I. Overview
Calico K8s is a lightweight network policy engine that provides efficient, scalable network connectivity for Kubernetes environments, improves cluster security, and takes care of details such as the MTU.
II. Integrating Calico K8s
To integrate Calico K8s into a Kubernetes environment, complete the following steps:
1. Deploy an etcd cluster

apiVersion: v1
kind: Service
metadata:
  name: etcd-svc
  namespace: kube-system
  labels:
    app: etcd
spec:
  # Headless service: gives each StatefulSet pod a stable DNS name
  # (etcd-0.etcd-svc, etcd-1.etcd-svc, etcd-2.etcd-svc).
  type: ClusterIP
  clusterIP: None
  ports:
  - name: client
    port: 2379
    targetPort: 2379
  - name: peer
    port: 2380
    targetPort: 2380
  selector:
    app: etcd
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: etcd
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: etcd
  serviceName: etcd-svc
  replicas: 3
  template:
    metadata:
      labels:
        app: etcd
    spec:
      containers:
      - name: etcd
        image: quay.io/coreos/etcd:v3.2.13
        env:
        # $(HOSTNAME) is only expanded in args when it is declared as an env var.
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        command:
        - /usr/local/bin/etcd
        # NOTE: plain HTTP with no client authentication. Anyone who can reach
        # port 2379 can read or rewrite the whole Calico datastore, so enable TLS
        # (--cert-file, --key-file, --trusted-ca-file, --client-cert-auth)
        # anywhere other than a throwaway lab.
        args:
        - --name=$(HOSTNAME)
        - --advertise-client-urls=http://$(HOSTNAME).etcd-svc:2379
        - --listen-client-urls=http://0.0.0.0:2379
        - --initial-advertise-peer-urls=http://$(HOSTNAME).etcd-svc:2380
        - --listen-peer-urls=http://0.0.0.0:2380
        # Three members must know about each other, otherwise each pod starts
        # as its own single-node cluster.
        - --initial-cluster=etcd-0=http://etcd-0.etcd-svc:2380,etcd-1=http://etcd-1.etcd-svc:2380,etcd-2=http://etcd-2.etcd-svc:2380
        - --initial-cluster-state=new
        - --data-dir=/var/lib/etcd/
        ports:
        - containerPort: 2379
          name: client
        - containerPort: 2380
          name: peer
2. Deploy Calico K8s

apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  # Must match the namespace referenced by the ClusterRoleBinding below.
  namespace: kube-system
---
kind: ClusterRole
# rbac.authorization.k8s.io/v1beta1 has been removed from current Kubernetes; use v1.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
rules:
- apiGroups: [""]
  resources:
  - namespaces
  - nodes
  - endpoints
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups: [""]
  resources:
  - services
  - endpoints
  - nodes
  verbs:
  - create
  - update
- apiGroups: ["extensions", "networking.k8s.io"]
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
- kind: ServiceAccount
  name: calico-kube-controllers
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  veth_mtu: "1440"
  disable_policy: "false"
  policy: |-
    {"rules": [
      {"src": {"selector": "calico/k8s_ns == 'default'"}, "action": {"allow": {}}},
      {"src": {"selector": "calico/k8s_ns == 'kube-system'"}, "action": {"allow": {}}},
      {"src": {}, "dst": {}, "action": {"allow": {}}}
    ]}
  typha_service_name: "calico-typha"
---
# Service in front of Typha. Its name must match typha_service_name above and
# the TYPHA_SERVICE_NAME address given to kube-controllers below.
apiVersion: v1
kind: Service
metadata:
  name: calico-typha
  namespace: kube-system
  labels:
    k8s-app: calico-typha
spec:
  ports:
  - name: calico-typha
    port: 5473
    targetPort: calico-typha
    protocol: TCP
  selector:
    k8s-app: calico-typha
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-typha
  namespace: kube-system
spec:
  replicas: 3
  selector:
    matchLabels:
      k8s-app: calico-typha
  template:
    metadata:
      labels:
        k8s-app: calico-typha
    spec:
      serviceAccountName: calico-kube-controllers
      containers:
      - name: calico-typha
        image: quay.io/calico/typha:v3.10.1
        env:
        - name: TYPHA_LOGSEVERITYSYS
          value: "info"
        - name: K8S_API_ENDPOINT
          value: "https://kubernetes.default.svc"
        # Typha takes its datastore settings from TYPHA_* environment variables;
        # these point at the etcd StatefulSet deployed in step 1.
        - name: TYPHA_DATASTORETYPE
          value: "etcdv3"
        - name: TYPHA_ETCDENDPOINTS
          value: "http://etcd-0.etcd-svc.kube-system.svc:2379,http://etcd-1.etcd-svc.kube-system.svc:2379,http://etcd-2.etcd-svc.kube-system.svc:2379"
        # Enables the health endpoint on port 9098 used by the probe below.
        - name: TYPHA_HEALTHENABLED
          value: "true"
        ports:
        - name: calico-typha
          containerPort: 5473
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /readiness
            port: 9098
            host: localhost
          periodSeconds: 10
        volumeMounts:
        - name: typha-certs
          mountPath: /typha-certs
          readOnly: true
      volumes:
      - name: typha-certs
        secret:
          secretName: etcd-certs
          optional: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: calico-kube-controllers
  template:
    metadata:
      labels:
        k8s-app: calico-kube-controllers
    spec:
      serviceAccountName: calico-kube-controllers
      containers:
      - name: calico-kube-controllers
        image: quay.io/calico/kube-controllers:v3.10.1
        env:
        # kube-controllers reaches the etcd datastore directly.
        - name: DATASTORE_TYPE
          value: "etcdv3"
        - name: ETCD_ENDPOINTS
          value: "http://etcd-0.etcd-svc.kube-system.svc:2379,http://etcd-1.etcd-svc.kube-system.svc:2379,http://etcd-2.etcd-svc.kube-system.svc:2379"
        - name: TYPHA_SERVICE_NAME
          value: "calico-typha.kube-system.svc.cluster.local"
        - name: CALICO_DISABLE_FILE_LOGGING
          value: "true"
        - name: CALICO_IPV4POOL_CIDR
          value: "10.0.0.0/16"
        - name: KUBECONFIG
          value: "/kubeconfig/kubeconfig"
        - name: CALICO_METRICS_PORT
          value: "9094"
        - name: CLUSTER_NAME
          value: "cluster.local"
        volumeMounts:
        - name: etcd-certs
          mountPath: /calico-secrets
          readOnly: true
        - name: policysync
          mountPath: /var/run/nodeagent
        # KUBECONFIG above points into this mount; the volume was declared but
        # never mounted in the original manifest.
        - name: kubeconfig
          mountPath: /kubeconfig
          readOnly: true
      volumes:
      - name: etcd-certs
        secret:
          secretName: etcd-certs
      - name: policysync
        hostPath:
          path: /var/run/nodeagent
      - name: kubeconfig
        secret:
          secretName: calico-kubeconfig
III. Features of Calico K8s
1. Network connectivity
Calico K8s provides efficient, scalable network connectivity for a Kubernetes cluster, ensuring efficient communication between nodes and containers while handling complex network topologies.
2. Security
Calico K8s improves the security of a Kubernetes cluster by applying fine-grained control and policy management to network traffic, protecting containers and the cluster from network attacks.
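The fine-grained control described above is expressed with Kubernetes NetworkPolicy objects, the networking.k8s.io resources the ClusterRole in Part II grants access to. The following is an added example, not from the original page: a default-deny ingress policy for the default namespace, followed by one allow rule. The namespace, the pod labels app=web and app=frontend, port 8080 and the kubernetes.io/metadata.name namespace label (set automatically on Kubernetes 1.21 and later) are assumptions.

```yaml
# Added example. Policies are additive: the first object drops all inbound
# traffic to every pod in the namespace, the second re-opens one path.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}        # empty selector = every pod in the namespace
  policyTypes:
  - Ingress              # no ingress rules listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-web
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web           # assumed label on the protected pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Same-namespace pods labelled app=frontend ...
    - podSelector:
        matchLabels:
          app: frontend
    # ... or any pod in kube-system (two separate list items = OR).
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: TCP
      port: 8080         # assumed service port; other ports stay denied
```

After applying both objects, a pod in default that is not labelled app=web accepts no inbound connections at all, and app=web pods accept TCP/8080 only from the two listed sources.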
3. MTU
Calico K8s provides low-latency, high-bandwidth network connectivity for a Kubernetes cluster and supports handling details such as the MTU.
IV. Conclusion
Calico K8s is a lightweight network policy engine that provides efficient, scalable network connectivity across complex network topologies, improves cluster security, and takes care of details such as the MTU. It is therefore an ideal choice for building more secure and reliable clusters in Kubernetes environments.