參考http://aspirer.wang/?p=1205锦庸，使用kubeasz部署kubernetes，只涉及容器在節(jié)點(diǎn)間通信

測(cè)試環(huán)境

準(zhǔn)備三臺(tái)虛擬機(jī)(CentOS7.5)

k8s-master:10.25.151.100
k8s-node-1:10.25.151.103
k8s-node-2:10.25.151.104

準(zhǔn)備工作(主節(jié)點(diǎn)上進(jìn)行)

• 下載安裝必要軟件

# yum install git python-pip -y
# pip install pip --upgrade -i http://mirrors.aliyun.com/pypi/simple/ --trusted-host mirrors.aliyun.com
# pip install --no-cache-dir ansible -i http://mirrors.aliyun.com/pypi/simple/ --trusted-host mirrors.aliyun.com

• 配置密鑰并輸入登錄各個(gè)節(jié)點(diǎn)的root密碼

# ssh-keygen -t rsa -b 2048 (三個(gè)回車)
# ssh-copy-id 10.25.151.100
# ssh-copy-id 10.25.151.101
# ssh-copy-id 10.25.151.102

• 獲取kubeasz

# git clone https://github.com/gjmzj/kubeasz.git
# ll
total 213968
-rw-------. 1 root root      1518 Mar 26 02:18 anaconda-ks.cfg
drwxr-xr-x. 2 root root      4096 Mar 11 09:02 bin
-rw-r--r--. 1 root root 219093842 Mar 27  2019 k8s.1-13-4.tar.gz
drwxr-xr-x. 3 root root        36 Mar 26 04:29 kubeasz

• 拷貝文件

# mkdir -p /etc/ansible
# mv kubeasz/* /etc/ansible

• 下載k8s二進(jìn)制包 https://pan.baidu.com/s/1c4RFaA, 本例使用k8s.1-13-4.tar.gz
• 解壓縮并拷貝到ansible/bin下面

# tar zxvf k8s.1-13-4.tar.gz 
bin/
bin/loopback
bin/kubelet
bin/docker-init
bin/docker-compose
bin/docker-proxy
bin/portmap
bin/containerd-shim
bin/etcd
bin/containerd
bin/helm
bin/cfssl-certinfo
bin/kube-proxy
bin/kube-controller-manager
bin/cfssljson
bin/bridge
bin/ctr
bin/kube-apiserver
bin/docker
bin/etcdctl
bin/kubectl
bin/dockerd
bin/cfssl
bin/calicoctl
bin/readme.md
bin/host-local
bin/kube-scheduler
bin/runc
bin/flannel
#
# mkdir -p /etc/ansible
# mv bin/* /etc/ansible/bin
mv: overwrite ‘/etc/ansible/bin/readme.md’? y
#

• 配置ansible的hosts文件

# cd /etc/ansible
# cp example/hosts.allinone.example hosts
編輯后
# cat hosts 
# 集群部署節(jié)點(diǎn)：一般為運(yùn)行ansible 腳本的節(jié)點(diǎn)
# 變量 NTP_ENABLED (=yes/no) 設(shè)置集群是否安裝 chrony 時(shí)間同步
[deploy]
10.25.151.100 NTP_ENABLED=no

# etcd集群請(qǐng)?zhí)峁┤缦翹ODE_NAME，注意etcd集群必須是1,3,5,7...奇數(shù)個(gè)節(jié)點(diǎn)
[etcd]
10.25.151.100 NODE_NAME=etcd1

[kube-master]
10.25.151.100

[kube-node]
10.25.151.103
10.25.151.104

# 參數(shù) NEW_INSTALL：yes表示新建，no表示使用已有harbor服務(wù)器
# 如果不使用域名募舟，可以設(shè)置 HARBOR_DOMAIN=""
[harbor]
#192.168.1.8 HARBOR_DOMAIN="harbor.yourdomain.com" NEW_INSTALL=no

# 【可選】外部負(fù)載均衡档址，用于自有環(huán)境負(fù)載轉(zhuǎn)發(fā) NodePort 暴露的服務(wù)等
[ex-lb]
#192.168.1.6 LB_ROLE=backup EX_VIP=192.168.1.250
#192.168.1.7 LB_ROLE=master EX_VIP=192.168.1.250

