docker:
k8s
- :pod,lo
- pod: pod ip <--> pod ip 直连
- podservice
- service: NodePort / Ingress / LoadBalancer
CNI
- flannel
- calico
- kube-router
:
虚拟网桥
MacVLAN
SR-IOV
podpod
flannel
kubelet /etc/cni/net.d/10-flannel.conflist --help
flannel
vxlan
1.
overlay, vxlan overlay, node vxlan overlay, host_gw,
nodenode_gatewaynodeIP,
udp
flannel
Network: flannel pod CIDR 10.244.0.0/16 --> master: 10.244.0.0/24 node1: 10.244.1.0/24 .. node255: 10.244.255.0/24
SubnetLen: per-node subnet length, 24
Subnetmin: 10.244.10.0/24
Subnetmax: 10.244.100.0/24
Backend: vxlan (vxlan with DirectRouting), host-gw, udp
查看网桥
brctl show cni0
node
nodepod ping
yum install tcpdump -y
tcpdump -i cni0 icmp
pod --> node1 cni0 --> node1 flannel.1 --> node2 flannel.1 --> node2
ip route show
10.244.1.0/24 via 10.244.1.0 dev flannel.1 onlink
10.244.2.0/24 via 10.244.2.0 dev flannel.1 onlink
tcpdump -i flannel.1 -nn
node
12:18:23.231595 IP node2.55445 > node1.otv: OTV, flags [I] (0x08), overlay 0, instance 1
IP myapp-1.myapp-svc.default.svc.cluster.local > myapp-0.myapp-svc.default.svc.cluster.local: ICMP echo reply, id 3840, seq 20, length 64
overlayvxlanpod
实验
flannel vxlan DirectRouting
jsonconfig
vim net-conf.json
{
}
2.edit
kubectl -n kube-system edit configmaps kube-flannel-cfg
"Backend": {
ip route show
flannel
yaml
kubectl delete -f kube-flannel.yml
kubectl apply -f kube-flannel.yml
ip route show
10.244.1.0/24 via 192.168.81.20 dev ens33
pod
kubectl delete -f deploy-demo.yaml
kubectl apply -f deploy-demo.yaml
kubectl exec -it myapp-deploy-55b78d8548-8dtpv -- /bin/sh
pod
node
overlay via node IP
flannel vxlan DirectRouting
vim kube-flannel.yml
}
kubectl delete -f kube-flannel.yml
kubectl apply -f kube-flannel.yml
ip route show
10.244.1.0/24 via 192.168.81.20 dev ens33
10.244.2.0/24 via 192.168.81.30 dev ens33
canal
https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/flannel
kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/canal.yaml
kubectl get pods -n kube-system
控制网络策略
kubectl explain networkpolicy
kubectl explain networkpolicy.spec
出站
kubectl explain networkpolicy.spec.egress
kubectl explain networkpolicy.spec.egress.ports
kubectl explain networkpolicy.spec.egress.to
入站
kubectl explain networkpolicy.spec.ingress
policyTypes <[]string>
kubectl explain networkpolicy.spec.policyTypes
ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
spec:
pod
- Ingress: ingress rules apply; if policyTypes lists Egress, egress rules apply
ns
kubectl create namespace dev
kubectl create namespace prod
创建规则
namespace
查询规则
验证
vim pod-a.yaml
apiVersion: v1
kind: Pod
metadata:
spec:
devpod
kubectl apply -f pod-a.yaml -n dev
devingress
kubectl apply -f pod-a.yaml -n prod
curl 10.244.1.8
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
vim ingress-def.yaml
spec:
ingress
kubectl apply -f ingress-def.yaml -n dev
打上标签
kubectl label pods pod1 app=myapp -n dev
vim allow-netpolicy-demo.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
spec:
pod pod
cidr
创建规则
egress
cp ingress-def.yaml egress-def.yaml
vim egress-def.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
spec:
egress,
prod
kubectl apply -f egress-def.yaml -n prod
测试
egress
vim egress-def.yaml
spec:
egress
测试
ping通
:
pod