I-plugin yenethiwekhi ye-Calico ihlinzeka ngezinqubomgomo zenethiwekhi eziningi nge-syntax ehlanganisiwe ukuze kuvikelwe abasingathi behadiwe, imishini ebonakalayo nama-pods. Lezi zinqubomgomo zingasetshenziswa ngaphakathi kwendawo yamagama noma zibe izinqubomgomo zenethiwekhi yomhlaba wonke ezisebenza kukho (ukuvikela izinhlelo zokusebenza ezisebenza ngqo kumsingathi - umsingathi angaba iseva noma umshini obonakalayo) noma (ukuvikela izinhlelo zokusebenza ezisebenza ezitsheni noma emishinini ebonakalayo esingethwe). Izinqubomgomo ze-Calico zikuvumela ukuthi usebenzise izinyathelo zokuphepha ezindaweni ezihlukahlukene endleleni yephakethe usebenzisa izinketho ezifana ne-preDNAT, i-unraracked, kanye ne-applyOnForward. Ukuqonda ukuthi lezi zinketho zisebenza kanjani kungasiza ukuthuthukisa ukuphepha nokusebenza kwesistimu yakho iyonke. Lesi sihloko sichaza ingqikithi yalezi zinketho zenqubomgomo ye-Calico (preDNAT, unraracked kanye ne-applyOnForward) esetshenziswa kuma-endpoints, ngokugcizelela ukuthi kwenzekani ezindleleni zokucubungula iphakethe (amaketanga e-iptabels).
Lesi sihloko sithatha ukuthi unokuqonda okuyisisekelo kokuthi izinqubomgomo zenethiwekhi ye-Kubernetes ne-Calico zisebenza kanjani. Uma kungenjalo, sincoma ukuyizama ΠΈ usebenzisa i-Calico ngaphambi kokufunda lesi sihloko. Silindele futhi ukuthi ube nokuqonda okuyisisekelo komsebenzi kwe linux.
UCalico ikuvumela ukuthi usebenzise isethi yemithetho yokufinyelela ngamalebula (emaqenjini ababungazi kanye nomthwalo wokusebenza/amaphodi). Lokhu kuwusizo kakhulu uma usebenzisa amasistimu ane-heterogeneous ndawonye - imishini ebonakalayo, isistimu ngqo ku-hardware, noma ingqalasizinda ye-kubernetes. Ngaphezu kwalokho, ungakwazi ukuvikela iqoqo lakho (ama-node) usebenzisa isethi yezinqubomgomo ezimemezelayo futhi usebenzise izinqubomgomo zenethiwekhi kuthrafikhi engenayo (isibonelo, nge-NodePorts noma isevisi ye-IPs yangaphandle).
Ezingeni eliyisisekelo, lapho i-Calico ixhuma i-pod kunethiwekhi (bona umdwebo ngezansi), iyixhuma kumsingathi isebenzisa isixhumi esibonakalayo se-Ethernet (veth). I-traffic ethunyelwe yi-pod iza kumsingathi isuka kulesi sikhombimsebenzisi esibonakalayo futhi icutshungulwa ngendlela efanayo njengokuthi ivela kusixhumanisi esibonakalayo senethiwekhi. Ngokuzenzakalelayo, i-Calico iqamba lezi zixhumanisi ngokuthi caliXXX. Njengoba ithrafikhi iza ngesibonisi esibonakalayo, idlula kuma-iptables sengathi i-pod ikude kakhulu. Ngakho-ke, uma ithrafikhi ifika/isuka ku-pod, idluliselwa ngokombono womsingathi.
Kunodi ye-Kubernetes esebenzisa i-Calico, ungakwazi ukumepha isixhumi esibonakalayo esibonakalayo (veth) kumthwalo wokusebenza ngale ndlela elandelayo. Esibonelweni esingezansi, ungabona ukuthi i-veth#10 (calic1cbf1ca0f8) ixhumeke ku-cnx-manager-* ku-calico-monitoring namespace.
