因为Kubernetes官方用的flannel无法实现多租户环境下的网络隔离,建立起来的pod之间实际可以相互访问,而Calico可以实现,因此周末找个时间试了一下大概的过程。
前面的kubernetes安装掠过
Calico安装
下载yaml文件
http://docs.projectcalico.org/v2.3/getting-started/kubernetes/installation/hosted/calico.yaml
http://docs.projectcalico.org/v2.3/getting-started/kubernetes/installation/rbac.yaml
下载镜像文件
quay.io/calico/node:v1.3.0
quay.io
/calico/cni:v1.9.1
quay.io
/calico/kube-policy-controller:v0.6.0
# 国内镜像
jicki
/node:v1.3.0
jicki
/cni:v1.9.1
jicki
/kube-policy-controller:v0.6.0
修改calico.yaml的如下部分
etcd_endpoints: "https://192.168.44.108:2379" etcd_ca:
"/calico-secrets/etcd-ca" etcd_cert:
"/calico-secrets/etcd-cert" etcd_key:
"/calico-secrets/etcd-key"
# 这里面要写入 base64 的信息
# 分别执行括号内的命令,填写到 etcd
-key , etcd-cert, etcd-ca 中,不用括号。
data:
etcd
-key: (cat /etc/kubernetes/ssl/etcd-key.pem | base64 | tr -d '\n') etcd
-cert: (cat /etc/kubernetes/ssl/etcd.pem | base64 | tr -d '\n') etcd
-ca: (cat /etc/kubernetes/ssl/ca.pem | base64 | tr -d '\n')
- name: CALICO_IPV4POOL_CIDR value:
"10.233.0.0/16"
建立pod
[iyunv@k8s-master-1 ~]# kubectl apply -f calico.yaml
configmap
"calico-config" created
secret
"calico-etcd-secrets" created
daemonset
"calico-node" created
deployment
"calico-policy-controller" created
serviceaccount
"calico-policy-controller" created
serviceaccount
"calico-node" created
[iyunv@k8s
-master-1 ~]# kubectl apply -f rbac.yaml
验证,如果你只有一个node节点,calico-node应该是1,然后下面的calico-node也会相应少一个
[iyunv@k8s-master-1 calico]# kubectl get ds -n kube-system
NAME DESIRED CURRENT READY UP
-TO-DATE AVAILABLE NODE-SELECTOR AGE
calico
-node 2 2 2 2 2 <none> 41s
[iyunv@k8s
-master-1 calico]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
calico
-node-04kd8 2/2 Running 0 1m
calico
-node-pkbwq 2/2 Running 0 1m
calico
-policy-controller-4282960220-mcdm7 1/1 Running 0 1m
Kubelet和Kube-proxy
相应的node上的kubelet和kube-proxy的修改为
[iyunv@calico-node1 ~]# cat /etc/systemd/system/kubelet.service
[Unit]
Description
=kubernetes Kubelet
Documentation
=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/usr/local/bin/kubelet \
--address=192.168.44.109 \
--hostname-override=calico-node1 \
--pod-infra-container-image=docker.io/jicki/pause-amd64:3.0 \
--experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
--require-kubeconfig \
--cert-dir=/etc/kubernetes/ssl \
--cluster_dns=10.254.0.2 \
--cluster_domain=cluster.local. \
--hairpin-mode promiscuous-bridge \
--allow-privileged=true \
--serialize-image-pulls=false \
--logtostderr=true \
--cgroup-driver=systemd \
--network-plugin=cni \
--v=2
ExecStopPost=/sbin/iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 4194 -j ACCEPT
ExecStopPost=/sbin/iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 4194 -j ACCEPT
ExecStopPost=/sbin/iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 4194 -j ACCEPT
ExecStopPost=/sbin/iptables -A INPUT -p tcp --dport 4194 -j DROP
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
kube-proxy
[iyunv@calico-node1 ~]# cat /etc/systemd/system/kube-proxy.service
[Unit]
Description
=kubernetes Kube-Proxy Server
Documentation
=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
WorkingDirectory=/var/lib/kube-proxy
ExecStart=/usr/local/bin/kube-proxy \
--bind-address=192.168.44.109 \
--hostname-override=calico-node1 \
--cluster-cidr=10.254.0.0/16 \
--kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig \
--logtostderr=true \
--v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
安装calicoctl
下载
https://github.com/projectcalico/calicoctl/releases/download/v1.3.0/calicoctl
[iyunv@k8s-master-1 ~]# mv calicoctl /usr/local/bin
[iyunv@k8s
-master-1 ~]# cd /usr/local/bin
[iyunv@k8s
-master-1 ~]# chmod +x calicoctl
[iyunv@k8s
-master-1 ~]# calicoctl version
Version: v1.
3.0
Build date:
Git commit: d2babb6
## 创建 calicoctl 配置文件
# 配置文件, 在 安装了 calico 网络的 机器下
[iyunv@k8s
-master-1 ~]# mkdir /etc/calico
[iyunv@k8s
-master-1 ~]# vi /etc/calico/calicoctl.cfg
apiVersion: v1
kind: calicoApiConfig
metadata:
spec:
datastoreType:
"etcdv2" etcdEndpoints:
"https://192.168.44.108:2379" etcdKeyFile:
"/etc/kubernetes/ssl/etcd-key.pem" etcdCertFile:
"/etc/kubernetes/ssl/etcd.pem" etcdCACertFile:
"/etc/kubernetes/ssl/ca.pem"
# 查看 calico 状态
[iyunv@k8s
-master-2 ~]# calicoctl node status
Calico process
is running.
