I. Principles
1. Containers on the same host talk to each other directly over the host bridge.
2. Containers in the same rack reach each other only through the TOR switch.
3. Containers in different racks reach each other through the core switch.
II. Network topology
This is a three-tier interconnected model:
- Hosts and the TOR switch are in the same AS and peer over IBGP in route-reflector mode.
- The TOR and the core switch are in different ASes and peer over EBGP. To keep the TOR switch from learning every route (which would degrade its performance), an outbound-only filter is configured: routes go out to the nodes, but nothing beyond the Calico pools is accepted back in.
III. Actual configuration
The TOR is a Cisco N5K.
feature bgp
! Prevent non-Calico prefixes from being advertised to the Calico nodes
ip prefix-list calico seq 5 permit 10.254.0.0/16 le 32
ip prefix-list calico seq 6 permit 10.253.0.0/16 le 32
ip prefix-list calico seq 10 deny 0.0.0.0/0 le 32
router bgp 65000
  cluster-id 10.1.1.1
  address-family ipv4 unicast
    network 10.1.2.0/24
    network 192.168.2.0/24
    maximum-paths ibgp 16
  ! calico nodes
  neighbor 192.168.2.21 remote-as 65000
    update-source Vlan100
    address-family ipv4 unicast
      route-reflector-client
      prefix-list calico out
      advertisement-interval 5
  neighbor 192.168.2.22 remote-as 65000
    update-source Vlan100
    address-family ipv4 unicast
      route-reflector-client
      prefix-list calico out
  neighbor 192.168.2.23 remote-as 65000
    update-source Vlan100
    address-family ipv4 unicast
      route-reflector-client
      prefix-list calico out
  ! RR2
  neighbor 192.168.2.101 remote-as 65000
    update-source Vlan100
    address-family ipv4 unicast
      route-reflector-client
The TOR is configured as an RR (route reflector). To prevent loops, IBGP only synchronises routes one hop: a route learned from one IBGP peer is not re-advertised to other IBGP peers. Without a reflector, every node would therefore have to peer with every other node (node-to-node mesh), which consumes network resources, so the TOR is made a reflector that redistributes all the nodes' routes.
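The outbound prefix-list on the TOR is what keeps the nodes from receiving anything but the Calico pools. The following Python model of NX-OS prefix-list matching is an added example, not part of the original post; it parses the page's own three `calico` entries and evaluates a set of constructed candidate routes against them.

```python
# Added example (not from the page): models NX-OS prefix-list matching and runs
# the page's own 'calico' list over constructed candidate routes.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Outbound filter the TOR applies toward the Calico nodes (text from the page).
TOR_PREFIX_LIST = """
ip prefix-list calico seq 5 permit 10.254.0.0/16 le 32
ip prefix-list calico seq 6 permit 10.253.0.0/16 le 32
ip prefix-list calico seq 10 deny 0.0.0.0/0 le 32
"""

@dataclass
class PrefixEntry:
    seq: int
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None
    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if not route.subnet_of(self.prefix):   # leading bits must equal the entry
            return False
        # Route length must sit in the ge/le window; exact length if neither given.
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else (32 if self.ge is not None else lo)
        return lo <= route.prefixlen <= hi

def parse_prefix_list(config: str, name: str) -> List[PrefixEntry]:
    entries = []
    for tok in (line.split() for line in config.splitlines()):
        if tok[:4] != ["ip", "prefix-list", name, "seq"]:
            continue
        ge = le = None
        for key, val in zip(tok[7::2], tok[8::2]):   # optional "ge N" / "le N"
            if key == "ge": ge = int(val)
            if key == "le": le = int(val)
        entries.append(PrefixEntry(int(tok[4]), tok[5], ipaddress.ip_network(tok[6]), ge, le))
    return sorted(entries, key=lambda e: e.seq)     # evaluated in seq order

def evaluate(entries: List[PrefixEntry], route: str) -> str:
    net = ipaddress.ip_network(route)
    for entry in entries:             # first matching entry decides
        if entry.matches(net):
            return entry.action
    return "deny"                     # implicit deny at the end of every list

if __name__ == "__main__":
    calico = parse_prefix_list(TOR_PREFIX_LIST, "calico")
    # Constructed candidates: pod blocks, the TOR's own networks, a default route.
    for r in ["10.253.12.64/26", "10.254.0.0/16", "10.1.2.0/24", "192.168.2.0/24", "0.0.0.0/0"]:
        print(f"{r:>16} -> {evaluate(calico, r)}")
```

Only the two pool prefixes (and any more-specific block inside them) come out as permit; the TOR's own networks and a default route are stopped by the final deny.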
IV. k8s calico node configuration
1. Install the calico k8s DaemonSet (omitted).
CALICO_IPV4POOL_CIDR: the Calico IPAM address pool; Pod IP addresses are allocated from this pool.
Set CALICO_IPV4POOL_IPIP="off": when IPIP mode is not wanted, set it to "off" and BGP mode is used instead.
2. Configure calico
# Disable node-to-node mesh and set the AS number
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: false
  asNumber: 65000
Configure the BGPPeer
# peerIP is the TOR switch address; see the calicoctl resource definition for more options
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: test-rr
spec:
  peerIP: 10.16.33.253
  asNumber: 65000
Disable calico natOutgoing and use CrossSubnet mode
After the calico service is running there is by default one IPv4 pool, 192.168.0.0/16, and one 64-bit IPv6 pool; later network allocation draws from these pools. NAT: whether addresses obtained by containers can be NATed out of the host. IPIP: IPIP is a compromise overlay mechanism for when the host network does not fully support BGP; it creates a "tunl0" virtual interface on the host. When set to false, routing is pure BGP mode; in theory IPIP mode has lower transmission performance than pure BGP. When set to true, there are two variants: ipip Always mode (pure IPIP) and ipip CrossSubnet mode (a mixed IPIP/BGP mode), where the latter means "routes within the same subnet use BGP, routes across subnets use IPIP".
[root@calico-node1 ~]# calicoctl get ipPool -o wide
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  cidr: 10.253.0.0/16
  ipipMode: CrossSubnet
  natOutgoing: false
  nodeSelector: all()
Check the node status
[root@k8s ~]# calicoctl node status
Calico process is running.

IPv4 BGP status
+--------------+-----------+-------+----------+-------------+
| PEER ADDRESS | PEER TYPE | STATE |  SINCE   |    INFO     |
+--------------+-----------+-------+----------+-------------+
| 10.16.33.253 | global    | up    | 02:10:45 | Established |
+--------------+-----------+-------+----------+-------------+
Check the node's routing table to confirm the reflector has taken effect
[root@k8s ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.16.33.254    0.0.0.0         UG    0      0        0 em1
10.16.33.0      0.0.0.0         255.255.255.0   U     100    0        0 em1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.29.64   0.0.0.0         255.255.255.192 U     0      0        0 *
192.168.29.65   0.0.0.0         255.255.255.255 UH    0      0        0 cali61f72b0d182
192.168.29.66   0.0.0.0         255.255.255.255 UH    0      0        0 cali821736526fc
192.168.43.0    10.16.33.3      255.255.255.192 UG    0      0        0 tunl0
192.168.64.64   10.16.33.2      255.255.255.192 UG    0      0        0 tunl0
192.168.144.192 10.16.33.4      255.255.255.192 UG    0      0        0 tunl0
V. Exposing k8s Service addresses with calico
1. Set the service cluster IP range on the Kubernetes API server (default 10.0.0.0/24):
$ kube-apiserver --service-cluster-ip-range <service CIDR range>
2. Set the environment variable CALICO_ADVERTISE_CLUSTER_IPS in the calico-node DaemonSet.
kubectl patch ds -n kube-system calico-node --patch \
  '{"spec": {"template": {"spec": {"containers": [{"name": "calico-node", "env": [{"name": "CALICO_ADVERTISE_CLUSTER_IPS", "value": "10.224.0.0/16"}]}]}}}}'
3. Enable maximum-paths on the RR.
router bgp 65000
  cluster-id 10.1.1.1
  address-family ipv4 unicast
    network 10.1.2.0/24
    network 192.168.2.0/24
    maximum-paths ibgp 16
Core1# show ip route bgp-65000
10.254.0.0/16, ubest/mbest: 3/0
    *via 192.168.2.21, [200/0], 14:07:23, bgp-65000, internal, tag 65000
    *via 192.168.2.22, [200/0], 14:10:41, bgp-65000, internal, tag 65000
    *via 192.168.2.23, [200/0], 14:11:33, bgp-65000, internal, tag 65000