Qaphela. transl.: Lesi sihloko, esibhalwe unjiniyela we-SRE ovela ku-LinkedIn, singena emininingwaneni mayelana nomlingo wangaphakathi ku-Kubernetes - ngokuqondile, ukusebenzisana kwe-CRI, CNI kanye ne-kube-apiserver - okwenzeka lapho i-pod elandelayo idinga ukunikezwa ikheli le-IP.
Enye yezidingo eziyisisekelo ukuthi i-pod ngayinye kufanele ibe nekheli layo le-IP futhi noma iyiphi enye i-pod ku-cluster kufanele ikwazi ukuxhumana nayo kulelo kheli. Kukhona "abahlinzeki" abaningi benethiwekhi (Flannel, Calico, Canal, njll.) abasiza ukusebenzisa le modeli yenethiwekhi.
Lapho ngiqala ukusebenza noKubernetes, kwakungangicaceli ngokuphelele ukuthi ama-pods athola kanjani amakheli awo e-IP. Ngisho nokuqonda ukuthi izakhi ngazinye zisebenza kanjani, kwakunzima ukuzicabangela zisebenza ndawonye. Isibonelo, ngangazi ukuthi ama-plugin e-CNI ayenzelwe ini, kodwa ngangingazi ukuthi abizwa kanjani ngempela. Ngakho-ke, nginqume ukubhala lesi sihloko ukuze ngihlanganyele ulwazi mayelana nezingxenye ezihlukahlukene zenethiwekhi nokuthi zisebenza kanjani ndawonye kuqoqo le-Kubernetes, elivumela i-pod ngayinye ukuthi ithole ikheli layo le-IP eliyingqayizivele.
Kunezindlela ezahlukahlukene zokuhlela amanethiwekhi ku-Kubernetes, njengoba kunezinketho ezihlukile zesikhathi sokusebenza seziqukathi. Lokhu kushicilelwa kuzosetshenziswa ukuhlela inethiwekhi kuqoqo, futhi njengendawo esebenzisekayo - . Ngenza nokucabangela ukuthi uyazi ukuthi ukuxhumana phakathi kweziqukathi kusebenza kanjani, ngakho-ke ngizovele ngikuthinte kafushane, nje ngomongo.
Eminye imiqondo eyisisekelo
Iziqukathi kanye Nenethiwekhi: Uhlolojikelele olufushane
Kunenqwaba yezincwadi ezinhle kakhulu ku-inthanethi ezichaza ukuthi iziqukathi zixhumana kanjani kunethiwekhi. Ngakho-ke, ngizonikeza kuphela umbono ojwayelekile wemiqondo eyisisekelo futhi ngizikhawulele endleleni eyodwa, ehlanganisa ukudala ibhuloho le-Linux kanye namaphakheji ahlanganisayo. Imininingwane ayifakiwe, njengoba isihloko se-container networking sifanelwe i-athikili ehlukile. Izixhumanisi eziya kokunye okushicilelwe okunokuqonda nokufundisa zizonikezwa ngezansi.
Iziqukathi kumsingathi oyedwa
Enye indlela yokuhlela ukuxhumana ngamakheli e-IP phakathi kweziqukathi ezisebenza kumsingathi ofanayo ihlanganisa ukudala ibhuloho le-Linux. Ngale njongo, kwakhiwa amadivayisi abonakalayo ku-Kubernetes (kanye ne-Docker) . Ingxenye eyodwa yedivayisi ye-veth ixhuma ku-namespace yenethiwekhi yesiqukathi, enye ukuze kunethiwekhi yomsingathi.
Zonke iziqukathi ezikusokhaya ofanayo zinengxenye eyodwa ye-veth exhunywe ebhulohweni lapho zingakwazi ukuxhumana khona ngamakheli e-IP. Ibhuloho le-Linux futhi linekheli le-IP futhi lisebenza njengesango lokuphuma kwethrafikhi kuma-pods aqondiswe kwamanye ama-node.
Iziqukathi kubasingathi abahlukahlukene
I-packet encapsulation iyindlela eyodwa evumela iziqukathi ezikuma-node ahlukene ukuthi zixhumane zisebenzisa amakheli e-IP. E-Flannel, ubuchwepheshe bubhekene naleli thuba. , "elipakisha" iphakethe langempela ephaketheni le-UDP bese lilithumela lapho liya khona.
