IPAM
In a cloud network, connectivity between networks matters, but managing IP addresses matters just as much: a chaotic address space gives us neither reliable communication nor manageability. This document therefore introduces Calico IPAM and walks through its advanced features. By default, a Calico installation already uses Calico IPAM:
[root@master ~]# cd /etc/cni/net.d/
[root@master net.d]# ls
10-calico.conflist calico-kubeconfig
[root@master net.d]# cat 10-calico.conflist
{
"name": "k8s-pod-network",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "calico",
"log_level": "info",
"log_file_path": "/var/log/calico/cni/cni.log",
"datastore_type": "kubernetes",
"nodename": "master.whale.com",
"mtu": 0,
"ipam": {
"type": "calico-ipam" ### this field shows that calico-ipam is in use
},
"policy": {
"type": "k8s"
},
"kubernetes": {
"kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
}
},
{
"type": "portmap",
"snat": true,
"capabilities": {"portMappings": true}
},
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
}
]
}
Assigning IP addresses based on topology
assign-ip-addresses-topology
The idea is that specific nodes are given their own IP pools, so workloads on them receive addresses from different ranges. As an example, we assign one IP pool per rack.
            -------------------
            |     router      |
            -------------------
               |           |
     ---------------   ---------------
     |   rack-1    |   |   rack-2    |
     ---------------   ---------------
     | kube-node-1 |   | kube-node-2 |
     - - - - - - - -   - - - - - - - -
1. Label the nodes
[root@master net.d]# kubectl label node node1.whale.com rack=1
node/node1.whale.com labeled
[root@master net.d]# kubectl label node node2.whale.com rack=2
node/node2.whale.com labeled
[root@master net.d]# kubectl label node master.whale.com rack=1
node/master.whale.com labeled
2. Delete the default IPPool
The default IPPool already covers the entire allocatable range, so it must be deleted first; then we create the new pools.
[root@master net.d]# calicoctl get ippool
NAME CIDR SELECTOR
default-ipv4-ippool 10.244.0.0/16 all()
# back up the pool first
[root@master net.d]# calicoctl get ippool default-ipv4-ippool -o yaml --export > default-ipv4-ippool.yaml
# delete it
[root@master net.d]# calicoctl delete ippools default-ipv4-ippool
Successfully deleted 1 'IPPool' resource(s)
[root@master net.d]# calicoctl get ippools
NAME CIDR SELECTOR
3. Create a new IPPool for each rack
Adjust the cidr and nodeSelector fields based on the backup exported in the previous step. My cluster runs in BGP mode, so the settings differ slightly from the default IPIP mode.
calicoctl create -f - <<EOF
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: rack-1-ippool
spec:
allowedUses:
- Workload
- Tunnel
cidr: 10.244.1.0/24
ipipMode: Never
natOutgoing: true
vxlanMode: Never
nodeSelector: rack == "1"
EOF
calicoctl create -f - <<EOF
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: rack-2-ippool
spec:
allowedUses:
- Workload
- Tunnel
cidr: 10.244.2.0/24
ipipMode: Never
natOutgoing: true
vxlanMode: Never
nodeSelector: rack == "2"
EOF
[root@master net.d]# calicoctl get ippools -o wide
NAME CIDR NAT IPIPMODE VXLANMODE DISABLED DISABLEBGPEXPORT SELECTOR
rack-1-ippool 10.244.1.0/24 true Never Never false false rack == "1"
rack-2-ippool 10.244.2.0/24 true Never Never false false rack == "2"
4. Verify that pods follow the configuration
[root@master net.d]# kubectl scale deployment cni-test --replicas=5
[root@master net.d]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
cni-test-777bbd57c8-9w8wm 1/1 Running 0 3m7s 10.244.1.192 master.whale.com
cni-test-777bbd57c8-csjpq 1/1 Running 0 3m7s 10.244.2.1 node2.whale.com
cni-test-777bbd57c8-hhf72 1/1 Running 0 3m7s 10.244.2.0 node2.whale.com
cni-test-777bbd57c8-nlx8p 1/1 Running 0 3m7s 10.244.1.128 node1.whale.com
cni-test-777bbd57c8-th74g 1/1 Running 0 3m7s 10.244.1.129 node1.whale.com
5. Note
Calico IPAM does not reassign IP addresses to workloads that are already running. To give running workloads addresses from the newly configured IP pools, they must be recreated. We recommend doing this before going into production or during a maintenance window.
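As an added example that is not part of the original article, the following Python script audits the result of steps 1 to 4: it parses the `calicoctl get ippool -o wide` and `kubectl get pod -o wide` tables, evaluates each pool's nodeSelector against the node labels, and reports any pod whose IP did not come from the pool that selects its node, as well as pools that overlap each other or fall outside the cluster CIDR. The tables and labels are constructed samples modelled on the ones above; the selector evaluator covers only `all()` and `key == "value"` / `key != "value"`, the subset used in this article.

```python
import ipaddress
import re

# Constructed sample output modelled on the tables in this article
# (assumption: not captured from a real cluster).
IPPOOL_WIDE = """\
NAME            CIDR            NAT    IPIPMODE   VXLANMODE   DISABLED   DISABLEBGPEXPORT   SELECTOR
rack-1-ippool   10.244.1.0/24   true   Never      Never       false      false              rack == "1"
rack-2-ippool   10.244.2.0/24   true   Never      Never       false      false              rack == "2"
"""

POD_WIDE = """\
NAME                        READY   STATUS    RESTARTS   AGE    IP             NODE               NOMINATED NODE   READINESS GATES
cni-test-777bbd57c8-9w8wm   1/1     Running   0          3m7s   10.244.1.192   master.whale.com   <none>           <none>
cni-test-777bbd57c8-csjpq   1/1     Running   0          3m7s   10.244.2.1     node2.whale.com    <none>           <none>
cni-test-777bbd57c8-nlx8p   1/1     Running   0          3m7s   10.244.1.128   node1.whale.com    <none>           <none>
"""

# Node labels as applied in step 1 (kubectl label node ... rack=N).
NODE_LABELS = {
    "master.whale.com": {"rack": "1"},
    "node1.whale.com": {"rack": "1"},
    "node2.whale.com": {"rack": "2"},
}

CLUSTER_CIDR = ipaddress.ip_network("10.244.0.0/16")

# Only the selector forms used in this article: all(), key == "v", key != "v".
_SELECTOR_RE = re.compile(r'^([\w./-]+)\s*(==|!=)\s*"([^"]*)"$')


def parse_ippools(text):
    """Parse `calicoctl get ippool -o wide`. SELECTOR is the last column and may
    contain spaces, so split at most 7 times and keep the remainder intact."""
    pools = []
    for line in text.splitlines()[1:]:
        cols = line.split(None, 7)
        if len(cols) < 8:
            continue
        pools.append({"name": cols[0], "cidr": ipaddress.ip_network(cols[1]),
                      "disabled": cols[5] == "true", "selector": cols[7].strip()})
    return pools


def parse_pods(text):
    """Parse `kubectl get pod -o wide`; pods without an IP yet (<none>) are skipped."""
    pods = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 7:
            continue
        try:
            ip = ipaddress.ip_address(cols[5])
        except ValueError:
            continue
        pods.append({"name": cols[0], "ip": ip, "node": cols[6]})
    return pods


def selector_matches(selector, labels):
    """Evaluate a pool nodeSelector against one node's labels."""
    if selector == "all()":
        return True
    m = _SELECTOR_RE.match(selector)
    if not m:
        raise ValueError(f"unsupported selector: {selector!r}")
    key, op, value = m.groups()
    return (labels.get(key) == value) if op == "==" else (labels.get(key) != value)


def check_pools(pools, cluster_cidr):
    """Findings for pools outside the cluster CIDR or overlapping each other."""
    findings = [f'{p["name"]}: {p["cidr"]} is outside cluster CIDR {cluster_cidr}'
                for p in pools if not p["cidr"].subnet_of(cluster_cidr)]
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a["cidr"].overlaps(b["cidr"]):
                findings.append(f'{a["name"]} and {b["name"]} overlap')
    return findings


def check_placement(pools, pods, node_labels):
    """(pod, ip, reason) for every pod whose IP did not come from an enabled
    pool whose nodeSelector matches the node the pod runs on."""
    violations = []
    for pod in pods:
        labels = node_labels.get(pod["node"], {})
        eligible = [p for p in pools
                    if not p["disabled"] and selector_matches(p["selector"], labels)]
        if not eligible:
            violations.append((pod["name"], str(pod["ip"]), "no enabled pool selects this node"))
        elif not any(pod["ip"] in p["cidr"] for p in eligible):
            names = ",".join(p["name"] for p in eligible)
            violations.append((pod["name"], str(pod["ip"]), f"not in eligible pool(s) {names}"))
    return violations


def audit(ippool_text, pod_text, node_labels, cluster_cidr=CLUSTER_CIDR):
    pools = parse_ippools(ippool_text)
    return check_pools(pools, cluster_cidr) + [
        f"{name} ({ip}): {why}"
        for name, ip, why in check_placement(pools, parse_pods(pod_text), node_labels)]


if __name__ == "__main__":
    for line in audit(IPPOOL_WIDE, POD_WIDE, NODE_LABELS) or ["OK: every pod is in its rack's pool"]:
        print(line)
```

On a live cluster the two tables would be fed in from the commands in step 4 and the labels from `kubectl get nodes --show-labels`; a non-empty result after a rack relabel is the usual sign of pods that predate the change and still need to be recreated, as the note in step 5 says.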
Configuring a static IP address for a pod
In Calico, a static IP address can be configured by adding an annotation to the pod. Note that the address must belong to an IPPool.
# check whether a default ippool exists
[root@master net.d]# calicoctl get ippool -o wide
NAME CIDR NAT IPIPMODE VXLANMODE DISABLED DISABLEBGPEXPORT SELECTOR
default-ipv4-ippool 10.244.0.0/16 true Never Never false false all()
[root@master net.d]# cat calico_static.yaml
apiVersion: v1
kind: Pod
metadata:
name: calico-static-pod
labels:
app: myapp
annotations:
cni.projectcalico.org/ipAddrs: "[\"10.244.11.1\"]"
spec:
containers:
- name: static-container
image: burlyluo/nettoolbox
[root@master net.d]# kubectl apply -f calico_static.yaml
[root@master net.d]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
calico-static-pod 1/1 Running 0 2m35s 10.244.11.1 node2.whale.com
Migrating to another IPPool
If you follow these steps, existing pod connectivity is not affected. (If the old IP pool is deleted before the new pool is created and verified, existing pods are affected.) While pods are being deleted, the application may be briefly unavailable, depending on the type of application.
1. Add a new ippool
Note: it is strongly recommended that your Calico IP pools lie within the Kubernetes cluster CIDR. If pod IPs are allocated from outside the cluster CIDR, some traffic may be NATed unnecessarily, leading to unexpected behaviour.
k8s CIDR: 10.244.0.0/16
Current default CIDR: 10.244.1.0/24
New CIDR to migrate to: 10.244.22.0/24
[root@master net.d]# calicoctl get ippool -o wide
NAME CIDR NAT IPIPMODE VXLANMODE DISABLED DISABLEBGPEXPORT SELECTOR
default-ipv4-ippool 10.244.1.0/24 true Never Never false false all()
[root@master net.d]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
cni-test-777bbd57c8-dnprz 1/1 Running 0 47s 10.244.1.129 node1.whale.com
cni-test-777bbd57c8-kx6jx 1/1 Running 0 47s 10.244.1.1 node2.whale.com
cni-test-777bbd57c8-kxc2p 1/1 Running 0 47s 10.244.1.192 master.whale.com
cni-test-777bbd57c8-nr6hf 1/1 Running 0 47s 10.244.1.0 node2.whale.com
cni-test-777bbd57c8-t2f5b 1/1 Running 0 47s 10.244.1.128 node1.whale.com
Create a new IPPool
[root@master net.d]# cat new-ipv4.yaml
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
creationTimestamp: null
name: new-22
spec:
allowedUses:
- Workload
- Tunnel
blockSize: 26
cidr: 10.244.22.0/24
ipipMode: Never
natOutgoing: true
disabled: false
nodeSelector: all()
vxlanMode: Never
[root@master net.d]# calicoctl apply -f new-ipv4.yaml
Successfully applied 1 'IPPool' resource(s)
[root@master net.d]# calicoctl get ippool -o wide
NAME CIDR NAT IPIPMODE VXLANMODE DISABLED DISABLEBGPEXPORT SELECTOR
default-ipv4-ippool 10.244.1.0/24 true Never Never false false all()
new-22 10.244.22.0/24 true Never Never false false all()
2. Disable the old IPPool
Note: disabling an IP pool only prevents new IP address allocations; it does not affect the networking of existing pods. Export the pool, set disabled: true in the exported YAML, and apply it again.
[root@master net.d]# calicoctl get ippool default-ipv4-ippool -o yaml --export > default-ipv4-ippool.yaml
[root@master net.d]# cat default-ipv4-ippool.yaml
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
creationTimestamp: null
name: default-ipv4-ippool
spec:
allowedUses:
- Workload
- Tunnel
blockSize: 26
cidr: 10.244.1.0/24
ipipMode: Never
natOutgoing: true
disabled: true
nodeSelector: all()
vxlanMode: Never
# apply, then check that DISABLED is true for the default IPPool
[root@master net.d]# calicoctl apply -f default-ipv4-ippool.yaml
Successfully applied 1 'IPPool' resource(s)
[root@master net.d]# calicoctl get ippool -o wide
NAME CIDR NAT IPIPMODE VXLANMODE DISABLED DISABLEBGPEXPORT SELECTOR
default-ipv4-ippool 10.244.1.0/24 true Never Never true false all()
new-22 10.244.22.0/24 true Never Never false false all()
3. Create a pod to verify the IPPool
Create a pod and verify that it receives an address in 10.244.22.0/24
[root@master net.d]# kubectl run nginx --image=nginx
[root@master net.d]# kubectl get pod nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx 1/1 Running 0 58s 10.244.22.128 node1.whale.com
4. Migrate the pods still in the old IPPool
For pods managed by a controller such as a Deployment or StatefulSet, simply delete the old pods and verify that the recreated pods land in the new range.
# all pods are still in 10.244.1.0/24
[root@master net.d]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
cni-test-777bbd57c8-dnprz 1/1 Running 0 10m 10.244.1.129 node1.whale.com
cni-test-777bbd57c8-kx6jx 1/1 Running 0 10m 10.244.1.1 node2.whale.com
cni-test-777bbd57c8-kxc2p 1/1 Running 0 10m 10.244.1.192 master.whale.com
cni-test-777bbd57c8-nr6hf 1/1 Running 0 10m 10.244.1.0 node2.whale.com
cni-test-777bbd57c8-t2f5b 1/1 Running 0 10m 10.244.1.128 node1.whale.com
# delete the pods so the controller recreates them
[root@master net.d]# kubectl get pod --no-headers | awk '{print $1}' | xargs kubectl delete pod
# verify that the recreated pods are in 10.244.22.0/24
# at this point the IPPool migration is complete
[root@master net.d]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
cni-test-777bbd57c8-2q55d 1/1 Running 0 51s 10.244.22.0 node2.whale.com
cni-test-777bbd57c8-fw94d 1/1 Running 0 51s 10.244.22.192 master.whale.com
cni-test-777bbd57c8-hl5lk 1/1 Running 0 51s 10.244.22.130 node1.whale.com
cni-test-777bbd57c8-ppfph 1/1 Running 0 51s 10.244.22.129 node1.whale.com
cni-test-777bbd57c8-tk6wg 1/1 Running 0 51s 10.244.22.1 node2.whale.com
5. Delete the old IPPool
Now that you have verified that pods are receiving IPs from the new range, you can safely delete the old pool.
[root@master net.d]# calicoctl delete ippool default-ipv4-ippool
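As an added example that is not part of the original article, this Python script encodes the pre-flight checks behind the migration steps above and the static-IP section earlier: the new pool must sit inside the cluster CIDR and not overlap existing pools, its blockSize must not be larger than the pool prefix, a static IP requested through the cni.projectcalico.org/ipAddrs annotation must fall inside an enabled pool, and the old pool is only safe to delete once it is disabled and no running pod still holds an address from it. The pool specs and pod IPs are constructed dictionaries mirroring the YAML and tables above, not data read from a live datastore.

```python
import ipaddress

# Constructed pool specs mirroring the YAML in this article
# (assumption: not read from a live Calico datastore).
CLUSTER_CIDR = ipaddress.ip_network("10.244.0.0/16")

OLD_POOL = {"name": "default-ipv4-ippool", "cidr": "10.244.1.0/24",
            "blockSize": 26, "disabled": False}
NEW_POOL = {"name": "new-22", "cidr": "10.244.22.0/24",
            "blockSize": 26, "disabled": False}

# Pod IPs as they appear before the pods are recreated (constructed sample).
POD_IPS_BEFORE = {
    "cni-test-777bbd57c8-dnprz": "10.244.1.129",
    "cni-test-777bbd57c8-kx6jx": "10.244.1.1",
    "cni-test-777bbd57c8-nr6hf": "10.244.1.0",
}


def validate_new_pool(new, existing, cluster_cidr):
    """Checks to run before `calicoctl apply` of a new pool: inside the cluster
    CIDR, no overlap with existing pools, blockSize not larger than the pool."""
    cidr = ipaddress.ip_network(new["cidr"])
    problems = []
    if not cidr.subnet_of(cluster_cidr):
        problems.append(f"{new['name']}: {cidr} lies outside cluster CIDR "
                        f"{cluster_cidr} (traffic may be NATed unexpectedly)")
    for p in existing:
        if cidr.overlaps(ipaddress.ip_network(p["cidr"])):
            problems.append(f"{new['name']}: {cidr} overlaps {p['name']} ({p['cidr']})")
    # A pool must be at least one allocation block in size.
    if new.get("blockSize", 26) < cidr.prefixlen:
        problems.append(f"{new['name']}: blockSize /{new['blockSize']} is larger "
                        f"than the pool /{cidr.prefixlen}")
    return problems


def pods_still_in_pool(pool, pod_ips):
    """Names of pods whose IP came from `pool`; non-empty means it is not yet
    safe to delete the pool (those pods must be recreated first)."""
    cidr = ipaddress.ip_network(pool["cidr"])
    return sorted(name for name, ip in pod_ips.items()
                  if ipaddress.ip_address(ip) in cidr)


def safe_to_delete(pool, pod_ips):
    """Step 5 precondition: the pool is disabled and no running pod uses it."""
    return bool(pool["disabled"]) and not pods_still_in_pool(pool, pod_ips)


def static_ip_allowed(ip, pools):
    """A cni.projectcalico.org/ipAddrs request must be inside an enabled pool."""
    addr = ipaddress.ip_address(ip)
    for p in pools:
        if addr in ipaddress.ip_network(p["cidr"]):
            return not p["disabled"]
    return False


if __name__ == "__main__":
    for problem in validate_new_pool(NEW_POOL, [OLD_POOL], CLUSTER_CIDR):
        print("new pool:", problem)
    blocking = pods_still_in_pool(OLD_POOL, POD_IPS_BEFORE)
    print("pods still in old pool:", blocking)
    print("safe to delete old pool:", safe_to_delete(dict(OLD_POOL, disabled=True), POD_IPS_BEFORE))
    print("static 10.244.22.5 allowed:", static_ip_allowed("10.244.22.5", [OLD_POOL, NEW_POOL]))
```

Run against the pre-migration state, the script reports the three pods still holding 10.244.1.x addresses and refuses the delete; once those pods have been recreated and the old pool is disabled, it returns safe, matching the order of steps 2 to 5 above.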