwane iyatsalwa kwaye ithunyelwe kwipod efunwayo.
Qaphela: Le yindlela enye yokucwangcisa unxibelelwano lwenethiwekhi phakathi kwezikhongozeli.
Yintoni i-CRI?
Yintoni i-CNI?
Ukwabiwa kwee-subnets kwiindawo zokwabela iidilesi ze-IP kwii-pods
Ekubeni i-pod nganye kwi-cluster kufuneka ibe nedilesi ye-IP, kubalulekile ukuqinisekisa ukuba le dilesi iyingqayizivele. Oku kuphunyezwa ngokunika indawo nganye i-subnet eyodwa, apho ii-pods ezikuloo nodi zabelwa iidilesi ze-IP.
INode IPAM Controller
Xa nodeipam
igqithiswe njengeparamitha yeflegi --controllers
I-Kubernetes node yabelwa i-podCIDR xa ibhalisiwe okokuqala kunye neqela. Ukutshintsha i-podCIDR yee-nodes, kufuneka uzicime kwaye uphinde uzibhalise kwakhona, wenze utshintsho olufanelekileyo kwi-Kubernetes yolawulo lwe-layer configuration phakathi. Ungabonisa i-podCIDR ye-node usebenzisa lo myalelo ulandelayo:
$ kubectl get no <nodeName> -o json | jq '.spec.podCIDR'
10.244.0.0/24
I-Kubelet, ixesha lokuqhuba isikhongozeli kunye neeplagi ze-CNI: zisebenza njani zonke
Ukucwangcisa i-pod kwi-node nganye kubandakanya amanyathelo amaninzi okulungiselela. Kweli candelo, ndiza kugxila kuphela kwezo zihambelana ngokuthe ngqo nokuseta inethiwekhi ye-pod.
Ukucwangcisa i-pod kwindawo ethile kubangela olu thotho lweziganeko:
Uncedo:
Intsebenziswano phakathi kwexesha lokuqhuba isikhongozeli kunye neeplagi ze-CNI
Umboneleli ngamnye womnatha uneplagi yakhe ye-CNI. Ixesha lokuqhuba lesikhongozeli liyayiqhuba ukuqwalasela umsebenzi womnatha wepod njengoko iqala. Kwimeko yesiqulathi, iplagi ye-CNI iqaliswe yi-plugin
Ngaphezu koko, umboneleli ngamnye une-arhente yakhe. Ifakwe kuzo zonke iindawo ze-Kubernetes kwaye inoxanduva lokucwangciswa kwenethiwekhi yeepods. Le arhente inokuba ibandakanywe kunye noqwalaselo lwe-CNI okanye iyenze ngokuzimeleyo kwindawo yokusebenzela. Uqwalaselo lunceda iplagin ye-CRI iseti yeyiphi iplagin ye-CNI yokufowuna.
Indawo yoqwalaselo lwe-CNI lunokwenziwa ngokusesikweni; ngokungagqibekanga ingaphakathi /etc/cni/net.d/<config-file>
. Abalawuli beQela banoxanduva lokufakela iiplagi ze-CNI kwindawo nganye yeqela. Indawo yazo iyakwazi ukwenziwa; Uluhlu olumiselweyo - /opt/cni/bin
.
Xa usebenzisa isikhongozeli, iindlela zoqwalaselo lweplagi kunye nokubini kunokusetwa kwicandelo [plugins.Β«io.containerd.grpc.v1.criΒ».cni]
Π²
Kuba sisebenzisa iFlannel njengomboneleli wethu wenethiwekhi, makhe sithethe kancinci malunga nokuseta:
- I-Flanneld (i-daemon ye-Flannel) iqhele ukufakwa kwiqela njenge-DaemonSet ene
install-cni
Njengokoinit container . Install-cni
yenzaCNI ifayile yoqwalaselo (/etc/cni/net.d/10-flannel.conflist
) kwindawo nganye.- I-Flanneld idala isixhobo se-vxlan, ifumana imetadata yenethiwekhi kwiseva ye-API, kwaye ijonge uhlaziyo lwe-pod. Njengoko zidalwe, isasaza iindlela kuzo zonke iipods kulo lonke iqela.
- Ezi ndlela zivumela ii-pods ukuba zinxibelelane enye kwenye ngeedilesi ze-IP.
Ukufumana ulwazi oluthe kratya malunga nomsebenzi weFlannel, ndincoma ukusebenzisa izixhumanisi ekupheleni kwenqaku.
Nanku umzobo wonxibelelwano phakathi kwe-plugin ye-CRI eKhonjiweyo kunye neeplagi ze-CNI:
Njengoko ubona ngasentla, i-kubelet ibiza i-plugin ye-Containerd CRI ukwenza ipod, ethi emva koko ibize iplagi ye-CNI ukuqwalasela inethiwekhi ye-pod. Ngokwenza njalo, iplagi ye-CNI yomboneleli womnatha ibiza ezinye iiplagi ze-CNI ezingundoqo ukuqwalasela imiba eyahlukeneyo yenethiwekhi.
Ukusebenzisana phakathi kweeplagi ze-CNI
Kukho iiplagi ze-CNI ezahlukeneyo umsebenzi wazo ikukunceda ukuseta unxibelelwano lwenethiwekhi phakathi kwezikhongozeli kumamkeli. Eli nqaku liza kuxubusha ezithathu zazo.
