Building a More Secure and Reliable Cluster with Calico K8s

1. Overview

Calico K8s is a lightweight network policy engine. It provides efficient, scalable network connectivity for Kubernetes environments, improves cluster security, and takes care of details such as the MTU.

2. Integrating Calico K8s

To integrate Calico K8s into a Kubernetes environment, complete the following steps:

1. Deploy an etcd cluster


```yaml
apiVersion: v1
kind: Service
metadata:
  name: etcd-svc
  labels:
    app: etcd
spec:
  type: ClusterIP
  clusterIP: None          # headless: each pod gets a stable DNS name <pod>.etcd-svc
  ports:
  - name: client
    port: 2379
    targetPort: 2379
  - name: peer
    port: 2380
    targetPort: 2380
  selector:
    app: etcd
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: etcd
spec:
  selector:
    matchLabels:
      app: etcd
  serviceName: etcd-svc
  replicas: 3
  template:
    metadata:
      labels:
        app: etcd
    spec:
      containers:
      - name: etcd
        image: quay.io/coreos/etcd:v3.2.13
        env:
        # $(VAR) references in args are only expanded for variables declared here,
        # so HOSTNAME must be set explicitly from the pod name (etcd-0, etcd-1, etcd-2).
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        command:
        - /usr/local/bin/etcd
        args:
        - --name=$(HOSTNAME)
        # The headless Service above is named etcd-svc, so pod DNS names are <pod>.etcd-svc.
        # Client and peer traffic is plain HTTP here: the Calico datastore holds every policy,
        # so restrict who can reach port 2379 (or enable TLS) before using this in production.
        - --advertise-client-urls=http://$(HOSTNAME).etcd-svc:2379
        - --listen-client-urls=http://0.0.0.0:2379
        - --initial-advertise-peer-urls=http://$(HOSTNAME).etcd-svc:2380
        - --listen-peer-urls=http://0.0.0.0:2380
        # Without --initial-cluster the three replicas would each come up as an
        # independent single-node etcd instead of one 3-member cluster.
        - --initial-cluster=etcd-0=http://etcd-0.etcd-svc:2380,etcd-1=http://etcd-1.etcd-svc:2380,etcd-2=http://etcd-2.etcd-svc:2380
        - --initial-cluster-state=new
        - --data-dir=/var/lib/etcd/
        ports:
        - containerPort: 2379
          name: client
        - containerPort: 2380
          name: peer
        volumeMounts:
        - name: data
          mountPath: /var/lib/etcd
  # Persist the data directory; with no volume, every restart would wipe the datastore.
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 1Gi
```

2. Deploy Calico K8s


```yaml
# Note: this manifest deploys Typha and kube-controllers only. The calico-node DaemonSet
# (Felix and the CNI plugin), which programs routes and enforces policy on every node,
# is not part of it and has to be deployed separately.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system        # must match the namespace in the ClusterRoleBinding below
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: calico-kube-controllers
rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - nodes
      - endpoints
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - services
      - endpoints
      - nodes
    verbs:
      - create
      - update
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
- kind: ServiceAccount
  name: calico-kube-controllers
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  veth_mtu: "1440"
  typha_service_name: "calico-typha"
  # Endpoints of the etcd cluster deployed in step 1 (headless Service etcd-svc).
  etcd_endpoints: "http://etcd-0.etcd-svc:2379,http://etcd-1.etcd-svc:2379,http://etcd-2.etcd-svc:2379"
  # The two keys below are kept from the original but are not read by the standard
  # Calico components. Note that the last rule matches any source and any destination,
  # so as written this rule set amounts to allow-all.
  disable_policy: "false"
  policy: |-
    {"rules": [
      {"src": {"selector": "calico/k8s_ns == 'default'"}, "action": {"allow": {}}},
      {"src": {"selector": "calico/k8s_ns == 'kube-system'"}, "action": {"allow": {}}},
      {"src": {}, "dst": {}, "action": {"allow": {}}}
    ]}
---
# Service referenced by typha_service_name; Felix connects to Typha through it on 5473.
apiVersion: v1
kind: Service
metadata:
  name: calico-typha
  namespace: kube-system
  labels:
    k8s-app: calico-typha
spec:
  ports:
  - port: 5473
    protocol: TCP
    targetPort: calico-typha
    name: calico-typha
  selector:
    k8s-app: calico-typha
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-typha
  namespace: kube-system
spec:
  replicas: 3
  selector:
    matchLabels:
      k8s-app: calico-typha
  template:
    metadata:
      labels:
        k8s-app: calico-typha
    spec:
      serviceAccountName: calico-kube-controllers   # "serviceAccount" is the deprecated alias
      containers:
      - name: calico-typha
        image: quay.io/calico/typha:v3.10.1
        env:
        - name: TYPHA_LOGSEVERITYSYS
          value: "info"
        # Typha is configured through TYPHA_* environment variables;
        # CALICO_TYPHA_CONFIG is not one of them.
        - name: TYPHA_DATASTORETYPE
          value: "etcdv3"
        - name: TYPHA_ETCDENDPOINTS
          valueFrom:
            configMapKeyRef:
              name: calico-config
              key: etcd_endpoints
        - name: TYPHA_HEALTHENABLED
          value: "true"
        ports:
        - name: calico-typha
          containerPort: 5473
          protocol: TCP
        # Use Typha's own health endpoint; nothing ever created the /tmp/health file
        # that the original probe tested for.
        livenessProbe:
          httpGet:
            path: /liveness
            port: 9098
            host: localhost
          periodSeconds: 30
        readinessProbe:
          httpGet:
            path: /readiness
            port: 9098
            host: localhost
          periodSeconds: 10
        volumeMounts:
        - name: typha-certs
          mountPath: /typha-certs
          readOnly: true
      volumes:
        - name: typha-certs
          secret:
            secretName: etcd-certs
            optional: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: calico-kube-controllers
  template:
    metadata:
      labels:
        k8s-app: calico-kube-controllers
    spec:
      serviceAccountName: calico-kube-controllers
      containers:
      - name: calico-kube-controllers
        image: quay.io/calico/kube-controllers:v3.10.1
        env:
        - name: ENABLED_CONTROLLERS
          value: "policy,namespace,serviceaccount,workloadendpoint,node"
        - name: DATASTORE_TYPE
          value: "etcdv3"
        - name: ETCD_ENDPOINTS
          valueFrom:
            configMapKeyRef:
              name: calico-config
              key: etcd_endpoints
        - name: CALICO_DISABLE_FILE_LOGGING
          value: "true"
        # Kept from the original: CALICO_IPV4POOL_CIDR is read by calico-node and
        # TYPHA_SERVICE_NAME by Felix; kube-controllers ignores both.
        - name: TYPHA_SERVICE_NAME
          value: "calico-typha.kube-system.svc.cluster.local"
        - name: CALICO_IPV4POOL_CIDR
          value: "10.0.0.0/16"
        - name: CALICO_METRICS_PORT
          value: "9094"
        - name: CLUSTER_NAME
          value: "cluster.local"
        # KUBECONFIG was dropped: it pointed at a volume that was never mounted and a
        # Secret (calico-kubeconfig) that is not defined; the controller uses the
        # in-cluster ServiceAccount token instead. The writable /var/run/nodeagent
        # hostPath was dropped too: it belongs to calico-node, not to this Deployment.
        volumeMounts:
        - name: etcd-certs
          mountPath: /calico-secrets
          readOnly: true
      volumes:
      - name: etcd-certs
        secret:
          secretName: etcd-certs
          optional: true   # etcd in step 1 speaks plain HTTP, so this Secret may not exist
```

3. Features of Calico K8s

1. Network connectivity

Calico K8s provides efficient, scalable networking for a Kubernetes cluster, ensuring efficient communication between nodes and containers while handling complex network topologies.

2. Security

Calico K8s improves the security of a Kubernetes cluster by applying fine-grained control and policy management to network traffic, protecting containers and the cluster from network attacks.
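As an added example (not from the original page), this is what the fine-grained control looks like in practice: a default-deny ingress policy for a namespace, plus a single rule that lets only the frontend pods reach the API pods on TCP 8080. Calico enforces standard Kubernetes NetworkPolicy objects like these once calico-node is running; the namespace name `shop` and the `app` labels are assumed.

```yaml
# Default-deny: every pod in the "shop" namespace (assumed name) rejects all
# inbound traffic unless another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}          # empty selector selects every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules listed, so nothing is allowed in
---
# Allow-list: only pods labelled app=frontend may open TCP 8080 on app=api pods.
# Any other source (other namespaces, other apps, external clients) stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:         # same-namespace pods carrying app=frontend
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

If you extend the deny rule to `Egress` as well, add a matching egress rule for the frontend pods and one that permits DNS (UDP/TCP 53) to kube-dns, or name resolution inside the namespace stops working.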

3. MTU

Calico K8s provides low-latency, high-bandwidth networking for a Kubernetes cluster and helps with details such as the MTU (set through `veth_mtu` in the calico-config ConfigMap above).

4. Conclusion

Calico K8s is a lightweight network policy engine that provides efficient, scalable networking across complex network topologies, improves cluster security, and takes care of details such as the MTU. This makes it a good choice for building a more secure and reliable cluster in a Kubernetes environment.