A few words on k8s networking

1. k8s components

k8s components fall into two groups: control-plane components and node components.

Control-plane components:

- kube-apiserver: the API server; can be scaled horizontally.
- etcd: the backend store.
- kube-scheduler: decides which Node a newly created Pod runs on.
- kube-controller-manager: the controller processes; they watch the state of Objects and drive current state -> desired state.

Node components:

- kubelet: runs Pods.
- kube-proxy: the network proxy; it implements part of the k8s Service abstraction and maintains the network rules on the node.
- Container runtime: Docker, containerd, CRI-O.

2. The problems k8s networking has to solve

k8s imposes the following requirements on any CNI implementation:

- Pod-to-Pod communication must not require NAT
- Node-to-Pod communication must not require NAT
- A Pod sees the same IP for itself that other Pods see for it

Services in k8s are what expose network access inside and outside the cluster. For an application to be reachable from both inside and outside the cluster, the following problems have to be solved:

- container-to-container communication
- Pod-to-Pod communication
- Pod-to-Service communication
- Internet-to-Service communication

3. Container-to-container communication

Linux uses the Namespace mechanism to isolate resources at the kernel level; currently six Namespaces are provided:

- Mount: isolates filesystem mount points
- UTS: isolates the hostname and domain name
- IPC: isolates inter-process communication
- PID: isolates process IDs
- Network: isolates network resources
- User: isolates user and group IDs

For network namespaces (netns) there is a root network namespace; by default Linux places every process in the root netns so that it has network access.

With Docker, a Pod uses a single network namespace: Pods are isolated from each other by Namespace, while the containers inside a Pod share one network namespace. Docker creates the network namespace, application containers join it with `--network`, and the containers talk to each other over localhost.

4. Pod-to-Pod communication

In k8s every Pod has a real IP, and Pods communicate with each other by IP. (Images in this section are from the Kevin Sookocheff blog.)

5. Pod-to-Service communication

Pods may disappear or restart over time, so accessing them directly by Pod IP runs into network problems in such a dynamically changing environment. k8s solves this with Services. (Images in this section are from the Kevin Sookocheff blog.)

Creating a new Service Object actually creates a virtual IP and a set of network rules.

kube-proxy maintains, updates, deletes and adds those network rules; the proxy modes it supports are:

- userspace
- iptables (default)
- ipvs
- kernelspace (Windows)

...

2021-06-06 · Jerry Wang

K8s YAML configuration files

1. Example YAML for a Redis Deployment

First, an example deployment YAML file:

    # application/guestbook/redis-master-deployment.yaml
    apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
    kind: Deployment
    metadata:
      name: redis-master
      labels:
        app: redis
    spec:
      selector:
        matchLabels:
          app: redis
          role: master
          tier: backend
      replicas: 1
      template:
        metadata:
          labels:
            app: redis
            role: master
            tier: backend
        spec:
          containers:
          - name: master
            image: redis # or just image: redis
            resources:
              requests:
                cpu: 100m
                memory: 100Mi
            ports:
            - containerPort: 6379

Running `kubectl create -f redis-master-deployment.yaml` creates one Redis master Pod. What if I want to create 3 Pods from the YAML file?

...

2019-11-18 · Jerry Wang

The K8s guestbook demo from the official site

https://kubernetes.io/docs/tutorials/stateless-application/guestbook/#start-up-the-redis-master

1. Deploy the redis-master Deployment

Step 1: edit redis-master-deployment.yaml

    # application/guestbook/redis-master-deployment.yaml
    apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
    kind: Deployment
    metadata:
      name: redis-master
      labels:
        app: redis
    spec:
      selector:
        matchLabels:
          app: redis
          role: master
          tier: backend
      replicas: 1
      template:
        metadata:
          labels:
            app: redis
            role: master
            tier: backend
        spec:
          containers:
          - name: master
            image: redis # or just image: redis
            resources:
              requests:
                cpu: 100m
                memory: 100Mi
            ports:
            - containerPort: 6379

Step 2: run the commands

    # create the Deployment
    kubectl create -f redis-master-deployment.yaml
    # list the pods
    kubectl get pods

2. Deploy the redis-master Service

Step 1: edit redis-master-service.yaml

    # application/guestbook/redis-master-service.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: redis-master
      labels:
        app: redis
        role: master
        tier: backend
    spec:
      ports:
      - port: 6379
        targetPort: 6379
      selector:
        app: redis
        role: master
        tier: backend

