Kubernetes CNI performance benchmark on a 10G network (August 2020)

TL;DR: All CNIs work as they should, except Kube-Router and Kube-OVN. Calico, apart from its lack of automatic MTU detection, is the best.

This is an update of my previous benchmarks (2018 and 2019). At the time of testing I am using Kubernetes 1.19 on Ubuntu 18.04 with CNIs updated as of August 2020.

Before we dive into the metrics...

What's new since April 2019?

  • You can test on your own cluster: you can run the tests on your own cluster using our tool Kubernetes Network Benchmark: knb
  • New contenders have appeared
  • New scenarios: the current benchmark runs the "Pod-to-Pod" network performance tests, and a new "Pod-to-Service" scenario has been added that runs tests closer to real-world conditions. In practice, your API Pod talks to the database as a service, not via the Pod's IP address (of course, we test both TCP and UDP in both scenarios).
  • Resource consumption: each test now has its own resource comparison
  • Removal of application tests: we no longer run HTTP, FTP and SCP tests, because our fruitful collaboration with the community and the CNI maintainers found a gap between iperf results over TCP and curl results, caused by a delay in CNI startup (the first few seconds of Pod startup, which is not typical in real conditions).
  • Open source: all test sources (scripts, yml configuration and the original "raw" data) are available here

Reference test protocol

The protocol is described in detail here. Please note that this article is dedicated to Ubuntu 18.04 with the default kernel.

Selecting CNIs for the benchmark

This benchmark aims to compare CNIs that are set up with a single yaml file (so all those installed by scripts, such as VPP and others, are excluded).

Our selected CNIs for comparison:

  • Antrea v.0.9.1
  • Calico v3.16
  • Canal v3.16 (Flannel networking + Calico network policies)
  • Cilium 1.8.2
  • Flannel 0.12.0
  • Kube-router latest (2020–08–25)
  • WeaveNet 2.7.0

Configuring the MTU for CNIs

First, we look at the impact of automatic MTU detection on TCP performance:

Impact of MTU on TCP performance

An even larger gap is found when using UDP:

Impact of MTU on UDP performance

Given the HUGE performance impact shown in the tests, we would like to send a letter of hope to all CNI maintainers: please add automatic MTU detection to your CNI. You will save kittens, unicorns and even the cutest one of all: the little Devop.

However, if you need to use a CNI without support for automatic MTU detection, you can tune it manually to get the performance. Please note that this applies to Calico, Canal and WeaveNet.

My small request to the CNIs concerned...
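
Manual MTU tuning comes down to setting the CNI's interface MTU to the node NIC's MTU minus the encapsulation overhead. The check below is an added example, not code from the original article or from any CNI project; the overhead values (IPv4 underlay), the interface name prefixes and the sample `ip -o link show` output are assumptions constructed for illustration.

```python
import re

# Per-packet encapsulation overhead in bytes on an IPv4 underlay (assumed
# standard header sizes; confirm against your CNI's documentation).
OVERHEAD = {"none": 0, "ipip": 20, "vxlan": 50, "wireguard": 60}

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s.*?\bmtu\s+(\d+)", re.M)

# Constructed `ip -o link show` output: jumbo frames on the NIC, CNI left at
# a 1500-based default, as happens without automatic MTU detection.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: ens1f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
5: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
7: cali0123456789a@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP
"""

def parse_mtus(ip_link_output):
    """Map interface name -> MTU from `ip -o link show` text."""
    return {name: int(mtu) for name, mtu in LINK_RE.findall(ip_link_output)}

def expected_pod_mtu(underlay_mtu, encap):
    """Largest pod MTU that still fits in one underlay frame after encapsulation."""
    return underlay_mtu - OVERHEAD[encap]

def audit(ip_link_output, underlay_if, encap,
          pod_prefixes=("cali", "tunl", "vxlan", "wireguard")):
    """Return {iface: (actual, expected, verdict)} for CNI-owned interfaces."""
    mtus = parse_mtus(ip_link_output)
    want = expected_pod_mtu(mtus[underlay_if], encap)
    report = {}
    for name, mtu in mtus.items():
        if not name.startswith(pod_prefixes):
            continue  # skip loopback and physical NICs
        if mtu > want:
            verdict = "too_large"  # encapsulated packets exceed the underlay MTU
        elif mtu < want:
            verdict = "too_small"  # works, but leaves throughput unused
        else:
            verdict = "ok"
        report[name] = (mtu, want, verdict)
    return report

if __name__ == "__main__":
    for iface, (actual, want, verdict) in audit(SAMPLE, "ens1f0", "ipip").items():
        print(f"{iface}: mtu={actual} expected={want} -> {verdict}")
```

A `too_small` verdict is the case the MTU graphs above illustrate; `too_large` is the opposite mistake, where encapsulated packets no longer fit in one underlay frame.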

CNI benchmark: raw data

In this section, we compare the CNIs with the correct MTU (detected automatically or set manually). The main goal here is to show the raw data in graphs.

Color legend:

  • gray - sample (i.e. bare metal)
  • green - bandwidth above 9500 Mbps
  • yellow - bandwidth above 9000 Mbps
  • orange - bandwidth above 8000 Mbps
  • red - bandwidth below 8000 Mbps
  • blue - neutral (not related to bandwidth)

Resource consumption when idle

First, check resource consumption when the cluster is "sleeping".

Resource consumption when idle

Pod-to-Pod

This scenario assumes that the client Pod connects directly to the server Pod using its IP address.

Pod-to-Pod scenario

TCP

Pod-to-Pod TCP results and the corresponding resource consumption:

UDP

Pod-to-Pod UDP results and the corresponding resource consumption:

Pod-to-Service

This section is relevant to real-world use cases: the client Pod connects to the server Pod through a ClusterIP service.

Pod-to-Service scenario

TCP

Pod-to-Service TCP results and the corresponding resource consumption:

UDP

Pod-to-Service UDP results and the corresponding resource consumption:

Network policy support

Among all of the above, the only one that does not support policies is Flannel. All the others implement network policies correctly, including ingress and egress. Good job!

CNI encryption

Among the CNIs tested, some can encrypt network traffic between Pods:

  • Antrea using IPsec
  • Calico using wireguard
  • Cilium using IPsec
  • WeaveNet using IPsec

Bandwidth

Since only a few CNIs are left, let's put all the scenarios on one graph:

Resource consumption

In this section, we evaluate the resources used when handling Pod-to-Pod communication over TCP and UDP. There is no need to draw a Pod-to-Service graph, as it provides no additional information.

Putting it all together

Let's try to recap all the graphs, introducing a little subjectivity here by replacing the actual values with words such as "very fast", "low", etc.

Summary and my conclusions

This is a bit subjective, as I am giving my own interpretation of the results.

I am glad that new CNIs have appeared. Antrea did well, with many features implemented even in early versions: automatic MTU detection, encryption and easy installation.

Comparing performance, all CNIs work well, except Kube-OVN and Kube-Router. Kube-Router was also unable to detect the MTU, and I did not find a way to configure it anywhere in the documentation (an issue on this topic has been opened here).

Regarding resource consumption, Cilium still uses more RAM than the others, but the vendor clearly targets large clusters, which is obviously not the same as a test on a three-node cluster. Kube-OVN also uses a lot of CPU and RAM, but it is a young CNI based on Open vSwitch (like Antrea, which performs better and consumes less).

Everyone except Flannel has network policies. It is very likely that it will never support them, because the goal is simpler than a steamed turnip: the lighter, the better.

Also, the encryption performance is amazing. Calico is one of the oldest CNIs, but encryption was added only a few weeks ago. They chose wireguard instead of IPsec, and simply put, it all works great, completely eclipsing the other CNIs in this part of the test. Of course, resource consumption increases because of encryption, but the throughput achieved is worth it (Calico showed a sixfold gain over Cilium, which ranked second, in the encryption test). In addition, you can enable wireguard at any time after deploying Calico in the cluster, and you can disable it temporarily or permanently if you wish. This is very convenient, but! We remind you that Calico currently does not auto-detect the MTU (this feature is planned for future versions), so make sure you configure the MTU if your network supports Jumbo Frames (MTU 9000).

Among other things, note that Cilium can encrypt traffic between cluster nodes (not just between Pods), which can be very important for public cluster nodes.

As a conclusion, I suggest the following use cases:

  • You need a CNI for a very small cluster OR I don't need security: go with Flannel, the lightest and most stable CNI (it is also one of the oldest; according to legend it was invented by Homo Kubernautus or Homo Contaitorus). You may also be interested in the very clever k3s project, check it out!
  • You need a CNI for a regular cluster: Calico is your choice, but don't forget to configure the MTU if needed. You can play easily and naturally with network policies, turn encryption on and off, etc.
  • You need a CNI for a (very) large-scale cluster: well, the benchmark does not show the behavior of large clusters. I would be happy to run the tests, but we do not have hundreds of servers with 10Gbps connectivity. So the best option is to run a customized benchmark on your own nodes, at least with Calico and Cilium.

Source: www.habr.com
