TL; DR: Zonke ii-CNIs zisebenza njengoko zifanele, ngaphandle kwe-Kube-Router kunye ne-Kube-OVN, i-Calico, ngaphandle kokufunyanwa kwe-MTU ngokuzenzekelayo, iyona nto ibhetele.
Uhlaziyo lwenqaku lokutshekishwa kwam kwangaphambili ( ΠΈ ), ngexesha lovavanyo ndisebenzisa i-Kubernetes 1.19 ku-Ubuntu 18.04 ngee-CNI ezihlaziyiweyo ukususela ngo-Agasti ka-2020.
Ngaphambi kokuba singene kwi-metrics ...
Yintoni entsha ukusukela ngoAprili 2019?
- Unokuvavanya kwiqela lakho: Ungaqhuba iimvavanyo kwiqela lakho usebenzisa isixhobo sethu I-Kubernetes Network Benchmark:
- Amalungu amatsha avele
- ukusuka eVMware Tanzu
- ukusuka alauda.io
- Iimeko eziNtsha: Iitshekhi zangoku ziqhuba iimvavanyo zentsebenzo yenethiwekhi ye-"Pod-to-Pod", kwaye iskripthi esitsha se-"Pod-to-Service" sifakiwe esiqhuba iimvavanyo ezikufutshane neemeko zehlabathi langempela. Ngokwenza, iPod yakho kunye ne-API isebenza ngesiseko njengenkonzo, kwaye kungekhona ngedilesi ye-Pod ip (ngokuqinisekileyo sijonga zombini i-TCP kunye ne-UDP kuzo zombini iimeko).
- Ukusetyenziswa kobutyebi: uvavanyo ngalunye ngoku lunothelekiso lwalo lobutyebi
- Ukususa iimvavanyo zesicelo: Asisenzi iimvavanyo ze-HTTP, i-FTP kunye ne-SCP njengoko intsebenziswano yethu eneziqhamo kunye noluntu kunye nabagcini be-CNI baye babonisa umsantsa phakathi kweziphumo ze-iperf ngaphezu kwe-TCP kunye neziphumo ze-curl ngenxa yokulibaziseka kwi-CNI yokuqalisa (imizuzwana embalwa yokuqala yePod ukuqala, okungaqhelekanga kwiimeko zokwenyani).
- Umthombo ovulekileyo: yonke imithombo yovavanyo (izikripthi, iisetingi ze-yml kunye nedatha "eluhlaza" yoqobo) iyafumaneka
Uvavanyo lweProtokholi yoVavanyo
Iprothokholi ichazwe ngokweenkcukacha Nceda uqaphele ukuba eli nqaku limalunga no-Ubuntu 18.04 kunye ne-kernel engagqibekanga.
Ukukhetha i-CNI yoVavanyo
Olu vavanyo lujolise ekuthelekiseni ii-CNIs ezicwangcisiweyo kunye nefayile ye-yaml enye (ngoko ke, zonke ezo zifakwe ngezikripthi, ezifana neVPP kunye nezinye, azibandakanywa).
Ii-CNI zethu ezikhethiweyo zokuthelekisa:
- Antrea v.0.9.1
- ICalico v3.16
- Umsele v3.16 (Inethiwekhi yeFlannel + Iipolisi zeNethiwekhi yeCalico)
- I-Cilium 1.8.2
- I-Flaneli 0.12.0
- I-Kube-router yamva nje (2020β08β25)
- I-WeaveNet 2.7.0
Ukuqwalasela i-MTU ye-CNI
Okokuqala, sijonga impembelelo yokufunyanwa kwe-MTU ngokuzenzekelayo ekusebenzeni kwe-TCP:
Impembelelo ye-MTU kwi-TCP Performance
Umsantsa omkhulu ngakumbi ufunyenwe xa usebenzisa i-UDP:
Impembelelo ye-MTU kwi-UDP Performance
Ukunikezelwa kwempembelelo ye-HUGE yokusebenza evezwe kwiimvavanyo, singathanda ukuthumela ileta yethemba kubo bonke abagcini be-CNI: nceda wongeze ubhaqo lwe-MTU oluzenzekelayo kwi-CNI. Uya kusindisa iikati, iiunicorns kunye neyona intle kakhulu: iDevop encinci.