[all:vars]
# ---------集群主要參數(shù)---------------
#集群部署模式：allinone, single-master, multi-master
DEPLOY_MODE=allinone

#集群 MASTER IP盹兢，自動(dòng)生成
MASTER_IP="{{ groups['kube-master'][0] }}"
KUBE_APISERVER="https://{{ MASTER_IP }}:6443"

# 集群網(wǎng)絡(luò)插件，目前支持calico, flannel, kube-router, cilium
CLUSTER_NETWORK="flannel"

# 服務(wù)網(wǎng)段 (Service CIDR）守伸，注意不要與內(nèi)網(wǎng)已有網(wǎng)段沖突
SERVICE_CIDR="10.68.0.0/16"

# POD 網(wǎng)段 (Cluster CIDR）绎秒，注意不要與內(nèi)網(wǎng)已有網(wǎng)段沖突
CLUSTER_CIDR="172.20.0.0/16"

# 服務(wù)端口范圍 (NodePort Range)
NODE_PORT_RANGE="20000-40000"

# kubernetes 服務(wù) IP (預(yù)分配，一般是 SERVICE_CIDR 中第一個(gè)IP)
CLUSTER_KUBERNETES_SVC_IP="10.68.0.1"

# 集群 DNS 服務(wù) IP (從 SERVICE_CIDR 中預(yù)分配)
CLUSTER_DNS_SVC_IP="10.68.0.2"

# 集群 DNS 域名
CLUSTER_DNS_DOMAIN="cluster.local."

# ---------附加參數(shù)--------------------
#默認(rèn)二進(jìn)制文件目錄
bin_dir="/opt/kube/bin"

#證書目錄
ca_dir="/etc/kubernetes/ssl"

#部署目錄尼摹，即 ansible 工作目錄
base_dir="/etc/ansible"
#

• 確認(rèn)節(jié)點(diǎn)網(wǎng)絡(luò)可達(dá)

# ansible all -m ping
10.25.151.104 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
10.25.151.100 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
10.25.151.103 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}

• 查看playbook

# ll
total 88
-rw-r--r--.  1 root root   499 Mar 26 04:19 01.prepare.yml
-rw-r--r--.  1 root root    58 Mar 26 04:19 02.etcd.yml
-rw-r--r--.  1 root root    87 Mar 26 04:19 03.docker.yml
-rw-r--r--.  1 root root   532 Mar 26 04:19 04.kube-master.yml
-rw-r--r--.  1 root root    72 Mar 26 04:19 05.kube-node.yml
-rw-r--r--.  1 root root   346 Mar 26 04:19 06.network.yml
-rw-r--r--.  1 root root    77 Mar 26 04:19 07.cluster-addon.yml
-rw-r--r--.  1 root root  1521 Mar 26 04:19 11.harbor.yml
-rw-r--r--.  1 root root   411 Mar 26 04:19 22.upgrade.yml
-rw-r--r--.  1 root root  1394 Mar 26 04:19 23.backup.yml
-rw-r--r--.  1 root root  1391 Mar 26 04:19 24.restore.yml
-rw-r--r--.  1 root root  1723 Mar 26 04:19 90.setup.yml
-rw-r--r--.  1 root root  5941 Mar 26 04:19 99.clean.yml
-rw-r--r--.  1 root root 10283 Mar 26 04:19 ansible.cfg
drwxr-xr-x.  2 root root  4096 Mar 26 04:32 bin
drwxr-xr-x.  4 root root    36 Mar 26 04:19 dockerfiles
drwxr-xr-x.  8 root root    92 Mar 26 04:19 docs
drwxr-xr-x.  2 root root    47 Mar 26 04:19 down
drwxr-xr-x.  2 root root   254 Mar 26 04:19 example
-rw-r--r--.  1 root root  1884 Mar 26 04:34 hosts
drwxr-xr-x. 14 root root   218 Mar 26 04:19 manifests
drwxr-xr-x.  2 root root   245 Mar 26 04:19 pics
-rw-r--r--.  1 root root  5056 Mar 26 04:19 README.md
drwxr-xr-x. 22 root root  4096 Mar 26 04:19 roles
drwxr-xr-x.  2 root root   272 Mar 26 04:19 tools
[root@k8s-master ansible]# 

