问题
######## 补充了下 arp 相关的信息
root@k8s-ctrl:~/kubespray1-31# kgp | grep vm-pinger
default calico-vm-pinger-7hwrh 1/1 Running 0 14h 10.198.0.102 k8s-work1 <none> <none>
default calico-vm-pinger-hglh8 1/1 Running 0 14h 10.198.0.103 k8s-work2 <none> <none>
default calico-vm-pinger-kv6vg 1/1 Running 0 14h 10.198.0.101 k8s-ctrl <none> <none>
default ovn-vm-pinger-9k55v 1/1 Running 0 13h 10.198.10.1 k8s-work1 <none> <none>
default ovn-vm-pinger-9wzlr 1/1 Running 0 13h 10.198.10.2 k8s-ctrl <none> <none>
default ovn-vm-pinger-qqb8d 1/1 Running 0 13h 10.198.10.3 k8s-work2 <none> <none>
root@k8s-ctrl:~/kubespray1-31# k exec -it -n default ovn-vm-pinger-qqb8d -- bash
root@ovn-vm-pinger-qqb8d:/#
root@ovn-vm-pinger-qqb8d:/#
root@ovn-vm-pinger-qqb8d:/#
root@ovn-vm-pinger-qqb8d:/# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.198.255.254 0.0.0.0 UG 0 0 0 eth0
10.198.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
root@ovn-vm-pinger-qqb8d:/# ip route del 10.198.0.0/16
root@ovn-vm-pinger-qqb8d:/#
root@ovn-vm-pinger-qqb8d:/# ping -c 3 10.198.0.101
PING 10.198.0.101 (10.198.0.101) 56(84) bytes of data.
64 bytes from 10.198.0.101: icmp_seq=1 ttl=62 time=1.07 ms
64 bytes from 10.198.0.101: icmp_seq=2 ttl=62 time=0.277 ms
64 bytes from 10.198.0.101: icmp_seq=3 ttl=62 time=0.311 ms
--- 10.198.0.101 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2012ms
rtt min/avg/max/mdev = 0.277/0.552/1.068/0.365 ms
root@ovn-vm-pinger-qqb8d:/# ping -c 3 10.198.0.102
PING 10.198.0.102 (10.198.0.102) 56(84) bytes of data.
64 bytes from 10.198.0.102: icmp_seq=1 ttl=62 time=1.08 ms
64 bytes from 10.198.0.102: icmp_seq=2 ttl=62 time=0.265 ms
64 bytes from 10.198.0.102: icmp_seq=3 ttl=62 time=0.231 ms
--- 10.198.0.102 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2030ms
rtt min/avg/max/mdev = 0.231/0.525/1.080/0.392 ms
root@ovn-vm-pinger-qqb8d:/# ping -c 3 10.198.0.103
PING 10.198.0.103 (10.198.0.103) 56(84) bytes of data.
64 bytes from 10.198.0.103: icmp_seq=1 ttl=62 time=0.832 ms
64 bytes from 10.198.0.103: icmp_seq=2 ttl=62 time=0.056 ms
64 bytes from 10.198.0.103: icmp_seq=3 ttl=62 time=0.040 ms
--- 10.198.0.103 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2025ms
rtt min/avg/max/mdev = 0.040/0.309/0.832/0.369 ms
root@ovn-vm-pinger-qqb8d:/#
exit
root@k8s-ctrl:~/kubespray1-31# k exec -it -n default calico-vm-pinger-7hwrh -- bash
root@calico-vm-pinger-7hwrh:/#
root@calico-vm-pinger-7hwrh:/#
root@calico-vm-pinger-7hwrh:/# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 169.254.1.1 0.0.0.0 UG 0 0 0 eth0
169.254.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
root@calico-vm-pinger-7hwrh:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
3: eth0@if34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default qlen 1000
link/ether 8e:15:e9:5a:39:a5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.198.0.102/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::8c15:e9ff:fe5a:39a5/64 scope link
valid_lft forever preferred_lft forever
root@calico-vm-pinger-7hwrh:/# ping -c 3 10.198.0.101
PING 10.198.0.101 (10.198.0.101) 56(84) bytes of data.
