前言

  • CNI是Container Network Interface的是一个标准的,通用的接口。现在容器平台:docker,kubernetes,mesos,容器网络解决方案:flannel,calico,weave。只要提供一个标准的接口,就能为同样满足该协议的所有容器平台提供网络功能,而CNI正是这样的一个标准接口协议。
  • CNI用于连接容器管理系统和网络插件。提供一个容器所在的network namespace,将network interface插入该network namespace中(比如veth的一端),并且在宿主机做一些必要的配置(例如将veth的另一端加入bridge中),最后对namespace中的interface进行IP和路由的配置

Kubernetes主要存在4种类型的通信:

  1. container-to-container:发生在Pod内部,借助于lo实现;
  2. Pod-to-Pod: Pod间的通信,k8s自身并未解决该类通信,而是借助于CNI接口,交给第三方解决方案;CNI之前的接口叫kubenet;
  3. Service-to-Pod:借助于kube-proxy生成的iptables或ipvs规则完成;
  4. ExternalClients-to-Service:引入集群外部流量 hostPort、hostNletwork、nodeport/service,、loadbalancer/service、 exteralP/service、 Ingres;

Flannel简介

  • Flannel是CoreOS团队针对Kubernetes设计的一个网络规划服务,简单来说,它的功能是让集群中的不同节点主机创建的Docker容器都具有全集群唯一的虚拟IP地址。
  • 在默认的Docker配置中,每个节点上的Docker服务会分别负责所在节点容器的IP分配。这样导致的一个问题是,不同节点上容器可能获得相同的内外IP地址。并使这些容器之间能够之间通过IP地址相互找到,也就是相互ping通。
  • Flannel的设计目的就是为集群中的所有节点重新规划IP地址的使用规则,从而使得不同节点上的容器能够获得“同属一个内网”且”不重复的”IP地址,并让属于不同节点上的容器能够直接通过内网IP通信。
  • Flannel实质上是一种“覆盖网络(overlaynetwork)”,也就是将TCP数据包装在另一种网络包里面进行路由转发和通信,目前已经支持udp、vxlan、host-gw、aws-vpc、gce和alloc路由等数据转发方式,默认的节点间数据通信方式是UDP转发。

简单总结Flannel特点

  1. 使集群中的不同Node主机创建的Docker容器都具有全集群唯一的虚拟IP地址。
  2. 建立一个覆盖网络(overlay network),通过这个覆盖网络,将数据包原封不动的传递到目标容器。覆盖网络是建立在另一个网络之上并由其基础设施支持的虚拟网络。覆盖网络通过将一个分组封装在另一个分组内来将网络服务与底层基础设施分离。在将封装的数据包转发到端点后,将其解封装。
  3. 创建一个新的虚拟网卡flannel0接收docker网桥的数据,通过维护路由表,对接收到的数据进行封包和转发(vxlan)。
  4. etcd保证了所有node上flanned所看到的配置是一致的。同时每个node上的flanned监听etcd上的数据变化,实时感知集群中node的变化。

Flannel支持三种Pod网络模型,每个模型在flannel中称为一种"backend":

  • vxlan: Pod与Pod经由隧道封装后通信,各节点彼此间能通信就行,不要求在同一个二层网络; 缺点:由于经过2次封装,吞吐量相对变低,优点:不要求节点处于同一个2层网络
  • vwlan directrouting:位于同一个二层网络上的、但不同节点上的Pod间通信,无须隧道封装;但非同一个二层网络上的节点上的Pod间通信,仍须隧道封装; 最优的方案
  • host-gw: Pod与Pod不经隧道封装而直接通信,要求各节点位于同一个二层网络; #吞吐量最大 但需要在同个2层网络中

Flannel 下载安装地址

https://github.com/flannel-io...