Step 2: run the commands

    # create the Service
    kubectl create -f redis-master-service.yaml
    # list the services
    kubectl get services

3. Deploy the redis-slave Deployment

Step 1: edit redis-slave-deployment.yaml

    # application/guestbook/redis-slave-deployment.yaml
    apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
    kind: Deployment
    metadata:
      name: redis-slave
      labels:
        app: redis
    spec:
      selector:
        matchLabels:
          app: redis
          role: slave
          tier: backend
      replicas: 2
      template:
        metadata:
          labels:
            app: redis
            role: slave
            tier: backend
        spec:
          containers:
          - name: slave
            image: gcr.io/google_samples/gb-redisslave:v3
            resources:
              requests:
                cpu: 100m
                memory: 100Mi
            env:
            - name: GET_HOSTS_FROM
              value: dns
              # Using `GET_HOSTS_FROM=dns` requires your cluster to
              # provide a dns service. As of Kubernetes 1.3, DNS is a built-in
              # service launched automatically. However, if the cluster you are using
              # does not have a built-in DNS service, you can instead
              # access an environment variable to find the master
              # service's host. To do so, comment out the 'value: dns' line above, and
              # uncomment the line below:
              # value: env
            ports:
            - containerPort: 6379

Step 2: run the commands

    kubectl create -f redis-slave-deployment.yaml
    kubectl get pods

4. Deploy the redis-slave Service

Step 1: edit redis-slave-service.yaml

    # application/guestbook/redis-slave-service.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: redis-slave
      labels:
        app: redis
        role: slave
        tier: backend
    spec:
      ports:
      - port: 6379
      selector:
        app: redis
        role: slave
        tier: backend

Step 2: run the commands

    kubectl create -f redis-slave-service.yaml
    kubectl get services

5. Deploy the guestbook Deployment

Step 1: edit frontend-deployment.yaml

    # application/guestbook/frontend-deployment.yaml
    apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
    kind: Deployment
    metadata:
      name: frontend
      labels:
        app: guestbook
    spec:
      selector:
        matchLabels:
          app: guestbook
          tier: frontend
      replicas: 3
      template:
        metadata:
          labels:
            app: guestbook
            tier: frontend
        spec:
          containers:
          - name: php-redis
            image: gcr.io/google-samples/gb-frontend:v6 # the official tutorial uses v4, which failed with ImageInspectErr (broken image), so it was bumped to v6
            resources:
              requests:
                cpu: 100m
                memory: 100Mi
            env:
            - name: GET_HOSTS_FROM
              value: dns
              # Using `GET_HOSTS_FROM=dns` requires your cluster to
              # provide a dns service. As of Kubernetes 1.3, DNS is a built-in
              # service launched automatically. However, if the cluster you are using
              # does not have a built-in DNS service, you can instead
              # access an environment variable to find the master
              # service's host. To do so, comment out the 'value: dns' line above, and
              # uncomment the line below:
              # value: env
            ports:
            - containerPort: 80

Step 2: run the commands

    kubectl create -f frontend-deployment.yaml
    kubectl get pods

6. Deploy the guestbook Service

Step 1: edit frontend-service.yaml

    # application/guestbook/frontend-service.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: frontend
      labels:
        app: guestbook
        tier: frontend
    spec:
      # comment or delete the following line if you want to use a LoadBalancer
      type: NodePort
      # if your cluster supports it, uncomment the following to automatically create
      # an external load-balanced IP for the frontend service.
      # type: LoadBalancer
      ports:
      - port: 80
      selector:
        app: guestbook
        tier: frontend

Step 2: run the commands

    kubectl create -f frontend-service.yaml
    kubectl get services

The service can then be reached through a node's IP and the NodePort.

...

