k8s使用kube-router网络插件并监控流量状态-低调大师

k8s使用kube-router网络插件并监控流量状态

2018-12-16 617

简介

kube-router是一个新的k8s的网络插件，使用lvs做服务的代理及负载均衡，使用iptables来做网络的隔离策略。部署简单，只需要在每个节点部署一个daemonset即可，高性能，易维护。支持pod间通信，以及服务的代理。

安装

# 本次实验重新创建了集群，使用之前测试其他网络插件的集群环境没有成功 # 可能是由于环境干扰，实验时需要注意 # 创建kube-router目录下载相关文件
mkdir kube-router && cd kube-router
wget https://raw.githubusercontent.com/cloudnativelabs/kube-router/master/daemonset/kubeadm-kuberouter.yaml
wget https://raw.githubusercontent.com/cloudnativelabs/kube-router/master/daemonset/kubeadm-kuberouter-all-features.yaml

# 以下两种部署方式任选其一 # 1. 只启用 pod网络通信，网络隔离策略 功能
kubectl apply -f kubeadm-kuberouter.yaml

# 2. 启用 pod网络通信，网络隔离策略，服务代理 所有功能 # 删除kube-proxy和其之前配置的服务代理
kubectl apply -f kubeadm-kuberouter-all-features.yaml
kubectl -n kube-system delete ds kube-proxy

# 在每个节点上执行
docker run --privileged --net=host registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy-amd64:v1.10.2 kube-proxy --cleanup

# 查看
kubectl get pods --namespace kube-system
kubectl get svc --namespace kube-system
复制代码

测试

# 启动用于测试的deployment
kubectl run nginx --replicas=2 --image=nginx:alpine --port=80
kubectl expose deployment nginx --type=NodePort --name=example-service-nodeport
kubectl expose deployment nginx --name=example-service

# dns及访问测试
kubectl run curl --image=radial/busyboxplus:curl -i --tty
nslookup kubernetes
nslookup example-service
curl example-service

# 清理
kubectl delete svc example-service example-service-nodeport
kubectl delete deploy nginx curl
复制代码

监控相关数据并可视化

重新部署kube-router

# 修改yml文件
cp kubeadm-kuberouter-all-features.yaml kubeadm-kuberouter-all-features.yaml.ori
vim kubeadm-kuberouter-all-features.yaml
...
spec:
 template:
 metadata:
 labels:
 k8s-app: kube-router
 tier: node
 annotations:
 scheduler.alpha.kubernetes.io/critical-pod: '' # 添加如下参数，让prometheus收集数据
 prometheus.io/scrape: "true"
 prometheus.io/path: "/metrics"
 prometheus.io/port: "8080"
 spec:
 serviceAccountName: kube-router
 serviceAccount: kube-router
 containers:
 - name: kube-router
 image: cloudnativelabs/kube-router
 imagePullPolicy: Always
 args:
		# 添加如下参数开启metrics
 - --metrics-path=/metrics
 - --metrics-port=8080
 - --run-router=true
 - --run-firewall=true
 - --run-service-proxy=true
 - --kubeconfig=/var/lib/kube-router/kubeconfig
...