利用ansible集群安裝

• 可以分步安裝(某步失敗可以重復(fù)再執(zhí)行一下),或者

# ansible-playbook 01.prepare.yml
# ansible-playbook 02.etcd.yml
# ansible-playbook 03.docker.yml
# ansible-playbook 04.kube-master.yml
# ansible-playbook 05.kube-node.yml
# ansible-playbook 06.network.yml

• 一步安裝

# ansible-playbook 90.setup.yml

• 安裝完畢后见芹，需要重新連接或是新開終端才能使用快捷命令(不用全路徑)
• 查看集群狀態(tài)

[root@localhost ~]# kubectl get node
NAME            STATUS   ROLES    AGE   VERSION
10.25.151.100   Ready    master   16h   v1.13.4
10.25.151.103   Ready    node     16h   v1.13.4
10.25.151.104   Ready    node     16h   v1.13.4
[root@localhost ~]# 
[root@localhost ~]# kubectl get componentstatus
NAME                 STATUS    MESSAGE              ERROR
scheduler            Healthy   ok                   
controller-manager   Healthy   ok                   
etcd-0               Healthy   {"health": "true"}   
[root@localhost ~]# kubectl cluster-info
Kubernetes master is running at https://10.25.151.100:6443

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
[root@localhost ~]# 
[root@localhost ~]# kubectl get pod --all-namespaces
NAMESPACE     NAME                          READY   STATUS    RESTARTS   AGE
kube-system   kube-flannel-ds-amd64-dtsgm   1/1     Running   0          54m
kube-system   kube-flannel-ds-amd64-hfnr6   1/1     Running   0          54m
kube-system   kube-flannel-ds-amd64-pnh4m   1/1     Running   0          54m
[root@localhost ~]# 
[root@localhost ~]# kubectl get svc --all-namespaces
NAMESPACE   NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
default     kubernetes   ClusterIP   10.68.0.1    <none>        443/TCP   16h
[root@localhost ~]# 

• 查看flannel子網(wǎng)信息(以master為例)

# cat /run/flannel/subnet.env 
FLANNEL_NETWORK=172.20.0.0/16
FLANNEL_SUBNET=172.20.0.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=true

• 確認(rèn)每個(gè)節(jié)點(diǎn)docker0/flannel的IP地址

100上
docker0 172.17.0.1/16
flannel.1 172.20.0.0/32

103上
docker0 172.17.0.1/16
flannel.1 172.20.1.0/32

104上
docker0 172.17.0.1/16
flannel.1 172.20.2.0/32

• flannel的使用說明文檔的路徑

/etc/ansible/docs/setup/network-plugin/flannel.md

驗(yàn)證網(wǎng)絡(luò)

節(jié)點(diǎn)上啟動(dòng)pod

• 隨便哪個(gè)節(jié)點(diǎn)上拉一個(gè)busybox的小鏡像

# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
697743189b6d: Pull complete 
Digest: sha256:061ca9704a714ee3e8b80523ec720c64f6209ad3f97c0ff7cb9ec7d19f15149f
Status: Downloaded newer image for busybox:latest
[root@localhost ~]# 
[root@localhost ~]# docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
busybox                              latest              d8233ab899d4        5 weeks ago         1.2MB
jmgao1983/flannel                    v0.11.0-amd64       ff281650a721        8 weeks ago         52.6MB
mirrorgooglecontainers/pause-amd64   3.1                 da86e6ba6ca1        15 months ago       742kB
[root@localhost ~]#

• 創(chuàng)建三個(gè)busybox的pod

# kubectl run test --image=busybox --replicas=3 sleep 30000
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
deployment.apps/test created
# 
# kubectl get pod --all-namespaces -o wide|head -n 4
NAMESPACE     NAME                          READY   STATUS    RESTARTS   AGE   IP              NODE            NOMINATED NODE   READINESS GATES
default       test-568866f478-6z87m         1/1     Running   0          29s   172.20.2.2      10.25.151.104   <none>           <none>
default       test-568866f478-q7fft         1/1     Running   0          29s   172.20.1.2      10.25.151.103   <none>           <none>
default       test-568866f478-sgb5l         1/1     Running   0          29s   172.20.0.2      10.25.151.100   <none>           <none>