64 bytes from 10.198.0.101: icmp_seq=1 ttl=62 time=0.274 ms
64 bytes from 10.198.0.101: icmp_seq=2 ttl=62 time=0.256 ms
64 bytes from 10.198.0.101: icmp_seq=3 ttl=62 time=0.239 ms
--- 10.198.0.101 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.239/0.256/0.274/0.014 ms
root@calico-vm-pinger-7hwrh:/# ping -c 3 10.198.0.102
PING 10.198.0.102 (10.198.0.102) 56(84) bytes of data.
64 bytes from 10.198.0.102: icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from 10.198.0.102: icmp_seq=2 ttl=64 time=0.016 ms
64 bytes from 10.198.0.102: icmp_seq=3 ttl=64 time=0.014 ms
--- 10.198.0.102 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2014ms
rtt min/avg/max/mdev = 0.014/0.016/0.018/0.001 ms
root@calico-vm-pinger-7hwrh:/# ping -c 3 10.198.10.1
PING 10.198.10.1 (10.198.10.1) 56(84) bytes of data.
64 bytes from 10.198.10.1: icmp_seq=1 ttl=62 time=0.803 ms
64 bytes from 10.198.10.1: icmp_seq=2 ttl=62 time=0.056 ms
64 bytes from 10.198.10.1: icmp_seq=3 ttl=62 time=0.057 ms
--- 10.198.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2019ms
rtt min/avg/max/mdev = 0.056/0.305/0.803/0.351 ms
root@calico-vm-pinger-7hwrh:/# ping -c 3 10.198.10.2
PING 10.198.10.2 (10.198.10.2) 56(84) bytes of data.
64 bytes from 10.198.10.2: icmp_seq=1 ttl=62 time=1.32 ms
64 bytes from 10.198.10.2: icmp_seq=2 ttl=62 time=0.284 ms
64 bytes from 10.198.10.2: icmp_seq=3 ttl=62 time=0.271 ms
--- 10.198.10.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2012ms
rtt min/avg/max/mdev = 0.271/0.623/1.315/0.489 ms
root@calico-vm-pinger-7hwrh:/# ping -c 3 10.198.10.3
PING 10.198.10.3 (10.198.10.3) 56(84) bytes of data.
64 bytes from 10.198.10.3: icmp_seq=1 ttl=62 time=1.31 ms
64 bytes from 10.198.10.3: icmp_seq=2 ttl=62 time=0.338 ms
64 bytes from 10.198.10.3: icmp_seq=3 ttl=62 time=0.294 ms
--- 10.198.10.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2017ms
rtt min/avg/max/mdev = 0.294/0.646/1.308/0.467 ms
root@calico-vm-pinger-7hwrh:/# arping 10.198.10.3
arping: lookup dev: No matching interface found using getifaddrs().
arping: Unable to automatically find interface to use. Is it on the local LAN?
arping: Use -i to manually specify interface. Guessing interface eth0.
ARPING 10.198.10.3
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.3): index=0 time=4.955 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.3): index=1 time=3.414 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.3): index=2 time=3.164 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.3): index=3 time=3.331 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.3): index=4 time=3.539 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.3): index=5 time=2.998 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.3): index=6 time=3.331 usec
^C
--- 10.198.10.3 statistics ---
7 packets transmitted, 7 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.003/0.004/0.005/0.001 ms
root@calico-vm-pinger-7hwrh:/# arping 10.198.10.2
arping: lookup dev: No matching interface found using getifaddrs().
arping: Unable to automatically find interface to use. Is it on the local LAN?
arping: Use -i to manually specify interface. Guessing interface eth0.
ARPING 10.198.10.2
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.2): index=0 time=4.996 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.2): index=1 time=3.211 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.2): index=2 time=3.586 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.2): index=3 time=4.630 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.2): index=4 time=3.211 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.2): index=5 time=3.420 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.2): index=6 time=3.128 usec
^C
--- 10.198.10.2 statistics ---
7 packets transmitted, 7 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.003/0.004/0.005/0.001 ms
^Xroot@calico-vm-pinger-7hwrh:/# arping 10.198.10.1
arping: lookup dev: No matching interface found using getifaddrs().
arping: Unable to automatically find interface to use. Is it on the local LAN?
arping: Use -i to manually specify interface. Guessing interface eth0.
