I. Overview
Calico K8s is a lightweight network policy engine that provides efficient, scalable network connectivity for Kubernetes environments while improving cluster security and taking care of details such as the MTU.
II. Integrating Calico K8s
To integrate Calico K8s into a Kubernetes environment, complete the following steps:
1. Deploy the etcd cluster
apiVersion: v1
kind: Service
metadata:
  name: etcd-svc
  labels:
    app: etcd
spec:
  type: ClusterIP
  clusterIP: None          # headless: each pod gets a stable DNS name <pod>.etcd-svc
  ports:
  - name: client
    port: 2379
    targetPort: 2379
  - name: peer
    port: 2380
    targetPort: 2380
  selector:
    app: etcd
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: etcd
spec:
  selector:
    matchLabels:
      app: etcd
  serviceName: etcd-svc
  replicas: 3
  template:
    metadata:
      labels:
        app: etcd
    spec:
      containers:
      - name: etcd
        image: quay.io/coreos/etcd:v3.2.13
        env:
        # $(HOSTNAME) in args is only expanded for variables declared here,
        # so take the pod name from the downward API.
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        command:
        - /usr/local/bin/etcd
        # Plain HTTP with no client authentication: acceptable for a lab only.
        # Production should enable TLS and back --data-dir with a persistent volume.
        args:
        - --name=$(HOSTNAME)
        # Pod DNS names are derived from the headless service "etcd-svc", not "etcd".
        - --advertise-client-urls=http://$(HOSTNAME).etcd-svc:2379
        - --listen-client-urls=http://0.0.0.0:2379
        - --listen-peer-urls=http://0.0.0.0:2380
        - --initial-advertise-peer-urls=http://$(HOSTNAME).etcd-svc:2380
        # Without --initial-cluster each replica would start as its own single-member cluster.
        - --initial-cluster=etcd-0=http://etcd-0.etcd-svc:2380,etcd-1=http://etcd-1.etcd-svc:2380,etcd-2=http://etcd-2.etcd-svc:2380
        - --initial-cluster-state=new
        - --data-dir=/var/lib/etcd/
        ports:
        - containerPort: 2379
          name: client
        - containerPort: 2380
          name: peer
2. Deploy Calico K8s
# These manifests set up Typha and kube-controllers only. A working Calico
# installation also needs the calico-node DaemonSet and CNI configuration,
# which this article does not cover.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system     # must match the namespace used in the ClusterRoleBinding below
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: calico-kube-controllers
rules:
- apiGroups: [""]
  resources:
  - namespaces
  - nodes
  - endpoints
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups: [""]
  resources:
  - services
  - endpoints
  - nodes
  verbs:
  - create
  - update
- apiGroups: ["extensions", "networking.k8s.io"]
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
- kind: ServiceAccount
  name: calico-kube-controllers
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  veth_mtu: "1440"
  disable_policy: "false"
  policy: |-
    {"rules": [
      {"src": {"selector": "calico/k8s_ns == 'default'"}, "action": {"allow": {}}},
      {"src": {"selector": "calico/k8s_ns == 'kube-system'"}, "action": {"allow": {}}},
      {"src": {}, "dst": {}, "action": {"allow": {}}}
    ]}
  typha_service_name: "calico-typha"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-typha
  namespace: kube-system
spec:
  replicas: 3
  selector:
    matchLabels:
      k8s-app: calico-typha
  template:
    metadata:
      labels:
        k8s-app: calico-typha
    spec:
      serviceAccountName: calico-kube-controllers   # "serviceAccount" is the deprecated spelling
      containers:
      - name: calico-typha
        image: quay.io/calico/typha:v3.10.1
        env:
        - name: TYPHA_LOGSEVERITYSYS
          value: "info"
        - name: K8S_API_ENDPOINT
          value: "https://kubernetes.default.svc"
        # Typha reads its datastore settings from TYPHA_* environment variables;
        # there is no CALICO_TYPHA_CONFIG file format.
        - name: TYPHA_DATASTORETYPE
          value: "etcdv3"
        # etcd from step 1 lives in the default namespace, so use cluster-local FQDNs.
        - name: TYPHA_ETCDENDPOINTS
          value: "http://etcd-0.etcd-svc.default.svc.cluster.local:2379,http://etcd-1.etcd-svc.default.svc.cluster.local:2379,http://etcd-2.etcd-svc.default.svc.cluster.local:2379"
        - name: TYPHA_HEALTHENABLED
          value: "true"
        ports:
        - name: peers
          containerPort: 5473
          protocol: TCP
        # Typha exposes /readiness on its health port (9098, bound to localhost);
        # it never writes /tmp/health, so the original exec probe would always fail.
        readinessProbe:
          httpGet:
            path: /readiness
            port: 9098
            host: localhost
          periodSeconds: 10
        volumeMounts:
        - name: typha-certs
          mountPath: /typha-certs
          readOnly: true
      volumes:
      - name: typha-certs
        secret:
          secretName: etcd-certs
          optional: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: calico-kube-controllers
  template:
    metadata:
      labels:
        k8s-app: calico-kube-controllers
    spec:
      serviceAccountName: calico-kube-controllers
      containers:
      - name: calico-kube-controllers
        image: quay.io/calico/kube-controllers:v3.10.1
        env:
        # kube-controllers must be told which datastore to use; with etcdv3 it reads ETCD_ENDPOINTS.
        - name: DATASTORE_TYPE
          value: "etcdv3"
        - name: ETCD_ENDPOINTS
          value: "http://etcd-0.etcd-svc.default.svc.cluster.local:2379"
        - name: TYPHA_SERVICE_NAME
          value: "calico-typha.kube-system.svc.cluster.local"
        - name: CALICO_DISABLE_FILE_LOGGING
          value: "true"
        - name: CALICO_IPV4POOL_CIDR
          value: "10.0.0.0/16"
        - name: KUBECONFIG
          value: "/kubeconfig/kubeconfig"
        - name: CALICO_METRICS_PORT
          value: "9094"
        - name: CLUSTER_NAME
          value: "cluster.local"
        volumeMounts:
        - name: etcd-certs
          mountPath: /calico-secrets
          readOnly: true
        - name: policysync
          mountPath: /var/run/nodeagent
        # KUBECONFIG above points into this volume, which was never mounted.
        - name: kubeconfig
          mountPath: /kubeconfig
          readOnly: true
      volumes:
      - name: etcd-certs
        secret:
          secretName: etcd-certs
          optional: true     # etcd above runs without TLS, so the secret may not exist
      - name: policysync
        hostPath:
          path: /var/run/nodeagent
      # The calico-kubeconfig secret must be created beforehand; alternatively drop
      # KUBECONFIG and this volume to use the in-cluster service account token.
      - name: kubeconfig
        secret:
          secretName: calico-kubeconfig
III. Features of Calico K8s
1. Network connectivity
Calico K8s provides efficient, scalable network connectivity for a Kubernetes cluster, ensuring efficient communication between nodes and containers while handling complex network topologies.
2. Security
Calico K8s improves the security of a Kubernetes cluster by applying fine-grained control and policy management to network traffic, protecting containers and the cluster from network attacks.
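As an added example (not part of the original article), the intent sketched by the `policy` rules in the ConfigMap above, written as standard Kubernetes NetworkPolicy objects that Calico enforces: a default-deny for ingress in the default namespace, followed by an allow rule for traffic from pods in the default and kube-system namespaces. It assumes namespaces carry the automatic `kubernetes.io/metadata.name` label (Kubernetes 1.21 and later).

```yaml
# Added example, not from the original article. Both objects target the
# "default" namespace; Kubernetes policies are additive, so a pod selected by
# the deny policy accepts exactly the union of what other policies allow.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules are listed, so all ingress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-default-and-kube-system
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Assumes the automatic kubernetes.io/metadata.name namespace label exists.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: default
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
```

Apply with `kubectl apply -f` and confirm with `kubectl get networkpolicy -n default`; ingress to pods in default from any other namespace is then dropped by Calico.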
3. MTU
Calico K8s provides low-latency, high-bandwidth network connectivity for a Kubernetes cluster and offers support for handling details such as the MTU.
IV. Conclusion
Calico K8s is a lightweight network policy engine that provides efficient, scalable network connectivity, supports complex network topologies, improves cluster security and handles details such as the MTU. It is therefore an ideal choice for building a more secure and reliable cluster in a Kubernetes environment.
Original article by MUEHH. If you republish it, please credit the source: https://www.506064.com/zh-hant/n/368679.html