Nangona kunjalo, ukuba ufuna ukusebenzisa i-CNI ngaphandle kwenkxaso yobhaqo lwe-MTU oluzenzekelayo, ungayiqwalasela ngesandla ukuze ufumane ukusebenza. Nceda uqaphele ukuba oku kusebenza kwiCalico, Canal kunye neWeaveNet.
Isicelo sam esincinci kwiiCNIs ezihamba kunye...
Uvavanyo lwe-CNI: Idatha ekrwada
Kweli candelo, siya kuthelekisa i-CNI kunye ne-MTU echanekileyo (inqunywe ngokuzenzekelayo okanye isethwe ngesandla). Injongo ephambili apha kukubonisa idatha ekrwada kwiigrafu.
Ilivo lombala:
- ngwevu - isampuli (okt. intsimbi engenanto)
- eluhlaza - i-bandwidth ngaphezu kwe-9500 Mbps
- yellow - bandwidth ngaphezu kwe-9000 Mbps
- i-orenji - i-bandwidth ngaphezu kwe-8000 Mbps
- obomvu - umda ongaphantsi kwe-8000 Mbps
- blu-engathathi hlangothi (enganxulumananga ne-bandwidth)
Akukho mthwalo wokusetyenziswa kobutyebi
Okokuqala, jonga ukusetyenziswa kwezixhobo xa i-cluster "ilele".
Akukho mthwalo wokusetyenziswa kobutyebi
I-Pod-to-Pod
Le meko ithatha ukuba iPod yomxhasi idibanisa ngqo kwi-Pod yomncedisi isebenzisa idilesi ye-IP.
I-Pod-to-Pod Scenario
TCP
Iziphumo zePod-to-Pod TCP kunye nokusetyenziswa kwezixhobo ezihambelanayo:
UDP
Iziphumo zePod-to-Pod UDP kunye nokusetyenziswa kwezixhobo ezihambelanayo:
I-Pod-to-Service
Eli candelo lifanelekile kwiimeko zokusetyenziswa ngokwenene, iPod yomxhasi idibanisa kwiPod yomncedisi ngenkonzo yeClusterIP.
I-Pod-to-Service script
TCP
Iziphumo ze-TCP ze-Pod-to-Service kunye nokusetyenziswa kwezixhobo ezihambelanayo:
UDP
Iziphumo ze-Pod-to-Service ze-UDP kunye nokusetyenziswa kwezixhobo ezihambelanayo:
Inkxaso yomgaqo-nkqubo womnatha
Phakathi kwazo zonke ezi ngasentla, ekuphela kwento engaxhasi ezopolitiko yiFlannel. Bonke abanye baphumeza ngokuchanekileyo imigaqo-nkqubo yothungelwano, kubandakanywa ukungena nokuphumayo. Umsebenzi omhle kakhulu!
Uguqulelo oluntsonkothileyo lwe-CNI
Phakathi kwee-CNI ezikhangelweyo kukho ezo zinokubethelela utshintshiselwano lwenethiwekhi phakathi kweePods:
- Antrea usebenzisa IPsec
- I-Calico isebenzisa i-wireguard
- Cilium usebenzisa IPsec
- WeaveNet usebenzisa IPsec
Ngokusetyenziswa
Kuba zimbalwa ii-CNIs ezishiyekileyo, masibeke zonke iimeko kwigrafu enye:
Ukusetyenziswa kobutyebi
Kweli candelo, siya kuvavanya izibonelelo ezisetyenziswayo xa kusenziwa unxibelelwano lwePod-to-Pod kwi-TCP kunye ne-UDP. Akukho sizathu sokuzoba igrafu ye-Pod-to-Service kuba ayiboneleli ngolwazi olongezelelweyo.
Ukubeka konke kunye
Makhe sizame ukuphinda zonke iigrafu, sazisa i-subjectivity encinci apha, sitshintsha amaxabiso okwenene ngamagama athi "vwry fast", "low", njl.
Isiphelo kunye nezigqibo zam
Oku kuxhomekeke kancinci, kuba ndihambisa eyam inkcazo yeziphumo.
Ndiyavuya ukuba ii-CNIs ezintsha zivele, i-Antrea isebenze kakuhle, imisebenzi emininzi yaphunyezwa nakwiinguqulelo zokuqala: ukufumanisa i-MTU ngokuzenzekelayo, uguqulelo kunye nokufakwa lula.
