calico

calico是一个安全的 L3 网络和网络策略提供者。

calico使用bgp的原因:why bgp not ospf

有关BGP rr的介绍

安装方式

标准托管安装(ETCD存储)

  • 需要提前安装etcd集群

# 创建calico连接etcd的secret
kubectl create secret generic calico-etcd-secrets \
--from-file=etcd-key=/etc/kubernetes/ssl/kubernetes-key.pem \
--from-file=etcd-cert=/etc/kubernetes/ssl/kubernetes.pem \
--from-file=etcd-ca=/etc/kubernetes/ssl/ca.pem

# 部署
kubectl create -f https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/calico.yaml

# rbac
kubectl apply -f https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/rbac.yaml

kubeadm 托管部署

依赖

  • k8s1.7+

  • 没有其他cni插件 (华为开源的CNI-Genie可以同时运行多个CNI)

  • --pod-network-cidr参数需要和calico ip pool保持一致

  • --service-cidr 不能和calico ip pool重叠

部署

kubectl apply -f https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml

Kubernetes 数据存储托管安装(不需要etcd)

依赖

  • 暂时不支持ipam,推荐使用 host-local ipam与pod cidr结合使用

  • 默认使用node-to-node mesh模式

  • k8s1.7+

  • 配置使用CNI

  • controller-manager配置cluster-cidr

部署

# rbac
kubectl create -f  https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml

# 部署
kubectl create -f https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml

仅使用网络策略

kubectl create -f https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.7/calico.yaml

canal旨在让用户能够轻松地将Calico和flannel网络作为一个统一的网络解决方案进行部署.

kubectl apply -f https://raw.githubusercontent.com/projectcalico/canal/master/k8s-install/1.7/rbac.yaml
kubectl apply -f https://raw.githubusercontent.com/projectcalico/canal/master/k8s-install/1.7/canal.yaml

配置

环境设置

# etcd数据存储
export ETCD_ENDPOINTS=http://xxx:2379
# k8s数据存储
export DATASTORE_TYPE=kubernetes KUBECONFIG=~/.kube/config

typha模式

k8s数据存储模式超过50各节点推荐启用typha,Typha组件可以帮助Calico扩展到大量的节点,而不会对Kubernetes API服务器造成过度的影响。
修改typha_service_name "none"改为"calico-typha"。

禁用snat

calicoctl get ipPool -o yaml | sed 's/natOutgoing: true/natOutgoing: false/g' | calicoctl apply -f -

关闭node-to-node mesh (节点网络全互联)

cat << EOF
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: false
  asNumber: 64512
EOF | calicoctl apply -f -

calicoctl node status

创建IP Pool

calicoctl get ippool default-ipv4-ippool -o yaml

配置bird服务

yum install bird
service bird start

cat >> /etc/bird.conf < EOF
log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
log stderr all;

# Override router ID
router id 172.26.6.1;


filter import_kernel {
if ( net != 0.0.0.0/0 ) then {
   accept;
   }
reject;
}

# Turn on global debugging of all protocols
debug protocols all;

# This pseudo-protocol watches all interface up/down events.
protocol device {
  scan time 2;    # Scan interfaces every 2 seconds
}

protocol bgp {
  description "172.26.6.2";
  local as 64512;
  neighbor 172.26.6.2 as 64512;
  multihop;
  rr client;
  graceful restart;
  import all;
  export all;
}
protocol bgp {
  description "172.26.6.3";
  local as 64512;
  neighbor 172.26.6.3 as 64512;
  multihop;
  rr client;
  graceful restart;
  import all;
  export all;
}
EOF

IP-IN-IP

calicoctl get ippool default-ipv4-ippool -o yaml > pool.yaml
# 修改Off/Always/CrossSubnet
calicoctl apply -f pool.yaml
例:
# 所有工作负载

$ calicoctl apply -f - << EOF
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: ippool-ipip-1
spec:
  cidr: 192.168.0.0/16
  ipipMode: Always
  natOutgoing: true
EOF

# CrossSubnet

$ calicoctl apply -f - << EOF
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: ippool-cs-1
spec:
  cidr: 192.168.0.0/16
  ipipMode: CrossSubnet
  natOutgoing: true
EOF


#通过修改配置文件环境变量
CALICO_IPV4POOL_IPIP 参数值 Off, Always, CrossSubnet
如果您的网络结构执行源/目标地址检查,并在未识别这些地址时丢弃流量,则可能需要启用工作负载间流量的IP-in-IP封装

bgp peer

查看状态

calicoctl node status

配置全局 bgp peer(rr)

cat << EOF | calicoctl create -f -
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: bgppeer-global-3040
spec:
  peerIP: 172.26.6.1
  asNumber: 64567
EOF

# 删除
$ calicoctl delete bgpPeer 172.26.6.1

特定 BGP peer

$ cat << EOF | calicoctl create -f -
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: bgppeer-node-aabbff
spec:
  peerIP: aa:bb::ff
  node: node1
  asNumber: 64514
EOF

calicoctl delete bgpPeer aa:bb::ff --scope=node --node=node1
calicoctl get bgpPeer

Last updated