Contents
Preface: Introduction to CNI
Introduction to Flannel
Example 1: Deploying flannel with the vxlan backend
Example 2: Adding DirectRouting to the flannel network
Example 3: Changing the flannel backend to host-gw (note that host-gw only supports layer-2 networks)
Preface: Introduction to CNI
CNI (Container Network Interface) is a standard, general-purpose interface. Today there are several container platforms (Docker, Kubernetes, Mesos) and several container networking solutions (flannel, Calico, Weave). With a single standard interface, any networking solution that implements the protocol can provide networking to every container platform that also conforms to it; CNI is exactly that standard interface protocol.
CNI connects the container management system with the network plugin. Given the network namespace a container lives in, the plugin inserts a network interface into that namespace (for example one end of a veth pair), performs any necessary configuration on the host (for example attaching the other end of the veth pair to a bridge), and finally configures IP addresses and routes on the interface inside the namespace.
Kubernetes has four main kinds of communication:
- container-to-container: happens inside a Pod, over lo;
- Pod-to-Pod: communication between Pods; k8s itself does not solve this but delegates it to third-party solutions through the CNI interface (the interface that predated CNI was called kubenet);
- Service-to-Pod: handled by the iptables or ipvs rules generated by kube-proxy;
- ExternalClients-to-Service: bringing traffic from outside the cluster in via hostPort, hostNetwork, NodePort Services, LoadBalancer Services, externalIPs on Services, and Ingress.
Introduction to Flannel
- Flannel is a network fabric designed by the CoreOS team for Kubernetes. Put simply, it makes sure that Docker containers created on different node hosts in the cluster get virtual IP addresses that are unique across the whole cluster.
In the default Docker configuration, the Docker daemon on each node allocates IP addresses to the containers on that node independently, so containers on different nodes may receive the same internal IP address. Flannel also lets these containers find each other directly by IP address, that is, ping each other.
Flannel's purpose is to re-plan how IP addresses are used across all nodes in the cluster, so that containers on different nodes get addresses that belong to "the same internal network" and "do not overlap", and so that containers on different nodes can talk to each other directly over those internal IPs.
Flannel is essentially an "overlay network": it wraps TCP packets inside another kind of network packet for routing and forwarding. It currently supports udp, vxlan, host-gw, aws-vpc, gce and alloc routing as forwarding methods; the default method for inter-node traffic is UDP forwarding.
A quick summary of Flannel's characteristics
1. Docker containers created on different Node hosts in the cluster get cluster-wide unique virtual IP addresses.
2. It builds an overlay network through which packets are delivered unchanged to the target container. An overlay network is a virtual network built on top of another network and supported by that network's infrastructure. It decouples network services from the underlying infrastructure by encapsulating one packet inside another; once the encapsulated packet has been forwarded to the endpoint, it is decapsulated.
3. It creates a new virtual interface, flannel0, that receives traffic from the docker bridge and, by maintaining a routing table, encapsulates and forwards the received data (vxlan).
4. etcd guarantees that the configuration seen by flanneld on every node is consistent. At the same time, flanneld on each node watches etcd for changes, so it notices node changes in the cluster in real time.
Flannel supports three Pod network models; each of them is called a "backend" in flannel:
- vxlan: Pods communicate through tunnel encapsulation; the nodes only need to be able to reach each other and need not sit on the same layer-2 network. Drawback: because packets pass through an extra round of encapsulation, throughput is somewhat lower. Advantage: nodes need not share a layer-2 network.
- vxlan with DirectRouting: Pods on different nodes that sit on the same layer-2 network communicate without tunnel encapsulation; Pods on nodes that are not on the same layer-2 network still go through the tunnel. This is the best overall option.
- host-gw: Pods communicate directly without any tunnel encapsulation, which requires all nodes to be on the same layer-2 network. Highest throughput, but the nodes must share a layer-2 network.
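To make the difference between the three backends concrete, the following Python is an added example (not flannel's own code): it models which next hop a node would install for every other node's Pod subnet under vxlan, vxlan with DirectRouting, and host-gw. The node table is constructed; k8s-node3 is deliberately placed on a different host network (10.10.20.0/24) so that the layer-3 case is visible, and the underlay interface name eth4 and the /24 host prefix are assumptions.

```python
# Added example (not flannel's own code): which next hop each flannel backend
# installs for every remote node's Pod subnet, and where host-gw breaks down.
import ipaddress
from typing import Dict, List, Tuple

# Constructed node inventory: name -> (node IP on the host network, Pod subnet).
# k8s-node3 is deliberately placed on another host network so the L3 case shows up.
NODES: Dict[str, Tuple[str, str]] = {
    "k8s-master": ("192.168.54.170", "10.244.0.0/24"),
    "k8s-node1":  ("192.168.54.171", "10.244.1.0/24"),
    "k8s-node2":  ("192.168.54.172", "10.244.2.0/24"),
    "k8s-node3":  ("10.10.20.173",   "10.244.3.0/24"),
}
HOST_PREFIX = 24      # assumed prefix length of the host (underlay) network
UNDERLAY_IF = "eth4"  # assumed underlay interface name

Route = Tuple[str, str, str]  # (destination subnet, gateway, iface)


def same_l2(ip_a: str, ip_b: str, prefix: int = HOST_PREFIX) -> bool:
    """Approximate 'same layer-2 segment' as 'same host subnet'."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{prefix}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{prefix}").network
    return net_a == net_b


def plan_routes(local: str, backend: str,
                direct_routing: bool = False) -> Tuple[List[Route], List[str]]:
    """Return the routes a node would hold for the other nodes' Pod subnets,
    plus warnings for subnets the chosen backend cannot reach."""
    local_ip = NODES[local][0]
    routes: List[Route] = []
    warnings: List[str] = []
    for name, (node_ip, pod_subnet) in NODES.items():
        if name == local:
            continue
        reachable_at_l2 = same_l2(local_ip, node_ip)
        if backend == "host-gw":
            # host-gw: plain route with the remote node as gateway; needs an L2 path
            if reachable_at_l2:
                routes.append((pod_subnet, node_ip, UNDERLAY_IF))
            else:
                warnings.append(
                    f"{pod_subnet}: host-gw cannot reach {name} ({node_ip}) without an L2 path")
        elif backend == "vxlan":
            if direct_routing and reachable_at_l2:
                # DirectRouting: identical to host-gw for nodes on the local segment
                routes.append((pod_subnet, node_ip, UNDERLAY_IF))
            else:
                # tunnelled: the gateway is the remote flannel.1 address,
                # which is the first address of that node's Pod subnet
                tunnel_gw = str(ipaddress.ip_network(pod_subnet).network_address)
                routes.append((pod_subnet, tunnel_gw, "flannel.1"))
        else:
            raise ValueError(f"unknown backend: {backend}")
    return routes, warnings


if __name__ == "__main__":
    for backend, direct in (("vxlan", False), ("vxlan", True), ("host-gw", False)):
        routes, warnings = plan_routes("k8s-master", backend, direct)
        print(f"{backend} DirectRouting={direct}")
        for dest, gw, iface in routes:
            print(f"  {dest:16} via {gw:16} dev {iface}")
        for w in warnings:
            print("  WARNING:", w)
```

Running it prints the three route tables for k8s-master; the host-gw run emits a warning for k8s-node3 instead of a route, which is the situation the author warns about in example 3: with host-gw, a node that is only reachable at layer 3 simply has no usable Pod route.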
Flannel download and installation address
Example 1: Deploying flannel with the vxlan backend
# Look at the network-type settings in the flannel deployment manifest
[root@k8s-master plugin]# cat kube-flannel.yml
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",          # provides the virtual network
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",          # port mapping, e.g. for NodePort
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"               # vxlan is the default backend
      }
    }
[root@k8s-master plugin]# kubectl apply -f kube-flannel.yml
- In vxlan mode, the route table points the other nodes' Pod subnets at flannel.1
[root@k8s-master plugin]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.54.2 0.0.0.0 UG 101 0 0 eth4
10.244.0.0 0.0.0.0 255.255.255.0 U 0 0 0 cni0 # this node's own virtual network interface
10.244.1.0 10.244.1.0 255.255.255.0 UG 0 0 0 flannel.1
10.244.2.0 10.244.2.0 255.255.255.0 UG 0 0 0 flannel.1
10.244.3.0 10.244.3.0 255.255.255.0 UG 0 0 0 flannel.1
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.4.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.54.0 0.0.0.0 255.255.255.0 U 101 0 0 eth4
[root@k8s-node1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.54.2 0.0.0.0 UG 101 0 0 eth4
10.244.0.0 10.244.0.0 255.255.255.0 UG 0 0 0 flannel.1
10.244.1.0 0.0.0.0 255.255.255.0 U 0 0 0 cni0 # this node's own virtual network interface
10.244.2.0 10.244.2.0 255.255.255.0 UG 0 0 0 flannel.1
10.244.3.0 10.244.3.0 255.255.255.0 UG 0 0 0 flannel.1
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.4.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.54.0 0.0.0.0 255.255.255.0 U 101 0 0 eth4
[root@k8s-master plugin]# ip neighbour|grep flannel.1 # permanent neighbour entries created by flannel; they make forwarding more efficient
10.244.1.0 dev flannel.1 lladdr ba:98:1c:fa:3a:51 PERMANENT
10.244.3.0 dev flannel.1 lladdr da:29:42:38:29:55 PERMANENT
10.244.2.0 dev flannel.1 lladdr fa:48:c1:29:0b:dd PERMANENT
[root@k8s-master plugin]# bridge fdb show flannel.1|grep flannel.1
ba:98:1c:fa:3a:51 dev flannel.1 dst 192.168.54.171 self permanent
22:85:29:77:e1:00 dev flannel.1 dst 192.168.54.173 self permanent
fa:48:c1:29:0b:dd dev flannel.1 dst 192.168.54.172 self permanent
da:29:42:38:29:55 dev flannel.1 dst 192.168.54.173 self permanent
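The three outputs above (route -n, ip neighbour, bridge fdb) together describe the vxlan overlay on a node: each flannel.1 route has a gateway, the gateway must resolve to a MAC via a permanent neighbour entry, and that MAC must map to a node IP in the fdb. The following Python is an added example (not part of the original post or of flannel) that parses those three outputs, in the format shown above, and cross-checks them; the sample input is reproduced from the outputs on this page. Note that the page's fdb has two entries for 192.168.54.173, and the one (22:85:29:77:e1:00) with no matching neighbour entry is reported as possibly stale.

```python
# Added example (not flannel's own code): cross-check the vxlan overlay state a
# node holds in its route table, neighbour table and flannel.1 forwarding database.
import ipaddress
from typing import Dict, List, Tuple

# Sample input reproduced from the route -n / ip neighbour / bridge fdb output on this page.
ROUTE_N = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.54.2    0.0.0.0         UG    101    0        0 eth4
10.244.0.0      0.0.0.0         255.255.255.0   U     0      0        0 cni0
10.244.1.0      10.244.1.0      255.255.255.0   UG    0      0        0 flannel.1
10.244.2.0      10.244.2.0      255.255.255.0   UG    0      0        0 flannel.1
10.244.3.0      10.244.3.0      255.255.255.0   UG    0      0        0 flannel.1
192.168.54.0    0.0.0.0         255.255.255.0   U     101    0        0 eth4
"""
IP_NEIGH = """10.244.1.0 dev flannel.1 lladdr ba:98:1c:fa:3a:51 PERMANENT
10.244.3.0 dev flannel.1 lladdr da:29:42:38:29:55 PERMANENT
10.244.2.0 dev flannel.1 lladdr fa:48:c1:29:0b:dd PERMANENT
"""
BRIDGE_FDB = """ba:98:1c:fa:3a:51 dev flannel.1 dst 192.168.54.171 self permanent
22:85:29:77:e1:00 dev flannel.1 dst 192.168.54.173 self permanent
fa:48:c1:29:0b:dd dev flannel.1 dst 192.168.54.172 self permanent
da:29:42:38:29:55 dev flannel.1 dst 192.168.54.173 self permanent
"""


def parse_routes(text: str, iface: str = "flannel.1") -> Dict[str, str]:
    """Map each Pod subnet routed over the vxlan device to its gateway (remote flannel.1 IP)."""
    routes = {}
    for line in text.splitlines():
        f = line.split()
        # route -n columns: Destination Gateway Genmask Flags Metric Ref Use Iface
        if len(f) == 8 and f[7] == iface and "G" in f[3]:
            subnet = ipaddress.ip_network(f"{f[0]}/{f[2]}")  # netmask form is accepted
            routes[str(subnet)] = f[1]
    return routes


def parse_neigh(text: str) -> Dict[str, str]:
    """Map gateway IP -> MAC from `ip neighbour` output."""
    neigh = {}
    for line in text.splitlines():
        f = line.split()
        if "lladdr" in f:
            neigh[f[0]] = f[f.index("lladdr") + 1]
    return neigh


def parse_fdb(text: str) -> Dict[str, str]:
    """Map MAC -> underlay node IP from `bridge fdb show` output."""
    fdb = {}
    for line in text.splitlines():
        f = line.split()
        if "dst" in f:
            fdb[f[0]] = f[f.index("dst") + 1]
    return fdb


def check_vxlan_state(route_text: str, neigh_text: str, fdb_text: str
                      ) -> Tuple[Dict[str, Tuple[str, str, str]], List[str]]:
    """Resolve every flannel.1 route down to (gateway, MAC, node IP) and report
    any link in the chain that is missing, plus fdb entries nothing points at."""
    routes, neigh, fdb = parse_routes(route_text), parse_neigh(neigh_text), parse_fdb(fdb_text)
    resolved, problems = {}, []
    for subnet, gw in routes.items():
        mac = neigh.get(gw)
        if mac is None:
            problems.append(f"{subnet}: route via {gw} but no neighbour entry")
            continue
        node = fdb.get(mac)
        if node is None:
            problems.append(f"{subnet}: neighbour {gw} -> {mac} has no fdb entry")
            continue
        resolved[subnet] = (gw, mac, node)
    for mac, node in fdb.items():
        if mac not in neigh.values():
            problems.append(f"fdb {mac} -> {node} has no neighbour entry (stale?)")
    return resolved, problems


if __name__ == "__main__":
    ok, bad = check_vxlan_state(ROUTE_N, IP_NEIGH, BRIDGE_FDB)
    for subnet, (gw, mac, node) in ok.items():
        print(f"{subnet} -> {gw} -> {mac} -> {node}")
    for p in bad:
        print("PROBLEM:", p)
```

On a live node the same functions can be fed the real output of route -n, ip neighbour and bridge fdb show flannel.1. A Pod subnet that does not resolve all the way to a node IP is one whose traffic will be dropped or misrouted by the tunnel, which is the first thing to check when vxlan Pods on one node cannot reach another.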
# Capture the flannel network traffic; UDP 8472 is flannel's default port
[root@k8s-node3 ~]# tcpdump -i eth4 -nn udp port 8472
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
17:08:15.113389 IP 192.168.54.172.46879 > 192.168.54.173.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.2.9 > 10.244.3.92: ICMP echo request, id 2816, seq 61, length 64
17:08:15.113498 IP 192.168.54.173.55553 > 192.168.54.172.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.3.92 > 10.244.2.9: ICMP echo reply, id 2816, seq 61, length 64
17:08:16.114359 IP 192.168.54.172.46879 > 192.168.54.173.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.2.9 > 10.244.3.92: ICMP echo request, id 2816, seq 62, length 64
17:08:16.114447 IP 192.168.54.173.55553 > 192.168.54.172.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.3.92 > 10.244.2.9: ICMP echo reply, id 2816, seq 62, length 64
17:08:17.115558 IP 192.168.54.172.46879 > 192.168.54.173.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.2.9 > 10.244.3.92: ICMP echo request, id 2816, seq 63, length 64
17:08:17.115717 IP 192.168.54.173.55553 > 192.168.54.172.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.3.92 > 10.244.2.9: ICMP echo reply, id 2816, seq 63, length 64
17:08:18.117498 IP 192.168.54.172.46879 > 192.168.54.173.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.2.9 > 10.244.3.92: ICMP echo request, id 2816, seq 64, length 64
- You can see that the Pod-to-Pod traffic 10.244.2.9 > 10.244.3.92 is encapsulated and carried from node 192.168.54.172:46879 to node 192.168.54.173:8472, i.e. it passes through one extra layer of encapsulation
Example 2: Adding DirectRouting to the flannel network
- With DirectRouting added, nodes on the same layer-2 network communicate directly over the host network interface, while nodes that are only reachable at layer 3 communicate through vxlan tunnel encapsulation. This combination is the most desirable flannel network type
- Because every node in this test environment is on the same layer-2 network, the route table will not show direct routes and flannel.1 routes side by side
[root@k8s-master ~]# kubectl get cm -n kube-system
NAME DATA AGE
coredns 1 57d
extension-apiserver-authentication 6 57d
kube-flannel-cfg 2 57d
kube-proxy 2 57d
kubeadm-config 2 57d
kubelet-config-1.19 1 57d
[root@k8s-master ~]# kubectl edit cm kube-flannel-cfg -n kube-system
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan",
        "DirectRouting": true         # added
      }
    }
- Restart the Pods (in production, use a blue-green rollout)
[root@k8s-master ~]# kubectl get pod -n kube-system --show-labels
NAME READY STATUS RESTARTS AGE LABELS
coredns-f9fd979d6-l9zck 1/1 Running 16 57d k8s-app=kube-dns,pod-template-hash=f9fd979d6
coredns-f9fd979d6-s8fp5 1/1 Running 15 57d k8s-app=kube-dns,pod-template-hash=f9fd979d6
etcd-k8s-master 1/1 Running 12 57d component=etcd,tier=control-plane
kube-apiserver-k8s-master 1/1 Running 16 57d component=kube-apiserver,tier=control-plane
kube-controller-manager-k8s-master 1/1 Running 40 57d component=kube-controller-manager,tier=control-plane
kube-flannel-ds-6sppx 1/1 Running 1 7d23h app=flannel,controller-revision-hash=585c88d56b,pod-template-generation=2,tier=node
kube-flannel-ds-j5g9s 1/1 Running 3 7d23h app=flannel,controller-revision-hash=585c88d56b,pod-template-generation=2,tier=node
kube-flannel-ds-nfz77 1/1 Running 1 7d23h app=flannel,controller-revision-hash=585c88d56b,pod-template-generation=2,tier=node
kube-flannel-ds-sqhq2 1/1 Running 1 7d23h app=flannel,controller-revision-hash=585c88d56b,pod-template-generation=2,tier=node
kube-proxy-42vln 1/1 Running 4 25d controller-revision-hash=565786c69c,k8s-app=kube-proxy,pod-template-generation=1
kube-proxy-98gfb 1/1 Running 3 21d controller-revision-hash=565786c69c,k8s-app=kube-proxy,pod-template-generation=1
kube-proxy-nlnnw 1/1 Running 4 17d controller-revision-hash=565786c69c,k8s-app=kube-proxy,pod-template-generation=1
kube-proxy-qbsw2 1/1 Running 4 25d controller-revision-hash=565786c69c,k8s-app=kube-proxy,pod-template-generation=1
kube-scheduler-k8s-master 1/1 Running 38 57d component=kube-scheduler,tier=control-plane
metrics-server-6849f98b-fsvf8 1/1 Running 15 8d k8s-app=metrics-server,pod-template-hash=6849f98b
[root@k8s-master ~]# kubectl delete pod -n kube-system -l app=flannel
pod "kube-flannel-ds-6sppx" deleted
pod "kube-flannel-ds-j5g9s" deleted
pod "kube-flannel-ds-nfz77" deleted
pod "kube-flannel-ds-sqhq2" deleted
[root@k8s-master ~]#
- Check the route tables on master and node again
[root@k8s-master ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.54.2 0.0.0.0 UG 101 0 0 eth4
10.244.0.0 0.0.0.0 255.255.255.0 U 0 0 0 cni0
10.244.1.0 10.244.1.0 255.255.255.0 UG 0 0 0 eth4
10.244.2.0 192.168.54.172 255.255.255.0 UG 0 0 0 eth4
10.244.3.0 192.168.54.173 255.255.255.0 UG 0 0 0 eth4
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.4.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.54.0 0.0.0.0 255.255.255.0 U 101 0 0 eth4
[root@k8s-node1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.54.2 0.0.0.0 UG 101 0 0 eth4
10.244.0.0 192.168.54.170 255.255.255.0 UG 0 0 0 eth4
10.244.1.0 0.0.0.0 255.255.255.0 U 0 0 0 cni0
10.244.2.0 192.168.54.172 255.255.255.0 UG 0 0 0 eth4
10.244.3.0 192.168.54.173 255.255.255.0 UG 0 0 0 eth4
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.4.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.54.0 0.0.0.0 255.255.255.0 U 101 0 0 eth4
# Pods that belong to the networking layer use the host's network interface address directly
[root@k8s-master ~]# kubectl get pod -n kube-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
coredns-f9fd979d6-l9zck 1/1 Running 16 57d 10.244.0.42 k8s-master <none> <none>
coredns-f9fd979d6-s8fp5 1/1 Running 15 57d 10.244.0.41 k8s-master <none> <none>
etcd-k8s-master 1/1 Running 12 57d 192.168.4.170 k8s-master <none> <none>
kube-apiserver-k8s-master 1/1 Running 16 57d 192.168.4.170 k8s-master <none> <none>
kube-controller-manager-k8s-master 1/1 Running 40 57d 192.168.4.170 k8s-master <none> <none>
kube-flannel-ds-d79nx 1/1 Running 0 2m12s 192.168.4.170 k8s-master <none> <none>
kube-flannel-ds-m48m7 1/1 Running 0 2m14s 192.168.4.172 k8s-node2 <none> <none>
kube-flannel-ds-pxmnf 1/1 Running 0 2m14s 192.168.4.171 k8s-node1 <none> <none>
kube-flannel-ds-vm9kt 1/1 Running 0 2m19s 192.168.4.173 k8s-node3 <none> <none>
kube-proxy-42vln 1/1 Running 4 25d 192.168.4.172 k8s-node2 <none> <none> # uses the host network interface
kube-proxy-98gfb 1/1 Running 3 21d 192.168.4.173 k8s-node3 <none> <none>
kube-proxy-nlnnw 1/1 Running 4 17d 192.168.4.171 k8s-node1 <none> <none>
kube-proxy-qbsw2 1/1 Running 4 25d 192.168.4.170 k8s-master <none> <none>
kube-scheduler-k8s-master 1/1 Running 38 57d 192.168.4.170 k8s-master <none> <none>
metrics-server-6849f98b-fsvf8 1/1 Running 15 8d 10.244.2.250 k8s-node2 <none> <none>
- Capture packets to check the encapsulation
[root@k8s-master plugin]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
client-1639 1/1 Running 0 52s 10.244.1.222 k8s-node1 <none> <none>
replicaset-demo-v1.1-lgf6b 1/1 Running 0 59m 10.244.1.221 k8s-node1 <none> <none>
replicaset-demo-v1.1-mvvfq 1/1 Running 0 59m 10.244.3.169 k8s-node3 <none> <none>
replicaset-demo-v1.1-tn49t 1/1 Running 0 59m 10.244.2.136 k8s-node2 <none> <none>
[root@k8s-master plugin]# kubectl exec replicaset-demo-v1.1-tn49t -it -- /bin/sh # access the Pod on node3
[root@replicaset-demo-v1 /]# curl 10.244.3.169
iKubernetes demoapp v1.1 !! ClientIP: 10.244.2.136, ServerName: replicaset-demo-v1.1-mvvfq, ServerIP: 10.244.3.169!
[root@replicaset-demo-v1 /]# curl 10.244.3.169
# Capture on node3
[root@k8s-node3 ~]# tcpdump -i eth4 -nn tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
11:03:57.508877 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [S], seq 1760692242, win 64860, options [mss 1410,sackOK,TS val 4266124446 ecr 0,nop,wscale 7], length 0
11:03:57.509245 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [S.], seq 3150629627, ack 1760692243, win 64308, options [mss 1410,sackOK,TS val 1453973317 ecr 4266124446,nop,wscale 7], length 0
11:03:57.510198 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [.], ack 1, win 507, options [nop,nop,TS val 4266124447 ecr 1453973317], length 0
11:03:57.510373 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [P.], seq 1:77, ack 1, win 507, options [nop,nop,TS val 4266124447 ecr 1453973317], length 76: HTTP: GET / HTTP/1.1
11:03:57.510427 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [.], ack 77, win 502, options [nop,nop,TS val 1453973318 ecr 4266124447], length 0
11:03:57.713241 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [P.], seq 1:18, ack 77, win 502, options [nop,nop,TS val 1453973521 ecr 4266124447], length 17: HTTP: HTTP/1.0 200 OK
11:03:57.713821 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [.], ack 18, win 507, options [nop,nop,TS val 4266124651 ecr 1453973521], length 0
11:03:57.733459 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [P.], seq 18:155, ack 77, win 502, options [nop,nop,TS val 1453973541 ecr 4266124651], length 137: HTTP
11:03:57.733720 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [FP.], seq 155:271, ack 77, win 502, options [nop,nop,TS val 1453973541 ecr 4266124651], length 116: HTTP
11:03:57.735862 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [.], ack 155, win 506, options [nop,nop,TS val 4266124671 ecr 1453973541], length 0
11:03:57.735883 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [F.], seq 77, ack 272, win 506, options [nop,nop,TS val 4266124672 ecr 1453973541], length 0
11:03:57.736063 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [.], ack 78, win 502, options [nop,nop,TS val 1453973543 ecr 4266124672], length 0
11:03:58.650891 IP 10.244.2.136.49662 > 10.244.3.169.80: Flags [S], seq 3494935965, win 64860, options [mss 1410,sackOK,TS val 4266125588 ecr 0,nop,wscale 7], length 0
- You can see that the data is no longer encapsulated; it travels over the flannel network directly with the Pod IPs
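The two captures on this page (the vxlan one in example 1, with an outer UDP/8472 "OTV" line followed by the inner Pod-to-Pod line, and the DirectRouting one just above, with the Pod IPs appearing directly) can be told apart mechanically. The following Python is an added example, not part of the original post: it reads tcpdump output in the format shown above and reports, per Pod-to-Pod flow, whether the packets were tunnelled or sent directly. The capture it parses is constructed from a few lines of each of the page's captures; 8472 is flannel's default vxlan port as stated above.

```python
# Added example (not part of the original post): classify tcpdump lines as
# vxlan-encapsulated (outer UDP/8472 + inner IP line) or direct Pod-to-Pod traffic.
import re
from typing import Dict, List, Optional, Tuple

VXLAN_PORT = 8472  # flannel's default vxlan UDP port

# Constructed capture: two tunnelled ICMP packets from the example-1 capture and
# the SYN / SYN-ACK of the direct TCP connection from the example-2 capture.
CAPTURE = """17:08:15.113389 IP 192.168.54.172.46879 > 192.168.54.173.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.2.9 > 10.244.3.92: ICMP echo request, id 2816, seq 61, length 64
17:08:15.113498 IP 192.168.54.173.55553 > 192.168.54.172.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.244.3.92 > 10.244.2.9: ICMP echo reply, id 2816, seq 61, length 64
11:03:57.508877 IP 10.244.2.136.49656 > 10.244.3.169.80: Flags [S], seq 1760692242, win 64860, length 0
11:03:57.509245 IP 10.244.3.169.80 > 10.244.2.136.49656: Flags [S.], seq 3150629627, ack 1760692243, win 64308, length 0
"""

# A packet line starts with a timestamp; the inner (decoded) line of a vxlan
# packet starts directly with "IP", optionally indented.
TS_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP (\S+) > (\S+?):")
INNER_LINE = re.compile(r"^\s*IP (\S+) > (\S+?):")


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'192.168.54.173.8472' -> ('192.168.54.173', 8472); '10.244.2.9' -> ('10.244.2.9', None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def classify_capture(text: str) -> List[Dict]:
    """Return one record per packet: outer endpoints, inner endpoints (if tunnelled), and a flag."""
    packets: List[Dict] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = TS_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        src_ip, _ = split_endpoint(m.group(2))
        dst_ip, dst_port = split_endpoint(m.group(3))
        pkt = {"time": m.group(1), "outer": (src_ip, dst_ip), "inner": None, "encapsulated": False}
        # vxlan: UDP to port 8472, decoded by tcpdump as "OTV", inner packet on the next line
        if dst_port == VXLAN_PORT and "OTV" in lines[i] and i + 1 < len(lines):
            inner = INNER_LINE.match(lines[i + 1])
            if inner:
                pkt["inner"] = (split_endpoint(inner.group(1))[0],
                                split_endpoint(inner.group(2))[0])
                pkt["encapsulated"] = True
                i += 1  # consume the inner line
        packets.append(pkt)
        i += 1
    return packets


def summarize(packets: List[Dict]) -> Dict[Tuple[Tuple[str, str], str], int]:
    """Count packets per Pod-to-Pod flow, keyed by (flow, 'vxlan' | 'direct')."""
    summary: Dict[Tuple[Tuple[str, str], str], int] = {}
    for p in packets:
        flow = p["inner"] or p["outer"]
        key = (flow, "vxlan" if p["encapsulated"] else "direct")
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    for (flow, mode), count in summarize(classify_capture(CAPTURE)).items():
        print(f"{flow[0]} -> {flow[1]}: {count} packet(s), {mode}")
```

The distinction matters for anything that inspects or filters node-to-node traffic: under vxlan a host firewall or IDS on the node network sees only UDP/8472 between node IPs and must allow that port, whereas with DirectRouting or host-gw the Pod addresses (10.244.0.0/16 here) appear as plain IP on the underlay interface, so node firewall rules and any intermediate layer-2 device must accept and forward that prefix.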
Example 3: Changing the flannel backend to host-gw (note that host-gw only supports layer-2 networks)
- Since all nodes are on the same layer-2 network, in theory the result is the same as adding DirectRouting above, so it is not repeated here
[root@k8s-master plugin]# vim kube-flannel.yml
...
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "host-gw"             # change the type to host-gw
      }
    }
...
[root@k8s-master plugin]# kubectl apply -f kube-flannel.yml
# Check the route table
[root@k8s-master plugin]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.54.2 0.0.0.0 UG 101 0 0 eth4
10.244.0.0 0.0.0.0 255.255.255.0 U 0 0 0 cni0
10.244.1.0 192.168.54.171 255.255.255.0 UG 0 0 0 eth4
10.244.2.0 192.168.54.172 255.255.255.0 UG 0 0 0 eth4
10.244.3.0 192.168.54.173 255.255.255.0 UG 0 0 0 eth4
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.4.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
192.168.54.0 0.0.0.0 255.255.255.0 U 101 0 0 eth4