示例1: 部署flannel 以Vxlan类型运行

#查看flannel部署清单yaml文件中有关于网络类型的描述
[root@k8s-master plugin]# cat kube-flannel.yml
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",  #完成虚拟网络
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",  #端口映射 如:NodePort
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"  #默认为vxlan模式
      }
    }

[root@k8s-master plugin]# kubectl apply -f  kube-flannel.yml
  • vxlan模式下 路由表Pod地址指向flannel.1
[root@k8s-master plugin]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.54.2    0.0.0.0         UG    101    0        0 eth4
10.244.0.0      0.0.0.0         255.255.255.0   U     0      0        0 cni0  #本机虚拟网络接口
10.244.1.0      10.244.1.0      255.255.255.0   UG    0      0        0 flannel.1
10.244.2.0      10.244.2.0      255.255.255.0   UG    0      0        0 flannel.1
10.244.3.0      10.244.3.0      255.255.255.0   UG    0      0        0 flannel.1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.4.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.54.0    0.0.0.0         255.255.255.0   U     101    0        0 eth4


[root@k8s-node1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.54.2    0.0.0.0         UG    101    0        0 eth4
10.244.0.0      10.244.0.0      255.255.255.0   UG    0      0        0 flannel.1
10.244.1.0      0.0.0.0         255.255.255.0   U     0      0        0 cni0  #本机虚拟网络接口
10.244.2.0      10.244.2.0      255.255.255.0   UG    0      0        0 flannel.1
10.244.3.0      10.244.3.0      255.255.255.0   UG    0      0        0 flannel.1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.4.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.54.0    0.0.0.0         255.255.255.0   U     101    0        0 eth4

[root@k8s-master plugin]# ip neighbour|grep flannel.1  #生成的永久neighbour信息 提高路由效率
10.244.1.0 dev flannel.1 lladdr ba:98:1c:fa:3a:51 PERMANENT
10.244.3.0 dev flannel.1 lladdr da:29:42:38:29:55 PERMANENT
10.244.2.0 dev flannel.1 lladdr fa:48:c1:29:0b:dd PERMANENT

[root@k8s-master plugin]# bridge fdb show flannel.1|grep flannel.1
ba:98:1c:fa:3a:51 dev flannel.1 dst 192.168.54.171 self permanent
22:85:29:77:e1:00 dev flannel.1 dst 192.168.54.173 self permanent
fa:48:c1:29:0b:dd dev flannel.1 dst 192.168.54.172 self permanent
da:29:42:38:29:55 dev flannel.1 dst 192.168.54.173 self permanent

#抓包flannel网络 其中 udp 8472为flannel网络默认端口

[root@k8s-node3 ~]# tcpdump -i eth4 -nn udp port 8472
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
17:08:15.113389 IP 192.168.54.172.46879 > 192.168.54.173.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.2.9 > 10.244.3.92: ICMP echo request, id 2816, seq 61, length 64
17:08:15.113498 IP 192.168.54.173.55553 > 192.168.54.172.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.3.92 > 10.244.2.9: ICMP echo reply, id 2816, seq 61, length 64
17:08:16.114359 IP 192.168.54.172.46879 > 192.168.54.173.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.2.9 > 10.244.3.92: ICMP echo request, id 2816, seq 62, length 64
17:08:16.114447 IP 192.168.54.173.55553 > 192.168.54.172.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.3.92 > 10.244.2.9: ICMP echo reply, id 2816, seq 62, length 64
17:08:17.115558 IP 192.168.54.172.46879 > 192.168.54.173.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.2.9 > 10.244.3.92: ICMP echo request, id 2816, seq 63, length 64
17:08:17.115717 IP 192.168.54.173.55553 > 192.168.54.172.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.3.92 > 10.244.2.9: ICMP echo reply, id 2816, seq 63, length 64

17:08:18.117498 IP 192.168.54.172.46879 > 192.168.54.173.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.2.9 > 10.244.3.92: ICMP echo request, id 2816, seq 64, length 64
  • 可以看到10.244.2.9 > 10.244.3.92 Pod间的传输 通过封装从节点192.168.54.172.46879 传输到节点 192.168.54.173.8472 经过一层数据封装