[centos@ip-172-31-31-46 K8S]$ sudo ip a
...
10: calic1cbf1ca0f8@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 5
inet6 fe80::ecee:eeff:feee:eeee/64 scope link
valid_lft forever preferred_lft forever
...
[centos@ip-172-31-31-46 K8S]$ calicoctl get wep --all-namespaces
...
calico-monitoring cnx-manager-8f778bd66-lz45m ip-172-31-31-46.ec2.internal 192.168.103.134/32
calic1cbf1ca0f8
...
Njengoba i-Calico idala i-veth interface yomsebenzi ngamunye, izisebenzisa kanjani izinqubomgomo? Ukwenza lokhu, i-Calico idala izingwegwe kumaketanga ahlukahlukene wendlela yokucubungula iphakethe isebenzisa ama-iptables.
Umdwebo ongezansi ubonisa amaketanga abandakanyeka ekucutshungulweni kwephakethe kuma-iptables (noma i-netfilter subsystem). Uma iphakethe lifika ngesixhumi esibonakalayo senethiwekhi, liqala lidlule ochungechungeni lwe-PREROUTING. Isinqumo somzila sibe sesenziwa, futhi ngokusekelwe kulokhu, iphakethe lidlula ku-INPUT (eqondiswe kuzinqubo zokusingatha) noma PHAMBILI (iqondiswe ku-pod noma enye i-node kunethiwekhi). Kusukela kunqubo yendawo, iphakethe lidlula ku-OUTPUT bese lithi POSTROUTING chain ngaphambi kokuthunyelwa phansi kwekhebuli.
Qaphela ukuthi i-pod futhi iyinhlangano yangaphandle (exhunywe ku-veth) ngokuya ngokucubungula ama-iptables. Ake sifinyeze:
- Ithrafikhi edlulisiwe (i-nat, i-ruited noma eya/kusuka ku-pod) idlula OKUPHAMBILI - PHAMBILI - OKUTHUMELA.
- Ithrafikhi eya kunqubo yomsingathi wendawo idlula ochungechungeni lwe-PREROUTING - INPUT.
- Ithrafikhi evela kwinqubo yomsingathi wendawo idlula ku-OUTPUT - POSTROUTING chain.
I-Calico inikeza izinketho zenqubomgomo ezikuvumela ukuthi usebenzise izinqubomgomo kuwo wonke amaketango. Sinalokho engqondweni, ake sibheke izinketho ezihlukene zokucushwa kwenqubomgomo ezitholakala e-Calico. Izinombolo ezisohlwini lwezinketho ezingezansi zihambisana nezinombolo ezisemdwebeni ongenhla.
- Inqubomgomo yendawo yokuphela komsebenzi (pod).
- Inqubomgomo yephoyinti lokugcina lomsingathi
- Inketho ye-ApplyOnForward
- Inqubomgomo ye-PreDNAT
- Inqubomgomo Engalandeliwe
Ake siqale ngokubheka ukuthi izinqubomgomo zisetshenziswa kanjani ezindaweni zokugcina zomsebenzi (ama-Kubernetes pods noma ama-OpenStack VM), bese sibheka izinketho zenqubomgomo zezindawo zokugcina.
Amaphoyinti okuphela komsebenzi
Inqubomgomo Yephoyinti Lokugcina Lomthwalo Womsebenzi (1)
Lena inketho yokuvikela i-kubernetes pods yakho. I-Calico isekela ukusebenza ne-Kubernetes NetworkPolicy, kodwa futhi inikeza izinqubomgomo ezengeziwe - i-Calico NetworkPolicy kanye ne-GlobalNetworkPolicy. I-Calico idala iketango le-pod ngayinye (umthwalo womsebenzi) namahhuku ku-INPUT kanye neketango LOKUPHUMA lomthwalo womsebenzi kuthebula lokuhlunga leketango PHAMBILI.