Kuqoqo le-Kubernetes, i-Flannel idala idivayisi ye-vxlan futhi ibuyekeze ithebula lomzila endaweni ngayinye ngokufanele. Iphakethe ngalinye elihloselwe isiqukathi kumsingathi ohlukile lidlula kudivayisi ye-vxlan futhi lifakwe kuphakethe le-UDP. Endaweni okuyiwa kuyo, iphakethe elifakwe isidleke liyakhishwa futhi lidluliselwe ku-pod oyifunayo.
Qaphela: Lena yindlela eyodwa nje yokuhlela ukuxhumana kwenethiwekhi phakathi kweziqukathi.
Yini i-CRI?
iyi-plugin evumela i-kubelet ukuthi isebenzise izindawo ezihlukene zesikhathi sokusebenza esitsheni. I-CRI API yakhelwe ezinkathini zokusebenza ezihlukahlukene, ngakho abasebenzisi bangakhetha isikhathi sokusebenza abasithandayo.
Iyini i-CNI?
kuyinto a ukuhlela isixazululo senethiwekhi yendawo yonke yeziqukathi ze-Linux. Ngaphezu kwalokho, kuhlanganisa , unesibopho semisebenzi eyahlukene lapho usetha inethiwekhi ye-pod. I-plugin ye-CNI iyifayela elisebenzisekayo elithobelana nencazelo (sizoxoxa ngama-plugin athile ngezansi).
Ukwabiwa kwama-subnet kumanodi okunikeza amakheli e-IP kuma-pods
Njengoba i-pod ngayinye kuqoqo kufanele ibe nekheli le-IP, kubalulekile ukuqinisekisa ukuthi leli kheli lihlukile. Lokhu kufezwa ngokunikeza inodi ngayinye i-subnet eyingqayizivele, lapho ama-pods akuleyo nodi abe esenikezwa amakheli e-IP.
Setha Isilawuli se-IPAM
Nini nodeipam kuphasiswe njengepharamitha yefulegi --controllers , yabela i-subnet ehlukile (i-podCIDR) ku-node ngayinye ukusuka ku-cluster CIDR (okungukuthi, ububanzi bamakheli e-IP wenethiwekhi yeqoqo). Njengoba lawa ma-podCIDR engadluleli, kuyenzeka ukuthi i-pod ngayinye inikezwe ikheli le-IP eliyingqayizivele.
I-Kubernetes node yabelwa i-podCIDR uma ibhaliswe ekuqaleni neqoqo. Ukuze ushintshe i-podCIDR yama-node, udinga ukuwakhipha ohlwini bese uwabhalisa kabusha, wenze izinguquko ezifanele ekucushweni kongqimba lokulawula lwe-Kubernetes phakathi. Ungabonisa i-podCIDR ye-node usebenzisa umyalo olandelayo:
$ kubectl get no <nodeName> -o json | jq '.spec.podCIDR'
10.244.0.0/24
I-Kubelet, isikhathi sokusebenza sesitsha kanye nama-plugin e-CNI: ukuthi konke kusebenza kanjani
Ukuhlela i-pod ngenodi ngayinye kuhilela izinyathelo eziningi zokulungiselela. Kulesi sigaba, ngizogxila kuphela kulabo abahlobene ngokuqondile nokusetha inethiwekhi ye-pod.
Ukuhlela i-pod endaweni ethile kubangela uchungechunge lwemicimbi elandelayo:
Usizo: .
Ukusebenzisana phakathi kwesikhathi sokusebenza kwesiqukathi nama-plugin e-CNI
Umhlinzeki ngamunye wenethiwekhi une-plugin yakhe ye-CNI. Isikhathi sokusebenza sesiqukathi siyasiqhuba ukuze silungiselele inethiwekhi ye-pod njengoba siqala. Esimeni sokuqukatha, i-plugin ye-CNI yethulwa yi-plugin .
