接上文: K8S V.1.10.0 二进制安装
1.calicoctl的下载和配置
这里的配置calicoctl版本使用的是v1.2.0-6-gd1c370c 下载地址为:
http://www.sadlar.cn/wp-content/uploads/2018/05/calicoctl.bin
如果使用最新版的calicoctl 使用方法参考:https://docs.projectcalico.org/v3.1/usage/configuration/bgp](https://docs.projectcalico.org/v3.1/usage/configuration/bgp
chmod +x calicoct ETCD_ENDPOINTS=http://calico-etcd-hostip:6666 这里假定交换机的asnumber是65000 asnumber需要和网络人员协调,共同配置,所以这里只贴出主机层面的配置参考
2.部署calico-etcd
- 给node节点打标签 #calico-etcd-hostip就是这个节点的ip
kubectl label node kube-master02 calico-etcd=calico-etcd #这一步配合calico.yaml里的node节点亲和
- 配置节点亲和
affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: calico-etcd operator: In values: ["calico-etcd"]
- 部署etcd:etcd-deployment.yaml
--- apiVersion: extensions/v1beta1 kind: Deployment metadata: name: calico-etcd namespace: kube-system labels: k8s-app: calico-etcd spec: replicas: 1 template: metadata: labels: k8s-app: calico-etcd annotations: scheduler.alpha.kubernetes.io/critical-pod: '' spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: calico-etcd operator: In values: ["calico-etcd"] # Only run this pod on the master. #tolerations: #- key: node-role.kubernetes.io/master # effect: NoSchedule # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. # This, along with the annotation above marks this pod as a critical add-on. #- key: CriticalAddonsOnly # operator: Exists #nodeSelector: # node-role.kubernetes.io/master: "" hostNetwork: true containers: - name: calico-etcd image: hub-dev.example.com/k8s/etcd:2.2.1 env: - name: CALICO_ETCD_IP valueFrom: fieldRef: fieldPath: status.podIP command: ["/bin/sh","-c"] args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$CALICO_ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"] volumeMounts: - name: var-etcd mountPath: /var/etcd volumes: - name: var-etcd hostPath: path: /var/etcd --- # This manifest installs the Service which gets traffic to the Calico # etcd. apiVersion: v1 kind: Service metadata: labels: k8s-app: calico-etcd name: calico-etcd namespace: kube-system spec: # Select the calico-etcd pod running on the master. selector: k8s-app: calico-etcd clusterIP: 10.225.0.222 ports: - port: 6666
- -应用:
kubectl apply -f etcd-deployment.yaml
3.calicoctl设置as号
calicoctl config set asNumber 65000
- 与附近机器建立per开关
calicoctl config get nodeToNodeMesh calicoctl config set nodeToNodeMesh on calicoctl config set nodeToNodeMesh off
4.与交换机10.255.72.254的asNumber: 65000建立bgp通信
10.255.72.254 是我这里的交换机对接节点,具体情况实际参考自己的网络环境。
- calico-bgp-netberhood.json
apiVersion: v1 kind: bgpPeer metadata: peerIP: 10.255.72.254 scope: global spec: asNumber: 65000
calicoctl create -f calico-bgp-netberhood.json
关闭pod网络访问外部的NAT,并宣告calico本身的网段
- calico-disable-nat-subnet.json
apiVersion: v1 kind: ipPool metadata: cidr: 10.229.0.0/16 spec: ipip: enabled: false nat-outgoing: false disabled: false
calicoctl create -f calico-disable-nat-subnet.json
5.创建calico部署
– calico-rbac.yaml
--- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin subjects: - kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: calico-cni-plugin namespace: kube-system rules: - apiGroups: [""] resources: - pods - nodes verbs: - get --- apiVersion: v1 kind: ServiceAccount metadata: name: calico-cni-plugin namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: calico-policy-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-policy-controller subjects: - kind: ServiceAccount name: calico-policy-controller namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: calico-policy-controller namespace: kube-system rules: - apiGroups: - "" - extensions resources: - pods - namespaces - networkpolicies verbs: - watch - list --- apiVersion: v1 kind: ServiceAccount metadata: name: calico-policy-controller namespace: kube-system
– calico-configmap.yaml
--- kind: ConfigMap apiVersion: v1 metadata: name: calico-config namespace: kube-system data: etcd_endpoints: "http://10.255.73.197:6666" calico_backend: "bird" cni_network_config: |- { "name": "k8s-pod-network", "cniVersion": "0.1.0", "type": "calico", "etcd_endpoints": "__ETCD_ENDPOINTS__", "log_level": "info", "ipam": { "type": "calico-ipam" }, "policy": { "type": "k8s", "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__", "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__" }, "kubernetes": { "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__" } }
– calico-Deployment.yaml