CNI iplagi yeFlaneli
Xa usebenzisa iFlaneli njengomboneleli wenethiwekhi, icandelo le-Containerd CRI lifowuna /etc/cni/net.d/10-flannel.conflist
.
$ cat /etc/cni/net.d/10-flannel.conflist
{
"name": "cni0",
"plugins": [
{
"type": "flannel",
"delegate": {
"ipMasq": false,
"hairpinMode": true,
"isDefaultGateway": true
}
}
]
}
Iplagi yeFlannel CNI isebenza ngokubambisana neFlanneld. Ngexesha lokuqalisa, iFlanneld ifumana kwakhona i-podCIDR kunye nezinye iinkcukacha ezinxulumene nenethiwekhi kwiseva ye-API kwaye izigcine kwifayile. /run/flannel/subnet.env
.
FLANNEL_NETWORK=10.244.0.0/16
FLANNEL_SUBNET=10.244.0.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false
Iplagi yeFlannel CNI isebenzisa idatha evela /run/flannel/subnet.env
ukuqwalasela nokufowunela iplagi yebhulorho ye-CNI.
CNI plugin Bridge
Le plugin ibizwa ngolu lungelelwaniso lulandelayo:
{
"name": "cni0",
"type": "bridge",
"mtu": 1450,
"ipMasq": false,
"isGateway": true,
"ipam": {
"type": "host-local",
"subnet": "10.244.0.0/24"
}
}
Xa ubizwa okokuqala, yenza ibhulorho yeLinux nge Β«nameΒ»: Β«cni0Β»
, eboniswe kuqwalaselo. Emva koko iperi ye-veth yenziwe kwi-pod nganye. Esinye isiphelo sayo siqhagamshelwe kwindawo yegama lomnatha wesikhongozeli, esinye sifakwe kwibhulorho yeLinux kumnatha womnatha.
Ukugqiba ukuseta iperi ye-veth, iplagi yeBridge ifowunela iplagi ye-IPAM CNI yengingqi. Uhlobo lwe-plugin ye-IPAM lunokuqwalaselwa kwi-config ye-CNI esetyenziswa yi-CRI plugin ukubiza iplagi yeFlannel CNI.
Inginginya iiplagi ze-IPAM CNI zendawo
Iifowuni zeBridge CNI
{
"name": "cni0",
"ipam": {
"type": "host-local",
"subnet": "10.244.0.0/24",
"dataDir": "/var/lib/cni/networks"
}
}
I-plugin ye-IPAM yokusingatha indawo (IP Adressress Mulawulo-Ulawulo lwedilesi yeIP) ibuyisela idilesi ye IP yesikhongozeli kwi subnet kwaye igcina i IP eyabiweyo kumamkeli kulawulo olukhankanyiweyo kwicandelo. dataDir
- /var/lib/cni/networks/<network-name=cni0>/<ip>
. Le fayile iqulethe i-ID yesikhongozeli apho le dilesi ye-IP inikwe khona.
Xa ufowunela iplagi ye-IPAM yomnini-ndawo, ibuyisela le datha ilandelayo:
{
"ip4": {
"ip": "10.244.4.2",
"gateway": "10.244.4.3"
},
"dns": {}
}
Isishwankathelo
I-Kube-controller-manager inika i-podCIDR kwindawo nganye. Iipod zenodi nganye zifumana iidilesi ze-IP ukusuka kwindawo yedilesi kuluhlu lwe-podCIDR olwabiweyo. Kuba ii-podCIDRs zeendawo zokuhlangana zingadibani, zonke ii-pods zifumana iidilesi ze-IP ezizodwa.
Umlawuli weqela le-Kubernetes uqwalasela kwaye afake i-kubelet, i-container runtime, i-arhente yomboneleli womnatha, kwaye ikopisha iiplagi ze-CNI kwindawo nganye. Ngexesha loqaliso, iarhente yomboneleli womnatha yenza uqwalaselo lwe-CNI. Xa i-pod icwangciswe kwi-node, i-kubelet ibiza iplagi ye-CRI ukuyidala. Okulandelayo, ukuba isikhongozeli sisetyenzisiwe, iplagi ye-CRI eKhonjiweyo ifowunela iplagi ye-CNI echazwe kuqwalaselo lwe-CNI ukuqwalasela umnatha wepod. Ngenxa yoko, i-pod ifumana idilesi ye-IP.
Kwandithatha ixesha ukuqonda zonke izinto ezifihlakeleyo kunye nee-nuances zazo zonke ezi ntsebenziswano. Ndiyathemba ukuba la mava aya kukunceda uqonde ngcono indlela uKubernetes asebenza ngayo. Ukuba kukho into engalunganga ngayo, nceda uqhagamshelane nam
iimbekiselo
Izikhongozeli kunye nenethiwekhi
Isebenza njani iFlannel?
I-CRI kunye ne-CNI
PS evela kumguquleli
Funda nakwibhlog yethu:
- Β«
I-Calico yokunxibelelana kwi-Kubernetes: isingeniso kunye namava amancinci "; - "Isikhokelo esineMizobo kwiNethiwekhi eKubernetes":
icandelo 1 kunye ne-2 (imodeli yothungelwano, uthungelwano olungaphezulu) ,icandelo 3 (iinkonzo kunye nokulungiswa kwezithuthi) ; - Β«
Isikhongozeli seNxibelelwano yoThungelwano (CNI) - ujongano lwenethiwekhi kunye nomgangatho wezikhongozeli zeLinux Β».
umthombo: www.habr.com