calico 架构
组件清单
组件 | 版本 |
---|---|
k8s集群 | 1.14 |
calico-kube-controller | 3.8.9 |
calico-node | 3.8.9 |
calicoctl | 3.8.9 |
docker | 18.09.6 |
etcd | v3 |
其中calico-node 包含了相同版本的CNI(即calico-cni 和calico-ipam)
基本架构图
基本架构基于calico-BGP 的网络互联方式,BGP 互联地址 && Node管理IP都在同一网段,避免和业务网段冲突
部署
部署方式使用容器化部署,配置文件采用configmap+secretmap方式进行部署
资源文件:https://docs.projectcalico.org/v3.8/manifests/calico-etcd.yaml
a. calico配置
--- # secretmap,主要存放etcd的TLS的加密配置,获取方式:cat| base64 -w 0 apiVersion: v1 kind: Secret type: Opaque metadata: name: calico-etcd-secrets namespace: kube-system data: # Populate the following with etcd TLS configuration if desired, but leave blank if # not using TLS for etcd. # The keys below should be uncommented and the values populated with the base64 # encoded contents of each file that would be associated with the TLS data. # Example command for encoding a file contents: cat| base64 -w 0 # etcd-key: null # etcd-cert: null # etcd-ca: null --- # configmap, calico的基本配置,包含CNI的配置 kind: ConfigMap apiVersion: v1 metadata: name: calico-config namespace: kube-system data: # Configure this with the location of your etcd cluster. etcd_endpoints: "http://:" # If you're using TLS enabled etcd uncomment the following. # You must also populate the Secret below with these files. etcd_ca: "" # "/calico-secrets/etcd-ca" etcd_cert: "" # "/calico-secrets/etcd-cert" etcd_key: "" # "/calico-secrets/etcd-key" # Typha is disabled. typha_service_name: "none" # Configure the backend to use. calico_backend: "bird" # Configure the MTU to use veth_mtu: "1440" # The CNI network configuration to install on each node. The special # values in this config will be automatically populated. cni_network_config: |- { "name": "k8s-pod-network", "cniVersion": "0.3.1", "plugins": [ { "type": "calico", "log_level": "info", "etcd_endpoints": "__ETCD_ENDPOINTS__", "etcd_key_file": "__ETCD_KEY_FILE__", "etcd_cert_file": "__ETCD_CERT_FILE__", "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__", "mtu": __CNI_MTU__, "ipam": { "type": "calico-ipam" }, "policy": { "type": "k8s" }, "kubernetes": { "kubeconfig": "__KUBECONFIG_FILEPATH__" } }, { "type": "portmap", "snat": true, "capabilities": {"portMappings": true} } ] }
b. calico-node
calico 采用daemonset 部署,采用的是默认的nodeSelector–>beta.kubernetes.io/os: linux, 部署calico-node 会在部署时候在node 安装对应的cni 和 calico ipam 插件,默认通过容器的本地文件系统映射到物理服务器的对应目录,node启动完在本地的/opt/cni/bin 下可以找到对应的二进制文件,yml 里定义的ipv4pool 是默认的ipv4 ippool,可以不进行修改,在calico 部署完成后编写对应的ippool 资源文件创建实际使用的,另外需要禁用ipip, CALICO_IPV4POOL_IPIP 改为off.