Ngaphezu kwalokho, umhlinzeki ngamunye une-ejenti yakhe. Ifakwe kuwo wonke ama-node e-Kubernetes futhi inesibopho sokucushwa kwenethiwekhi yama-pods. Lo menzeli ufakwa nokucushwa kwe-CNI noma uyidale ngokuzimela kunodi. Ukulungiselelwa kusiza i-plugin ye-CRI ukuthi imise ukuthi iyiphi i-plugin ye-CNI okufanele ishayelwe.
Indawo yokucushwa kwe-CNI ingenziwa ngendlela oyifisayo; ngokuzenzakalelayo ingaphakathi /etc/cni/net.d/<config-file>. Abalawuli Beqoqo nabo banesibopho sokufaka ama-plugin e-CNI endaweni ngayinye yeqoqo. Indawo yabo ibuye ibe ngokwezifiso; uhla lwemibhalo oluzenzakalelayo - /opt/cni/bin.
Uma usebenzisa okuqukethwe, izindlela zokulungiselelwa kwe-plugin namabhanari zingasethwa esigabeni [plugins.Β«io.containerd.grpc.v1.criΒ».cni] Π² .
Njengoba sisebenzisa i-Flannel njengomhlinzeki wethu wenethiwekhi, ake sikhulume kancane ngokuyimisa:
- I-Flanneld (i-daemon ye-Flannel) ivamise ukufakwa kuqoqo njenge-DaemonSet ene
install-cninjengoba . Install-cnikudala (/etc/cni/net.d/10-flannel.conflist) endaweni ngayinye.- I-Flanneld idala idivayisi ye-vxlan, ibuyisa imethadatha yenethiwekhi kuseva ye-API, futhi iqaphe izibuyekezo ze-pod. Njengoba zidaliwe, isabalalisa imizila kuwo wonke ama-pods kulo lonke iqoqo.
- Le mizila ivumela ama-pod ukuthi axhumane namanye ngamakheli e-IP.
Ukuze uthole ukwaziswa okwengeziwe mayelana nomsebenzi weFlannel, ngincoma ukusebenzisa izixhumanisi ekupheleni kwesihloko.
Nawu umdwebo wokusebenzelana phakathi kwe-plugin ye-Containerd CRI kanye nama-plugin e-CNI:
Njengoba ubona ngenhla, i-kubelet ibiza i-plugin ye-Containerd CRI ukuze idale i-pod, ebese ibiza i-plugin ye-CNI ukuze ilungiselele inethiwekhi ye-pod. Ngokwenza kanjalo, i-plugin ye-CNI yomhlinzeki wenethiwekhi ibiza amanye ama-plugin we-CNI angumongo ukuze alungiselele izici ezihlukahlukene zenethiwekhi.
Ukusebenzisana phakathi kwama-plugin e-CNI
Kunama-plugin e-CNI ahlukahlukene umsebenzi wawo uwukusiza ukusetha ukuxhumana kwenethiwekhi phakathi kweziqukathi kumsingathi. Lesi sihloko sizoxoxa ngezintathu zazo.
I-Flannel ye-plugin ye-CNI
Uma usebenzisa iFlaneli njengomhlinzeki wenethiwekhi, ingxenye ye-Containerd CRI iyafona usebenzisa ifayela lokumisa le-CNI /etc/cni/net.d/10-flannel.conflist.
$ cat /etc/cni/net.d/10-flannel.conflist
{
"name": "cni0",
"plugins": [
{
"type": "flannel",
"delegate": {
"ipMasq": false,
"hairpinMode": true,
"isDefaultGateway": true
}
}
]
}
I-plugin ye-Flannel CNI isebenza ngokuhlanganyela noFlanneld. Ngesikhathi sokuqalisa, i-Flanneld ithola i-podCIDR neminye imininingwane ehlobene nenethiwekhi kuseva ye-API futhi iyilondoloze efayelini. /run/flannel/subnet.env.
FLANNEL_NETWORK=10.244.0.0/16
FLANNEL_SUBNET=10.244.0.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false
I-plugin ye-Flannel CNI isebenzisa idatha kusuka /run/flannel/subnet.env ukuze ulungiselele futhi ushayele i-plugin yebhuloho le-CNI.