IPv4 BGP status
+--------------+-------------------+-------+----------+-------------+
| PEER ADDRESS | PEER TYPE | STATE | SINCE | INFO |
+--------------+-------------------+-------+----------+-------------+
| 10.6.0.188 | node-to-node mesh | up | 10:05:39 | Established |
+--------------+-------------------+-------+----------+-------------+
这里要注意下,查看节点状态需要在安装calico pod的机器上运行,如果只有一个node,会显示找不到ipv4 BGP,折腾了很久一直出不来这个表,后来又安装了一个节点后就出来了,双方指到各自的地址。
网络策略
我用一个节点验证
先建立namespace
apiVersion: v1
kind: Namespace
metadata:
name: ns
-calico1 labels:
user: calico1
---
apiVersion: v1
kind: Namespace
metadata:
name: ns
-calico2
然后创建一个nginx,使用了一个user:ericnie的label.
[iyunv@calico-master calico]# cat nginx.yaml
apiVersion: extensions
/v1beta1
kind: Deployment
metadata:
name: ca1
-nginxnamespace: ns-calico2
spec:
replicas:
1 template:
metadata:
labels:
name: nginx
user: ericnie
spec:
containers:
- name: nginx image: nginx:alpine
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: ca1-nginx-svc
namespace: ns-calico2
labels:
user: ericnie
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
name: nginx
再建立一个tomcat的pod,用来访问nginx
[iyunv@calico-master calico]# cat tomcat.yaml
apiVersion: extensions
/v1beta1
kind: Deployment
metadata:
name: tomcat
namespace: ns-calico2 labels:
user: ericnie
spec:
replicas:
1 template:
metadata:
labels:
name: tomcat
spec:
containers:
- name: tomcat image: tomcat:
9.0-jre8 imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
从tomcat中访问nginx,无论tomcat是否是ns-calico2的namespace都是联通的。
[iyunv@calico-master calico]# kubectl get pods -n ns-calico2 -o wide
NAME READY STATUS RESTARTS AGE IP NODE
ca1
-nginx-2981719527-9zxw6 1/1 Running 0 23m 10.233.63.139 calico-node1
tomcat
-3717491931-b5tl5 1/1 Running 0 23m 10.233.63.140 calico-node1
[iyunv@calico
-master calico]# kubectl exec -it tomcat-3717491931-b5tl5 -n ns-calico2 bash
root@tomcat
-3717491931-b5tl5:/usr/local/tomcat# curl http://10.233.63.139
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
现在修改一下ns-calico2的策略,也就是当前缺省会拒绝任何pod的访问。
[iyunv@calico-master calico]# cat ns-calico2.yaml
apiVersion: v1
kind: Namespace
metadata:
name: ns
-calico2 labels:
user: ericnie
annotations:
net.beta.kubernetes.io
/network-policy: | {
"ingress": {"isolation": "DefaultDeny" }
}
通过tomcat pod验证,确实访问不了
再建立一个策略,允许有label, user: ericnie的pod进行访问
[iyunv@calico-master calico]# cat net-policy.yaml
apiVersion: extensions
/v1beta1
kind: NetworkPolicy
metadata:
name: calico1
-network-policynamespace: ns-calico2
spec:
podSelector:
matchLabels:
user: ericnie
ingress:
- from:- namespaceSelector: matchLabels:
user: ericnie
- podSelector: matchLabels:
user: ericnie
建立起来以后验证,tomcat pod又能访问nginx了.
谢谢下面文章的指导
https://jicki.me/2017/07/25/kubernetes-1.7.2/#calico-%E7%BD%91%E7%BB%9C
http://blog.csdn.net/qq_34463875/article/details/74288175
运维网声明
1、欢迎大家加入本站运维交流群:群②:261659950 群⑤:202807635 群⑦870801961 群⑧679858003
2、本站所有主题由该帖子作者发表,该帖子作者与运维网 享有帖子相关版权
3、所有作品的著作权均归原作者享有,请您和我们一样尊重他人的著作权等合法权益。如果您对作品感到满意,请购买正版
4、禁止制作、复制、发布和传播具有反动、淫秽、色情、暴力、凶杀等内容的信息,一经发现立即删除。若您因此触犯法律,一切后果自负,我们对此不承担任何责任
5、所有资源均系网友上传或者通过网络收集,我们仅提供一个展示、介绍、观摩学习的平台,我们不对其内容的准确性、可靠性、正当性、安全性、合法性等负责,亦不承担任何法律责任
6、所有作品仅供您个人学习、研究或欣赏,不得用于商业或者其他用途,否则,一切后果均由您自己承担,我们对此不承担任何法律责任
7、如涉及侵犯版权等问题,请您及时通知我们,我们将立即采取措施予以解决
8、联系人Email:admin@iyunv.com 网址:www.yunweiku.com