示例2: 添加flannel网络类型DirectRouting

  • 添加DirectRouting后,2层网络节点会使用宿主机网络接口直接通信,3层网络的节点会使用Vxlan 隧道封装后通信,组合使用是flannel最理想的网络类型
  • 因为测试环境所有节点都处于同一2层网络,所以从路由表无法看到和flannel.1接口同时存在
[root@k8s-master ~]# kubectl get cm -n kube-system
NAME                                 DATA   AGE
coredns                              1      57d
extension-apiserver-authentication   6      57d
kube-flannel-cfg                     2      57d
kube-proxy                           2      57d
kubeadm-config                       2      57d
kubelet-config-1.19                  1      57d
[root@k8s-master ~]# kubectl edit cm kube-flannel-cfg  -n kube-system

  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan",
        "DirectRouting": true   #添加
      }
    }
  • 重启Pod 正式环境用蓝绿更新
[root@k8s-master ~]# kubectl get pod -n kube-system  --show-labels
NAME                                 READY   STATUS    RESTARTS   AGE     LABELS
coredns-f9fd979d6-l9zck              1/1     Running   16         57d     k8s-app=kube-dns,pod-template-hash=f9fd979d6
coredns-f9fd979d6-s8fp5              1/1     Running   15         57d     k8s-app=kube-dns,pod-template-hash=f9fd979d6
etcd-k8s-master                      1/1     Running   12         57d     component=etcd,tier=control-plane
kube-apiserver-k8s-master            1/1     Running   16         57d     component=kube-apiserver,tier=control-plane
kube-controller-manager-k8s-master   1/1     Running   40         57d     component=kube-controller-manager,tier=control-plane
kube-flannel-ds-6sppx                1/1     Running   1          7d23h   app=flannel,controller-revision-hash=585c88d56b,pod-template-generation=2,tier=node
kube-flannel-ds-j5g9s                1/1     Running   3          7d23h   app=flannel,controller-revision-hash=585c88d56b,pod-template-generation=2,tier=node
kube-flannel-ds-nfz77                1/1     Running   1          7d23h   app=flannel,controller-revision-hash=585c88d56b,pod-template-generation=2,tier=node
kube-flannel-ds-sqhq2                1/1     Running   1          7d23h   app=flannel,controller-revision-hash=585c88d56b,pod-template-generation=2,tier=node
kube-proxy-42vln                     1/1     Running   4          25d     controller-revision-hash=565786c69c,k8s-app=kube-proxy,pod-template-generation=1
kube-proxy-98gfb                     1/1     Running   3          21d     controller-revision-hash=565786c69c,k8s-app=kube-proxy,pod-template-generation=1
kube-proxy-nlnnw                     1/1     Running   4          17d     controller-revision-hash=565786c69c,k8s-app=kube-proxy,pod-template-generation=1
kube-proxy-qbsw2                     1/1     Running   4          25d     controller-revision-hash=565786c69c,k8s-app=kube-proxy,pod-template-generation=1
kube-scheduler-k8s-master            1/1     Running   38         57d     component=kube-scheduler,tier=control-plane
metrics-server-6849f98b-fsvf8        1/1     Running   15         8d      k8s-app=metrics-server,pod-template-hash=6849f98b
[root@k8s-master ~]# kubectl delete pod -n kube-system -l app=flannel
pod "kube-flannel-ds-6sppx" deleted
pod "kube-flannel-ds-j5g9s" deleted
pod "kube-flannel-ds-nfz77" deleted
pod "kube-flannel-ds-sqhq2" deleted
[root@k8s-master ~]# 
  • 再次查看master、node路由表
[root@k8s-master ~]# route -n  
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.54.2    0.0.0.0         UG    101    0        0 eth4
10.244.0.0      0.0.0.0         255.255.255.0   U     0      0        0 cni0
10.244.1.0      10.244.1.0      255.255.255.0   UG    0      0        0 eth4
10.244.2.0      192.168.54.172  255.255.255.0   UG    0      0        0 eth4
10.244.3.0      192.168.54.173  255.255.255.0   UG    0      0        0 eth4
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.4.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.54.0    0.0.0.0         255.255.255.0   U     101    0        0 eth4
[root@k8s-node1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.54.2    0.0.0.0         UG    101    0        0 eth4
10.244.0.0      192.168.54.170  255.255.255.0   UG    0      0        0 eth4
10.244.1.0      0.0.0.0         255.255.255.0   U     0      0        0 cni0
10.244.2.0      192.168.54.172  255.255.255.0   UG    0      0        0 eth4
10.244.3.0      192.168.54.173  255.255.255.0   UG    0      0        0 eth4
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.4.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.54.0    0.0.0.0         255.255.255.0   U     101    0        0 eth4

