聊聊吧2021（聊聊吧）

引言

最近听好多朋友说，cilium很强，势必将成为主流。因其使用了ebpf，性能好，而且支持网络策略。于是，决定花点时间学习一下。在通过官网文档学习过程中，发现使用cilium作为CNI，居然可以不用安装kube-proxy了。这让我想起来，之前在面试中被问到的一个问题，面试官问我:kube-proxy是否可以不用安装，是否有其他替代品。这下不就有答案了嘛。

顺便吐槽一下，看官方文档学习，是真的有点难(毕竟全英文);不过还是建议大家看官方文档学习，不要翻译成中文哦。那么接下来，就由我来实操一下。

环境说明

正文

在master上初始化集群，并通过添加--skip-phases=addon/kube-proxy参数忽略kube-proxy的安装

1. kubeadminit--apiserver-advertise-address=10.211.55.50--image-repositoryregistry.aliyuncs.com/google_containers--kubernetes-versionv1.21.3--service-cidr=10.96.0.0/12--pod-network-cidr=10.244.0.0/16--ignore-preflight-errors=all--skip-phases=addon/kube-proxy

在两个node上执行kubeadm join，加入集群

1. kubeadmjoin10.211.55.50:6443--tokenouez6j.02ms269v8i4psl7p--discovery-token-ca-cert-hashsha256:5fdafe0fe1adb3b60cd7bc33f033f028279a94a3944816424cc7f5bb498f6868

使用helm(v3)来安装cilium。先添加cilium库

1. helmrepoaddciliumhttps://helm.cilium.io/

使用如下命令安装cilium，添加kubeProxyReplacement=strict参数

1. helminstallciliumcilium/cilium--version1.10.3--namespacekube-system--setkubeProxyReplacement=strict--setk8sServiceHost=10.211.55.50--setk8sServicePort=6443

检查cilium安装结果

1. #查看ciliumagent,以daemonset方式部署在每个node节点上
2. root@cilium1:/#kubectl-nkube-systemgetpods-lk8s-app=cilium
3. NAMEREADYSTATUSRESTARTSAGE
4. cilium-8gwg21/1Running08m4s
5. cilium-t9ffc1/1Running08m39s
6. cilium-x42r61/1Running08m16s
8. #查看cilumoperator
9. root@cilium1:~#kubectlgetpo-A-owide|grepcilium-operator
10. kube-systemcilium-operator-5df88875-867hd1/1Running541h172.16.88.47cilium3<none><none>
11. kube-systemcilium-operator-5df88875-9kx8c1/1Running541h172.16.88.253cilium2<none><none>

检查是否有kube-proxy组件。可以发现并没有该组件

1. root@cilium1:/#kubectlgetpo-nkube-system
2. NAMEREADYSTATUSRESTARTSAGE
3. cilium-8gwg21/1Running010m
4. cilium-operator-5df88875-867hd1/1Running527h
5. cilium-operator-5df88875-9kx8c1/1Running527h
6. cilium-t9ffc1/1Running011m
7. cilium-x42r61/1Running010m
8. coredns-59d64cd4d4-hbwg41/1Running127h
9. coredns-59d64cd4d4-l2pmt1/1Running127h
10. etcd-cilium11/1Running227h
11. kube-apiserver-cilium11/1Running227h
12. kube-controller-manager-cilium11/1Running227h
13. kube-scheduler-cilium11/1Running227h

检查cilium状态，确保安装正确

1. root@cilium1:/#kubectlexec-nkube-systemcilium-t9ffc--ciliumstatus
2. Defaultedcontainer"cilium-agent"outof:cilium-agent,mount-cgroup(init),clean-cilium-state(init)
3. KVStore:OkDisabled
4. Kubernetes:Ok1.21(v1.21.3)[linux/amd64]
5. KubernetesAPIs:["cilium/v2::CiliumClusterwideNetworkPolicy","cilium/v2::CiliumEndpoint","cilium/v2::CiliumNetworkPolicy","cilium/v2::CiliumNode","core/v1::Namespace","core/v1::Node","core/v1::Pods","core/v1::Service","discovery/v1::EndpointSlice","networking.k8s.io/v1::NetworkPolicy"]
6. KubeProxyReplacement:Strict[eth010.211.55.50(DirectRouting)]
7. Cilium:Ok1.10.3(v1.10.3-4145278)
8. NodeMonitor:Listeningforeventson8CPUswith64x4096ofsharedmemory
9. Ciliumhealthdaemon:Ok
10. IPAM:IPv4:2/254allocatedfrom10.0.0.0/24,
11. BandwidthManager:Disabled
12. HostRouting:Legacy
13. Masquerading:BPF[eth0]10.0.0.0/24[IPv4:Enabled,IPv6:Disabled]
14. ControllerStatus:20/20healthy
15. ProxyStatus:OK,ip10.0.0.41,0redirectsactiveonports10000-20000
16. Hubble:OkCurrent/MaxFlows:817/4095(19.95%),Flows/s:0.95Metrics:Disabled
17. Encryption:Disabled
18. Clusterhealth:3/3reachable(2021-08-07T15:29:05Z)