I-CNI plugin Bridge
Le plugin ibizwa ngokucushwa okulandelayo:
{
"name": "cni0",
"type": "bridge",
"mtu": 1450,
"ipMasq": false,
"isGateway": true,
"ipam": {
"type": "host-local",
"subnet": "10.244.0.0/24"
}
}
Uma ibizwa okokuqala, idala ibhuloho le-Linux nge Β«nameΒ»: Β«cni0Β», ekhonjiswe ku-config. Bese kwakhiwa i-veth pair ye-pod ngayinye. Ukuphela kwayo okukodwa kuxhunywe endaweni yamagama yenethiwekhi yesiqukathi, enye ifakiwe ebhulohweni le-Linux kunethiwekhi yomsingathi. ixhuma zonke iziqukathi zokusingatha ebhulohweni le-Linux kunethiwekhi yomsingathi.
Ngemva kokuqeda ukusetha ipheya ye-veth, i-plugin Yebhuloho ibiza i-plugin ye-IPAM CNI yomsingathi wendawo. Uhlobo lwe-plugin ye-IPAM lungalungiselelwa ekucushweni kwe-CNI esetshenziswa i-plugin ye-CRI ukuze kushayelwe i-plugin ye-Flannel CNI.
Isingethe ama-plugin we-IPAM CNI wendawo
Izingcingo zeBridge CNI ngokucushwa okulandelayo:
{
"name": "cni0",
"ipam": {
"type": "host-local",
"subnet": "10.244.0.0/24",
"dataDir": "/var/lib/cni/networks"
}
}
I-plugin ye-IPAM yokusingatha yendawo (IP Aukhiye Mukuphathwa - ukuphathwa kwekheli le-IP) ibuyisela ikheli le-IP lesiqukathi esivela ku-subnet futhi igcina i-IP eyabiwe kumsingathi ohlwini lwemibhalo olushiwo esigabeni. dataDir - /var/lib/cni/networks/<network-name=cni0>/<ip>. Leli fayela liqukethe i-ID yesiqukathi esinikezwe leli kheli le-IP.
Uma ushayela i-plugin ye-IPAM yomsingathi wendawo, ibuyisela idatha elandelayo:
{
"ip4": {
"ip": "10.244.4.2",
"gateway": "10.244.4.3"
},
"dns": {}
}
Isifingqo
I-Kube-controller-manager yabela i-podCIDR endaweni ngayinye. Amaphodi enodi ngayinye athola amakheli e-IP esikhaleni sekheli ebangeni le-podCIDR elabelwe. Njengoba ama-podCIDR ama-node engadluleli, wonke ama-pod athola amakheli e-IP ahlukile.
Umlawuli weqoqo le-Kubernetes ulungisa futhi afake i-kubelet, isikhathi sokusebenza sesiqukathi, i-ejenti yomhlinzeki wenethiwekhi, futhi akopishe ama-plugin e-CNI endaweni ngayinye. Ngesikhathi sokuqalisa, umenzeli womhlinzeki wenethiwekhi ukhiqiza ukucushwa kwe-CNI. Uma i-pod ihlelelwe indawo, i-kubelet ibiza i-plugin ye-CRI ukuyidala. Okulandelayo, uma okuqukathi kusetshenziswa, i-plugin ye-Containerd CRI ibiza i-plugin ye-CNI eshiwo ku-CNI config ukuze ilungiselele inethiwekhi ye-pod. Ngenxa yalokho, i-pod ithola ikheli le-IP.
Kwangithatha isikhathi ukuqonda zonke izinto eziyinkimbinkimbi nama-nuances akho konke lokhu kusebenzisana. Ngethemba ukuthi lokhu okwenziwayo kuzokusiza uqonde kangcono ukuthi u-Kubernetes usebenza kanjani. Uma nginephutha nganoma yini, ngicela ungithinte ku noma ekhelini . Zizwe ukhululekile ukufinyelela uma ungathanda ukuxoxa ngezici zalesi sihloko nanoma yini enye. Ngingathanda ukuxoxa nawe!
izithenjwa
Iziqukathi kanye nenethiwekhi
Isebenza kanjani iFlannel?
I-CRI kanye ne-CNI
I-PS evela kumhumushi
Funda futhi kubhulogi yethu:
- Β«";
- "Umhlahlandlela Onemifanekiso Wokuxhumana Nenethiwekhi ku-Kubernetes": , ;
- Β«".
Source: www.habr.com