可以看到這三個(gè)pod啟動(dòng)在不同的節(jié)點(diǎn)上了

默認(rèn)容器跨節(jié)點(diǎn)通信使用UDP封裝

• 登錄本地的pod,查看IP和路由

[root@localhost ~]# docker ps | grep busybox
cac2bc7afd61        busybox                                  "sleep 30000"            19 minutes ago      Up 19 minutes                           k8s_test_test-568866f478-sgb5l_default_3c4e60ff-5104-11e9-b02f-005056a921d2_0
[root@localhost ~]# 
[root@localhost ~]# 
[root@localhost ~]# docker exec -ti  cac2bc7afd61   /bin/sh
/ # 
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1450 qdisc noqueue 
    link/ether 9e:c3:f5:14:6e:ac brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.2/24 scope global eth0
       valid_lft forever preferred_lft forever
/ # 
/ # ip route
default via 172.20.0.1 dev eth0 
172.20.0.0/24 dev eth0 scope link  src 172.20.0.2 
172.20.0.0/16 via 172.20.0.1 dev eth0
/ # 

網(wǎng)關(guān)172.20.0.1是cni0的IP

• 從這個(gè)容器去ping其它節(jié)點(diǎn)的容器,是通的

/ # ifconfig | grep 172
          inet addr:172.20.0.2  Bcast:0.0.0.0  Mask:255.255.255.0
/ # 
/ # ping 172.20.2.2 -s 1200
PING 172.20.2.2 (172.20.2.2): 1200 data bytes
1208 bytes from 172.20.2.2: seq=0 ttl=62 time=0.973 ms
1208 bytes from 172.20.2.2: seq=1 ttl=62 time=0.581 ms

• 跟蹤路由,可以看到是container(master)->cni0(master)->flannel.1(node-2)->container(node-2)

/ # traceroute 172.20.2.2
traceroute to 172.20.2.2 (172.20.2.2), 30 hops max, 46 byte packets
 1  172.20.0.1 (172.20.0.1)  0.017 ms  0.120 ms  0.009 ms
 2  172.20.2.0 (172.20.2.0)  0.970 ms  1.123 ms  0.339 ms
 3  172.20.2.2 (172.20.2.2)  0.411 ms  3.236 ms  2.842 ms
/ # 

• 在master的物理口抓包，可以看到ICMP報(bào)文被封裝為UDP報(bào)文

# tcpdump -i ens160 -enn 'ip[2:2] > 1200 and  ip[2:2] < 1500'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
02:28:05.870909 00:50:56:a9:21:d2 > 00:50:56:a9:5e:81, ethertype IPv4 (0x0800), length 1292: 10.25.151.100.40238 > 10.25.151.104.8472: OTV, flags [I] (0x08), overlay 0, instance 1
e2:70:a7:b2:ef:fc > 5a:b8:85:c1:65:2f, ethertype IPv4 (0x0800), length 1242: 172.20.0.2 > 172.20.2.2: ICMP echo request, id 6400, seq 888, length 1208
02:28:05.871346 00:50:56:a9:5e:81 > 00:50:56:a9:21:d2, ethertype IPv4 (0x0800), length 1292: 10.25.151.104.34945 > 10.25.151.100.8472: OTV, flags [I] (0x08), overlay 0, instance 1
5a:b8:85:c1:65:2f > e2:70:a7:b2:ef:fc, ethertype IPv4 (0x0800), length 1242: 172.20.2.2 > 172.20.0.2: ICMP echo reply, id 6400, seq 888, length 1208
02:28:06.871170 00:50:56:a9:21:d2 > 00:50:56:a9:5e:81, ethertype IPv4 (0x0800), length 1292: 10.25.151.100.40238 > 10.25.151.104.8472: OTV, flags [I] (0x08), overlay 0, instance 1

• 抓包后用wireshark解析蠢涝，可以看到原始IP報(bào)文被封裝在UDP玄呛，外層IP是node的IP

flannel_udp.png