Leo Zhang
菩提本无树,明镜亦非台!
Kubernetes实战总结 - 部署Calico网络

什么是Calico?

Calico是针对容器,虚拟机和基于主机的本机工作负载的开源网络和网络安全解决方案。

Calico支持广泛的平台,包括Kubernetes,OpenShift,Docker EE,OpenStack和裸机服务。

Calico将灵活的网络功能与无处不在的安全性实施相结合,以提供具有本地Linux内核性能和真正的云原生可扩展性的解决方案。

Calico为开发人员和集群运营商提供了一致的经验和功能集,无论是在公共云中还是本地运行,在单个节点上还是在数千个节点集群中运行。

 

两种网络模式

IPIP网络

流量:tunlo设备封装数据,形成隧道,承载流量。

适用网络类型:适用于互相访问的pod不在同一个网段中,跨网段访问的场景。外层封装的ip能够解决跨网段的路由问题。

效率:流量需要tunl0设备封装,效率略低。

 

BGP网络

流量:使用路由信息导向流量

适用网络类型:适用于互相访问的pod在同一个网段,适用于大型网络。

效率:原生hostGW,效率高。

 

更多参考>>> https://www.cnblogs.com/goldsunshine/p/10701242.html

 

部署安装

1)确保Calico可以在主机上进行管理calitunl接口,如果主机上存在NetworkManage,请配置NetworkManager。

NetworkManager会为默认网络名称空间中的接口操纵路由表,在该默认名称空间中,固定了Calico veth对以连接到容器,这可能会干扰Calico代理正确路由的能力。

在以下位置创建以下配置文件,以防止NetworkManager干扰接口:

vim /etc/NetworkManager/conf.d/calico.conf
[keyfile]
unmanaged-devices=interface-name:cali*;interface-name:tunl*

 

2)首先下载calica.yaml部署文件,然后更改 CALICO_IPV4POOL_IPIP 为 Never 使用 BGP 模式,

另外增加 IP_AUTODETECTION_METHOD 为 interface 使用匹配模式,默认是first-found模式,在复杂网络环境下还是有出错的可能。

wget https://docs.projectcalico.org/manifests/calico.yaml

vim calico.yaml

# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
  value: "k8s,bgp"
# IP automatic detection
- name: IP_AUTODETECTION_METHOD
  value: "interface=en.*"
# Auto-detect the BGP IP address.
- name: IP
  value: "autodetect"
# Enable IPIP
- name: CALICO_IPV4POOL_IPIP
  value: "Never"

 

你会看到以下输出:

configmap "calico-config" created
customresourcedefinition.apiextensions.k8s.io "felixconfigurations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "ipamblocks.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "blockaffinities.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "ipamhandles.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "bgppeers.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "bgpconfigurations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "ippools.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "hostendpoints.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "clusterinformations.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "globalnetworkpolicies.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "globalnetworksets.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "networksets.crd.projectcalico.org" created
customresourcedefinition.apiextensions.k8s.io "networkpolicies.crd.projectcalico.org" created
clusterrole.rbac.authorization.k8s.io "calico-kube-controllers" created
clusterrolebinding.rbac.authorization.k8s.io "calico-kube-controllers" created
clusterrole.rbac.authorization.k8s.io "calico-node" created
clusterrolebinding.rbac.authorization.k8s.io "calico-node" created
daemonset.extensions "calico-node" created
serviceaccount "calico-node" created
deployment.extensions "calico-kube-controllers" created
serviceaccount "calico-kube-controllers" created

 

3)使用以下命令确认所有Pod正在运行。

watch kubectl get pods --all-namespaces

等到每个calico全部Running即可。

NAMESPACE    NAME                                       READY  STATUS   RESTARTS  AGE
kube-system  calico-kube-controllers-6ff88bf6d4-tgtzb   1/1    Running  0         2m45s
kube-system  calico-node-24h85                          1/1    Running  0         2m43s
kube-system  calico-node-45k48                          1/1    Running  0         2m43s
kube-system  coredns-846jhw23g9-9af73                   1/1    Running  0         4m5s
kube-system  coredns-846jhw23g9-hmswk                   1/1    Running  0         4m5s
kube-system  etcd-jbaker-1                              1/1    Running  0         6m22s
kube-system  kube-apiserver-jbaker-1                    1/1    Running  0         6m12s
kube-system  kube-controller-manager-jbaker-1           1/1    Running  0         6m16s
kube-system  kube-proxy-8fzp2                           1/1    Running  0         5m16s
kube-system  kube-scheduler-jbaker-1                    1/1    Running  0         5m41s

按CTRL + C退出watch。

 

4)如果是切换网络插件,需要清理每个节点上之前残留的路由表和网桥,以避免和calico冲突。

ip link
ip link delete flannel.1
ip route
ip route delete 10.244.0.0/24 via 10.4.7.21 dev eth0

卸载其他网路插件之后,最好重启所有节点,这样系统会重置网卡规则,旧规则自动就会被清理了。 

 

故障排除和诊断

Errors when running sudo calicoctl

Error: calico/node is not ready: BIRD is not ready: BGP not established with 10.0.0.1

Linux conntrack table is out of space

 

 

作者:Leozhanggg

出处:https://www.cnblogs.com/leozhanggg/p/12930006.html

本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利。

 

posted on 2020-05-21 12:46  LeoZhanggg  阅读(13589)  评论(0编辑  收藏  举报

Copyright © 2024 LeoZhanggg
Powered by .NET 8.0 on Kubernetes Powered By博客园