--- kind: DaemonSet apiVersion: extensions/v1beta1 metadata: name: calico-node namespace: kube-system labels: k8s-app: calico-node spec: selector: matchLabels: k8s-app: calico-node template: metadata: labels: k8s-app: calico-node annotations: # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler # reserves resources for critical add-on pods so that they can be rescheduled after # a failure. This annotation works in tandem with the toleration below. scheduler.alpha.kubernetes.io/critical-pod: '' spec: hostNetwork: true tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. # This, along with the annotation above marks this pod as a critical add-on. - key: CriticalAddonsOnly operator: Exists serviceAccountName: calico-cni-plugin containers: # Runs calico/node container on each Kubernetes node. This # container programs network policy and routes on each # host. - name: calico-node image: hub-dev.example.com/k8s/node:v1.3.0 env: # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-config key: etcd_endpoints # Enable BGP. Disable to enforce policy only. - name: CALICO_NETWORKING_BACKEND valueFrom: configMapKeyRef: name: calico-config key: calico_backend # Disable file logging so `kubectl logs` works. - name: CALICO_DISABLE_FILE_LOGGING value: "true" # Set Felix endpoint to host default action to ACCEPT. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: "ACCEPT" # Configure the IP Pool from which Pod IPs will be chosen. - name: CALICO_IPV4POOL_CIDR value: "10.224.0.0/16" - name: CALICO_IPV4POOL_IPIP value: "always" # Disable IPv6 on Kubernetes. - name: FELIX_IPV6SUPPORT value: "false" # Set Felix logging to "info" - name: FELIX_LOGSEVERITYSCREEN value: "info" # Auto-detect the BGP IP address. - name: IP value: "" securityContext: privileged: true resources: requests: cpu: 300m volumeMounts: - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /var/run/calico name: var-run-calico readOnly: false # This container installs the Calico CNI binaries # and CNI network config file on each node. - name: install-cni image: hub-dev.example.com/k8s/cni:v1.9.1 command: ["/install-cni.sh"] env: # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-config key: etcd_endpoints # The CNI network config to install on each node. - name: CNI_NETWORK_CONFIG valueFrom: configMapKeyRef: name: calico-config key: cni_network_config volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir - mountPath: /host/etc/cni/net.d name: cni-net-dir volumes: # Used by calico/node. - name: lib-modules hostPath: path: /lib/modules - name: var-run-calico hostPath: path: /var/run/calico # Used to install CNI. - name: cni-bin-dir hostPath: path: /opt/cni/bin - name: cni-net-dir hostPath: path: /etc/cni/net.d --- # This manifest deploys the Calico policy controller on Kubernetes. # See https://github.com/projectcalico/k8s-policy apiVersion: extensions/v1beta1 kind: Deployment metadata: name: calico-policy-controller namespace: kube-system labels: k8s-app: calico-policy spec: # The policy controller can only have a single active instance. replicas: 1 strategy: type: Recreate template: metadata: name: calico-policy-controller namespace: kube-system labels: k8s-app: calico-policy-controller annotations: # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler # reserves resources for critical add-on pods so that they can be rescheduled after # a failure. This annotation works in tandem with the toleration below. scheduler.alpha.kubernetes.io/critical-pod: '' spec: # The policy controller must run in the host network namespace so that # it isn't governed by policy that would prevent it from working. hostNetwork: true tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. # This, along with the annotation above marks this pod as a critical add-on. - key: CriticalAddonsOnly operator: Exists serviceAccountName: calico-policy-controller containers: - name: calico-policy-controller image: hub-dev.example.com/k8s/kube-policy-controller:v0.6.0 env: # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-config key: etcd_endpoints # The location of the Kubernetes API. Use the default Kubernetes # service for API access. - name: K8S_API value: "https://kubernetes.default:443" # value: "https://10.255.73.73:6443" # Since we're running in the host namespace and might not have KubeDNS # access, configure the container's /etc/hosts to resolve # kubernetes.default to the correct service clusterIP. - name: CONFIGURE_ETC_HOSTS value: "true"
– 应用:
kubectl apply -f calico-configmap.yaml kubectl apply -f calico-rbac.yaml kubectl apply -f calico-Deployment.yaml
6. 查看node状态
calicoctl node status
7. 网络设备上的配置 这里以juniper为例:
set protocols bgp group peer-72-193 type internal set protocols bgp group peer-72-193 local-address 10.255.72.254 set protocols bgp group peer-72-193 neighbor 10.255.72.193
8.ip固定
– 使用如下配置给pod固定ip
annotations:
cni.projectcalico.org/ipAddrs: “[\”10.224.0.20\”]”
– 模版文件
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
annotations:
cni.projectcalico.org/ipAddrs: "[\"10.224.0.20\"]"
spec:
containers:
- name: myapp-container
image: busybox
command: ['sh', '-c', 'echo Hello Kubernetes! && sleep 3600']