I-Host Endpoints
Inqubomgomo yephoyinti lokugcina lomsingathi (2)
Ngokungeziwe ku-CNI (isixhumanisi esibonakalayo senethiwekhi), izinqubomgomo ze-Calico zinikeza ikhono lokuvikela umsingathi ngokwakhe. Ku-Calico, ungakha iphoyinti lokugcina ngokucacisa inhlanganisela yesixhumi esibonakalayo somsingathi futhi, uma kunesidingo, izinombolo zembobo. Ukusebenzisa inqubomgomo yaleli bhizinisi kufinyelelwa kusetshenziswa ithebula lokuhlunga kumaketango we-INPUT kanye ne-OUTPUT. Njengoba ungabona emdwebeni, (2) asebenza ezinqubweni zasendaweni ku-node/umsingathi. Okusho ukuthi, uma udala inqubomgomo esebenza endaweni yokugcina yosokhaya, ngeke ithinte ithrafikhi eya/kusuka kumaphodi akho. Kodwa ihlinzeka ngesixhumi esibonakalayo/i-syntax eyodwa yokuvimbela ithrafikhi yomsingathi wakho nama-pods usebenzisa izinqubomgomo ze-Calico. Lokhu kwenza kube lula kakhulu inqubo yokuphatha izinqubomgomo zenethiwekhi ehlukahlukene. Ukulungisa izinqubomgomo zezindawo zokugcina zomsingathi ukuze kuthuthukiswe ukuphepha kweqoqo kungenye indaba ebalulekile yokusetshenziswa.
Inqubomgomo ye-ApplyOnForward (3)
Inketho ye-ApplyOnForward iyatholakala kunqubomgomo yenethiwekhi yomhlaba wonke ye-Calico ukuze kuvunyelwe izinqubomgomo ukuthi zisetshenziswe kuyo yonke ithrafikhi edlula endaweni yokugcina yosokhaya, okuhlanganisa ithrafikhi ezodluliselwa umsingathi. Lokhu kufaka ithrafikhi edluliselwa ku-pod yasendaweni nanoma yikuphi kwenye indawo kunethiwekhi. I-Calico idinga ukuthi lesi silungiselelo sinikwe amandla kuzinqubomgomo ezisebenzisa i-PreDNAT futhi ezingalandelelwe, bona izigaba ezilandelayo. Ngaphezu kwalokho, i-ApplyOnForward ingasetshenziselwa ukuqapha ithrafikhi yosokhaya ezimeni lapho kusetshenziswa umzila obonakalayo noma isofthiwe ye-NAT.
Qaphela ukuthi uma udinga ukusebenzisa inqubomgomo yenethiwekhi efanayo kuzo zombili izinqubo zosokhaya nama-pods, awudingi ukusebenzisa inketho ye-ApplyOnForward. Odinga ukukwenza nje ukudala ilebula ye-hostendpoint edingekayo kanye nendawo yokugcina umsebenzi (pod). I-Calico ihlakaniphe ngokwanele ukuze isebenzise inqubomgomo ngokusekelwe kumalebula, ngokunganaki uhlobo lwephoyinti lokugcina (iphoyinti lokusingatha noma umthwalo womsebenzi).
Inqubomgomo ye-PreDNAT (4)
Ku-Kubernetes, izimbobo zebhizinisi lesevisi zingavezwa ngaphandle kusetshenziswa inketho ye-NodePorts noma, ngokuzikhethela (uma usebenzisa i-Calico), ngokuzikhangisa kusetshenziswa ama-IP we-Cluster noma izinketho zama-IP zangaphandle. I-Kube-proxy ibhalansisa ithrafikhi engenayo eboshelwe kusevisi kuma-pods wesevisi ehambisanayo kusetshenziswa i-DNAT. Ngokunikezwa lokhu, uzisebenzisa kanjani izinqubomgomo zethrafikhi eza ngama-NodePorts? Ukuqinisekisa ukuthi lezi zinqubomgomo zisetshenziswa ngaphambi kokuthi ithrafikhi icutshungulwe yi-DNAT (okuyimephu phakathi komsingathi:imbobo nesevisi ehambisanayo), i-Calico inikeza ipharamitha ye-globalNetworkPolicy ebizwa ngokuthi "preDNAT: true".
