本文转载自微信公众号《运维开发故事》,作者夕阳。转载本文请联系运维开发故事公众号。简介最近听很多朋友说cilium很强大,势必会成为主流。因为使用了ebpf,所以性能好,支持网络策略。所以,我决定花一些时间学习它。在通过官网文档学习的过程中,发现使用cilium作为CNI是不需要安装kube-proxy的。这让我想起了之前在面试中被问到的一个问题。面试官问我:kube-proxy可以不用安装吗,有没有其他的替代方案。现在没有答案。顺便说一句,从官方文档中学习真的很难(毕竟都是英文的);但我还是建议大家看官方文档学习,不要翻译成中文。那么,让我练习一下。环境描述序列号项目描述1kubernetes版本v1.21.32cilium版本v1.10.33kubernetes安装方法kubeadm4cilium网络方式vxlan5osubuntu18.046kubernetesclusterscale1master,2nodetext在master上初始化集群,并添加--skip-phases=addon/kube-proxy参数忽略kube-proxy安装kubeadmin--apiserver-advertise-address=10.211.55.50--image-repositoryregistry.aliyuncs.com/google_containers--kubernetes-versionv1.21.3--service--cidr=10.96.0.0/12--pod-network-cidr=10.244.0.0/16--ignore-preflight-errors=all--skip-phases=addon/kube-proxy在两个节点上执行kubeadmjoin,加入集群kubeadmjoin10.211.55.50:6443--tokenouez6j.02ms269v8i4psl7p--discovery-token-ca-cert-hashsha256:5fdafe0fe1adb3b60cd7bc33f033f028279a94a3944816424cc7f5bb498f6868使用helm(v3)来安装cilium先添加cilium库helmrepoaddciliumhttps://helm.cilium.io/使用如下命令安装cilium,添加kubeProxyReplacement=strict参数helminstallciliumcilium/cilium--version1.10.3--namespacekube-system--setkubeProxyReplacement=strict--setk8sServiceHost=10.211.55.50--setk8sServicePort=6443Checkciliuminstallationresults#Viewciliumagent,deployedoneachnodenodeasdaemonsetroot@cilium1:/#kubectl-nkube-systemgetpods-lk8s-app=ciliumNAMEREADYSTATUSRESTARTSAGEcilium-8gwg21/1Running08m4scilium-t9ffc1/1Running08m39scilium-x42r61/1Running08m16s#查看cilumoperatorroot@cilium1:~#kubectlgetpo-A-owide|grepcilium-operatorkube-systemcilium-operator-5df88875-867hd1/1Running541h172.16.88.47cilium3kube-systemcilium-operator-5df88875-9kx8c1/1Running541h172.16.88.253cilium2Checkifthereisakube-proxycomponent.可以发现并没有该组件root@cilium1:/#kubectlgetpo-nkube-systemNAMEREADYSTATUSRESTARTSAGEcilium-8gwg21/1Running010mcilium-operator-5df88875-867hd1/1Running527hcilium-operator-5df88875-9kx8c1/1Running527hcilium-t9ffc1/1Running011mcilium-x42r61/1Running010mcoredns-59d64cd4d4-hbwg41/1Running127hcoredns-59d64cd4d4-l2pmt1/1Running127hetcd-cilium11/1Running227hkube-apiserver-cilium11/1Running227hkube-controller-manager-cilium11/1Running227hkube-scheduler-cilium11/1Running227h检查cilium状态,确保安装正确root@cilium1:/#kubectlexec-nkube-systemcilium-t9ffc--ciliumstatusDefaultedcontainer"cilium-agent"outof:cilium-agent,mount-cgroup(init),clean-cilium-state(init)KVStore:OkDisabledKubernetes:Ok1.21(v1.21.3)[linux/amd64]KubernetesAPIs:["cilium/v2::CiliumClusterwideNetworkPolicy","cilium/v2::CiliumEndpoint","cilium/v2::CiliumNetworkPolicy","cilium/v2::CiliumNode","core/v1::Namespace","core/v1::Node","core/v1::Pods