2019-10-20 · Jerry Wang

Building a K8s cluster

1. Nodes

    Node     IP
    master   192.168.124.100
    node1    192.168.124.101
    node2    192.168.124.102
    node3    192.168.124.103

2. Installing Docker

Install from the official repository; the commands are:

    # fetch the repo file
    cd /etc/yum.repos.d
    wget https://download.docker.com/linux/centos/docker-ce.repo
    yum makecache fast
    # install docker
    yum install docker-ce docker-ce-cli containerd.io
    # start docker
    systemctl enable docker && systemctl start docker

3. Installing Kubernetes

    # run on all nodes
    # add the repo
    cat <<EOF > /etc/yum.repos.d/kubernetes.repo
    [kubernetes]
    name=Kubernetes
    baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
    enabled=1
    gpgcheck=1
    repo_gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
    EOF
    # refresh the yum cache
    yum makecache fast

    # kubeadm init will fail unless the following are done first
    # 1. disable firewalld
    systemctl disable firewalld && systemctl stop firewalld
    # 2. disable selinux
    setenforce 0 && sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    # 3. disable swap
    swapoff -a && sed -i '/ swap / s/^/#/' /etc/fstab
    # 4. network settings
    touch /etc/sysctl.d/k8s.conf
    cat > /etc/sysctl.d/k8s.conf <<EOF
    net.bridge.bridge-nf-call-ip6tables = 1
    net.bridge.bridge-nf-call-iptables = 1
    net.ipv4.ip_forward = 1
    EOF
    modprobe br_netfilter && sysctl -p /etc/sysctl.d/k8s.conf

    # run on the master node
    yum install kubeadm kubectl kubelet
    # run on all worker nodes
    yum install kubeadm kubelet
    # start kubelet, the service that actually runs the containers
    systemctl enable kubelet && systemctl start kubelet
    # kubelet will error out at this point; ignore it
    # after kubeadm init or join, systemd brings kubelet up automatically

    # kubeadm is the cluster management tool
    # kubelet runs the pods
    # kubectl is the client that talks to kube-apiserver
    # by analogy, kubectl is curl and kube-apiserver is the server
    # kube-controller-manager is the controller
    # kube-scheduler is the scheduler
    # kube-proxy handles network communication
    # pause is the image a pod runs while idle
    # etcd is the distributed store for cluster state

    # kubeadm brings k8s up from images, but the registry is blocked by the GFW, so pull the images
    # on a host that can get through the firewall and export them with the following command
    # docker save -o package.tar.gz image1:latest
    # then import them with
    # docker load -i package.tar.gz
    # list the images that need to be downloaded
    kubeadm config images list
    # output; "master" means install on the master node, "node" means install on the worker nodes
    k8s.gcr.io/kube-apiserver:v1.16.1 # master
    k8s.gcr.io/kube-controller-manager:v1.16.1 # master
    k8s.gcr.io/kube-scheduler:v1.16.1 # master
    k8s.gcr.io/kube-proxy:v1.16.1 # master node
    k8s.gcr.io/pause:3.1 # node
    k8s.gcr.io/etcd:3.3.15-0 # master
    k8s.gcr.io/coredns:1.6.2 # master node
    # unfortunately, blocked by the GFW
    # docker pull them on a host that can get through, then upload them locally
    # pack images with the save command
    # import images with the load command

    # once the images are downloaded and imported
    # run on the master node
    kubeadm init --kubernetes-version=v1.16.1 --apiserver-advertise-address=192.168.124.100 --pod-network-cidr=10.244.0.0/16
    # on success it prints instructions to do the following
    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config
    # joining a node to the cluster
    kubeadm join 192.168.124.100:6443 --token ba04v7.y9ki5jgbss8gs0jx \
        --discovery-token-ca-cert-hash sha256:8404de0f262daf02de05aad96415c79c2ff39b91ce3ee28cd8248426166123a9

    # the k8s network model is flat: pods must be able to reach each other directly. Google's implementation already supports this,
    # but the cluster we just created does not, so a plugin or extra host configuration is needed before the model is satisfied
    # when starting out, flannel is recommended to reduce friction; evaluate the alternatives later if needed
    # install flannel
    kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
    # run on the master
    kubectl get nodes
    # output; only two nodes configured for now
    NAME     STATUS   ROLES    AGE   VERSION
    master   Ready    master   50m   v1.16.1
    node1    Ready    <none>   27m   v1.16.1
    # before flannel is installed, the nodes show STATUS NotReady.
    # that completes the basic k8s installation.
    # simple, isn't it
    # more k8s learnings will follow

2019-10-15 · Jerry Wang