kubernetesinstallciliumCilium简介Cilium是一种开源软件,用于在使用Kubernetes、Docker和Mesos等Linux容器管理平台部署的应用程序服务之间透明地配置和保护网络和API连接。Cilium基于一种名为BPF的新Linux内核技术,可以在Linux内部动态插入强大的安全性、可见性和网络控制逻辑。除了提供传统的网络级安全性之外,BPF的灵活性还支持API和进程级的安全性,以保护容器或容器内的通信。由于BPF在Linux内核中运行,因此无需对应用程序代码或容器配置进行任何更改即可应用和更新Cilium安全策略。1安装helm[root@k8s-master01~]#curl-fsSL-oget_helm.shhttps://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3[root@k8s-master01~]#chmod700get_helm.sh[root@k8s-master01~]#./get_helm.sh2安装cilium[root@k8s-master01~]#helmrepoaddciliumhttps://helm.cilium.io[root@k8s-master01~]#helminstallciliumcilium/cilium--namespacekube-system--sethubble.relay.enabled=true--sethubble.ui.enabled=true--setprometheus.enabled=true--setoperator.prometheus.enabled=true--sethubble.enabled=true--sethubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}"名称:ciliumLAST部署时间:2000年9月11日星期日:04:302022NAMESPACE:kube-systemSTATUS:deployedREVISION:1TESTSUITE:NoneNOTES:您已成功安装CiliumwithHubble。您的发布版本为1.12.1。如需任何进一步的帮助,请访问https://docs.cilium.io/en/v1.12/gettinghelp[root@k8s-master01~]#3查看[root@k8s-master01~]#kubectl获取pod-A|grepcilkube-systemcilium-gmr6c1/1运行05m3skube-systemcilium-kzgdj1/1运行05m3skube-systemcilium-operator-69b677f97c-6pw4k1/1运行05m3skube-systemcilium-operator-69b677f97c-xzzdk1/1Running05m3skube-systemcilium-q2rnr1/1Running05m3skube-systemcilium-smx5v1/1Running05m3skube-systemcilium-tdjq41/1Running05m3s[root@k8s-master01~]#4下载专属监控面板[root@k8s-master01yaml]#wgethttps://raw.githubusercontent.com/cilium/cilium/1.12.1/examples/kubernetes/addons/prometheus/monitoring-example.yaml[root@k8s-master01yaml]#[root@k8s-master01yaml]#kubectlapply-fmonitoring-example.yamlnamespace/cilium-monitoringcreatedserviceaccount/prometheus-k8s创建的configmap/grafana-config创建的configmap/grafana-cilium-dashboard创建的configmap/grafana-cilium-operator-dashboard创建的configmap/grafana-hubble-dashboard创建的configmap/prometheus创建的clusterrole.rbac.authorization.k8s.io/prometheus创建的clusterrolebinding.rbac.authorization.k8s.io/prometheuscreatedservice/grafanacreatedservice/prometheuscreateddeployment.apps/grafanacreateddeployment.apps/prometheuscreated[root@k8s-master01yaml]#5下载部分测试用例[root@k8s-master01yaml]#wgethttps://raw.githubusercontent.com/cilium/cilium/master/examples/kubernetes/connectivity-check/connectivity-check.yaml[root@k8s-master01yaml]#sed-i"s#google.com#oiox.cn#g"connectivity-check.yaml[root@k8s-master01yaml]#kubectlapply-fconnectivity-check.yamldeployment.apps/echo-acreateddeployment.apps/echo-bcreateddeployment.apps/echo-b-hostcreateddeployment。