部署nginx来测试一下网络联通性

1. #nginxdeploymentyaml文件
2. catdeployment-nginx.yaml
3. apiVersion:apps/v1
4. kind:Deployment
5. metadata:
6. name:nginx
7. spec:
8. selector:
9. matchLabels:
10. run:nginx
11. replicas:4
12. template:
13. metadata:
14. labels:
15. run:nginx
16. spec:
17. containers:
18. -name:nginx
19. image:nginx
20. ports:
21. -containerPort:80
23. #创建nginxdeployment
24. kubectlcreate-fdeployment-nginx.yaml
26. #查看部署结果
27. root@cilium1:/#kubectlgetpo-owide
28. NAMEREADYSTATUSRESTARTSAGEIPNODENOMINATEDNODEREADINESSGATES
29. nginx-649c4b9857-8f2v51/1Running126h10.0.2.212cilium2<none><none>
30. nginx-649c4b9857-mhsxs1/1Running126h10.0.1.23cilium3<none><none>
31. nginx-649c4b9857-qw2jj1/1Running126h10.0.2.69cilium2<none><none>
32. nginx-649c4b9857-vj9w21/1Running126h10.0.1.126cilium3

创建一个nodeport service来验证service的可访问

1. #创建service
2. kubectlexposedeploymentnginx--type=NodePort--port=80
4. #查看service
5. root@cilium1:/#kubectlgetsvcnginx
6. NAMETYPECLUSTER-IPEXTERNAL-IPPORT(S)AGE
7. nginxNodePort10.97.209.103<none>80:31126/TCP26h

验证nodeport、cluster可访问

1. #通过nodeport
2. root@cilium1:/#curl127.0.0.1:31126
3. <!DOCTYPEhtml>
4. <html>
5. <head>
6. <title>Welcometonginx!</title>
8. #通过service:port
9. root@cilium1:/#curl10.97.209.103
10. <!DOCTYPEhtml>
11. <html>
12. <head>
13. <title>Welcometonginx!</title>
15. #检查iptables发现为空
16. root@cilium1:/#iptables-save|grepKUBE-SVC
17. root@cilium1:/#
19. #检查ciliunservice
20. root@cilium1:/#kubectlexec-nkube-systemcilium-t9ffc--ciliumservicelist
21. Defaultedcontainer"cilium-agent"outof:cilium-agent,mount-cgroup(init),clean-cilium-state(init)
22. IDFrontendServiceTypeBackend
23. 110.96.0.1:443ClusterIP1=>172.16.88.57:6443
24. 210.96.0.10:9153ClusterIP1=>10.0.2.229:9153
25. 2=>10.0.2.80:9153
26. 310.96.0.10:53ClusterIP1=>10.0.2.229:53
27. 2=>10.0.2.80:53
28. 410.97.209.103:80ClusterIP1=>10.0.2.69:80
29. 2=>10.0.1.23:80
30. 3=>10.0.1.126:80
31. 4=>10.0.2.212:80
32. 5172.16.88.57:31126NodePort1=>10.0.2.69:80
33. 2=>10.0.1.23:80
34. 3=>10.0.1.126:80
35. 4=>10.0.2.212:80
36. 60.0.0.0:31126NodePort1=>10.0.2.69:80
37. 2=>10.0.1.23:80
38. 3=>10.0.1.126:80
39. 4=>10.0.2.212:80

从上面的安装和测试结果来，虽然我们没有安装k8s的kube-proxy组件，但是集群依然正常。说明kube-proxy组件确实是可以被替代的。

总结

以上虽然完成了kubernetes without kube-proxy的搭建和测试工作，但还是有很多事情没说明。比如使用cilium的系统要求、cilium是什么、有几种组网模式、网络策略。不过请不要着急，期待我后续的文章。

参考

https://docs.cilium.io/en/v1.10/gettingstarted/kubeproxy-free/#kubernetes-without-kube-proxy

https://kubernetes.io/docs/concepts/cluster-administration/addons/

https://helm.sh/docs/intro/install/

原文链接：https://mp.weixin.qq.com/s/riGA59hkViC8HR1CFbuFHA

如果您对该产品感兴趣，请填写办理（客服微信：xiaoxiongyidong）

您的姓名 *

身份证号码 *

手机号码 *

选择地区 *

详细地址 *

留言备注 *