Kubernetes/K8S基础使用方法总结——网络配置

因为Flannel安装和使用简单便捷，但没有网络策略功能；而Calico具有网络策略功能，但部署和使用较复杂。所以，我们一般将Flannel和Calico联合使用。

为了提高Flannel的性能，我们一般需要设置它的Back参数打开Directrouting功能选项，在flannel配置文件中内容

:|{"Network":"10.244.0.0/16","Back":{"Type":"vxlan"}}

更改为

:|{"Network":"10.244.0.0/16","Back":{"Type":"vxlan","Directrouting":true}}

1.安装Calico

安装仅提供网络策略的Calico，InstallingCalicoforpolicyandflannel(akaCanal)fornetworking，安装方法如下：（若需要相关yaml配置清单文件和image镜像可联系作者）

EnsurethattheKubernetescontrollermanagerhasthefollowingflagsset:
--cluster-cidr=your-pod-cidrand--allocate-node-cidrs=:Onkubeadm,youcanpass--pod-network-cidr=your-pod-cidrtokubeadmtosetbothKubernetescontrollerflags.

DownloadtheflannelnetworkingmanifestfortheKubernetesAPIdatastore.
$curl

/16,,nochangesarerequired-Cal,makesureyouuncommenttheCALICO_IPV4POOL_CIDRvariableinthemanifestandsetittothesamevalueasyourchosenpodCIDR.

IssuethefollowingcommandtoinstallCalico.$

Ifyouwishtoenforceapplicationlayerpoliciesandsecureworkload-to-workloadcommunicationswithmutualTLSauthentication,continuetoEnableapplicationlayerpolicy(optional).

2.Calico网络策略制定格式

对象networkpolicy，简称netpol

[root@master1calico]:NetworkPolicyVERSION:/v1RESOURCE:specObjectDESCRIPTION::egress[]pod(andclusterpolicyotherwiseallowsthetraffic),ORifthetrafficmatchesatleastoneegressrule(andservessolelytoensurethatthepodsitselectsareisolatedbydefault).[]d(andclusterpolicyotherwiseallowsthetraffic),ORifthetrafficsourceisthepod'slocalnode,ORifthetrafficmatchesatleastoneingressrule(andservessolelytoensurethatthepodsitselectsareisolatedbydefault)podSelectorObje,[]"Ingress","Egress",or"Ingress,Egress".Ifthisfieldisnotspecified,itwilldefaultbasedontheexistenceofIngressorEgressrules;policiesthatcontainanEgresssectionareassumedtoaffectEgress,andallpolicies(whetherornottheycontainanIngresssection),youmustexplicitlyspecifypolicyTypes["Egress"].Likewise,ifyouwanttowriteapolicythatspecifiesthatnoegressisallowed,youmustspecifyapolicyTypesvaluethatinclude"Egress"(sincesuchapolicywouldnotincludeanEgresssectionandwouldotherwisedefaulttojust["Ingress"]).

常用选项ingress、egress、podSelector、policyTypes。

3.Calico网络策略功能演示

创建两个名称空间，制定网络策略，在两个名称空间中相互访问，以此做演示，显示Calico网络策略的功能使用方式。

1).创建两个名称空间

[root@master1calico]kubectlcreatensprodnamespace/prodcreated

2).分别在两个名称空间中创建pod资源

apiVersion:v1kind:Podmetadata:name:calico-pod1spec:containers:-name:myappimage:ikubernetes/myapp:v1

创建pod

[root@master1calico]/calico-pod1created

3).创建网络策略

apiVersion:/v1kind:NetworkPolicymetadata:name:deny-all-ingressspec:podSelector:{}policyTypes:-Ingress

创建和查看

[root@master1calico]kubectlgetnetpol-ndevNAMEPOD-SELECTORAGEdeny-all-ingressnone17s[root@master1calico]kubectlgetpods-ndev-owideNAMEREADYSTATUSRESTARTSAGEIPNODENOMINATEDNODEREADINESSGATEScalico-pod11/1[root@master1calico]^C[root@master1calico]#|Version:v1|ahref=""PodName/a

5).修改网络规则

如下打开了所有ingress访问