Introduction to deploying the Calico network
Calico components:
- Felix: the Calico agent. It runs on each node and programs the network state for containers: IP addresses, routes, iptables rules, etc.
- etcd: Calico's back-end datastore.
- BIRD: BGP client. It advertises the routes Felix programs on each node to the rest of the Calico network over BGP.
- BGP Route Reflector: hierarchical route distribution for large-scale clusters.
- calicoctl: Calico command-line administration tool.
Deployment of Calico:
Refer to the official documentation: https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/hosted
- Download the deployment YAML files:
wget https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/rbac.yaml
wget https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/calico.yaml
- The RBAC file (rbac.yaml, saved here as calico-rbac.yaml) can be created directly without changes:
$ kubectl create -f calico-rbac.yaml
clusterrole "calico-kube-controllers" created
clusterrolebinding "calico-kube-controllers" created
clusterrole "calico-node" created
clusterrolebinding "calico-node" created
Configure Calico
$ vim calico.yaml
data:
  # Configure this with the location of your etcd cluster.
  etcd_endpoints: "https://10.3.1.15:2379,https://10.3.1.16:2379,https://10.3.1.17:2379"
  # If you're using TLS enabled etcd uncomment the following.
  # You must also populate the Secret below with these files.
  etcd_ca: "/calico-secrets/etcd-ca"        # just remove the comment markers from these three lines
  etcd_cert: "/calico-secrets/etcd-cert"
  etcd_key: "/calico-secrets/etcd-key"
....
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: calico-etcd-secrets
  namespace: kube-system
data:
  etcd-key: (cat /etc/kubernetes/ssl/etcd-key.pem | base64 | tr -d '\n')   # paste the command's output here
  etcd-cert: (cat /etc/kubernetes/ssl/etcd.pem | base64 | tr -d '\n')      # paste the command's output here
  etcd-ca: (cat /etc/kubernetes/ssl/ca.pem | base64 | tr -d '\n')          # paste the command's output here
  # If etcd is not using TLS, leave these as null.
The parameters above must be changed. Note that base64 is an encoding, not encryption: anyone who can read Secrets in kube-system obtains the etcd client key, so access to that namespace should be restricted accordingly. The file also contains one parameter that sets the pod network address; adjust it to your environment:
- name: CALICO_IPV4POOL_CIDR
  value: "192.168.0.0/16"
Some main parameters of the ConfigMap are as follows:
- etcd_endpoints: Calico stores the network topology and state in etcd; this specifies the etcd address. The Kubernetes master's etcd can be reused, or a separate etcd can be built. If the Kubernetes etcd is shared, keep in mind that, unless etcd authentication is enabled, any client presenting a valid client certificate has full read/write access to the whole keyspace, including the Kubernetes objects stored there (Secrets among them), so a dedicated etcd, or at least a dedicated client certificate, is preferable.
- calico_backend: the Calico back end; defaults to bird.
- cni_network_config: a network configuration that conforms to the CNI specification. type=calico tells the kubelet to look for an executable named calico (the default) in its --cni-bin-dir (/opt/cni/bin by default) to allocate container IP addresses.
- If etcd has TLS authentication configured, the corresponding CA, cert and key files must also be specified (etcd_ca, etcd_cert and etcd_key above).
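The Secret above is filled by pasting base64 output by hand. As an added example, not from the page or the Calico project, the following POSIX shell script renders the same calico-etcd-secrets manifest from the PEM files, using the page's `base64 | tr -d '\n'` encoding, and refuses to proceed if a file is unreadable or does not round-trip through base64; it also warns when the private key is group- or world-readable. The function names are assumptions; the Secret name and namespace are the ones calico.yaml uses, and the paths in the usage comment are the page's defaults.

```shell
#!/bin/sh
# Added example (not from the page or the Calico project): build the
# calico-etcd-secrets manifest from PEM files instead of pasting base64 by hand.
# Function names are assumptions; the Secret name/namespace and the
# "base64 | tr -d '\n'" encoding are the ones calico.yaml on the page uses.

# b64_oneline FILE: base64-encode FILE as a single line (GNU and BSD base64).
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# b64_roundtrips FILE: succeed only if decoding the one-line encoding gives FILE back byte for byte.
b64_roundtrips() {
    [ "$(b64_oneline "$1" | base64 -d | od -An -v -tx1)" = "$(od -An -v -tx1 < "$1")" ]
}

# key_mode_ok FILE: succeed if FILE is readable only by its owner (0600/0400).
# The etcd client key grants full access to Calico's datastore, so it must not leak via file mode.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in 600|400) return 0 ;; *) return 1 ;; esac
}

# render_etcd_secret CA CERT KEY: print the Secret manifest, or fail with a message on stderr.
render_etcd_secret() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        b64_roundtrips "$f" || { echo "base64 round-trip failed for $f" >&2; return 1; }
    done
    key_mode_ok "$3" || echo "warning: $3 is not mode 0600/0400" >&2
    cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: calico-etcd-secrets
  namespace: kube-system
data:
  etcd-key: $(b64_oneline "$3")
  etcd-cert: $(b64_oneline "$2")
  etcd-ca: $(b64_oneline "$1")
EOF
}

# Usage (paths are the page's defaults; adjust to your cluster):
#   render_etcd_secret /etc/kubernetes/ssl/ca.pem /etc/kubernetes/ssl/etcd.pem \
#       /etc/kubernetes/ssl/etcd-key.pem > calico-etcd-secrets.yaml
```

The generated manifest can be pasted over the Secret stanza in calico.yaml or applied on its own with kubectl; the round-trip check catches a truncated paste or a stray newline, which otherwise shows up only as calico-node failing to reach etcd.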
Key parameters of the calico-node service deployed through the DaemonSet:
The pod consists of the following two containers:
calico-node: the Calico service program. It sets up the pod's network resources and ensures that the pod network and every node are interconnected. It must run with hostNetwork: true, using the host's network namespace directly.
install-cni: installs the CNI binaries into /opt/cni/bin on each node, and installs the corresponding configuration file into /etc/cni/net.d.
Main parameters of the calico-node service:
- CALICO_IPV4POOL_CIDR: the IP address pool for Calico IPAM; pod IP addresses are allocated from this pool.
- CALICO_IPV4POOL_IPIP: whether IPIP mode is enabled. When IPIP mode is enabled, Calico creates a tunl0 virtual tunnel interface on each node.
- FELIX_LOGSEVERITYSCREEN: log level.
- FELIX_IPV6SUPPORT: whether IPv6 is enabled.
- The IP pool can use one of two modes: BGP or IPIP. To use IPIP mode, set CALICO_IPV4POOL_IPIP="always"; set it to "off" to not use IPIP, in which case plain BGP mode is used.
- IPIP mode builds a tunnel between each node's routes and then connects the two networks; when IPIP mode is enabled, Calico creates a virtual network interface called tunl0 on each node.
4. Create:
$ kubectl create -f calico.yaml
configmap "calico-config" created
secret "calico-etcd-secrets" created
daemonset "calico-node" created
deployment "calico-kube-controllers" created
deployment "calico-policy-controller" created
serviceaccount "calico-kube-controllers" created
serviceaccount "calico-node" created
# kubectl get deployment,pod -n kube-system
NAME                              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deploy/calico-kube-controllers    1         1         1            1           4m
deploy/calico-policy-controller   0         0         0            0           4m
NAME                                          READY   STATUS    RESTARTS   AGE
po/calico-kube-controllers-56d9f8c44c-6hftd   1/1     Running   0          4m
po/calico-node-6k827                          2/2     Running   0          4m
po/calico-node-wfbpz                          2/2     Running   0          4m
calico-node is a DaemonSet, which launches one pod on each node.
The resources created are as follows:
DaemonSet:
  name: calico-node (runs two containers in this pod)
  hostNetwork: true
  serviceAccountName: calico-node
  # two containers:
  - name: calico-node
    image: quay.io/calico/node:v2.6.5
  - name: install-cni
    image: quay.io/calico/cni:v1.11.2
    command: ["/install-cni.sh"]
Deployment:
  name: calico-kube-controllers
  replicas: 1   # network policy controller
  serviceAccountName: calico-kube-controllers
  containers:
  - name: calico-kube-controllers
    image: quay.io/calico/kube-controllers:v1.0.2
5. Modify the kubelet configuration:
Set the startup parameter --network-plugin=cni for the kubelet service on each node; you may also want to add these two parameters:
- --cni-conf-dir: the CNI plugin configuration directory, default /etc/cni/net.d. The configuration files in this directory must conform to the CNI specification.
- --cni-bin-dir: the directory holding the CNI plugin executables, default /opt/cni/bin.
- Set the startup parameter --allow-privileged=true on the kube-apiserver service on the master (the kubelet has the same flag), because calico-node must run in privileged mode on every node. Restart the kubelet after the change. A privileged, hostNetwork DaemonSet is effectively root on every node, so the ability to modify the calico-node DaemonSet or to exec into its pods should be restricted accordingly.
This completes the setup of the node container network through Calico. During subsequent pod creation, the kubelet calls Calico through the CNI interface to perform the pod's network setup, including IP address, routing rules and iptables rules.
- Verify the network connectivity between the nodes:
A tunl0 interface is created on the host after the kubelet starts.
# On the first node:
# ip route
192.168.77.192/26 via 10.3.1.17 dev tunl0 proto bird onlink
# On the second node:
# ip route
192.168.150.192/26 via 10.3.1.16 dev tunl0
Each node automatically gets a route to the other node's pod network, and the path to the other node goes through the tunl0 interface: this is IPIP mode. If CALICO_IPV4POOL_IPIP="off" is set, i.e. IPIP mode is not used, Calico does not create a tunl0 interface, and the routes forward directly through the physical NIC, with the node itself acting as the router.
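As an added example, not from the page or the Calico project, the following POSIX shell script turns the manual `ip route` check into something repeatable: it keeps only the routes whose prefix lies inside the pool CIDR (192.168.0.0/16 from calico.yaml, overridable as the first argument), reports for each whether it goes over tunl0 (IPIP) or straight out of a physical interface (BGP without encapsulation), and flags a cluster where the two are mixed, which usually means nodes disagree on CALICO_IPV4POOL_IPIP. The function names, the eth0 interface, and the non-pod sample routes in the test are assumptions; the two pod-CIDR routes are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the page): classify the pod-network routes Calico
# installed, from `ip route` output on stdin. Function names are assumptions;
# the default pool 192.168.0.0/16 is CALICO_IPV4POOL_CIDR from calico.yaml.

# ip2int DOTTED-QUAD: print the address as an integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_pool PREFIX/LEN POOL/LEN: succeed if PREFIX lies inside POOL.
in_pool() {
    rt_ip=${1%/*}; pool_ip=${2%/*}; pool_len=${2#*/}
    mask=$(( (4294967295 << (32 - pool_len)) & 4294967295 ))
    [ $(( $(ip2int "$rt_ip") & mask )) -eq $(( $(ip2int "$pool_ip") & mask )) ]
}

# classify_routes [POOL] < ip-route-output
# Prints one line per pod-CIDR route: "<prefix> via <gateway> dev <iface> <ipip|bgp>".
# Routes outside the pool (default route, node subnet) and routes without a
# prefix length (per-pod host routes, "blackhole ..." local-block routes) are skipped.
classify_routes() {
    pool=${1:-192.168.0.0/16}
    while read -r prefix rest; do
        case $prefix in */*) ;; *) continue ;; esac      # only prefix routes
        in_pool "$prefix" "$pool" || continue
        gw=none; dev=none
        set -- $rest                                      # split the remaining words
        while [ $# -gt 0 ]; do
            case $1 in
                via) gw=$2; shift ;;
                dev) dev=$2; shift ;;
            esac
            shift
        done
        # IPIP mode sends cross-node pod traffic through tunl0; with
        # CALICO_IPV4POOL_IPIP="off" the route leaves via the physical NIC.
        if [ "$dev" = tunl0 ]; then mode=ipip; else mode=bgp; fi
        echo "$prefix via $gw dev $dev $mode"
    done
}

# ipip_consistent [POOL] < ip-route-output: succeed if every pod-CIDR route uses the same mode.
ipip_consistent() {
    classify_routes "$1" | awk '!seen[$NF]++ { n++ } END { exit (n > 1) }'
}

# Usage on a node:  ip route | classify_routes
#                   ip route | ipip_consistent || echo "mixed IPIP/BGP routes on this node"
```

Run it on every node, not just one: each node only shows its own view of the other nodes' pod blocks, and a node whose routes are missing entirely (no output) is the one whose BIRD session has not come up.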