# Kubernetes Network

1. In what form should Kubernetes Network enter a Kubernetes cluster?
2. In which communication scenarios does Kubernetes Network need to solve networking problems?
3. What is the design logic of CNI in Kubernetes Network?
4. How can you try to design your own CNI?

## 1. Kubernetes network model
We know that the original Kubernetes architecture did not invest much R&D effort in networking, which is why we see such a profusion of solutions in the community. The networking specification itself lives at https://github.com/containernetworking/cni. Notable third-party CNI plugins are listed below:

1. Project Calico - a layer 3 virtual network
2. Weave - a multi-host Docker network
3. Contiv Networking - policy networking for various use cases
4. SR-IOV
5. Cilium - BPF & XDP for containers
6. Infoblox - enterprise IP address management for containers
7. Multus - a Multi plugin
8. Romana - Layer 3 CNI plugin supporting network policy for Kubernetes
9. CNI-Genie - generic CNI network plugin
10. Nuage CNI - Nuage Networks SDN plugin for network policy kubernetes support
11. Silk - a CNI plugin designed for Cloud Foundry
12. Linen - a CNI plugin designed for overlay networks with Open vSwitch and fit in SDN/OpenFlow network environment
13. Vhostuser - a Dataplane network plugin - Supports OVS-DPDK & VPP
14. Amazon ECS CNI Plugins - a collection of CNI Plugins to configure containers with Amazon EC2 elastic network interfaces (ENIs)
15. Bonding CNI - a Link aggregating plugin to address failover and high availability network
16. ovn-kubernetes - a container network plugin built on Open vSwitch (OVS) and Open Virtual Networking (OVN) with support for both Linux and Windows
17. Juniper Contrail / TungstenFabric - Provides overlay SDN solution, delivering multicloud networking, hybrid cloud networking, simultaneous overlay-underlay support, network policy enforcement, network isolation, service chaining and flexible load balancing
18. Knitter - a CNI plugin supporting multiple networking for Kubernetes
19. DANM - a CNI-compliant networking solution for TelCo workloads running on Kubernetes
20. VMware NSX - a CNI plugin that enables automated NSX L2/L3 networking and L4/L7 Load Balancing; network isolation at the pod, node, and cluster level; and zero-trust security policy for your Kubernetes cluster
21. cni-route-override - a meta CNI plugin that overrides route information
22. Terway - a collection of CNI Plugins based on alibaba cloud VPC/ECS network product
23. Cisco ACI CNI - for on-prem and cloud container networking with consistent policy and security model
24. Kube-OVN - a CNI plugin that is based on OVN/OVS and provides advanced features like subnet, static ip, ACL, QoS, etc.
25. Project Antrea - an Open vSwitch k8s CNI
26. OVN4NFV-K8S-Plugin - an OVN based CNI controller plugin to provide cloud native based Service function chaining (SFC), Multiple OVN overlay networking
27. Azure CNI - a CNI plugin that natively extends Azure Virtual Networks to containers

The CNI team also maintains some core plugins in a separate repository.

Another site we need to pay attention to is https://www.cni.dev/docs/, which has a more detailed description for reference.
## 2. Communication scenarios that Kubernetes Network must solve

From our existing OpenStack experience, the scenarios we usually have to solve are:

1. Communication between different VMs on the same local host.
2. Communication between VMs on this node and the outside world.
3. Communication between VMs on different hosts.

In one sentence: we need to solve the east-west and north-south traffic of VMs. A distributed resource-management platform such as Kubernetes inevitably faces the same requirements, so we need to solve the north-south and east-west traffic of Pods. The difference is that a Kubernetes cluster introduces a special object, the Service, so we also need to understand communication with Services; but Service traffic ultimately comes down to Pod-to-Pod communication, which is why this module has to be understood thoroughly. In OpenStack, external traffic goes through the vRouter; Kubernetes needs an equivalent capability, for example the Ingress object. This is a rough comparison and perhaps not entirely appropriate, but it shows that distributed resource-management platforms approach these general problems from the same angle.
## 3. Kubernetes Network and CNI

We know that networking enters Kubernetes in the form of CNI. This design is especially prominent in Kubernetes: CRI, CNI, CSI and so on are all presented as plugins; we will not discuss the benefits here. Let us focus on the structure of Kubernetes CNI. Every CNI we encounter or know is presented to the user as three parts:

1. CNI self-description [how a CNI defines itself]
2. CNI operation [how network resources are created]
3. IPAM [how addresses are managed]

### 3.1 How a CNI defines itself

The corresponding directory is /etc/cni/net.d:

```
[root@k8s-1 net.d]# ll
total 4
[root@k8s-1 net.d]# ll
total 8
-rw-r--r-- 1 root root  656 Nov 23 18:39 10-calico.conflist
-rw------- 1 root root 2676 Nov 23 18:39 calico-kubeconfig
[root@k8s-1 net.d]#
[root@k8s-1 net.d]# pwd
/etc/cni/net.d
[root@k8s-1 net.d]#
```

The file in this directory is the configuration file that defines this particular CNI. Almost all CNI configuration files look roughly like this, so this shape is worth memorizing: it helps a lot when reading other CNIs.

```
[root@k8s-1 net.d]# cat 10-calico.conflist
{
  "name": "k8s-pod-network",
  "cniVersion": "0.3.1",
  "plugins": [
    {
      "type": "calico",
      "log_level": "info",
      "log_file_path": "/var/log/calico/cni/cni.log",
      "datastore_type": "kubernetes",
      "nodename": "k8s-1",
      "mtu": 0,
      "ipam": {
        "type": "calico-ipam"
      },
      "policy": {
        "type": "k8s"
      },
      "kubernetes": {
        "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
      }
    },
    {
      "type": "portmap",
      "snat": true,
      "capabilities": {
        "portMappings": true
      }
    },
    {
      "type": "bandwidth",
      "capabilities": {
        "bandwidth": true
      }
    }
  ]
}
```

Where is the official source for this?

- https://www.cni.dev/docs/spec/
- https://kubernetes.io/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/

The individual fields and their descriptions are on those pages and are not repeated here. The point is to get a rough overview, a general idea of the shape, which can then be used to understand other CNIs.

### 3.2 CNI operation [how network resources are created]

From existing knowledge we know that in Linux the basis of communication is a veth pair, a route, iptables, a bridge and so on; these objects are the foundation of communication in Linux. The details of how they communicate are not covered here and will be described in detail in the Cilium material. What we need to know is that we need these objects, so creating them is the other capability of a CNI: it builds the "virtual links" needed for communication. That means performing ADD, DEL and similar operations, so a binary executable naturally emerges; in fact every CNI implementation follows this pattern, and these binaries add the "virtual links" we need. A CNI can of course call another CNI in turn, for example x-CNI calling m-CNI; this case is not covered here and will be described with Multus. The overall goal is simply to build these "virtual links". For example:

```
[root@k8s-1 bin]# pwd
/opt/cni/bin
[root@k8s-1 bin]# ll
total 167524
-rwxr-xr-x  1 root root  4159518 Nov 23 18:39 bandwidth
-rwxr-xr-x. 1 root root  3581192 Sep 10  2020 bridge
-rwxr-xr-x  1 root root 36564992 Nov 23 18:39 calico       # e.g. the calico plugin in our cluster
-rwxr-xr-x  1 root root 36564992 Nov 23 18:39 calico-ipam  #
-rwxr-xr-x. 1 root root  9837552 Sep 10  2020 dhcp
-rwxr-xr-x. 1 root root  4699824 Sep 10  2020 firewall
-rwxr-xr-x  1 root root  3069556 Nov 23 18:39 flannel
-rwxr-xr-x. 1 root root  3274160 Sep 10  2020 host-device
-rwxr-xr-x  1 root root  3614480 Nov 23 18:39 host-local
-rwxr-xr-x  1 root root 36564992 Nov 23 18:39 install
-rwxr-xr-x. 1 root root  3377272 Sep 10  2020 ipvlan
-rwxr-xr-x  1 root root  3209463 Nov 23 18:39 loopback
-rwxr-xr-x. 1 root root  3440168 Sep 10  2020 macvlan
-rwxr-xr-x  1 root root  3939867 Nov 23 18:39 portmap
-rwxr-xr-x. 1 root root  3528800 Sep 10  2020 ptp
-rwxr-xr-x. 1 root root  2849328 Sep 10  2020 sbr
-rwxr-xr-x. 1 root root  2503512 Sep 10  2020 static
-rwxr-xr-x  1 root root  3356587 Nov 23 18:39 tuning
-rwxr-xr-x. 1 root root  3377120 Sep 10  2020 vlan
[root@k8s-1 bin]#
```

So after installing a new CNI we see both /opt/cni/bin and /etc/cni/net.d populated. We can summarize as follows:

### 3.3 IPAM [how addresses are managed]

Once we have these "virtual links", there is still one very important object: the IP address and everything related to it. In CNI this is called CNI IPAM (IP address allocation). The reference IPAM plugins are:

- dhcp: runs a daemon on the host to make DHCP requests on behalf of a container
- host-local: maintains a local database of allocated IPs
- static: allocates static IPv4/IPv6 addresses to containers
- whereabouts: a cluster-wide IPAM tool

From: https://www.cni.dev/plugins/current/ipam/host-local/

Here is a demo (the host-local configuration from the page above):

```json
{
  "ipam": {
    "type": "host-local",
    "ranges": [
      [
        {
          "subnet": "10.10.0.0/16",
          "rangeStart": "10.10.1.20",
          "rangeEnd": "10.10.3.50",
          "gateway": "10.10.0.254"
        },
        {
          "subnet": "172.16.5.0/24"
        }
      ],
      [
        {
          "subnet": "3ffe:ffff:0:01ff::/64",
          "rangeStart": "3ffe:ffff:0:01ff::0010",
          "rangeEnd": "3ffe:ffff:0:01ff::0020"
        }
      ]
    ],
    "routes": [
      { "dst": "0.0.0.0/0" },
      { "dst": "192.168.0.0/16", "gw": "10.10.5.1" },
      { "dst": "3ffe:ffff:0:01ff::1/64" }
    ],
    "dataDir": "/run/my-orchestrator/container-ipam-state"
  }
}
```

From: https://www.cni.dev/plugins/current/ipam/host-local/

Here we focus on two commonly used IPAMs: static and whereabouts.

- https://www.cni.dev/plugins/current/ipam/host-local/
- https://github.com/k8snetworkplumbingwg/whereabouts
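To make the ADD/DEL contract from section 3.2 and the host-local range configuration above concrete, here is an added example (not code from this page or from the CNI project) of a minimal IPAM plugin: it reads the network config from stdin, dispatches on CNI_COMMAND, reserves the first free address of the first range under dataDir, and releases it again on DEL. The "name", "type" and "cniVersion" fields of DEMO_CONF are assumptions; the demo on the page only shows the "ipam" fragment.

```python
import ipaddress, json, os, sys

# Constructed config built around the host-local demo quoted above (that demo is only the
# "ipam" fragment; "name", "type" and "cniVersion" are assumed here).
DEMO_CONF = {"cniVersion": "0.4.0", "name": "demo-net", "type": "mini-ipam",
             "ipam": {"type": "host-local", "dataDir": "/run/my-orchestrator/container-ipam-state",
                      "routes": [{"dst": "0.0.0.0/0"}],
                      "ranges": [[{"subnet": "10.10.0.0/16", "rangeStart": "10.10.1.20",
                                   "rangeEnd": "10.10.3.50", "gateway": "10.10.0.254"}]]}}

def state_dir(conf):  # host-local keeps one file per allocated IP under <dataDir>/<network name>
    return os.path.join(conf["ipam"].get("dataDir", "/var/lib/cni/networks"), conf["name"])

def allocate(conf, container_id, ifname="eth0"):
    """ADD: reserve the first free address of the first range, host-local style."""
    rng = conf["ipam"]["ranges"][0][0]
    net = ipaddress.ip_network(rng["subnet"], strict=False)
    ip = ipaddress.ip_address(rng.get("rangeStart", net.network_address + 1))
    last = ipaddress.ip_address(rng.get("rangeEnd", net.broadcast_address - 1))
    gw = ipaddress.ip_address(rng.get("gateway", net.network_address + 1))
    os.makedirs(state_dir(conf), exist_ok=True)
    taken = set(os.listdir(state_dir(conf)))
    while ip <= last:
        if ip != gw and str(ip) not in taken:
            with open(os.path.join(state_dir(conf), str(ip)), "w") as f:
                f.write(f"{container_id}\n{ifname}")  # record the owner, as host-local does
            return {"cniVersion": conf["cniVersion"], "routes": conf["ipam"].get("routes", []),
                    "ips": [{"address": f"{ip}/{net.prefixlen}", "gateway": str(gw)}]}
        ip += 1
    raise RuntimeError(f"no free address left in {rng['subnet']}")

def release(conf, container_id):
    """DEL: free every reservation owned by this container; a no-op when none exist."""
    freed = []
    for name in (os.listdir(state_dir(conf)) if os.path.isdir(state_dir(conf)) else []):
        path = os.path.join(state_dir(conf), name)
        with open(path) as f: owner = f.readline().strip()
        if owner == container_id:
            os.remove(path); freed.append(name)
    return sorted(freed)

def main():  # the runtime passes the verb in CNI_COMMAND and the network config on stdin
    conf, cmd = json.load(sys.stdin), os.environ.get("CNI_COMMAND")
    if cmd == "ADD":
        print(json.dumps(allocate(conf, os.environ["CNI_CONTAINERID"], os.environ.get("CNI_IFNAME", "eth0"))))
    elif cmd == "DEL":
        release(conf, os.environ["CNI_CONTAINERID"])
    else:  # unknown or missing verb: CNI error code 4 (invalid environment variables)
        print(json.dumps({"cniVersion": "0.4.0", "code": 4, "msg": f"unsupported CNI_COMMAND {cmd!r}"})); sys.exit(1)

if __name__ == "__main__": main()
```

Note that DEL is deliberately idempotent: the runtime may call it more than once for the same container, and a second call must not fail or free someone else's address.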
## 4. How to implement a CNI?
https://www.altoros.com/blog/kubernetes-networking-writing-your-own-simple-cni-plug-in-with-bash/

Here we cite a post from abroad.

Another demo of how to DIY a CNI: https://github.com/morvencao/minicni
Implementing a CNI network plugin needs only a configuration file and an executable:

- the configuration file describes the plugin's version, name, description and other basic information;
- the executable is invoked by the container-management platform above it; a CNI executable must implement the ADD operation that joins a container to the network, the DEL operation that removes a container from the network, and so on.
The basic workflow when Kubernetes uses a CNI network plugin is:

1. kubelet first creates the pause container, which creates the corresponding network namespace;
2. kubelet calls the specific CNI plugin according to the configuration; the configuration can be a CNI plugin chain, in which case the plugins are called one after another;
3. when a CNI plugin is invoked, it obtains the network namespace, the container's network device and other necessary information from environment variables and command-line arguments, then performs ADD or another operation;
4. the CNI plugin configures the correct network for the pause container; the other containers in the pod reuse the pause container's network.
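Step 2 above is where the 10-calico.conflist from section 3.1 matters: the runtime does not hand the whole list to any plugin, but builds one config per plugin. The following added example (not code from this page, kubelet or the CNI library) simulates that driver logic with in-process stand-ins for the /opt/cni/bin binaries; CONFLIST is a trimmed copy of the page's conflist, and fake_calico's result values are constructed.

```python
import json

# Trimmed copy of the 10-calico.conflist shown earlier on this page (log/kubeconfig keys omitted).
CONFLIST = {"name": "k8s-pod-network", "cniVersion": "0.3.1", "plugins": [
    {"type": "calico", "ipam": {"type": "calico-ipam"}, "policy": {"type": "k8s"}},
    {"type": "portmap", "snat": True, "capabilities": {"portMappings": True}},
    {"type": "bandwidth", "capabilities": {"bandwidth": True}}]}

def build_plugin_config(conflist, plugin, prev_result, runtime_config):
    """Build the stdin JSON for one element of a chain (CNI network-configuration-list rules)."""
    conf = dict(plugin)
    conf["name"], conf["cniVersion"] = conflist["name"], conflist["cniVersion"]  # inherited from the list
    # runtimeConfig is injected only for capabilities the plugin declares, so the pod's
    # portMappings reach portmap but never calico or bandwidth.
    caps = {k: v for k, v in runtime_config.items() if plugin.get("capabilities", {}).get(k)}
    if caps:
        conf["runtimeConfig"] = caps
    if prev_result is not None:
        conf["prevResult"] = prev_result  # earlier plugin's result; later plugins build on it
    return conf

def run_chain(conflist, command, executables, runtime_config=None, cached_result=None):
    """Drive the chain as the runtime does: ADD in list order, DEL in reverse order.
    `executables` maps plugin type -> callable(command, conf), standing in for /opt/cni/bin/<type>."""
    order = conflist["plugins"] if command == "ADD" else conflist["plugins"][::-1]
    prev, calls = cached_result, []
    for plugin in order:
        conf = build_plugin_config(conflist, plugin, prev, runtime_config or {})
        calls.append((plugin["type"], conf))
        out = executables[plugin["type"]](command, json.loads(json.dumps(conf)))  # plugin sees a fresh copy
        if command == "ADD":
            prev = out  # ADD chains results; DEL hands the cached ADD result to every plugin
    return prev, calls

# Simulated plugins (constructed): the first plugin creates the interface and address; the
# chained ones act only on prevResult and return it unchanged.
def fake_calico(command, conf):
    if command == "DEL":
        return None
    return {"cniVersion": conf["cniVersion"], "ips": [{"address": "10.244.1.5/32", "interface": 0}],
            "interfaces": [{"name": "eth0", "sandbox": "/var/run/netns/pod1"}]}

def passthrough(command, conf):
    return conf.get("prevResult")

EXECUTABLES = {"calico": fake_calico, "portmap": passthrough, "bandwidth": passthrough}

def demo_add():  # the pod exposes hostPort 8080 -> containerPort 80 via runtimeConfig
    ports = {"portMappings": [{"hostPort": 8080, "containerPort": 80, "protocol": "tcp"}]}
    return run_chain(CONFLIST, "ADD", EXECUTABLES, ports)
```

Running demo_add() shows that only portmap receives the port mappings, and that a DEL replays the chain backwards (bandwidth, portmap, calico) with the cached ADD result as prevResult for each plugin.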
