k8s pod multi-NIC with multus (4): the multus isolation mechanism


Multus isolation configuration:

  1. Multus can be configured with namespaceIsolation to isolate resources between namespaces.
  2. If namespaceIsolation is set to true, a pod can only use NetworkAttachmentDefinitions from its own namespace.
  3. The default namespace can be used by every namespace.
  4. By default, namespaceIsolation is false.
  5. Once namespaceIsolation is set to true, only default is globally accessible by default; additional global namespaces can be set with the globalNamespaces parameter. Note that default must be included in globalNamespaces:
"globalNamespaces": "default,namespace-a,namespace-b",

A few examples follow.

1. Create the net-attach-def; the YAML is as follows:

[user@kube-master ~]$ cat cr.yml
   apiVersion: "k8s.cni.cncf.io/v1"
   kind: NetworkAttachmentDefinition
   metadata:
     name: macvlan-conf
   spec:
     config: '{
         "cniVersion":    "0.3.0",
         "type":    "macvlan",
         "master":    "eth0",
         "mode":    "bridge",
         "ipam": {
           "type":    "host-local",
           "subnet":    "192.168.1.0/24",
           "rangeStart":    "192.168.1.200",
           "rangeEnd":    "192.168.1.216",
           "routes": [
             { "dst":    "0.0.0.0/0" }
           ],
           "gateway":    "192.168.1.1"
         }
       }'

2. Create the net-attach-def in the privileged namespace

kubectl create -f cr.yml -n privileged

3. Create a pod in the privileged namespace; you can see that the pod is created successfully

kubectl get networkattachmentdefinition.k8s.cni.cncf.io -n privileged

4. Create the pod in the development namespace; pod creation fails

[user@kube-master ~]$ cat example.pod.yml
apiVersion: v1
kind: Pod
metadata:
  name: samplepod
  annotations:
    k8s.v1.cni.cncf.io/networks: privileged/macvlan-conf
spec:
  containers:
  - name: samplepod
    command: ["/bin/bash", "-c", "sleep 2000000000000"]
    image: dougbtv/centos-network

# Create that pod.
[user@kube-master ~]$ kubectl create -f example.pod.yml -n development

In the multus log you can see:

2018-12-18T21:41:32Z [error] GetNetworkDelegates: namespace isolation enabled, annotation violates permission, pod is in namespace development but refers to target namespace privileged

The correct way to use it

  1. Do not specify the namespace of the net-attach-def
  2. Specify a net-attach-def with the same name in the pod's own namespace

# Create the same NetworkAttachmentDefinition as above, however in the development namespace
[user@kube-master ~]$ kubectl create -f cr.yml -n development
networkattachmentdefinition.k8s.cni.cncf.io/macvlan-conf created
# Show the yaml for a sample pod which references macvlan-conf without a namespace/ format
[user@kube-master ~]$ cat positive.example.pod
apiVersion: v1
kind: Pod
metadata:
 name: samplepod
 annotations:
   k8s.v1.cni.cncf.io/networks: macvlan-conf
spec:
 containers:
 - name: samplepod
   command: ["/bin/bash", "-c", "sleep 2000000000000"]
   image: dougbtv/centos-network
# Create that pod.
[user@kube-master ~]$ kubectl create -f positive.example.pod -n development
pod/samplepod created
# We can see that this pod has been launched successfully.
[user@kube-master ~]$ kubectl get pods -n development
NAME        READY   STATUS       RESTARTS   AGE
samplepod   1/1     Running   0             31s
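To make the isolation rule behind both the failing and the succeeding pod above concrete, here is an added Go model of the check (written for this page, not multus's own code): it parses the comma-separated k8s.v1.cni.cncf.io/networks annotation forms "name", "namespace/name" and "namespace/name@interface" and applies the namespaceIsolation / globalNamespaces rules listed at the top of the page, reproducing the log message seen in the development namespace. The function and type names are assumptions; the JSON form of the annotation is not handled.

```go
package main

import (
	"fmt"
	"strings"
)

// netRef is one parsed entry of the k8s.v1.cni.cncf.io/networks annotation.
type netRef struct {
	Namespace string
	Name      string
}

// parseNetworkRef parses "name", "namespace/name" or "namespace/name@interface".
// A bare name resolves to the pod's own namespace, which is why the positive example succeeds.
func parseNetworkRef(ref, podNamespace string) netRef {
	ref = strings.TrimSpace(ref)
	if i := strings.Index(ref, "@"); i >= 0 { // drop the optional interface name
		ref = ref[:i]
	}
	if i := strings.Index(ref, "/"); i >= 0 {
		return netRef{Namespace: ref[:i], Name: ref[i+1:]}
	}
	return netRef{Namespace: podNamespace, Name: ref}
}

// checkIsolation applies the rules from this page: isolation off allows everything; isolation on
// allows only the pod's own namespace, "default", or a namespace listed in globalNamespaces.
func checkIsolation(podNamespace, annotation string, isolation bool, globalNamespaces string) error {
	global := map[string]bool{"default": true}
	for _, ns := range strings.Split(globalNamespaces, ",") {
		if ns = strings.TrimSpace(ns); ns != "" {
			global[ns] = true
		}
	}
	for _, entry := range strings.Split(annotation, ",") {
		ref := parseNetworkRef(entry, podNamespace)
		if isolation && ref.Namespace != podNamespace && !global[ref.Namespace] {
			return fmt.Errorf("namespace isolation enabled, annotation violates permission, pod is in namespace %s but refers to target namespace %s", podNamespace, ref.Namespace)
		}
	}
	return nil
}

func main() {
	// Constructed sample: the two pod annotations from this page, both with isolation on.
	fmt.Println(checkIsolation("development", "privileged/macvlan-conf", true, "default"))
	fmt.Println(checkIsolation("development", "macvlan-conf", true, "default"))
}
```

Adding "privileged" to globalNamespaces is the configuration-side fix when a cross-namespace reference is actually intended.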