Kube-router是基于Kubernetes網(wǎng)絡(luò)設(shè)計(jì)的一個(gè)集負(fù)載均衡器们豌、防火墻和容器網(wǎng)絡(luò)的綜合方案。
主要功能
1. 基于IPVS/LVS的負(fù)載均衡器 | --run-service-proxy
kube-router采用Linux內(nèi)核的IPVS模塊為K8s提供Service的代理伙狐。
更多的詳情可以參考:
2. 容器網(wǎng)絡(luò) | --run-router
kube-router利用BGP協(xié)議和Go的GoBGP庫(kù)和為容器網(wǎng)絡(luò)提供直連的方案。因?yàn)橛昧嗽腒ubernetes API去構(gòu)建容器網(wǎng)絡(luò),意味著在使用kube-router時(shí)典蜕,不需要在你的集群里面引入其他依賴(lài)畦韭。
同樣的疼蛾,kube-router在引入容器CNI時(shí)也沒(méi)有其它的依賴(lài),官方的“bridge”插件就能滿(mǎn)足kube-rouetr的需求艺配。
更多關(guān)于BGP協(xié)議在Kubernetes中的使用可以參考:
3. 網(wǎng)絡(luò)策略管理 | --run-firewall
采用了kube-router的Kubernetes很容易通過(guò)添加標(biāo)簽到kube-router的方式使用網(wǎng)路策略功能察郁。kube-router使用了ipset操作iptables衍慎,以保證防火墻的規(guī)則對(duì)系統(tǒng)性能有較低的影響。
Kube-router支持networking.k8s.io/NetworkPolicy的API或者其他基于網(wǎng)絡(luò)策略的V1/GA語(yǔ)義皮钠。
更多關(guān)于kube-router防火墻的功能可以參考:
負(fù)載均衡器
kube-router的負(fù)載均衡器功能稳捆,會(huì)在物理機(jī)上創(chuàng)建一個(gè)虛擬的kube-dummy-if網(wǎng)卡,然后利用k8s的watch APi實(shí)時(shí)更新svc和ep的信息麦轰。svc的cluster_ip會(huì)綁定在kube-dummy-if網(wǎng)卡上乔夯,作為lvs的virtual server的地址。realserver的ip則通過(guò)ep獲取到容器的IP地址款侵。
一個(gè)單純的負(fù)載均衡器部署如下:
kubw-router.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-router-cfg
namespace: kube-system
labels:
tier: node
k8s-app: kube-router
data:
cni-conf.json: |
{
"name":"kubernetes",
"type":"bridge",
"bridge":"kube-bridge",
"isDefaultGateway":true,
"ipam": {
"type":"host-local"
}
}
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: kube-router
namespace: kube-system
labels:
k8s-app: kube-router
spec:
template:
metadata:
labels:
k8s-app: kube-router
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
containers:
- name: kube-router
image: cloudnativelabs/kube-router
args: ["--run-router=false", "--run-firewall=false", "--run-service-proxy=true", "--kubeconfig=/var/lib/kube-router/kubeconfig", "--masquerade-all", "--ipvs-sync-period=5s", "--iptables-sync-period=10s"]
securityContext:
privileged: true
imagePullPolicy: Always
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: lib-modules
mountPath: /lib/modules
readOnly: true
- name: cni-conf-dir
mountPath: /etc/kubernetes/cni/net.d
- name: kubeconfig
mountPath: /var/lib/kube-router/kubeconfig
readOnly: true
- name: cert
mountPath: /etc/kubernetes/ssl
initContainers:
- name: install-cni
image: busybox
imagePullPolicy: Always
command:
- /bin/sh
- -c
- set -e -x;
if [ ! -f /etc/kubernetes/cni/net.d/10-kuberouter.conf ]; then
TMP=/etc/kubernetes/cni/net.d/.tmp-kuberouter-cfg;
cp /etc/kube-router/cni-conf.json ${TMP};
mv ${TMP} /etc/kubernetes/cni/net.d/10-kuberouter.conf;
fi
volumeMounts:
- name: cni-conf-dir
mountPath: /etc/kubernetes/cni/net.d
- name: kube-router-cfg
mountPath: /etc/kube-router
hostNetwork: true
nodeSelector:
kube: router
volumes:
- name: lib-modules
hostPath:
path: /lib/modules
- name: cni-conf-dir
hostPath:
path: /etc/kubernetes/cni/net.d
- name: kube-router-cfg
configMap:
name: kube-router-cfg
- name: kubeconfig
hostPath:
path: /var/lib/kube-router/kubeconfig
- name: cert
hostPath:
path: /etc/kubernetes/ssl
調(diào)整負(fù)載均衡的策略支持以下4種方式:
- 最少連接數(shù)
kubectl annotate service my-service "kube-router.io/service.scheduler=lc"
- 輪詢(xún)
kubectl annotate service my-service "kube-router.io/service.scheduler=rr"
- 源地址哈希
kubectl annotate service my-service "kube-router.io/service.scheduler=sh"
- 目的地址哈希
kubectl annotate service my-service "kube-router.io/service.scheduler=dh"