kind: DaemonSet apiVersion: apps/v1 metadata: name: calico-node namespace: kube-system labels: k8s-app: calico-node spec: selector: matchLabels: k8s-app: calico-node updateStrategy: type: RollingUpdate rollingUpdate: maxUnavailable: 1 template: metadata: labels: k8s-app: calico-node annotations: # This, along with the CriticalAddonsOnly toleration below, # marks the pod as a critical add-on, ensuring it gets # priority scheduling and that its resources are reserved # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' spec: nodeSelector: beta.kubernetes.io/os: linux hostNetwork: true tolerations: # Make sure calico-node gets scheduled on all nodes. - effect: NoSchedule operator: Exists # Mark the pod as a critical add-on for rescheduling. - key: CriticalAddonsOnly operator: Exists - effect: NoExecute operator: Exists serviceAccountName: calico-node # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. terminationGracePeriodSeconds: 0 priorityClassName: system-node-critical initContainers: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni image: calico/cni:v3.8.9 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. - name: CNI_CONF_NAME value: "10-calico.conflist" # The CNI network config to install on each node. - name: CNI_NETWORK_CONFIG valueFrom: configMapKeyRef: name: calico-config key: cni_network_config # The location of the etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-config key: etcd_endpoints # CNI MTU Config variable - name: CNI_MTU valueFrom: configMapKeyRef: name: calico-config key: veth_mtu # Prevents the container from sleeping forever. - name: SLEEP value: "false" volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir - mountPath: /host/etc/cni/net.d name: cni-net-dir - mountPath: /calico-secrets name: etcd-certs securityContext: privileged: true # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver image: calico/pod2daemon-flexvol:v3.8.9 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver securityContext: privileged: true containers: # Runs calico-node container on each Kubernetes node. This # container programs network policy and routes on each # host. - name: calico-node image: calico/node:v3.8.9 env: # The location of the etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-config key: etcd_endpoints # Location of the CA certificate for etcd. - name: ETCD_CA_CERT_FILE valueFrom: configMapKeyRef: name: calico-config key: etcd_ca # Location of the client key for etcd. - name: ETCD_KEY_FILE valueFrom: configMapKeyRef: name: calico-config key: etcd_key # Location of the client certificate for etcd. - name: ETCD_CERT_FILE valueFrom: configMapKeyRef: name: calico-config key: etcd_cert # Set noderef for node controller. - name: CALICO_K8S_NODE_REF valueFrom: fieldRef: fieldPath: spec.nodeName # Choose the backend to use. - name: CALICO_NETWORKING_BACKEND valueFrom: configMapKeyRef: name: calico-config key: calico_backend # Cluster type to identify the deployment type - name: CLUSTER_TYPE value: "k8s,bgp" # Auto-detect the BGP IP address. - name: IP value: "autodetect" # Enable IPIP - name: CALICO_IPV4POOL_IPIP value: "Off" # Set MTU for tunnel device used if ipip is enabled - name: FELIX_IPINIPMTU valueFrom: configMapKeyRef: name: calico-config key: veth_mtu # The default IPv4 pool to create on startup if none exists. Pod IPs will be # chosen from this range. Changing this value after installation will have # no effect. This should fall within `--cluster-cidr`. - name: CALICO_IPV4POOL_CIDR value: "192.168.0.0/16" # Disable file logging so `kubectl logs` works. - name: CALICO_DISABLE_FILE_LOGGING value: "true" # Set Felix endpoint to host default action to ACCEPT. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: "ACCEPT" # Disable IPv6 on Kubernetes. - name: FELIX_IPV6SUPPORT value: "false" # Set Felix logging to "info" - name: FELIX_LOGSEVERITYSCREEN value: "info" - name: FELIX_HEALTHENABLED value: "true" securityContext: privileged: true resources: requests: cpu: 250m livenessProbe: exec: command: - /bin/calico-node - -felix-live - -bird-live periodSeconds: 10 initialDelaySeconds: 10 failureThreshold: 6 readinessProbe: exec: command: - /bin/calico-node - -bird-ready - -felix-ready periodSeconds: 10 volumeMounts: - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /run/xtables.lock name: xtables-lock readOnly: false - mountPath: /var/run/calico name: var-run-calico readOnly: false - mountPath: /var/lib/calico name: var-lib-calico readOnly: false - mountPath: /calico-secrets name: etcd-certs - name: policysync mountPath: /var/run/nodeagent volumes: # Used by