Calico network modes

  • BGP

The networking solution provided by the Calico project is almost identical to Flannel's host-gw mode: Calico also forwards container packets on the strength of the host routing table. The difference is in how the routes are maintained. Flannel uses the flanneld process to distribute routing information, whereas Calico uses the BGP protocol. A further difference from host-gw is that Calico does not create a bridge device such as docker0 or cni0 on the host: the host end of each container's veth pair sits directly on the host, and Calico adds routing rules so that the container IP is reachable through the host's routing table.

  • IPIP

IPIP mode is similar to Flannel's VXLAN mode in that it, too, encapsulates the packet.

Taken literally, it wraps one IP packet inside another IP packet, i.e. a tunnel that carries the IP layer inside the IP layer. Its role is roughly that of a bridge at the IP layer. An ordinary bridge works at the MAC layer and does not need IP at all, whereas IPIP builds a tunnel between the routers at both ends and connects two otherwise unreachable networks point to point.
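The mode a node actually runs in is visible in the routes Calico programs on the host through BIRD: with IPIP, routes to other nodes' pod blocks point at the tunl0 device; with VXLAN, at vxlan.calico; in plain BGP mode, at the physical interface with the peer node as next hop and no tunnel at all. Local pods appear as /32 routes to a cali* veth, with no bridge in the picture. The following is an added example, not code from this page or from the Calico project: it applies that rule to `ip route` output to classify each route and infer the effective encapsulation. The lines in SAMPLE_IP_ROUTE are constructed to resemble a node running IPIP CrossSubnet; the interface names and node addresses are invented.

```python
"""Classify Calico host routes to tell BGP, IPIP and VXLAN mode apart.

Added example (not Calico project code). Feed it the output of `ip route`
on a node; the sample below is constructed, not captured from a cluster.
"""
from collections import Counter

# Constructed sample: this node owns block 10.244.0.0/26, reaches one peer on
# the same subnet without encapsulation and one peer on another subnet via tunl0.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.11
blackhole 10.244.0.0/26 proto bird
10.244.0.5 dev cali3f7a8b1c2d4 scope link
10.244.0.6 dev cali9e0d2c4b6a8 scope link
10.244.1.0/26 via 192.168.1.12 dev eth0 proto bird
10.244.2.0/26 via 10.0.2.20 dev tunl0 proto bird onlink
"""


def classify_route(line: str):
    """Return (destination, kind) for one `ip route` line, or None if blank.

    kind is one of: local-block, local-workload, remote-ipip, remote-vxlan,
    remote-unencapsulated, other.
    """
    tokens = line.split()
    if not tokens:
        return None
    if tokens[0] == "blackhole":
        # Calico blackholes the node's own block so traffic to unassigned
        # addresses in it is dropped rather than following the default route.
        return tokens[1], "local-block"
    dst = tokens[0]
    dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
    has_via = "via" in tokens
    from_bird = "bird" in tokens
    if dev is None:
        return dst, "other"
    if dev.startswith("cali"):
        # One /32 per pod pointing at the host end of its veth pair: no bridge.
        return dst, "local-workload"
    if dev == "tunl0":
        return dst, "remote-ipip"
    if dev.startswith("vxlan.calico"):
        return dst, "remote-vxlan"
    if has_via and from_bird:
        # Next hop is the peer node itself on the underlying interface.
        return dst, "remote-unencapsulated"
    return dst, "other"


def classify_routes(ip_route_output: str):
    """Classify every non-empty line of `ip route` output."""
    results = []
    for line in ip_route_output.splitlines():
        classified = classify_route(line)
        if classified is not None:
            results.append(classified)
    return results


def summarize_encapsulation(ip_route_output: str) -> str:
    """Infer the pool's effective encapsulation from the remote-block routes."""
    kinds = Counter(kind for _, kind in classify_routes(ip_route_output))
    ipip = kinds["remote-ipip"]
    vxlan = kinds["remote-vxlan"]
    plain = kinds["remote-unencapsulated"]
    if ipip and vxlan:
        return "inconsistent (both IPIP and VXLAN routes present)"
    if ipip and plain:
        return "IPIP CrossSubnet"
    if vxlan and plain:
        return "VXLAN CrossSubnet"
    if ipip:
        return "IPIP"
    if vxlan:
        return "VXLAN"
    if plain:
        return "BGP (no encapsulation)"
    return "unknown (no remote pod-block routes found)"


if __name__ == "__main__":
    for dst, kind in classify_routes(SAMPLE_IP_ROUTE):
        print(f"{dst:20} {kind}")
    print("effective mode:", summarize_encapsulation(SAMPLE_IP_ROUTE))
```

Run it on a node with `ip route | python3 classify_routes.py`-style piping (reading stdin instead of the constant) after changing the pool's mode below: a pool switched to ipipMode Never should leave no tunl0 routes behind once calico-node has restarted.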

Install Calico

[root@master ~]# kubectl create -f https://docs.projectcalico.org/manifests/tigera-operator.yaml    # create, not apply: the CRD bundle is too large for apply's last-applied annotation
[root@master ~]# wget https://docs.projectcalico.org/manifests/custom-resources.yaml
[root@master ~]# vim custom-resources.yaml
# This section includes base Calico installation configuration.
# For more information, see: https://docs.projectcalico.org/v3.17/reference/installation/api#operator.tigera.io/v1.Installation
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  # Configures Calico networking.
  calicoNetwork:
    # Note: The ipPools section cannot be modified post-install.
    ipPools:
    - blockSize: 26
      cidr: 10.244.0.0/16      # change to the cluster's pod CIDR (the value given to kubeadm --pod-network-cidr)
      encapsulation: IPIP      # the upstream manifest ships VXLANCrossSubnet; IPIP is the default, so this line can also be deleted
      natOutgoing: Enabled
      nodeSelector: all()
[root@master ~]# kubectl apply -f custom-resources.yaml
[root@master ~]# kubectl get pods -n calico-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-546d44f5b7-6x746   1/1     Running   0          4m2s
calico-node-kh6cg                          1/1     Running   0          4m2s
calico-node-wl2hg                          1/1     Running   0          4m2s
calico-typha-6848b8fd67-7bpkm              1/1     Running   0          2m29s

Install calicoctl

Pin the calicoctl release to the installed Calico version (v3.17.1 here) and check the download before dropping it into a system path:

[root@master ~]# wget -O /usr/sbin/calicoctl https://github.com/projectcalico/calicoctl/releases/download/v3.17.1/calicoctl
[root@master ~]# chmod +x /usr/sbin/calicoctl
[root@master ~]# mkdir /etc/calico
[root@master ~]# vim /etc/calico/calicoctl.cfg    # use etcd as the datastore
apiVersion: projectcalico.org/v3
kind: CalicoAPIConfig
metadata:
spec:
  etcdEndpoints: https://127.0.0.1:2379
  etcdCACertFile: /etc/kubernetes/pki/etcd/ca.crt
  etcdCertFile: /etc/kubernetes/pki/etcd/client.crt
  etcdKeyFile: /etc/kubernetes/pki/etcd/client.key

With etcdEndpoints set, calicoctl talks to etcd directly and authenticates with the etcd CA and client certificate above, so that key file deserves the same protection as the rest of /etc/kubernetes/pki. Note that a Calico installation managed by the Tigera operator keeps its resources in the Kubernetes API; in that case calicoctl is configured with datastoreType: kubernetes and a kubeconfig path instead of etcd endpoints.

Change the network mode

[root@master ~]# calicoctl get ippool -o yaml >net
[root@master ~]# vim net
apiVersion: projectcalico.org/v3
items:
- apiVersion: projectcalico.org/v3
  kind: IPPool
  metadata:
    creationTimestamp: "2020-12-14T07:14:00Z"
    name: default-ipv4-ippool
    resourceVersion: "9479"
    uid: 93977cbe-a722-4197-9fb9-4ce808aceb94
  spec:
    # CIDR size of the allocation blocks handed out from this pool. Blocks are assigned to hosts on demand and used to aggregate routes.
    # Can only be set when the pool is created: 20 to 32 inclusive for IPv4, 116 to 128 inclusive for IPv6.
    blockSize: 26
    # IP range used by this pool
    cidr: 10.244.0.0/16
    # When to use IPIP encapsulation. Never = plain BGP routing, no tunnel (nodes must be L2-adjacent or peer with the fabric);
    # Always = IPIP mode; CrossSubnet = encapsulate only between hosts on different subnets.
    ipipMode: Never
    # Defaults to false; set to true to SNAT pod traffic leaving the pool to the node's IP
    natOutgoing: true
    nodeSelector: all()
    # VXLAN tunnel mode; cannot be enabled together with ipipMode. Takes the same three values as ipipMode.
    vxlanMode: Never
kind: IPPoolList
metadata:
  resourceVersion: "13426"
[root@master ~]# calicoctl apply -f net
Successfully applied 1 'IPPool' resource(s)
[root@master ~]# calicoctl get ippool -o wide
NAME                  CIDR            NAT    IPIPMODE   VXLANMODE   DISABLED   SELECTOR
default-ipv4-ippool   10.244.0.0/16   true   Never      Never       false      all()

Restart the calico-node pods so every node picks up the new pool settings and reprograms its routes:

[root@master ~]# kubectl delete po -lk8s-app=calico-node -ncalico-system
pod "calico-node-b28vj" deleted
pod "calico-node-nlts5" deleted
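The IPPool fields carry constraints that `calicoctl apply` only reports after the edit has been submitted: the blockSize range per address family, a block that may not be larger than the pool itself, the three mode values, and the rule that IPIP and VXLAN cannot both be enabled on one pool. The following is an added example, not code from this page or from the Calico project, that checks a pool spec against those rules before applying it and reports the encapsulation the spec will produce. PAGE_POOL is the spec applied above; the other inputs in the usage section are constructed bad variants.

```python
"""Sanity-check a Calico IPPool spec before `calicoctl apply`.

Added example (not Calico project code). Encodes the IPPool field rules:
blockSize range per address family and not smaller than the pool prefix,
the three ipipMode/vxlanMode values, IPIP and VXLAN mutually exclusive,
IPIP IPv4-only, natOutgoing boolean.
"""
import ipaddress

MODES = ("Never", "Always", "CrossSubnet")

# Spec as applied in the `net` file above (BGP mode, no encapsulation).
PAGE_POOL = {
    "blockSize": 26,
    "cidr": "10.244.0.0/16",
    "ipipMode": "Never",
    "natOutgoing": True,
    "nodeSelector": "all()",
    "vxlanMode": "Never",
}


def validate_ippool_spec(spec: dict) -> list:
    """Return a list of problems; an empty list means the spec looks valid."""
    errors = []
    try:
        net = ipaddress.ip_network(spec["cidr"], strict=True)
    except (KeyError, ValueError) as exc:
        # Without a usable CIDR nothing else can be checked.
        return [f"cidr: invalid or missing pool CIDR ({exc})"]

    # Allowed blockSize range and default depend on the address family.
    lo, hi = (20, 32) if net.version == 4 else (116, 128)
    block = spec.get("blockSize", 26 if net.version == 4 else 122)
    if isinstance(block, bool) or not isinstance(block, int) or not lo <= block <= hi:
        errors.append(f"blockSize: {block!r} outside {lo}-{hi} for IPv{net.version}")
    elif block < net.prefixlen:
        # A /20 block cannot be carved out of a /24 pool.
        errors.append(f"blockSize: /{block} is larger than the pool /{net.prefixlen}")

    ipip = spec.get("ipipMode", "Never")
    vxlan = spec.get("vxlanMode", "Never")
    for name, value in (("ipipMode", ipip), ("vxlanMode", vxlan)):
        if value not in MODES:
            errors.append(f"{name}: {value!r} must be one of {MODES}")
    if ipip in MODES and vxlan in MODES and ipip != "Never" and vxlan != "Never":
        errors.append("ipipMode and vxlanMode cannot both be enabled on one pool")
    if net.version == 6 and ipip in MODES and ipip != "Never":
        errors.append("ipipMode: IPIP encapsulation is IPv4-only")

    if "natOutgoing" in spec and not isinstance(spec["natOutgoing"], bool):
        errors.append("natOutgoing: must be a boolean")
    return errors


def effective_mode(spec: dict) -> str:
    """Describe how pod traffic between nodes will be carried for this pool."""
    ipip = spec.get("ipipMode", "Never")
    vxlan = spec.get("vxlanMode", "Never")
    if ipip != "Never":
        return f"IPIP ({ipip})"
    if vxlan != "Never":
        return f"VXLAN ({vxlan})"
    return "BGP (unencapsulated; nodes need L2 adjacency or BGP peering with the fabric)"


if __name__ == "__main__":
    # Constructed variants: the page's pool plus deliberately broken specs.
    candidates = {
        "page pool": PAGE_POOL,
        "both tunnels": dict(PAGE_POOL, ipipMode="Always", vxlanMode="CrossSubnet"),
        "block too big": dict(PAGE_POOL, cidr="10.244.0.0/28"),
        "bad mode": dict(PAGE_POOL, ipipMode="always"),
    }
    for label, spec in candidates.items():
        problems = validate_ippool_spec(spec)
        print(f"{label}: {effective_mode(spec)}")
        for problem in problems:
            print("   ", problem)
```

Run the check against the edited `net` file's spec (after loading it with a YAML parser of your choice) before `calicoctl apply -f net`; it catches the mistakes the field comments warn about without touching the datastore.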