ARPING 10.198.10.1
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.1): index=0 time=5.714 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.1): index=1 time=3.545 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.1): index=2 time=3.420 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.1): index=3 time=3.211 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.10.1): index=4 time=3.045 usec
^C
--- 10.198.10.1 statistics ---
5 packets transmitted, 5 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.003/0.004/0.006/0.001 ms
root@calico-vm-pinger-7hwrh:/# arping 10.198.0.101
arping: lookup dev: No matching interface found using getifaddrs().
arping: Unable to automatically find interface to use. Is it on the local LAN?
arping: Use -i to manually specify interface. Guessing interface eth0.
ARPING 10.198.0.101
42 bytes from ee:ee:ee:ee:ee:ee (10.198.0.101): index=0 time=6.131 usec
42 bytes from ee:ee:ee:ee:ee:ee (10.198.0.101): index=1 time=3.253 usec
^C
--- 10.198.0.101 statistics ---
2 packets transmitted, 2 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.003/0.005/0.006/0.001 ms
root@calico-vm-pinger-7hwrh:/#
可以看到 calico 直连路由都用不上 , 这种情况 calico 依赖二层的 arp 广播么?
Calico 在 IP-in-IP / VXLAN 模式下的数据平面行为。
逐步拆解:
🧩 你的路由表说明了什么
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 169.254.1.1 0.0.0.0 UG 0 0 0 eth0
169.254.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
这代表:
- Pod 的默认网关是
169.254.1.1(Calico 内部虚拟网关) - Pod 仅知道“我所有的包都交给 eth0 → 169.254.1.1”
- Pod 本身完全不感知底层的真实路由,也没有各 Node CIDR 的直连路由
🧠 那它靠什么通信?
这取决于 Calico 的封装模式。
| 模式 | 是否依赖 ARP | 原理 |
|---|---|---|
| BGP(无隧道) | ✅ 需要二层可达 | 每个节点宣告 PodCIDR,Pod 发包通过宿主机路由直接转发,依赖 ARP 解析对端节点的 MAC |
| IP-in-IP (默认) | ❌ 不依赖 ARP | Pod 包被宿主机封装成 IP-in-IP 隧道,目的地址为对端 Node IP,宿主机查宿主机路由表找到对端 Node 的下一跳(通常走物理网卡,不需 Pod 发 ARP) |
| VXLAN 模式 | ❌ 不依赖 ARP(除本机子网) | 宿主机维护 VNI 到 NodeIP 映射(通过 Calico node table 或 BGP update),封装为 VXLAN 帧发送到对端 Node;Pod 自己并不广播 ARP |
🧩 所以这个 Pod 会不会发 ARP?
不会(至少不会用于跨节点通信)。
-
对于 Pod → Pod(跨节点) :
- Pod 发包到 169.254.1.1(网关)
- veth 另一端(宿主机上)被 Calico 接管
- 宿主机
calico虚拟设备查 Calico 路由表 → 发现目标 Pod 在远端节点 - 宿主机进行封装(IP-in-IP 或 VXLAN)
- 不需要 Pod 自己发 ARP,也不会在 overlay 内层做二层广播
-
对于 Pod → 同节点的另一个 Pod:
- 通常同节点 Pod 之间会直连(
cali+接口之间),可能依赖本机内核的 FDB(但也不是 ARP 广播)
- 通常同节点 Pod 之间会直连(
🧩 总结
| 项目 | 说明 |
|---|---|
| Pod 路由表 | 只有一个默认路由指向 169.254.1.1 |
| 是否发 ARP | ❌ 不会(跨节点通信依靠宿主机封装,不在 Pod 层广播 ARP) |
| 依赖二层广播吗 | ❌ 不依赖(overlay 模式) |
| 谁在维护映射关系 | Calico node agent(Felix)维护 PodCIDR ↔ NodeIP 的映射,写入宿主机路由表或 VXLAN FDB |
| 特例 | 仅当运行在 BGP “no encapsulation” 模式下,Calico 才依赖二层 ARP |
✅ 结论一句话总结:
你看到的这种 Calico Pod 路由表(只有 169.254.1.1 网关)属于 overlay 模式(IPIP/VXLAN),
Calico 不依赖二层 ARP 广播,由宿主机 Calico 组件负责封装与路由。
如果你愿意,我可以帮你一键分析当前集群到底是 BGP / IPIP / VXLAN 模式 ——只需要贴一下这两条命令的输出:
kubectl get felixconfigurations -A -o yaml | grep -A3 vxlan
kubectl get ippools.crd.projectcalico.org -A -o yaml