#网络相关的Pod的IP会直接通过宿主机网络接口地址

[root@k8s-master ~]# kubectl get pod -n kube-system -o wide
NAME                                 READY   STATUS    RESTARTS   AGE     IP              NODE         NOMINATED NODE   READINESS GATES
coredns-f9fd979d6-l9zck              1/1     Running   16         57d     10.244.0.42     k8s-master   <none>           <none>
coredns-f9fd979d6-s8fp5              1/1     Running   15         57d     10.244.0.41     k8s-master   <none>           <none>
etcd-k8s-master                      1/1     Running   12         57d     192.168.4.170   k8s-master   <none>           <none>
kube-apiserver-k8s-master            1/1     Running   16         57d     192.168.4.170   k8s-master   <none>           <none>
kube-controller-manager-k8s-master   1/1     Running   40         57d     192.168.4.170   k8s-master   <none>           <none>
kube-flannel-ds-d79nx                1/1     Running   0          2m12s   192.168.4.170   k8s-master   <none>           <none>
kube-flannel-ds-m48m7                1/1     Running   0          2m14s   192.168.4.172   k8s-node2    <none>           <none>
kube-flannel-ds-pxmnf                1/1     Running   0          2m14s   192.168.4.171   k8s-node1    <none>           <none>
kube-flannel-ds-vm9kt                1/1     Running   0          2m19s   192.168.4.173   k8s-node3    <none>           <none>
kube-proxy-42vln                     1/1     Running   4          25d     192.168.4.172   k8s-node2    <none>           <none>  #使用宿主机网络接口
kube-proxy-98gfb                     1/1     Running   3          21d     192.168.4.173   k8s-node3    <none>           <none>
kube-proxy-nlnnw                     1/1     Running   4          17d     192.168.4.171   k8s-node1    <none>           <none>
kube-proxy-qbsw2                     1/1     Running   4          25d     192.168.4.170   k8s-master   <none>           <none>
kube-scheduler-k8s-master            1/1     Running   38         57d     192.168.4.170   k8s-master   <none>           <none>
metrics-server-6849f98b-fsvf8        1/1     Running   15         8d      10.244.2.250    k8s-node2    <none>           <none>
  • 抓包查看数据封装

[root@k8s-master plugin]# kubectl get pod -o wide
NAME                         READY   STATUS    RESTARTS   AGE   IP             NODE        NOMINATED NODE   READINESS GATES
client-1639                  1/1     Running   0          52s   10.244.1.222   k8s-node1   <none>           <none>
replicaset-demo-v1.1-lgf6b   1/1     Running   0          59m   10.244.1.221   k8s-node1   <none>           <none>
replicaset-demo-v1.1-mvvfq   1/1     Running   0          59m   10.244.3.169   k8s-node3   <none>           <none>
replicaset-demo-v1.1-tn49t   1/1     Running   0          59m   10.244.2.136   k8s-node2   <none>           <none>

root@k8s-master plugin]# kubectl exec replicaset-demo-v1.1-tn49t -it -- /bin/sh  #访问node3
[root@replicaset-demo-v1 /]# curl 10.244.3.169
iKubernetes demoapp v1.1 !! ClientIP: 10.244.2.136, ServerName: replicaset-demo-v1.1-mvvfq, ServerIP: 10.244.3.169!
[root@replicaset-demo-v1 /]# curl 10.244.3.169

