Kubernetes CNI performance benchmark on a 10G network (August 2020)

TL;DR: All CNIs work as they should, except Kube-Router and Kube-OVN. Calico, apart from its lack of automatic MTU detection, is the best.

This is an update of my previous benchmarks (2018 and 2019). At the time of testing I am using Kubernetes 1.19 on Ubuntu 18.04 with CNIs updated as of August 2020.

Before we dive into the metrics...

What's new since April 2019?

  • You can test on your own cluster: you can run the tests on your own cluster using our tool, Kubernetes Network Benchmark: knb
  • New contenders have appeared
  • New scenarios: the current tests run the "Pod-to-Pod" network performance tests, and a new "Pod-to-Service" scenario has been added that runs tests closer to real-world conditions. In practice, your API Pod talks to the database as a service, not through the Pod's IP address (of course we test both TCP and UDP in both scenarios).
  • Resource consumption: each test now has its own resource comparison
  • Removal of application tests: we no longer run HTTP, FTP and SCP tests, because our fruitful collaboration with the community and the CNI maintainers found a gap between iperf results over TCP and curl results, caused by a delay in CNI startup (the first few seconds of Pod startup, which is not typical in real conditions).
  • Open source: all test sources (scripts, yml configurations and the original "raw" data) are available here

Reference test protocol

The protocol is described in detail here. Please note that this article is about Ubuntu 18.04 with the default kernel.

Choosing the CNIs for testing

This benchmark aims to compare CNIs that are set up with a single yaml file (therefore all those installed by scripts, such as VPP and others, are excluded).

Our selected CNIs for comparison:

  • Antrea v.0.9.1
  • Calico v3.16
  • Canal v3.16 (Flannel networking + Calico network policies)
  • Cilium 1.8.2
  • Flannel 0.12.0
  • Kube-router latest (2020-08-25)
  • WeaveNet 2.7.0

Configuring the MTU for the CNI

First, we look at the impact of automatic MTU detection on TCP performance:

[Figure: Impact of MTU on TCP performance]

An even bigger gap is found when using UDP:

[Figure: Impact of MTU on UDP performance]

Given the HUGE performance impact revealed in the tests, we would like to send a letter of hope to all CNI maintainers: please add automatic MTU detection to the CNI. You will save kittens, unicorns and even the cutest one of all: the little Devop.

However, if you need to use a CNI without support for automatic MTU detection, you can configure it manually to get the performance. Please note that this applies to Calico, Canal and WeaveNet.

[Figure: My small request to the CNI maintainers...]

CNI testing: raw data

In this section, we will compare the CNIs with the correct MTU (determined automatically or set manually). The main goal here is to show the raw data in graphs.

Color legend:

  • gray - reference (i.e. bare metal)
  • green - bandwidth above 9500 Mbps
  • yellow - bandwidth above 9000 Mbps
  • orange - bandwidth above 8000 Mbps
  • red - bandwidth below 8000 Mbps
  • blue - neutral (not related to bandwidth)

Idle resource consumption

First, check resource consumption when the cluster is "sleeping".

[Figure: Idle resource consumption]

Pod-to-Pod

This scenario assumes that the client Pod connects directly to the server Pod using its IP address.

[Figure: Pod-to-Pod scenario]

TCP

Pod-to-Pod TCP results and the corresponding resource consumption:

UDP

Pod-to-Pod UDP results and the corresponding resource consumption:

Pod-to-Service

This section is relevant for real use cases: the client Pod connects to the server Pod through a ClusterIP service.

[Figure: Pod-to-Service scenario]

TCP

Pod-to-Service TCP results and the corresponding resource consumption:

UDP

Pod-to-Service UDP results and the corresponding resource consumption:

Network policy support

Among all of the above, the only one that does not support policies is Flannel. All the others correctly implement network policies, including ingress and egress. Great job!

CNI encryption

Among the tested CNIs, there are some that can encrypt network traffic between Pods:

  • Antrea uses IPsec
  • Calico uses wireguard
  • Cilium uses IPsec
  • WeaveNet uses IPsec

Bandwidth

Since only a few CNIs remain, let's put all the scenarios on one graph:

Resource consumption

In this section, we will evaluate the resources used when handling Pod-to-Pod communication over TCP and UDP. There is no need to draw a Pod-to-Service graph, as it gives no additional information.

Putting it all together

Let's try to recap all the graphs, introducing a little subjectivity here by replacing the actual values with words such as "very fast", "low", etc.

Conclusion and my takeaways

This part is a little subjective, as I am conveying my own interpretation of the results.

I am glad that new CNIs have appeared. Antrea performed well, with many features implemented even in its early versions: automatic MTU detection, encryption and easy installation.

Comparing performance, all CNIs work well, except Kube-OVN and Kube-Router. Kube-Router also could not detect the MTU, and I did not find a way to configure it anywhere in the documentation (an issue on this topic has been opened here).

Regarding resource consumption, Cilium still uses more RAM than the others, but the vendor clearly targets large clusters, which is obviously not the same as a test on a three-node cluster. Kube-OVN also consumes a lot of CPU and RAM, but it is a young CNI based on Open vSwitch (like Antrea, which performs better and consumes less).

Everyone except Flannel has network policies. It is very likely that it will never support them, because the goal is simpler than a steamed turnip: the lighter, the better.

Also, among other things, encryption performance is amazing. Calico is one of the oldest CNIs, but encryption was added only a few weeks ago. They chose wireguard instead of IPsec, and simply put, it works great and is amazing, completely outperforming the other CNIs in this part of the test. Of course, resource consumption increases because of encryption, but the result achieved is worth it (Calico showed a sixfold improvement in the encryption test compared to Cilium, which ranks second). Moreover, you can enable wireguard at any time after deploying Calico to the cluster, and you can disable it temporarily or permanently if you wish. It is remarkably convenient! We remind you that Calico currently does not detect the MTU automatically (this feature is planned for future versions), so be sure to configure the MTU if your network supports Jumbo Frames (MTU 9000).
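The manual MTU setting discussed in the MTU section and the wireguard reminder above come down to the same arithmetic, shown here as an added example that is not part of the original article or of Calico. The function names are hypothetical, and the per-encapsulation overheads are assumed to be the IPv4 values from Calico's MTU documentation.

```shell
#!/bin/sh
# Added example: size Calico's pod MTU from the node (underlay) MTU.
# Assumption: IPv4 underlay, one encapsulation layer at a time; overheads
# are the values listed in Calico's MTU documentation.

# encap_overhead ENCAP -> bytes the encapsulation adds to every packet
encap_overhead() {
  case "$1" in
    none)      echo 0 ;;
    ipip)      echo 20 ;;
    vxlan)     echo 50 ;;
    wireguard) echo 60 ;;
    *) echo "unknown encapsulation: $1" >&2; return 1 ;;
  esac
}

# calico_veth_mtu UNDERLAY_MTU ENCAP -> largest pod MTU that still fits
calico_veth_mtu() {
  case "$1" in ''|*[!0-9]*) echo "MTU must be a number" >&2; return 1 ;; esac
  overhead=$(encap_overhead "$2") || return 1
  [ "$1" -gt "$overhead" ] || { echo "underlay MTU too small" >&2; return 1; }
  echo $(( $1 - overhead ))
}

# check_pod_mtu POD_MTU UNDERLAY_MTU ENCAP -> ok | undersized:N | oversized:N
# undersized: throughput is left on the table (the gap the MTU graphs show)
# oversized:  encapsulated packets exceed the link MTU and fragment or drop
check_pod_mtu() {
  want=$(calico_veth_mtu "$2" "$3") || return 1
  if   [ "$1" -gt "$want" ]; then echo "oversized:$(( $1 - want ))"
  elif [ "$1" -lt "$want" ]; then echo "undersized:$(( want - $1 ))"
  else echo "ok"; fi
}

# node_mtu -> MTU of the interface carrying the default route (Linux only)
node_mtu() {
  dev=$(ip -o route show default 2>/dev/null |
        awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}')
  [ -n "$dev" ] && cat "/sys/class/net/$dev/mtu"
}

# Run on a node as: sh mtu.sh <pod_mtu> <encap>   e.g. sh mtu.sh 1440 wireguard
if [ "$#" -eq 2 ]; then
  under=$(node_mtu) || { echo "cannot read node MTU" >&2; exit 1; }
  echo "node=$under pod=$1 encap=$2 -> $(check_pod_mtu "$1" "$under" "$2")"
  echo "suggested pod MTU: $(calico_veth_mtu "$under" "$2")"
fi
```

On a manifest-based Calico install, the suggested value is what goes into the `veth_mtu` key of the `calico-config` ConfigMap. Turning wireguard on later lowers the correct value by the difference in overhead, so the MTU has to be revisited when encryption is enabled.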

Among other things, note that Cilium can encrypt traffic between cluster nodes (not just between Pods), which can be very important for public cluster nodes.

As a conclusion, I suggest the following use cases:

  • You need a CNI for a very small cluster, or you do not need security: go with Flannel, a lightweight and very stable CNI (and it is one of the oldest; according to legend it was invented by Homo Kubernautus or Homo Contaitorus). You may also be interested in the very clever k3s project, check it out!
  • You need a CNI for a regular cluster: Calico is your choice, but do not forget to set the MTU if needed. You can easily and naturally play with network policies, turn encryption on and off, etc.
  • You need a CNI for a (very) large-scale cluster: well, the test does not show the behaviour of large clusters. I would be glad to run the tests, but we do not have hundreds of servers with 10Gbps connections. So the best option is to run a modified test on your own nodes, at least with Calico and Cilium.

Source: www.habr.com