apps/pod-to-acreateddeployment.apps/pod-to-external-1111createddeployment.apps/pod-to-a-denied-cnpcreateddeployment.apps/pod-to-a-allowed-cnpcreateddeployment.apps/pod-to-external-fqdn-allow-google-cnpcreateddeployment.apps/pod-to-b-多节点集群createddeployment.apps/pod-to-b-multi-node-headlesscreateddeployment.apps/host-to-b-multi-node-clusteripcreateddeployment.apps/host-to-b-multi-node-headlesscreateddeployment.apps/pod-to-b-multi-node-nodeportcreateddeployment.apps/pod-to-b-intra-node-nodeportcreatedservice/echo-acreatedservice/echo-bcreatedservice/echo-b-headlesscreatedservice/echo-b-host-headlesscreatedciliumnetworkpolicy.cilium.io/pod-to-a-denied-cnpcreatedciliumnetworkpolicy.cilium.io/pod-to-a-allowed-cnpcreatedciliumnetworkpolicy.cilium.io/pod-to-external-fqdn-allow-google-cnpcreated[root@k8s-master01yaml]#6查看pod[root@k8s-master01yaml]#kubectlgetpod-ANAMESPACENAMEREADYSTATUSRESTARTSAGEcilium-monitoringgrafana-59957b9549-6zzqh1/1运行010mcilium-monitoringprometheus-7c8c9684bb-4v9cl1/1运行010mdefaultchenby-75b5d7fbfb-7zjsr1/1运行027hdefaultchenby-75b5d7fbfb-hbdefault/hbv0runningr8-75b5d7fbfb-ppbzg1/1运行027hdefaultecho-a-6799dff547-pnx6w1/1运行010mdefaultecho-b-fc47b659c-4bdg91/1运行010mdefaultecho-b-host-67fcfd59b7-28r9s1/1运行010mdefaulthost-to-b-multi-node-clusterip-69c57975d6-z4j2z1/1运行010mdefaulthost-to-b-multi-node-headless-865899f7bb-frrmc1/1运行010mdefaultpod-to-a-allowed-cnp-5f9d7d4b9d-hcd8x1/1运行010mdefaultpod-to-a-denied-cnp-65cc5ff97b-2rzb81/1运行010mdefaultpod-to-a-dfc64f564-p7xcn1/1运行010mdefaultpod-to-b-intra-node-nodeport-677868746b-trk2l1/1运行010mdefaultpod-to-b-multi-node-clusterip-76bbbc677b-knfq21/1运行010mdefaultpod-to-b-multi-node-headless-698c6579fd-mmvd71/1运行010mdefaultpod-to-b-多节点节点端口5dc4b8cfd6-8dxmz1/1运行010mdefaultpod-to-external-1111-8459965778-pjt9b1/1运行010mdefaultpod-to-external-fqdn-allow-google-cnp-64df9fb89b-l9l4q1/1运行010mkube-systemcilium-7rfj61/1运行056skube-systemcilium-d4cch1/1运行056skube-systemcilium-h5x8r1/1运行056skube-systemcilium-operator-5dbddb6dbf-flpl51/1运行056skube-systemcilium-operator-5dbddb6dbf-gcznc1/1运行056skube-systemcilium-t2xlz1/1运行056skube-systemcilium-z65z71/1运行056skube-systemcoredns-665475b9f8-jkqn81/1运行1(36小时前)36hkube-systemhubble-relay-59d8575-9pl9z1/1运行056skube-systemhubble-ui-64d4995d57-nsv9j2/2运行056skube-systemmetrics-server-776f58c94b-c6zgs1/1Running1(36hago)37h[root@k8s-master01yaml]#7修改为NodePort[root@k8s-master01yaml]#kubectleditsvc-nkube-systemhubble-uiservice/hubble-ui编辑[root@k8s-master01yaml]#[root@k8s-master01yaml]#kubectleditsvc-ncilium-monitoringgrafanaservice/grafana编辑[root@k8s-master01yaml]#[root@k8s-master01yaml]#kubectleditsvc-ncilium-monitoringprometheusservice/prometheusedited[root@k8s-master01yaml]#type:NodePort8查看端口[root@k8s-master01yaml]#kubectlgetsvc-A|监视cilium-monitoringgrafanaNodePort10.100.250.17