#node3上抓包
[root@k8s-node3 ~]# tcpdump -i eth4 -nn tcp port 80


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
11:03:57.508877 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [S], seq 1760692242, win 64860, options [mss 1410,sackOK,TS val 4266124446 ecr 0,nop,wscale 7], length 0
11:03:57.509245 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [S.], seq 3150629627, ack 1760692243, win 64308, options [mss 1410,sackOK,TS val 1453973317 ecr 4266124446,nop,wscale 7], length 0
11:03:57.510198 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [.], ack 1, win 507, options [nop,nop,TS val 4266124447 ecr 1453973317], length 0
11:03:57.510373 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [P.], seq 1:77, ack 1, win 507, options [nop,nop,TS val 4266124447 ecr 1453973317], length 76: HTTP: GET / HTTP/1.1
11:03:57.510427 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [.], ack 77, win 502, options [nop,nop,TS val 1453973318 ecr 4266124447], length 0
11:03:57.713241 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [P.], seq 1:18, ack 77, win 502, options [nop,nop,TS val 1453973521 ecr 4266124447], length 17: HTTP: HTTP/1.0 200 OK
11:03:57.713821 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [.], ack 18, win 507, options [nop,nop,TS val 4266124651 ecr 1453973521], length 0
11:03:57.733459 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [P.], seq 18:155, ack 77, win 502, options [nop,nop,TS val 1453973541 ecr 4266124651], length 137: HTTP
11:03:57.733720 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [FP.], seq 155:271, ack 77, win 502, options [nop,nop,TS val 1453973541 ecr 4266124651], length 116: HTTP
11:03:57.735862 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [.], ack 155, win 506, options [nop,nop,TS val 4266124671 ecr 1453973541], length 0
11:03:57.735883 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [F.], seq 77, ack 272, win 506, options [nop,nop,TS val 4266124672 ecr 1453973541], length 0
11:03:57.736063 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [.], ack 78, win 502, options [nop,nop,TS val 1453973543 ecr 4266124672], length 0
11:03:58.650891 IP 10.244.2.136.49662 > 10.244.3.169.80: Flags [S], seq 3494935965, win 64860, options [mss 1410,sackOK,TS val 4266125588 ecr 0,nop,wscale 7], length 0
  • 可以看到数据的传输没有再经过封装 直接通过Pod IP flannel网络传输

示例3: 修改flannel网络类型host-gw 需要注意host-gw只支持2层网络

  • 因为所有节点都处在2层网络中,理论上和前面添加DirectRouting 效果是一样的 就不累述

    [root@k8s-master plugin]# vim kube-flannel.yml
    ...
    net-conf.json: |
      {
        "Network": "10.244.0.0/16",
        "Backend": {
          "Type": "host-gw"  #修改类型为host-gw
        }
      }
    ...
    
    #查看路由表 
    [root@k8s-master plugin]# kubectl apply -f kube-flannel.yml
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.54.2    0.0.0.0         UG    101    0        0 eth4
    10.244.0.0      0.0.0.0         255.255.255.0   U     0      0        0 cni0
    10.244.1.0      192.168.54.171  255.255.255.0   UG    0      0        0 eth4
    10.244.2.0      192.168.54.172  255.255.255.0   UG    0      0        0 eth4
    10.244.3.0      192.168.54.173  255.255.255.0   UG    0      0        0 eth4
    172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
    192.168.4.0     0.0.0.0         255.255.255.0   U     102    0        0 eth0
    192.168.54.0    0.0.0.0         255.255.255.0   U     101    0        0 eth4

Bigyong
28 声望13 粉丝