Uma i-pre-DNAT inikwe amandla, lezi zinqubomgomo zisetshenziswa ku-(4) kumdwebo - kuthebula le-mangle le-PREROUTING chain - ngokushesha ngaphambi kwe-DNAT. Ukuhleleka okujwayelekile kwezinqubomgomo akulandelwa lapha, njengoba ukusetshenziswa kwalezi zinqubomgomo kwenzeka ngaphambi kwesikhathi kakhulu endleleni yokucubungula ithrafikhi. Kodwa-ke, izinqubomgomo ze-preDNAT zihlonipha ukuhleleka kokusetshenziswa phakathi kwazo.
Uma udala izinqubomgomo nge-pre-DNAT, kubalulekile ukuqaphela mayelana nethrafikhi ofuna ukuyicubungula futhi uvumele iningi ukuthi linqatshwe. Ithrafikhi emakwe ngokuthi 'ivumelekile' kunqubomgomo yangaphambi kwe-DNAT ngeke isabhekwa inqubomgomo ye-hostendpoint, kuyilapho ithrafikhi ehluleka inqubomgomo yangaphambi kwe-DNAT izoqhubeka ngamaketango asele.
I-Calico ikwenze kwaba isibopho ukunika amandla inketho ye-applyOnForward uma usebenzisa i-preDNAT, njengoba ngokwencazelo indawo yethrafikhi ayikakhethwa. Ithrafikhi ingaqondiswa kunqubo yomsingathi, noma ingadluliselwa ku-pod noma kwenye indawo.
Inqubomgomo Engalandelwanga (5)
Amanethiwekhi nezinhlelo zokusebenza zingaba nomehluko omkhulu ekuziphatheni. Kwezinye izimo ezimbi kakhulu, izinhlelo zokusebenza zingase zikhiqize ukuxhumana okuningi okuhlala isikhathi esifushane. Lokhu kungabangela ukuphikisana (ingxenye eyinhloko yesitaki senethiwekhi ye-Linux) ukuthi iphele inkumbulo. Ngokwesiko, ukuze usebenzise lezi zinhlobo zezinhlelo zokusebenza ku-Linux, kuzodingeka ulungiselele mathupha noma ukhubaze i-contrack, noma ubhale imithetho ye-iptables ukuze udlule i-contrack. Inqubomgomo engalandelwanga ku-Calico inketho elula nesebenza kahle uma ufuna ukucubungula ukuxhumana ngokushesha okukhulu. Isibonelo, uma usebenzisa i-mass noma njengesinyathelo esengeziwe sokuvikela .
Funda lokhu (noma ) ukuze uthole ulwazi olwengeziwe, okuhlanganisa ukuhlolwa kokusebenza kusetshenziswa inqubomgomo engalandelelwe.
Uma usetha inketho ethi "doNotTrack: true" ku-Calico globalNetworkPolicy, iba inqubomgomo **engalandelelwe** futhi isetshenziswa ngaphambi kwesikhathi epayipini lokucubungula iphakethe le-Linux. Uma ubheka umdwebo ongenhla, izinqubomgomo ezingalandeleliwe zisetshenziswa kumaketango e-PREROUTING kanye ne-OUTPUT kuthebula elingahluziwe ngaphambi kokuthi kuqalwe ukulandelwa kokuxhumeka (i-conntrack). Uma iphakethe livunyelwe yinqubomgomo engalandeleliwe, imakwa ukuze kukhubazwe ukulandela ngomkhondo koxhumano kulelo phakethe. Kusho ujuthi:
- Inqubomgomo engalandelwanga isetshenziswa ngokwesisekelo sephakethe ngalinye. Awukho umqondo wokuxhumana (noma ukugeleza). Ukuntuleka kokuxhumana kunemiphumela eminingana ebalulekile:
- Uma ufuna ukuvumela kokubili isicelo nethrafikhi yempendulo, udinga umthetho kukho kokubili okungenayo naphumayo (njengoba i-Calico ngokuvamile isebenzisa i-contrack ukumaka ithrafikhi yokuphendula njengokuvunyelwe).
