Introduction

Flannel is a network planning service designed by the CoreOS team for Kubernetes. Put simply, it gives the Docker containers created on the different node hosts of a cluster virtual IP addresses that are unique across the whole cluster.
In the default Docker configuration, the Docker daemon on each node assigns IP addresses for that node's containers on its own. One consequence is that containers on different nodes may be given the same internal IP address. Flannel also lets these containers find each other by IP address, that is, ping each other.

The aim of Flannel is to re-plan how IP addresses are used across every node in the cluster, so that containers on different nodes get addresses that "belong to the same internal network" and "do not repeat", and so that containers on different nodes can talk to each other directly over their internal IPs.

Flannel is essentially an "overlay network": TCP packets are wrapped inside another kind of network packet for routing, forwarding and communication. It currently supports udp, vxlan, host-gw, aws-vpc, gce and alloc routing as forwarding methods; the default method for node-to-node traffic is UDP forwarding.

A quick summary of Flannel's characteristics

1. Docker containers created on different Node hosts in the cluster all receive cluster-wide unique virtual IP addresses.
2. It builds an overlay network through which packets are delivered unchanged to the target container. An overlay network is a virtual network built on top of another network and supported by that network's infrastructure. It decouples the network service from the underlying infrastructure by encapsulating one packet inside another; once the encapsulated packet has been forwarded to the endpoint, it is decapsulated.
3. It creates a new virtual NIC, flannel0, which receives traffic from the docker bridge and, using the routing table it maintains, encapsulates and forwards the received data (vxlan).
4. etcd guarantees that flanneld on every node sees the same configuration; at the same time, flanneld on each node watches etcd for data changes and so learns about node changes in the cluster in real time.

How Flannel meets these network requirements

1. Flannel uses the Kubernetes API or etcd to store the network configuration of the whole cluster and, from that configuration, records the address range the cluster uses.
2. Flannel runs flanneld as an agent on every host; it obtains a small subnet for its host from the cluster's network address space, and the IP addresses of all containers on that host are assigned from it.

```yaml
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/etc/cni/net.d"
  - pathPrefix: "/etc/kube-flannel"
  - pathPrefix: "/run/flannel"
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities
  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces
  hostPID: false
  hostIPC: false
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups: ['extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni-plugin
        #image: flannelcni/flannel-cni-plugin:v1.0.1 for ppc64le and mips64le (dockerhub limitations may apply)
        image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1
        command:
        - cp
        args:
        - -f
        - /flannel
        - /opt/cni/bin/flannel
        volumeMounts:
        - name: cni-plugin
          mountPath: /opt/cni/bin
      - name: install-cni
        #image: flannelcni/flannel:v0.17.0 for ppc64le and mips64le (dockerhub limitations may apply)
        image: rancher/mirrored-flannelcni-flannel:v0.17.0
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        #image: flannelcni/flannel:v0.17.0 for ppc64le and mips64le (dockerhub limitations may apply)
        image: rancher/mirrored-flannelcni-flannel:v0.17.0
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
        - name: xtables-lock
          mountPath: /run/xtables.lock
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni-plugin
        hostPath:
          path: /opt/cni/bin
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg
      - name: xtables-lock
        hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
```
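As an added example (not code from this page or from the Flannel project), the per-host subnet leasing described above, driven by the net-conf.json from the kube-flannel-cfg ConfigMap: each node is handed a distinct subnet carved from Network, and a pod IP can be traced back to the node that holds its lease. The function names, node names, sequential allocation and the SubnetLen fallback of 24 are assumptions of this example.

```python
import ipaddress
import json

# Constructed copy of the net-conf.json in the kube-flannel-cfg ConfigMap
# above, embedded so the example runs without a cluster.
NET_CONF = '{"Network": "10.244.0.0/16", "Backend": {"Type": "vxlan"}}'


def parse_net_conf(text):
    """Return (cluster network, per-host subnet length, backend type).

    Assumed fallbacks: SubnetLen 24 when absent (flanneld's documented
    default for a Network of /22 or larger) and backend udp when no
    Backend is given, the default stated in the text above."""
    conf = json.loads(text)
    network = ipaddress.ip_network(conf["Network"])
    subnet_len = int(conf.get("SubnetLen", 24))
    if subnet_len <= network.prefixlen:
        raise ValueError("SubnetLen must be longer than the Network prefix")
    return network, subnet_len, conf.get("Backend", {}).get("Type", "udp")


def allocate_leases(network, subnet_len, node_names):
    """Carve one subnet per node out of the cluster network.

    Simplified model of flanneld's subnet manager: blocks are handed out
    in order rather than picked at random from the free pool, but the
    invariant is the same: no two nodes overlap, and allocation fails
    once the pool is exhausted."""
    free = list(network.subnets(new_prefix=subnet_len))
    if len(node_names) > len(free):
        raise ValueError(f"{len(node_names)} nodes, only {len(free)} subnets")
    return dict(zip(node_names, free))


def node_for_pod_ip(leases, pod_ip):
    """Map a pod IP back to the node holding its lease, or None; a source
    address that falls in no lease did not come from a flannel-managed
    pod, which is useful when triaging traffic."""
    addr = ipaddress.ip_address(pod_ip)
    for node, subnet in leases.items():
        if addr in subnet:
            return node
    return None


if __name__ == "__main__":
    net, plen, backend = parse_net_conf(NET_CONF)
    leases = allocate_leases(net, plen, ["k8smaster", "k8snode1", "k8snode2"])
    print(leases, node_for_pod_ip(leases, "10.244.1.17"))  # ... k8snode1
```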