Kubernetes Network
CNI (Container Network Interface )
Steps of container network setup
1. Create network namespace
2. Create bridge network/interface
3. Create VETH Pairs (Pipe, Virtual Cable)
4. Attach vEth to Namespace
5. Attach Other vEth to Bridge
6. Assign IP Address
7. Bring the interfaces up
8. Enable NAT-IP Masquerade
All container runtimes use the same logic for this, so it was standardised as CNI (Container Network Interface), used by rkt, Mesos and Kubernetes. The CNI standard requires:
1. Container Runtime must create network namespace
2. Identify network the container must attach to
3. Container runtime to invoke network plugin (bridge) when container is added
4. Container runtime to invoke network plugin (bridge) when container is deleted
5. Json format of the network configuration
6. Must support command line arguments add / del / check
7. Must support parameters container id, network ns etc…
8. Must manage ip address assignment to pods
9. Must return results in a specific format
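The eight setup steps and the CNI contract above (add/del commands, container id and namespace as parameters, a JSON result), as an added example that is not code from the original notes. The script performs the steps with plain ip/iptables commands in the shape a runtime invokes a plugin. The bridge name cni0, the 10.244.0.0/24 pod subnet, the DRY_RUN convention and naming the network namespace after the container are assumptions for illustration; with DRY_RUN=1 it prints the commands instead of executing them, so the sequence can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original notes: bridge-style pod network setup
# following the eight steps above, in the add/del shape CNI requires.
# Assumed values: bridge cni0, pod subnet 10.244.0.0/24, netns named after the
# container. DRY_RUN=1 prints commands instead of running them (no root needed).

BRIDGE=${BRIDGE:-cni0}
BRIDGE_IP=${BRIDGE_IP:-10.244.0.1/24}     # gateway address the pods route through
POD_SUBNET=${POD_SUBNET:-10.244.0.0/24}   # source range that is masqueraded (step 8)

run_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Requirement 9: report the result as JSON (shape of a CNI 0.4.0 "ips" entry).
cni_result() {
  printf '{"cniVersion": "0.4.0", "ips": [{"version": "4", "address": "%s", "gateway": "%s"}]}\n' "$1" "$2"
}

# ADD <container id> <pod ip/prefix>: the pod IP is what IPAM handed out.
cni_add() {
  cid=$1; pod_ip=$2; ns=$cid
  host_if="veth$(printf '%.10s' "$cid")"   # Linux interface names are limited to 15 chars
  cont_if="ctmp$(printf '%.10s' "$cid")"   # temporary name until it becomes eth0 in the netns
  gw=${BRIDGE_IP%/*}

  # 1. Create the network namespace (under CNI proper the runtime does this and passes CNI_NETNS).
  run_cmd ip netns add "$ns"
  # 2. Create the bridge once and give it the gateway address.
  if [ "${DRY_RUN:-0}" = "1" ] || ! ip link show "$BRIDGE" >/dev/null 2>&1; then
    run_cmd ip link add "$BRIDGE" type bridge
    run_cmd ip addr add "$BRIDGE_IP" dev "$BRIDGE"
    run_cmd ip link set "$BRIDGE" up
  fi
  # 3. Create the veth pair (the virtual cable).
  run_cmd ip link add "$host_if" type veth peer name "$cont_if"
  # 4. Move one end into the namespace and rename it eth0.
  run_cmd ip link set "$cont_if" netns "$ns"
  run_cmd ip netns exec "$ns" ip link set "$cont_if" name eth0
  # 5. Plug the other end into the bridge.
  run_cmd ip link set "$host_if" master "$BRIDGE"
  # 6. Assign the pod IP inside the namespace.
  run_cmd ip netns exec "$ns" ip addr add "$pod_ip" dev eth0
  # 7. Bring both ends up and route everything via the bridge address.
  run_cmd ip link set "$host_if" up
  run_cmd ip netns exec "$ns" ip link set eth0 up
  run_cmd ip netns exec "$ns" ip route add default via "$gw"
  # 8. Enable forwarding and masquerade pod traffic leaving the node. The -C check
  #    avoids appending a duplicate rule on every ADD (compare: iptables -t nat -L).
  run_cmd sysctl -w net.ipv4.ip_forward=1
  if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -t nat -C POSTROUTING -s "$POD_SUBNET" ! -o "$BRIDGE" -j MASQUERADE 2>/dev/null; then
    run_cmd iptables -t nat -A POSTROUTING -s "$POD_SUBNET" ! -o "$BRIDGE" -j MASQUERADE
  fi
  cni_result "$pod_ip" "$gw"
}

# DEL <container id>: deleting one end of the veth pair removes both ends.
cni_del() {
  ns=$1
  run_cmd ip netns exec "$ns" ip link del eth0
  run_cmd ip netns del "$ns"
}

# CLI in the add/del form: ./net-script.sh add <container> <ip/prefix> | del <container>
if [ $# -gt 0 ]; then
  case "$1" in
    add) cni_add "$2" "$3" ;;
    del) cni_del "$2" ;;
    *) echo "usage: $0 add <container> <ip/prefix> | del <container>" >&2; exit 1 ;;
  esac
fi
```

Run `DRY_RUN=1 ./net-script.sh add pod1 10.244.0.5/24` to see the exact command sequence before letting it touch a node; the MASQUERADE rule is the one piece that changes what the rest of the network sees, which is why the step-8 check reads the existing state first.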
K8S Cluster Network
Master + Work nodes
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#check-required-ports
Master
2379: etcd service
6443: kube api service
10250: kubelet service
10251: kube scheduler service
10252: kube controller manager service
With two masters
2380: etcd peer sync between the two etcd services
Work nodes
10250: kubelet service
30000 - 32767: service
Related commands
#ip link
#ip addr
#ip addr add 192.168.1.10/24 dev eth0
#ip route
#ip route add 192.168.1.0/24 via 192.168.2.1
#cat /proc/sys/net/ipv4/ip_forward
#arp
#netstat -plnt
#route
Pod Network
Every pod has an IP address
Every pod should be able to communicate with other pods on the same node
Every pod should be able to communicate with pods on other nodes without NAT
Kubelet creates the pod and follows its CNI configuration to set up the network for it.
Config: --cni-conf-dir=/etc/cni/net.d
Script: --cni-bin-dir=/etc/cni/bin
Execute: ./net-script.sh add <container> <namespace>
K8S CNI
K8S Config CNI: kubelet configuration file
Check #ps aux | grep kubelet
Related configuration
1. --network-plugin
2. --cni-conf-dir
3. --cni-bin-dir
/opt/cni/bin lists all network plugins available to K8S
/etc/cni/net.d lists which plugin is installed in this k8s cluster
For example, /etc/cni/net.d contains the file 10-weave.conf
Its content is
{
  "name": "weave",
  "type": "weave-net",
  "hairpinMode": true
}
The executable invoked when a pod is created or deleted is /opt/cni/bin/weave-net
Check the weave interface and its IP address range: ip addr | grep weave
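A defender's check for the configuration just described, as an added example rather than code from the original notes: which plugin does kubelet actually run, and is the binary it will execute as root on every pod create/delete present and not writable by anyone but its owner. The conf and bin directories are passed as arguments (use the values of --cni-conf-dir and --cni-bin-dir from ps); make_sample_conf writes a constructed copy of the 10-weave.conf shown above into a temporary directory so the functions can be exercised offline. The sed-based extraction of "type" is an assumption that is good enough for the flat .conf shape shown; for a .conflist it reports the first plugin only.

```shell
#!/bin/sh
# Added example, not from the original notes: inspect the CNI configuration
# kubelet will use and the plugin binary it resolves to.

cni_conf_type() {
  # kubelet loads the first file in sort order from --cni-conf-dir.
  conf_dir=$1
  first=$(ls "$conf_dir"/*.conf "$conf_dir"/*.conflist 2>/dev/null | sort | head -n 1)
  [ -n "$first" ] || { echo "no CNI config in $conf_dir" >&2; return 1; }
  # Pull the "type" value without jq (assumption: flat .conf layout as in 10-weave.conf;
  # for a .conflist this yields the first plugin in the list).
  sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$first" | head -n 1
}

cni_bin_check() {
  # The plugin at <bin_dir>/<type> runs as root on every pod create/delete:
  # it must exist, be executable, and not be group- or world-writable.
  bin_dir=$1; plugin=$2
  bin="$bin_dir/$plugin"
  [ -x "$bin" ] || { echo "MISSING: $bin"; return 1; }
  mode=$(stat -c '%a' "$bin")   # GNU stat (Linux); prints e.g. 755
  case "$mode" in
    *[2367]?|*[2367]) echo "WARN: $bin is group/world-writable (mode $mode)"; return 2 ;;
  esac
  echo "OK: $bin mode $mode"
}

make_sample_conf() {
  # Constructed sample reproducing the 10-weave.conf content shown above.
  dir=$(mktemp -d)
  printf '{\n  "name": "weave",\n  "type": "weave-net",\n  "hairpinMode": true\n}\n' > "$dir/10-weave.conf"
  echo "$dir"
}

# Usage against a real node (paths from the kubelet flags):
#   type=$(cni_conf_type /etc/cni/net.d) && cni_bin_check /opt/cni/bin "$type"
```

On a live node, a MISSING result means pods will fail to get networking at all, while a WARN result means anyone who can write to that path can run code as root whenever a pod is scheduled; both are worth alerting on.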
CNI Weaveworks
How it works
1. Set up an agent on every node
2. Each agent gets information about the nodes
3. The agents communicate with each other
Setup weave
1. Run weave as a DaemonSet
2. Weave is then deployed as a pod on every node
#kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
#kubectl get pods -n kube-system
#kubectl logs <weave pod name> weave -n kube-system
IP Address Management (IPAM)
The CNI plugin does the IP address assignment
Weaveworks default --> 10.32.0.0/12 network range (usable hosts 10.32.0.1 - 10.47.255.254)
Kubernetes Network
Internal subnet of a single node - 10.244.0.0
IP address assigned to a pod on that node - 10.244.0.1
Cluster network - uses an existing solution provided by the network vendors
Node 1: 10.244.1.0 subnet
Node 2: 10.244.2.0 subnet
Services
A request from inside the node can curl the pod directly
A request from outside the node needs a service to reach it
Kube-proxy: forwards the request from the service to the pod
By default it uses iptables
Check: # kubectl logs <kube proxy pod name> -n kube-system
When a service starts it gets one cluster IP
The cluster IP range is defined in the kube-apiserver configuration
--service-cluster-ip-range
10.96.0.0/12 --> 10.96.0.0 - 10.111.255.255
Find the service IP by checking iptables
#iptables -L -t nat | grep <service name>
It can also be checked in the kube-proxy log
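The two ranges quoted in these notes (10.32.0.0/12 for Weave above, 10.96.0.0/12 for --service-cluster-ip-range here) are easy to compute and, more importantly, easy to check against each other: pod, service and node ranges must not overlap, or kube-proxy and the CNI plugin will send traffic to the wrong place. The following is an added example, not code from the original notes, written in plain POSIX shell arithmetic; it prints the network and broadcast address of a CIDR (the usable host range is one in from each end, as the Weave note shows) and tests a set of cluster ranges for overlap. The 10.244.0.0/16 pod range and the 192.168.1.0/24 node network in the usage are assumed values.

```shell
#!/bin/sh
# Added example, not from the original notes: CIDR span and overlap checks
# for the pod, service and node ranges of a cluster, pure shell arithmetic.

ip2int() {
  # Dotted quad -> 32-bit integer.
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
  # 32-bit integer -> dotted quad.
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_range() {
  # Print "<network address> <broadcast address>" for a CIDR such as 10.32.0.0/12.
  net=${1%/*}; bits=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  first=$(( $(ip2int "$net") & mask ))
  last=$(( first | (~mask & 0xFFFFFFFF) ))
  echo "$(int2ip "$first") $(int2ip "$last")"
}

cidr_overlap() {
  # Exit 0 when the two CIDRs share at least one address, 1 otherwise.
  set -- $(cidr_range "$1") $(cidr_range "$2")
  a_first=$(ip2int "$1"); a_last=$(ip2int "$2")
  b_first=$(ip2int "$3"); b_last=$(ip2int "$4")
  [ "$a_first" -le "$b_last" ] && [ "$b_first" -le "$a_last" ]
}

check_cluster_cidrs() {
  # <pod cidr> <service cidr> <node cidr>: print every overlapping pair, exit 1 if any.
  pods=$1; svcs=$2; nodes=$3; rc=0
  for pair in "$pods $svcs" "$pods $nodes" "$svcs $nodes"; do
    if cidr_overlap ${pair}; then
      echo "OVERLAP: $pair"; rc=1
    fi
  done
  return $rc
}

# Usage with the ranges quoted in these notes (node network is an assumed value):
cidr_range 10.32.0.0/12    # 10.32.0.0 10.47.255.255   (Weave default)
cidr_range 10.96.0.0/12    # 10.96.0.0 10.111.255.255  (--service-cluster-ip-range)
check_cluster_cidrs 10.244.0.0/16 10.96.0.0/12 192.168.1.0/24 && echo "cluster CIDRs are disjoint"
```

Run check_cluster_cidrs with the pod CIDR of the CNI plugin, the value of --service-cluster-ip-range and the node network before joining nodes; an overlap found later shows up as services that intermittently resolve to the wrong backend, which is much harder to diagnose.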
NodePort
Range: 30000-32767
Example yaml file
apiVersion: v1
kind: Service
metadata:
  name: myapp-service
spec:
  type: NodePort
  ports:
  - targetPort: 80
    port: 80
    nodePort: 30080
  selector:
    app: myapp
    type: front-end
create #kubectl create -f <yaml file>
check #kubectl get services
ClusterIP
Used for service-to-service communication inside the cluster
Example yaml file
apiVersion: v1
kind: Service
metadata:
  labels:
    tier: msg
  name: messaging-service
spec:
  type: ClusterIP
  ports:
  - port: 6379
    protocol: TCP
    targetPort: 6379
  selector:
    tier: msg
LoadBalancer
Example yaml file
apiVersion: v1
kind: Service
metadata:
  name: front-end
spec:
  type: LoadBalancer
  ports:
  - targetPort: 80
    port: 80
  selector:
    app: myapp
    type: front-end
K8S DNS
When a service is created, DNS adds one record for it
The full name is <service>.<namespace>.svc.cluster.local, e.g. webserver.apps.svc.cluster.local
Check: #host web-service
Pods also get a DNS record
Kube DNS
K8S DNS service: kube-dns
Kube-dns (CoreDNS) process and config file argument: kubectl exec coredns-78fcdf6894-2gmdp -n kube-system ps
By default the config file is /etc/coredns/Corefile
The DNS settings kubelet hands to pods are in /var/lib/kubelet/config.yaml
From pod level, do an nslookup of another item
#kubectl exec -it <pod name> -- nslookup <item name>
Ingress
Runs inside the cluster to handle SSL and to route / redirect requests to services
Deploying ingress means deploying an Ingress controller
Check #kubectl get pod --all-namespaces | grep ingress
3rd-party implementations, e.g. nginx. Manifests:
1. namespace yaml file
https://github.com/tomshenhao/kubernetes-learning/blob/master/ingress/namespace.yaml
2. configmap yaml file
https://github.com/tomshenhao/kubernetes-learning/blob/master/ingress/configmap.yaml
3. service account yaml file
https://github.com/tomshenhao/kubernetes-learning/blob/master/ingress/service-account.yaml
4. role yaml file
https://github.com/tomshenhao/kubernetes-learning/blob/master/ingress/role.yaml
5. role binding yaml file
https://github.com/tomshenhao/kubernetes-learning/blob/master/ingress/rolebinding.yaml
6. Ingress-controller yaml file
https://github.com/tomshenhao/kubernetes-learning/blob/master/ingress/ingress-controller.yaml
7. Ingress-Service yaml file
https://github.com/tomshenhao/kubernetes-learning/blob/master/ingress/ingress-service.yaml
Configuring ingress - Ingress resources
Create #kubectl create -f <yaml file>
Check #kubectl get ingress
Check #kubectl describe ingress <ingress name>
1. Ingress resource
https://github.com/tomshenhao/kubernetes-learning/blob/master/ingress/ingress-resource.yaml
Related services:
Namespace: app-space
Service1: wear-service
Port: 8080
Service2: video-service
Port: 8080