Understanding network policy options with Calico


The Calico network plugin provides a broad set of network policy options and a single syntax for protecting bare-metal hosts, virtual machines and pods. These policies can be namespaced, or they can be global network policies that apply either to host endpoints (protecting applications that run directly on a host, where the host may be a physical server or a virtual machine) or to workload endpoints (protecting applications that run in containers or in virtual machines). Calico policy lets you apply security controls at different points in the packet-processing path using options such as preDNAT, untracked (doNotTrack) and applyOnForward. Understanding how these options work helps you improve both the security and the performance of the system as a whole. This article explains the essence of these Calico policy options (preDNAT, untracked and applyOnForward) as applied to host endpoints, with an emphasis on what happens in the packet-processing paths (the iptables chains).

This article assumes you have a basic understanding of how Kubernetes and Calico network policy work. If not, we recommend working through the basic network policy tutorial and the tutorial on protecting hosts with Calico before reading this article. We also expect you to have a basic knowledge of how iptables works on Linux.

Calico global network policy lets you apply a set of access rules by label (to groups of hosts and of workloads/pods). This is very useful if you run a mix of environments together: virtual machines, processes running directly on hardware, or Kubernetes infrastructure. In addition, you can protect your cluster (its nodes) with a declarative set of policies and apply network policy to incoming traffic (for example, traffic arriving through NodePorts or external service IPs).

At a basic level, when Calico connects a pod to the network (see the diagram below), it attaches it to the host with a virtual Ethernet interface (veth). Traffic sent by the pod arrives on the host from this virtual interface and is processed in exactly the same way as traffic arriving from a physical network interface. By default, Calico names this interface caliXXX. Because the traffic comes in through a virtual interface, it traverses iptables as if the pod were one hop away. Therefore, when traffic arrives from or leaves for a pod, it is forwarded traffic from the host's point of view.

On a Kubernetes node running Calico, you can map a virtual interface (veth) to a workload as follows. In the example below, you can see that veth #10 (calic1cbf1ca0f8) is attached to cnx-manager-* in the calico-monitoring namespace.

[centos@ip-172-31-31-46 K8S]$ sudo ip a
...
10: calic1cbf1ca0f8@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
...

[centos@ip-172-31-31-46 K8S]$ calicoctl get wep --all-namespaces
...
calico-monitoring cnx-manager-8f778bd66-lz45m                            ip-172-31-31-46.ec2.internal 192.168.103.134/32 calic1cbf1ca0f8
...

[Figure: a pod attached to the host through a veth interface (the diagram referenced above)]

Since Calico creates a veth interface for every workload, how does it enforce policy? To do so, Calico hooks into the various chains of the packet-processing path using iptables.

The diagram below shows the chains involved in packet processing in iptables (the netfilter subsystem). When a packet arrives on a network interface, it first passes through the PREROUTING chain. A routing decision is then made, and based on it the packet goes either to INPUT (destined for a host process) or to FORWARD (destined for a pod or for another node on the network). A packet originating from a local process passes through the OUTPUT chain and then the POSTROUTING chain before it is sent out on the wire.

Note that a pod is also an external entity (attached via a veth) as far as iptables processing is concerned. To summarize:

  • Forwarded traffic (NAT'd, routed, or to/from a pod) passes through the PREROUTING, FORWARD and POSTROUTING chains.
  • Traffic to a local host process passes through the PREROUTING and INPUT chains.
  • Traffic from a local host process passes through the OUTPUT and POSTROUTING chains.

[Figure: iptables packet-processing chains, with the numbered points (1) to (5) at which Calico applies policy]

Calico provides policy options that let you apply policy in all of these chains. With that in mind, let's look at the different ways of defining policy that Calico offers. The numbers in the list of options below correspond to the numbers in the diagram above.

  1. Workload endpoint (pod) policy
  2. Host endpoint policy
  3. The ApplyOnForward option
  4. PreDNAT policy
  5. Untracked policy

Let's start by looking at how policy is applied to workload endpoints (Kubernetes pods or OpenStack VMs), and then look at the policy options for host endpoints.

Workload endpoints

Workload endpoint policy (1)

This is the option for protecting your Kubernetes pods. Calico supports Kubernetes NetworkPolicy natively, but it also provides additional policy types: Calico NetworkPolicy and GlobalNetworkPolicy. Calico creates a chain for each pod (workload) and hooks the workload's inbound and outbound chains into the FORWARD chain of the filter table.
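As an added illustration (not code from the original article or from the Calico project), here is a namespaced Calico NetworkPolicy of the kind enforced in these per-pod chains. The namespace `shop`, the labels `app == 'api'`, `app == 'frontend'` and `role == 'db'`, and the ports are assumptions for this example; `k8s-app == 'kube-dns'` and the `projectcalico.org/name` namespace label are the standard ones.

```yaml
# Added example: protect the pods of one service (workload endpoint policy).
# Namespace, labels and ports are assumptions for this example.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: shop
spec:
  # Applies to every pod in the namespace carrying app=api.
  selector: app == 'api'
  order: 100
  # Listing a direction here makes unmatched traffic in that direction
  # default-deny for the selected pods.
  types:
    - Ingress
    - Egress
  ingress:
    # Only the frontend tier may reach the API port.
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'
      destination:
        ports:
          - 8080
  egress:
    # DNS to kube-dns in kube-system ...
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports:
          - 53
    # ... and the database tier; nothing else leaves these pods.
    - action: Allow
      protocol: TCP
      destination:
        selector: role == 'db'
        ports:
          - 5432
```

Apply it with `calicoctl apply -f api-allow-frontend.yaml`. Only the initiating direction needs a rule: reply packets for these tracked flows are admitted through connection tracking, which is the behaviour that untracked policy gives up.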

Host endpoints

Host endpoint policy (2)

Beyond the CNI (container network interface), Calico policy also lets you protect the host itself. In Calico you create a host endpoint by naming a host interface and, if needed, port numbers. Policy for this entity is enforced in the INPUT and OUTPUT chains of the filter table. As the diagram shows, (2) applies to local processes on the node/host. That is, a policy that applies to a host endpoint does not affect traffic to your pods. What it does provide is a single interface and syntax for restricting traffic to your hosts and to your pods with Calico policy, which greatly simplifies policy management in heterogeneous networks. Configuring host endpoint policy to harden the cluster itself is another important use case.

ApplyOnForward policy (3)

The ApplyOnForward option is available in Calico global network policy so that a policy can be applied to all traffic passing through a host endpoint, including traffic the host forwards. This covers traffic forwarded to a local pod as well as traffic forwarded to anywhere else on the network. Calico requires this setting to be enabled on policies that use PreDNAT or untracked; see the following sections. ApplyOnForward can also be used to control host traffic where a virtual router or software NAT is in use.

Note that if you want to apply the same network policy to both host processes and pods, you do not need the ApplyOnForward option. All you have to do is give the host endpoint and the workload endpoint (pod) the required label. Calico enforces policy based on labels regardless of the endpoint type (host endpoint or workload).
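Putting the last two sections together, here is an added example (not from the original article or from the Calico project) of a HostEndpoint and a single GlobalNetworkPolicy that protects the node and a set of pods through one shared label. The node name comes from the calicoctl output above; the interface name eth0, the host IP 172.31.31.46 and the labels `role == 'db'` and `role == 'app'` are assumptions.

```yaml
# Added example: a host endpoint for the node seen in the `ip a` output.
# eth0, the host IP and the labels are assumptions.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: ip-172-31-31-46.ec2.internal-eth0
  labels:
    role: db            # same label the database pods carry
spec:
  node: ip-172-31-31-46.ec2.internal
  interfaceName: eth0
  expectedIPs:
    - 172.31.31.46
---
# One global policy, selected by label, so the same rules reach both the
# host endpoint (INPUT/OUTPUT of the filter table) and every pod labelled
# role=db (its per-workload chains). No applyOnForward is needed for this.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: db-tier
spec:
  selector: role == 'db'
  order: 100
  types:
    - Ingress
    - Egress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: role == 'app'
      destination:
        ports:
          - 5432
  egress:
    # Left open on purpose: a host endpoint whose traffic no policy allows
    # is denied (apart from Calico's failsafe ports), which would cut the
    # node off from the API server and its peers.
    - action: Allow
```

Creating the HostEndpoint is the step that changes the node's default from "everything allowed" to "only what policy allows", so apply the policy in the same `calicoctl apply -f` run. SSH stays reachable through the default failsafe inbound ports; check failsafeInboundHostPorts in the FelixConfiguration resource before tightening further.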

PreDNAT policy (4)

In Kubernetes, service ports can be exposed externally through NodePorts or, optionally (when using Calico), by advertising them as cluster IPs or external IPs. Kube-proxy load-balances incoming traffic destined for a service across that service's pods using DNAT. Given this, how do you enforce policy on traffic arriving through NodePorts? To ensure that such policy is applied before the traffic is processed by DNAT (the mapping from host:port to the corresponding service), Calico provides a globalNetworkPolicy parameter called "preDNAT: true".

When pre-DNAT is enabled, these policies are enforced at point (4) in the diagram, in the PREROUTING chain of the mangle table, immediately before DNAT. The usual ordering relative to other policies does not apply here, because this policy is evaluated very early in the traffic-processing path. PreDNAT policies do, however, respect the order among themselves.

When creating pre-DNAT policies, be precise about the traffic you want to allow and deny everything else. Traffic marked as allowed by pre-DNAT policy is not checked again by host endpoint policy, while traffic that the pre-DNAT policy does not match continues through the remaining chains. Calico also makes it mandatory to enable applyOnForward when using preDNAT, because at this point the destination of the traffic is by definition not yet known: the traffic may be for a host process, or it may be forwarded to a pod or to another node.

Untracked policy (5)

Networks and applications vary widely in their behaviour. In some extreme cases, an application may generate a very large number of short-lived connections. This can cause conntrack (a core component of the Linux networking stack) to run out of memory. Traditionally, to run such applications on Linux you had to tune or disable conntrack by hand, or write iptables rules to bypass it. Untracked policy in Calico is a simpler and more efficient option when you need to process connections as fast as possible, for example when running memcached, or as an additional DDoS protection measure.

Read this blog post (or our translation of it) for more details, including performance tests with untracked policy.

When you set "doNotTrack: true" in a Calico globalNetworkPolicy, it becomes an untracked policy and is applied very early in the Linux packet-processing pipeline. Looking at the diagram above, untracked policy is applied in the PREROUTING and OUTPUT chains of the raw table, before connection tracking (conntrack) begins. When a packet is allowed by an untracked policy, it is marked so that connection tracking is disabled for that packet. This implies the following:

  • Untracked policy is applied per packet. There is no concept of a connection (or flow). The absence of connections has several important consequences:
      • If you want to allow both the request and the reply traffic, you need a rule for both ingress and egress (Calico normally relies on conntrack to mark reply traffic as allowed).
      • Untracked policy does not apply to Kubernetes workloads (pods), because in that case there would be no way to track the connections leaving the pod.
      • NAT does not work correctly with untracked packets (the kernel keeps its NAT mappings in conntrack).
      • If you write an "allow all" rule in an untracked policy, every packet will be marked as untracked. This is almost never what you want, so be very selective about which packets an untracked policy allows (and let most traffic go through normal, tracked policy).
  • Untracked policy is applied at the very start of the packet-processing pipeline. This is very important to understand when writing Calico policies. You might have a pod policy with order: 1 and an untracked policy with order: 1000. It does not matter: the untracked policy will be applied before the pod policy. Untracked policies respect the order of enforcement only among themselves.

Because one purpose of doNotTrack policy is to enforce policy very early in the Linux packet-processing pipeline, Calico also requires you to set the applyOnForward option when using doNotTrack. Referring to the packet-processing diagram, note that untracked policy (5) is applied before any routing decision has been made. The traffic may be for a host process, or it may be forwarded to a pod or to another node.
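The memcached case from the untracked section, as an added example (not from the original article or the Calico project). The label `role == 'memcached'` on the hosts' HostEndpoint objects, the client range 192.168.0.0/16 (the pod network containing the pod IP shown earlier) and the default memcached port 11211 are assumptions. Both directions are spelled out because no conntrack entry exists to admit the replies.

```yaml
# Added example: untracked (doNotTrack) policy for hosts running memcached.
# Label, client range and port are assumptions.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: memcached-untracked
spec:
  selector: role == 'memcached'
  order: 1                  # ranks only against other untracked policies
  doNotTrack: true
  applyOnForward: true      # mandatory with doNotTrack: evaluated before routing
  types:
    - Ingress
    - Egress
  ingress:
    # Requests: clients -> port 11211. Kept narrow so that only these
    # packets become untracked; everything else stays on the tracked path.
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 192.168.0.0/16
      destination:
        ports:
          - 11211
  egress:
    # Replies: port 11211 -> clients. Without this rule the replies have
    # no conntrack entry to be recognised by and must be allowed some
    # other way.
    - action: Allow
      protocol: TCP
      source:
        ports:
          - 11211
      destination:
        nets:
          - 192.168.0.0/16
```

Never put an `action: Allow` with no match criteria into an untracked policy, and keep anything that is NAT'd (NodePort and cluster-IP traffic included) on the tracked path, since the kernel's NAT state lives in conntrack.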

Conclusion

We have looked at the different policy options in Calico (host endpoint, ApplyOnForward, preDNAT and untracked) and where each is applied in the packet-processing path. Understanding how they work helps you write policies that are both effective and secure. With Calico you can use global network policy driven by labels (groups of nodes and pods) and apply policies with different parameters. This lets security and network design professionals protect "everything" (every endpoint type) quickly, using a single policy language and Calico policy.

Acknowledgements: I would like to thank Sean Crampton and Alex Pollitt for their review and valuable input.

Source: www.habr.com
