Building a Kubernetes IPv6 cluster with Cilium


www.kancloud.cn/pshizhsysu/…
www.kancloud.cn/pshizhsysu/…
blog.51cto.com/c959c/53326…
k -n kube-system patch ippools default-ipv6-ippool --type=merge --patch '{"spec":{"natOutgoing":true}}'
Everything installed here is the latest version.
Cilium's strengths need no introduction. The OS used here is Alibaba Cloud Linux 3; Cilium has kernel version requirements, so the CentOS 7 series needs a kernel upgrade first.
Run the following commands in order:

yum install -y yum-utils
yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce docker-ce-cli containerd.io -y
systemctl enable docker
systemctl restart docker

cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF

# Set SELinux to permissive mode (effectively disabling it)
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

sudo yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes

sudo systemctl enable --now kubelet
sudo systemctl restart kubelet

swapoff  -a
sed -i 's/.*swap.*/#&/' /etc/fstab
reboot -f
modprobe br_netfilter

cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

# daemon.json is plain JSON and allows no comments. To use a registry mirror, add a line such as
#   "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "10"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ],
  "live-restore": true
}
EOF
systemctl daemon-reload
systemctl restart docker
sudo systemctl restart kubelet

cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
# Load the IPVS kernel modules that exist on this kernel (used by kube-proxy in IPVS mode)
ipvs_modules="ip_vs ip_vs_lc ip_vs_wlc ip_vs_rr ip_vs_wrr ip_vs_lblc ip_vs_lblcr ip_vs_dh ip_vs_sh ip_vs_fo ip_vs_nq ip_vs_sed ip_vs_ftp nf_conntrack"
for kernel_module in \${ipvs_modules}; do
  # modinfo succeeds only when the module is available for this kernel
  if /sbin/modinfo -F filename \${kernel_module} > /dev/null 2>&1; then
    /sbin/modprobe \${kernel_module}
  fi
done
EOF

chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep ip_vs
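Before running kubeadm it is worth confirming that the node really is in the state the steps above aim for. The following preflight script is an added example, not part of the original post: it checks the kernel floor Cilium needs, the two bridge sysctls written to /etc/sysctl.d/k8s.conf, IPv6 forwarding (an extra check beyond the page's sysctls, since a dual-stack node must forward IPv6 between pods), swap, and the modules loaded above. `CILIUM_MIN_KERNEL` is an assumed placeholder value; take the real minimum from the Cilium system-requirements page for the release you install. The function names are this example's own.

```shell
#!/bin/sh
# Added preflight script, not part of the original post. It checks the host
# against what the steps above configure (bridge sysctls, swap off, modules)
# plus the kernel floor Cilium needs. CILIUM_MIN_KERNEL is an assumed value:
# take the real minimum from the Cilium system-requirements page for the
# release you install.
CILIUM_MIN_KERNEL=${CILIUM_MIN_KERNEL:-4.19.57}

# version_ge A B: exit 0 when kernel version A >= B. The distro suffix is
# stripped (5.10.134-15.al8.x86_64 -> 5.10.134) and ".0.0" appended so that
# short versions such as "6.1" compare as 6.1.0.
version_ge() {
    v1=$(printf '%s' "$1" | sed 's/-.*//').0.0
    v2=$(printf '%s' "$2" | sed 's/-.*//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$v1" | cut -d. -f"$i")
        y=$(printf '%s' "$v2" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# sysctl_is KEY VALUE: exit 0 when the live sysctl matches VALUE.
sysctl_is() {
    [ "$(sysctl -n "$1" 2>/dev/null)" = "$2" ]
}

# Run every check and report all failures instead of stopping at the first.
check_cilium_prereqs() {
    rc=0
    kernel=$(uname -r)
    if ! version_ge "$kernel" "$CILIUM_MIN_KERNEL"; then
        echo "FAIL kernel $kernel < $CILIUM_MIN_KERNEL (CentOS 7 ships 3.10, upgrade first)"
        rc=1
    fi
    # The two sysctls from /etc/sysctl.d/k8s.conf above, plus IPv6 forwarding,
    # which a dual-stack node needs in order to route pod traffic.
    for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables \
               net.ipv6.conf.all.forwarding; do
        sysctl_is "$key" 1 || { echo "FAIL $key != 1"; rc=1; }
    done
    # /proc/swaps has only its header line when swap is off (kubelet refuses to start otherwise)
    if [ "$(wc -l < /proc/swaps)" -gt 1 ]; then
        echo "FAIL swap is still enabled"
        rc=1
    fi
    # Modules loaded by the modprobe and ipvs.modules steps above
    for mod in br_netfilter ip_vs; do
        grep -q "^$mod " /proc/modules || { echo "FAIL module $mod not loaded"; rc=1; }
    done
    if [ "$rc" -eq 0 ]; then echo "OK: node is ready for kubeadm init and cilium install"; fi
    return "$rc"
}

# Run the checks only when invoked directly with --run, so the functions can
# also be sourced from another script.
if [ "${1:-}" = "--run" ]; then
    check_cilium_prereqs
fi
```

Run it on each node as `sh preflight.sh --run` after the sysctl and module steps; a non-zero exit lists every failed check, so a CentOS 7 box with its stock 3.10 kernel is caught before kubeadm init rather than when the cilium agent pods crash-loop.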


# Pre-pull the control-plane images
images=$(kubeadm config images list)
for i in $images; do docker pull $i; done

# Dual-stack init: an IPv4 and an IPv6 range for both services and pods
kubeadm init --service-cidr 10.188.0.0/16,fd00:10:96::/108 --pod-network-cidr 10.244.0.0/16,2400:10:244::/48
# Alternative: skip the kube-proxy addon and rely on Cilium's kube-proxy replacement
kubeadm init --skip-phases=addon/kube-proxy
# Debian/Ubuntu equivalent of the yum-based kubelet/kubeadm/kubectl install above
sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl
sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl

Since Cilium can do without kube-proxy (it does not forward via IPVS), this is your own choice; this document still installed kube-proxy.

# Download the cilium CLI
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}
# Pass the options below because we defined our own pod CIDR; otherwise the default
# (cluster-local) uses Cilium's own pod CIDR

cilium install --config ipam=kubernetes --config enable-ipv6=true --config kube-proxy-replacement=strict --config k8s-api-server=https://172.16.0.25:6443
cilium status --wait

# Visualization tool (Hubble)
export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
curl -L --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check hubble-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-amd64.tar.gz /usr/local/bin
rm hubble-linux-amd64.tar.gz{,.sha256sum}

cilium hubble enable
cilium hubble port-forward &
hubble status
hubble observe
cilium hubble enable --ui
cilium hubble ui

# Allow workloads to schedule on the control-plane node (cilium-istio is the author's node name)
kubectl taint node cilium-istio node-role.kubernetes.io/master:NoSchedule-
kubectl taint node cilium-istio node-role.kubernetes.io/control-plane:NoSchedule-

Network forwarding can be viewed directly.
Visualized observation of calls.
Entering the cilium pod shows the service list.
IPv6 communication test
Tests against pods and against svc.
The IPv6 address can be seen in describe.
node--->pod calls succeed. The pod's socket must listen on IPv6, otherwise you sometimes get the situation where the IPv4 test passes but IPv6 does not; enter the container's network namespace (nsenter -n -t $pid) to check which addresses are being listened on.
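The "IPv4 works, IPv6 does not" case above almost always comes down to the application binding 0.0.0.0 instead of :: or *. The following helper is an added example, not from the original post: it parses `ss -ltn` output (taken from inside the pod's namespace with nsenter, as described) and reports whether a given port is reachable over IPv6. The `ss` sample and the container PID lookup via `docker inspect` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a socket inside a
# pod's network namespace listens on IPv6. Feed it the output of `ss -ltn`
# (run via nsenter as the post describes). The sample below is constructed.

# listens_on_ipv6 PORT: read `ss -ltn` output on stdin; exit 0 when a LISTEN
# socket on PORT is bound to an IPv6 wildcard or address ("[::]:PORT",
# "*:PORT" or "[<v6 addr>]:PORT"), 1 when only IPv4 or loopback bindings exist.
listens_on_ipv6() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")        # local address:port is column 4
            p = parts[n]                     # port is the last ":"-separated field
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && (addr == "*" || (addr ~ /^\[.*\]$/ && addr != "[::1]")))
                found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# pod_listens_on_ipv6 PID PORT: the same check for a running container, using
# its init process PID (for docker: docker inspect -f "{{.State.Pid}}" CONTAINER).
pod_listens_on_ipv6() {
    nsenter -n -t "$1" ss -ltn | listens_on_ipv6 "$2"
}

# Constructed sample of `ss -ltn` output for a pod running several servers:
# 8080 is IPv4-only (fails an IPv6 probe), 443 is dual-stack via [::],
# 53 is bound to the "*" wildcard, 9090 and 6060 are loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:8080        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:9090      0.0.0.0:*
LISTEN 0      4096   [::]:443            [::]:*
LISTEN 0      4096   [::1]:6060          [::]:*
LISTEN 0      4096   *:53                *:*'

for port in 8080 443 53 9090; do
    if printf '%s\n' "$SAMPLE_SS" | listens_on_ipv6 "$port"; then
        echo "port $port: reachable over IPv6"
    else
        echo "port $port: IPv4/loopback only, the pod's IPv6 address will not answer"
    fi
done
```

On a real node, `pod_listens_on_ipv6 "$(docker inspect -f '{{.State.Pid}}' CONTAINER)" 8080` gives the same verdict for a live container, which is the quickest way to tell a Cilium/IPv6 routing problem apart from an application that simply never opened an IPv6 socket.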
Turn on the IPv6 switch on the svc.
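On a dual-stack cluster a Service is still IPv4-only by default, because `ipFamilyPolicy` defaults to `SingleStack`; the "switch" is setting it to `PreferDualStack` or `RequireDualStack` so the API server allocates a ClusterIP from both service CIDRs given to kubeadm above. The following is an added example, not the post's own manifest: it renders such a Service and checks the ClusterIPs assigned to it. The service name, port and label are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: render a dual-stack Service
# manifest and check the ClusterIPs the API server assigned to it.
# Assumes a kubeadm cluster initialised with an IPv4 and an IPv6 service CIDR
# (as in the kubeadm init command above); name, port and label are placeholders.

# dualstack_service_yaml NAME PORT [POLICY]: print a Service asking for both
# address families. SingleStack (the default) leaves a service IPv4-only even on
# a dual-stack cluster; PreferDualStack requests a ClusterIP from each service
# CIDR; RequireDualStack rejects the create if one family is unavailable.
# ipFamilies order decides the primary family (here IPv6 first).
dualstack_service_yaml() {
    name=$1
    port=$2
    policy=${3:-PreferDualStack}
    cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $name
spec:
  ipFamilyPolicy: $policy
  ipFamilies:
    - IPv6
    - IPv4
  selector:
    app: $name
  ports:
    - port: $port
      targetPort: $port
EOF
}

# has_ipv6_clusterip JSON: given the output of
#   kubectl get svc NAME -o jsonpath='{.spec.clusterIPs}'
# e.g. ["10.188.12.3","fd00:10:96::1a2b"], exit 0 when an IPv6 ClusterIP was
# allocated. IPv6 literals are the only entries containing ':'.
has_ipv6_clusterip() {
    printf '%s' "$1" | tr -d '[]"' | tr ',' '\n' | grep -q ':'
}

# Usage on a real cluster (not run here):
#   dualstack_service_yaml web 80 | kubectl apply -f -
#   ips=$(kubectl get svc web -o jsonpath='{.spec.clusterIPs}')
#   has_ipv6_clusterip "$ips" && echo "web has an IPv6 ClusterIP: $ips"
# Constructed sample of what the jsonpath query returns for a dual-stack service:
SAMPLE_CLUSTERIPS='["10.188.12.3","fd00:10:96::1a2b"]'
if has_ipv6_clusterip "$SAMPLE_CLUSTERIPS"; then
    echo "sample service is dual-stack: $SAMPLE_CLUSTERIPS"
fi
```

If `has_ipv6_clusterip` fails for a service created with `RequireDualStack`, the create itself will already have been rejected; with `PreferDualStack` the service silently falls back to a single family, so checking `spec.clusterIPs` after apply is the reliable way to confirm the IPv6 switch actually took effect.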
Request test:
References: docs.cilium.io/en/stable/g…
www.yuque.com/docs/share/… "cilium-config"

# Alternative: install Cilium with Helm instead of the cilium CLI
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --version 1.11.2 --namespace kube-system \
   --set ipam.mode=kubernetes

# Test pod (Alibaba Cloud Linux 3 image) for the connectivity tests above
kubectl run centos -it --image=alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3 -- bash

# /etc/fstab entries: keep kubelet and docker data on a separate disk via bind mounts
/dev/vdb /var/lib/container/ ext4 defaults 0 0
/var/lib/container/kubelet /var/lib/kubelet none defaults,bind 0 0
/var/lib/container/docker /var/lib/docker none defaults,bind 0 0