- Inqubomgomo engalandelwanga ayisebenzi ku-Kubernetes imithwalo yomsebenzi (ama-pods), ngoba kulokhu ayikho indlela yokulandelela uxhumano oluphumayo kusuka ku-pod.
- I-NAT ayisebenzi ngendlela efanele ngamaphakethe angalandeliwe (njengoba i-kernel igcina imephu ye-NAT ngokuhlangana).
- Uma udlula umthetho othi "vumela konke" kunqubomgomo engalandelelwanga, wonke amaphakethe azomakwa njengangakhokhiwe. Lokhu cishe akukona okufunayo ngaso sonke isikhathi, ngakho-ke kubalulekile ukukhetha kakhulu amaphakethe avunyelwe izinqubomgomo ezingalandeleliwe (futhi uvumele ithrafikhi eminingi ukuthi idlule kuzinqubomgomo ezilandelwayo ezijwayelekile).
- Izinqubomgomo ezingalandelwanga zisetshenziswa ekuqaleni kwepayipi lokucubungula iphakethe. Lokhu kubaluleke kakhulu ukukuqonda lapho udala izinqubomgomo ze-Calico. Ungaba nenqubomgomo ye-pod ene-oda:1 kanye nenqubomgomo engalandelelwanga ene-oda:1000. Ngeke kube nandaba. Inqubomgomo Engalandelwanga izosetshenziswa ngaphambi kwenqubomgomo ye-pod. Izinqubomgomo ezingalandelwanga zihlonipha umyalelo wokubulawa kuphela phakathi kwazo.
Ngenxa yokuthi enye yezinjongo zenqubomgomo ye-doNotTrack iwukusebenzisa inqubomgomo kusenesikhathi epayipini lokucubungula iphakethe le-Linux, i-Calico ikwenza kube isibopho ukucacisa inketho ye-applyOnForward lapho usebenzisa i-doNotTrack. Ngokubhekisela kumdwebo wokucubungula iphakethe, qaphela ukuthi inqubomgomo engalandelwanga(5) isetshenziswa ngaphambi kwanoma yiziphi izinqumo zomzila. Ithrafikhi ingaqondiswa kunqubo yomsingathi, noma ingadluliselwa ku-pod noma kwenye indawo.
Imiphumela
Sibheke izinketho zenqubomgomo ezihlukahlukene (Iphoyinti lokugcina, i-ApplyOnForward, i-preDNAT, ne-Utracked) ku-Calico nokuthi zisetshenziswa kanjani endleleni yokucubungula iphakethe. Ukuqonda ukuthi basebenza kanjani kusiza ekwakheni izinqubomgomo ezisebenzayo neziphephile. Nge-Calico ungasebenzisa inqubomgomo yenethiwekhi yomhlaba wonke esebenza kulebula (iqembu lama-node nama-pods) futhi usebenzise izinqubomgomo ezinamapharamitha ahlukahlukene. Lokhu kuvumela ochwepheshe bezokuvikela nabaklama benethiwekhi ukuthi bavikele kalula "yonke into" (izinhlobo ze-endpoint) ngesikhathi esisodwa besebenzisa ulimi lwenqubomgomo olulodwa olunezinqubomgomo ze-Calico.
Abonga: Ngithanda ukubonga ΠΈ ukubuyekezwa kanye nolwazi olubalulekile.
Source: www.habr.com