Ukuba sithelekisa ukusebenza, zonke ii-CNIs zisebenza kakuhle, ngaphandle kwe-Kube-OVN kunye ne-Kube-Router. I-Kube-Router ayizange ikwazi ukubona i-MTU, andizange ndifumane indlela yokuyiqwalasela naphi na kuxwebhu ( isicelo kwesi sihloko sivuliwe).
Ngokumalunga nokusetyenziswa kobutyebi, i-Cilium isasebenzisa i-RAM eninzi kunabanye, kodwa umenzi ujolise ngokucacileyo kumaqela amakhulu, ngokucacileyo akufani novavanyo kwi-cluster ye-node ezintathu. I-Kube-OVN iphinda idle i-CPU eninzi kunye nezixhobo ze-RAM, kodwa i-CNI encinci esekelwe kwi-Open vSwitch (efana ne-Antrea, isebenza ngcono kunye nokusetyenziswa okuncinci).
Wonke umntu ngaphandle kweFlannel unemigaqo-nkqubo yenethiwekhi. Kunokwenzeka kakhulu ukuba akayi kuze abaxhase, ekubeni injongo ilula kune-turnip ene-steamed: i-lighter, ingcono.
Kwakhona, phakathi kwezinye izinto, ukusebenza kwe-encryption kuyamangalisa. I-Calico yenye yezona CNIs ezindala, kodwa uguqulelo oluntsonkothileyo longezwe kwiiveki ezimbalwa ezidlulileyo. Bakhetha i-wireguard endaweni ye-IPsec, kwaye ngokulula, isebenza kakuhle kwaye iyamangalisa, ifihla ngokupheleleyo ezinye ii-CNIs kule nxalenye yovavanyo. Ngokuqinisekileyo, ukusetyenziswa kobutyebi kwandisa ngenxa yokufihla, kodwa i-throughput efunyenweyo ifanelekile (i-Calico ibonise ukuphucuka okuphindwe kathandathu kuvavanyo lwe-encryption xa kuthelekiswa ne-Cilium, ebeka indawo yesibini). Ngaphezu koko, unokwenza i-wireguard nangaliphi na ixesha emva kokuba uthumele iCalico kwiqela, kwaye unokuyikhubaza ixesha elifutshane okanye ngokusisigxina ukuba uyafuna. Iluncedo kakhulu, nangona kunjalo! Siyakukhumbuza ukuba i-Calico ayibonakali ngoku ngokuzenzekelayo i-MTU (olu phawu lucwangciselwe iinguqulelo ezizayo), ke qiniseka ukuba uqwalasele i-MTU ukuba umsebenzi womnatha wakho uxhasa iJumbo Frames (MTU 9000).
Phakathi kwezinye izinto, qaphela ukuba i-Cilium inokubethela i-traffic phakathi kwee-cluster nodes (kwaye kungekhona nje phakathi kweePods), ezinokuthi zibaluleke kakhulu kwiinqununu zeqela loluntu.
Njengokugqiba, ndicebisa iimeko zokusetyenziswa zilandelayo:
- Kufuneka i-CNI yeqela elincinci kakhulu OKANYE andifuni khuseleko: sebenza kunye Flannel, eyona CNI ikhaphukhaphu kwaye izinzile (ukwangomnye wabadala, ngokwentsomi wayilwa nguHomo Kubernautus okanye uHomo Contaitorus.). Usenokuba nomdla kweyona projekthi ikrelekrele , khangela!
- Kufuneka i-CNI yeqela eliqhelekileyo: Calico - ukhetho lwakho, kodwa ungalibali ukuqwalasela i-MTU ukuba kuyimfuneko. Ungadlala ngokulula nangendalo ngemigaqo-nkqubo yenethiwekhi, uvule kwaye ucime ufihlo, njl.
- Ifuna i-CNI ye (kakhulu) isikali seqela elikhulu: Ewe, uvavanyo alubonisi ukuziphatha kwamaqela amakhulu, ndingakuvuyela ukuqhuba iimvavanyo, kodwa asinawo amakhulu amaseva anonxibelelwano lwe-10Gbps. Ke olona khetho lulungileyo kukuqhuba uvavanyo olulungisiweyo kwiinodi zakho, ubuncinci ngeCalico kunye neCilium.
umthombo: www.habr.com