","core/v1::Service","discovery/v1::EndpointSlice","networking.k8s.io/v1::NetworkPolicy"]KubeProxyReplacement:Strict[eth010.211.55.50(DirectRouting)]Cilium:Ok1.10.3(v1.10.3-4145278)NodeMonitor:Listeningforeventson8CPUswith64x4096ofsharedmemoryCiliumhealthdaemon:OkIPAM:IPv4:2/254allocatedfrom10.0.0.0/24,BandwidthManager:DisabledHostRouting:LegacyMasquerading:BPF[eth0]10.0.0.4:6[IPv:D]已禁用]ControllerStatus:20/20healthyProxyStatus:OK,ip10.0.0.41,0redirectsactiveonports10000-20000Hubble:OkCurrent/MaxFlows:817/4095(19.95%),Flows/s:0.95Metrics:DisabledEncryption:DisabledClusterhealth:3/3reachable(2021-0-07T15:29:05Z)部分nginx来测试一下网络连接#nginxdeploymentyaml文件catdeployment-nginx.yamlapiVersion:apps/v1kind:Deploymentmetadata:name:nginxspec:selector:matchLabels:run:nginxreplicas:4template:label:meruntadatanginxspec:containers:-name:nginximage:nginxports:-containerPort:80#创建nginxdeploymentkubectlcreate-fdeployment-nginx.yaml#查看部署结果root@cilium1:/#kubectlgetpo-owideNAMEREADYSTATUSRESTARTSAGEIPNODENOMINATEDNODEREADINESSGATESnginx-649c4b9857-8f2v51/1Running126h10.0.2.212cilium2nginx-649c4b9857-mhsxs1/1Running126h10.0.1.23cilium3nginx-649c4b9857-qw2jj1/1Running126h10.0.2.69cilium2nginx-649c4b9857-vj9w21/1Running126h10.0.1.126cilium3创建nodeport服务验证服务可访问性-port=80#Viewserviceroot@cilium1:/#kubectlgetsvcnginxNAMETYPECLUSTER-IPEXTERNAL-IPPORT(S)AGEnginexNodePort10.97.209.10380:31126/TCP26h验证nodeport,集群可以访问#vianodeportroot@cilium1:/#curl127.0.0.1:31126Welcometonginx!#viaservice:portroot@cilium1:/#curl10.97.209.103Welcometonginx!#Checkiptables发现它是空的root@cilium1:/#iptables-保存|grepKUBE-SVCroot@cilium1:/##checkciliunserviceroot@cilium1:/#kubectlexec-nkube-systemcilium-t9ffc--ciliumservicelistDefaultedcontainer"cilium-agent"outof:cilium-agent,mount-cgroup(init),clean-cilium-state(init)IDFrontendServiceTypeBackend110.96.0.1:443ClusterIP1=>172.16.88.57:6443210.96.0.10:9153ClusterIP1=>10.0.2.229:91532=>10.0.2.80:9153310.95.0.10:53.20.9>10.0.2.80:53410.97.209.103:80ClusterIP1=>10.0.2.69:802=>10.0.1.23:803=>10.0.1.126:804=>10.0.2.212:805172.16.88.57:31126NodePort1=>10.0.2。10.0.1.23:803=>10.0.1.126:804=>10.0.2.212:8060.0.0.0:31126NodePort1=>10.0.2.69:802=>10.0.1.23:803=>10.0.1.126:804=>10.0.2.212:80从上面的安装测试结果来看,虽然我们没有安装k8s的kube-proxy组件,但是集群还是正常的,说明kube-proxy组件确实可以更换。综上所述,虽然上面已经完成了没有kube-proxy的kubernetes的搭建和测试,但是还有很多地方没有说明。比如使用cilium的系统要求,什么是cilium,几种组网方式,组网策略等。不过请不要着急,期待我后续的文章。参考https://docs.cilium.io/en/v1.10/gettingstarted/kubeproxy-free/#kubernetes-without-kube-proxyhttps://kubernetes.io/docs/concepts/cluster-administration/addons/https://helm.sh/docs/intro/install/