calico-node. - name: lib-modules hostPath: path: /lib/modules - name: var-run-calico hostPath: path: /var/run/calico - name: var-lib-calico hostPath: path: /var/lib/calico - name: xtables-lock hostPath: path: /run/xtables.lock type: FileOrCreate # Used to install CNI. - name: cni-bin-dir hostPath: path: /opt/cni/bin - name: cni-net-dir hostPath: path: /etc/cni/net.d # Mount in the etcd TLS secrets with mode 400. # See https://kubernetes.io/docs/concepts/configuration/secret/ - name: etcd-certs secret: secretName: calico-etcd-secrets defaultMode: 0400 # Used to create per-pod Unix Domain Sockets - name: policysync hostPath: type: DirectoryOrCreate path: /var/run/nodeagent # Used to install Flex Volume Driver - name: flexvol-driver-host hostPath: type: DirectoryOrCreate path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds ---
c. calico-kube-controllers
kube-controller 用于管理所有的BGP路由,node信息, 直接deployment部署即可, 网络通过hostNetwork 暴露服务,由于controller均通过etcd 进行信息注册,拉取,所以本地不必暴露端口
apiVersion: apps/v1 kind: Deployment metadata: name: calico-kube-controllers namespace: kube-system labels: k8s-app: calico-kube-controllers spec: # The controllers can only have a single active instance. replicas: 1 selector: matchLabels: k8s-app: calico-kube-controllers strategy: type: Recreate template: metadata: name: calico-kube-controllers namespace: kube-system labels: k8s-app: calico-kube-controllers annotations: scheduler.alpha.kubernetes.io/critical-pod: '' spec: nodeSelector: beta.kubernetes.io/os: linux tolerations: # Mark the pod as a critical add-on for rescheduling. - key: CriticalAddonsOnly operator: Exists - key: node-role.kubernetes.io/master effect: NoSchedule serviceAccountName: calico-kube-controllers priorityClassName: system-cluster-critical # The controllers must run in the host network namespace so that # it isn't governed by policy that would prevent it from working. hostNetwork: true containers: - name: calico-kube-controllers image: calico/kube-controllers:v3.8.9 env: # The location of the etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-config key: etcd_endpoints # Location of the CA certificate for etcd. - name: ETCD_CA_CERT_FILE valueFrom: configMapKeyRef: name: calico-config key: etcd_ca # Location of the client key for etcd. - name: ETCD_KEY_FILE valueFrom: configMapKeyRef: name: calico-config key: etcd_key # Location of the client certificate for etcd. - name: ETCD_CERT_FILE valueFrom: configMapKeyRef: name: calico-config key: etcd_cert # Choose which controllers to run. - name: ENABLED_CONTROLLERS value: policy,namespace,serviceaccount,workloadendpoint,node volumeMounts: # Mount in the etcd TLS secrets. - mountPath: /calico-secrets name: etcd-certs readinessProbe: exec: command: - /usr/bin/check-status - -r volumes: # Mount in the etcd TLS secrets with mode 400. # See https://kubernetes.io/docs/concepts/configuration/secret/ - name: etcd-certs secret: secretName: calico-etcd-secrets defaultMode: 0400
d. rbac
剩下的都是K8S的一些rbac的权限资源以及一些serviceaccount的资源,直接apply即可,上述搭建只需要修改掉etcd的TLS加密配置,关闭IPIP,直接apply calico-etcd.yaml,需要特殊修改的话可以修改对应的label和路径。
配置
calico的网络互联架构一般分2类,一类是node-to-node-mesh,意思就是所有的calico-node 互相互建BGP邻居,当节点在100个以内的情况下,可以使用,因为配置非常简单,但当节点大于100 个的时候,不建议使用这种网状的网络结构,首先路由数量就很多,所有节点互联同样也会导致出现故障后很难进行快速排查,另外一类是Route Reflector, 通过K8S的标签技术指定1台或者多台node 作为RR,该AS内的所有节点会和该RR进行BGP邻居的建立,使n-t-n-m的网状网络变成星状网络了,并且部署多台RR同样也可以解决冗余等问题。
关闭node-to-node-mesh
首先关闭node-to-node-mesh模式,该操作前请确保集群内没有业务在跑,一旦关闭,pod会瞬间断网
cat rr_mode.yaml: apiVersion: projectcalico.org/v3 kind: BGPConfiguration metadata: name: default spec: logServerityScreen: Info nodeToNodeMeshEnabled: false asNumber: 64512 calicoctl apply -f rr_mode.yaml
配置rr节点
在配置节点作为RR的时候,需要给node打标签,可以自定义,表明这台node开启rr,后续需要使用,这里使用route-reflector作为label
cat rr01.yaml apiVersion: projectcalico.org/v3 kind: Node metadata: creationTimestamp: null name: sa-k8s001.stg.bx labels: route-reflector: true spec: bgp: ipv4Address: 21.68.137.248/23 routeReflectorClusterID: 224.0.0.1 orchRefs: - nodeName: sa-k8smaster001 orchestrator: k8s calicoctl apply -f rr01.yaml
配置全局BGPPeer
配置全局BGP PEER,选定所有node,peer 选择所有node标签route-reflector = true的node节点
cat peerWithRR.yaml: apiVersion: projectcalico.org/v3 kind: BGPPeer metadata: name: peer-with-rr spec: nodeSelector: all() peerSelector: route-reflector == 'true' calicoctl apply -f peerWithRR.yaml
配置RR和交换机互联
交换机的互联地址需要提前规划好,并在calico的ipam所在etcd内挖掉对应IP
cat peerToSw.yaml: apiVersion: projectcalico.org/v3 kind: BGPPeer metadata: name: peer-to-switch spec: peerIP: 21.68.137.240 nodeSelector: route-reflector == 'true' asNumber : 64512 calicoctl apply -f peerToSw.yaml