Cilium 官方文档翻译(8) IPAM CRD backed模式

已于 2022-11-20 03:54:09 修改
阅读量407 收藏
点赞数
CC 4.0 BY-SA版权
分类专栏: 基于eBPF的高性能容器网络Cilium 文章标签: kubernetes 云原生 网络
于 2022-11-20 03:53:32 首次发布
原文链接:https://docs.cilium.io/en/stable/concepts/networking/ipam/crd/

CRD-Backed

cilium 的CRD-Backed 模式IPAM通过kubernetes自定义资源CRD提供了一种扩展IP地址管理的接口。它允许每个节点可配置并将IPAM委托给外部operator。

架构

image.png

启动该模式后,cilium agent运行时会监听与节点同名的ciliumnodes.cilium.io自定义对象。
当自定义资源更新时,每个节点的可用IP地址池会通过spec.ipam.available数据域列出。当从池中删除一个已分配的IP时,这个已经分配的IP会继续被pod使用不会立即被回收,但是无法再被重用。
在IP地址池申请分配了一个IP地址时,已分配的IP地址会被纪录在status.ipam.inuse数据域。

节点状态更新最多每15秒运行一次。因此,如果同时调度多个POD,状态部分的更新可能会滞后

配置

cilium IPAM的CRD-Backed 模式可以通过cilium-configConfigMap 中设置ipam: crd或者通过helm 选项--ipam=crd开启。启用CRD-Backed 模式后,agent将等待与Kubernetes节点名称匹配的CiliumNode自定义资源变为可用,其中至少有一个IP地址列为可用。启用连接健康检查时,必须至少有两个IP地址可用。
agent 在等待时会打印以下日志

Waiting for initial IP to become available in '<node-name>' custom resource

Enable CRD IPAM mode

  1. 在kubernetes中安装cilium
  2. 使用--ipam=crd选项运行Cilium,或在Cilium配置ConfigMap中设置ipam: crd
  3. 重启cilium,cilium将自动注册CRD(如果还不可用)。
msg="Waiting for initial IP to become available in 'k8s1' custom resource" subsys=ipam
  1. 验证CRD是否已注册:
$ kubectl get crds
NAME                              CREATED AT
[...]
ciliumnodes.cilium.io             2019-06-08T12:26:41Z

Create a CiliumNode CR

  1. 导入以下自定义资源,使cilium agent有可用IP。
apiVersion: "cilium.io/v2"
kind: CiliumNode
metadata:
  name: "k8s1"
spec:
  ipam:
    pool:
      192.168.1.1: {}
      192.168.1.2: {}
      192.168.1.3: {}
      192.168.1.4: {}
  1. 验证cilium agent是否正确启动
$ cilium status --all-addresses
KVStore:                Ok   etcd: 1/1 connected, has-quorum=true: https://192.168.60.11:2379 - 3.3.12 (Leader)
[...]
IPAM:                   IPv4: 2/4 allocated,
Allocated addresses:
  192.168.1.1 (router)
  192.168.1.3 (health)
  1. 验证status.IPAM.used部分:
$ kubectl get cn k8s1 -o yaml
apiVersion: cilium.io/v2
kind: CiliumNode
metadata:
  name: k8s1
  [...]
spec:
  ipam:
    pool:
      192.168.1.1: {}
      192.168.1.2: {}
      192.168.1.3: {}
      192.168.1.4: {}
status:
  ipam:
    used:
      192.168.1.1:
        owner: router
      192.168.1.3:
        owner: health

目前地址池只允许使用单个IP地址。不支持CIDR。

权限

为了使自定义资源正常工作,需要以下附加权限。使用标准Cilium制品部署时,会自动授予这些权限:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium
rules:
- apiGroups:
  - cilium.io
  resources:
  - ciliumnodes
  - ciliumnodes/status
  verbs:
  - '*'

CRD 定义

CilumNode自定义资源以标准Kubernetes资源为模型,并分为specstatus部分:

type CiliumNode struct {
        [...]

        // Spec is the specification of the node
        Spec NodeSpec `json:"spec"`

        // Status it the status of the node
        Status NodeStatus `json:"status"`
}

IPAM 规范

spec部分嵌入了一个IPAM特定字段,该字段允许定义节点可用于分配的所有IP的列表:

// AllocationMap is a map of allocated IPs indexed by IP
type AllocationMap map[string]AllocationIP

// NodeSpec is the configuration specific to a node
type NodeSpec struct {
        // [...]

        // IPAM is the address management specification. This section can be
        // populated by a user or it can be automatically populated by an IPAM
        // operator
        //
        // +optional
        IPAM IPAMSpec `json:"ipam,omitempty"`
}

// IPAMSpec is the IPAM specification of the node
type IPAMSpec struct {
        // Pool is the list of IPs available to the node for allocation. When
        // an IP is used, the IP will remain on this list but will be added to
        // Status.IPAM.InUse
        //
        // +optional
        Pool AllocationMap `json:"pool,omitempty"`
}

// AllocationIP is an IP available for allocation or already allocated
type AllocationIP struct {
        // Owner is the owner of the IP, this field is set if the IP has been
        // allocated. It will be set to the pod name or another identifier
        // representing the usage of the IP
        //
        // The owner field is left blank for an entry in Spec.IPAM.Pool
        // and filled out as the IP is used and also added to
        // Status.IPAM.InUse.
        //
        // +optional
        Owner string `json:"owner,omitempty"`

        // Resource is set for both available and allocated IPs, it represents
        // what resource the IP is associated with, e.g. in combination with
        // AWS ENI, this will refer to the ID of the ENI
        //
        // +optional
        Resource string `json:"resource,omitempty"`
}

IPAM 状态

status部分包含IPAM特定字段。IPAM状态报告该节点正在使用的所有地址:

// NodeStatus is the status of a node
type NodeStatus struct {
        // [...]

        // IPAM is the IPAM status of the node
        //
        // +optional
        IPAM IPAMStatus `json:"ipam,omitempty"`
}

// IPAMStatus is the IPAM status of a node
type IPAMStatus struct {
        // InUse lists all IPs out of Spec.IPAM.Pool which have been
        // allocated and are in use.
        //
        // +optional
        InUse AllocationMap `json:"used,omitempty"`
}
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值