# 重新部署
kubectl delete ds kube-router -n kube-system
kubectl apply -f kubeadm-kuberouter-all-features.yaml

# 测试获取metrics
curl http://127.0.0.1:8080/metrics
复制代码

部署prometheus

复制如下内容到prometheus.yml文件

--- apiVersion: v1 kind: ConfigMap metadata:  name: prometheus  namespace: kube-system data: prometheus.yml: |-  global:  scrape_interval: 15s  scrape_configs: # scrape config for API servers  - job_name: 'kubernetes-apiservers'  kubernetes_sd_configs:  - role: endpoints  scheme: https  tls_config:  ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token  relabel_configs:  - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]  action: keep  regex: default;kubernetes;https # scrape config for nodes (kubelet)  - job_name: 'kubernetes-nodes'  scheme: https  tls_config:  ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token  kubernetes_sd_configs:  - role: node  relabel_configs:  - action: labelmap  regex: __meta_kubernetes_node_label_(.+)  - target_label: __address__  replacement: kubernetes.default.svc:443  - source_labels: [__meta_kubernetes_node_name]  regex: (.+)  target_label: __metrics_path__  replacement: /api/v1/nodes/${1}/proxy/metrics # Scrape config for Kubelet cAdvisor. # # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics # (those whose names begin with 'container_') have been removed from the # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to # retrieve those metrics. # # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with # the --cadvisor-port=0 Kubelet flag). # # This job is not necessary and should be removed in Kubernetes 1.6 and # earlier versions, or it will cause the metrics to be scraped twice.  - job_name: 'kubernetes-cadvisor'  scheme: https  tls_config:  ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token  kubernetes_sd_configs:  - role: node  relabel_configs:  - action: labelmap  regex: __meta_kubernetes_node_label_(.+)  - target_label: __address__  replacement: kubernetes.default.svc:443  - source_labels: [__meta_kubernetes_node_name]  regex: (.+)  target_label: __metrics_path__  replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor # scrape config for service endpoints.  - job_name: 'kubernetes-service-endpoints'  kubernetes_sd_configs:  - role: endpoints  relabel_configs:  - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]  action: keep  regex: true  - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]  action: replace  target_label: __scheme__  regex: (https?)  - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]  action: replace  target_label: __metrics_path__  regex: (.+)  - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]  action: replace  target_label: __address__  regex: ([^:]+)(?::\d+)?;(\d+)  replacement: $1:$2  - action: labelmap  regex: __meta_kubernetes_service_label_(.+)  - source_labels: [__meta_kubernetes_namespace]  action: replace  target_label: kubernetes_namespace  - source_labels: [__meta_kubernetes_service_name]  action: replace  target_label: kubernetes_name # Example scrape config for pods  - job_name: 'kubernetes-pods'  kubernetes_sd_configs:  - role: pod  relabel_configs:  - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]  action: keep  regex: true  - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]  action: replace  target_label: __metrics_path__  regex: (.+)  - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]  action: replace  regex: ([^:]+)(?::\d+)?;(\d+)  replacement: $1:$2  target_label: __address__  - action: labelmap  regex: __meta_kubernetes_pod_label_(.+)  - source_labels: [__meta_kubernetes_namespace]  action: replace  target_label: namespace  - source_labels: [__meta_kubernetes_pod_name]  action: replace  target_label: pod_name --- apiVersion: v1 kind: Service metadata:  annotations: prometheus.io/scrape: 'true'  labels:  name: prometheus  name: prometheus  namespace: kube-system spec:  selector:  app: prometheus  type: NodePort  ports:  - name: prometheus  protocol: TCP  port: 9090 --- apiVersion: extensions/v1beta1 kind: Deployment metadata:  name: prometheus  namespace: kube-system spec:  replicas: 1  selector:  matchLabels:  app: prometheus  template:  metadata:  name: prometheus  labels:  app: prometheus  annotations: sidecar.istio.io/inject: "false"  spec:  serviceAccountName: prometheus  containers:  - name: prometheus  image: docker.io/prom/prometheus:v2.2.1  imagePullPolicy: IfNotPresent  args:  - '--storage.tsdb.retention=6h'  - '--config.file=/etc/prometheus/prometheus.yml'  ports:  - name: web  containerPort: 9090  volumeMounts:  - name: config-volume  mountPath: /etc/prometheus  volumes:  - name: config-volume  configMap:  name: prometheus --- apiVersion: v1 kind: ServiceAccount metadata:  name: prometheus  namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata:  name: prometheus rules: - apiGroups: [""]  resources:  - nodes  - services  - endpoints  - pods  - nodes/proxy  verbs: ["get", "list", "watch"] - apiGroups: [""]  resources:  - configmaps  verbs: ["get"] - nonResourceURLs: ["/metrics"]  verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata:  name: prometheus roleRef:  apiGroup: rbac.authorization.k8s.io  kind: ClusterRole  name: prometheus subjects: - kind: ServiceAccount  name: prometheus  namespace: kube-system --- 复制代码

部署测试

# 部署
kubectl apply -f prometheus.yml

# 查看
kubectl get pods --namespace kube-system
kubectl get svc --namespace kube-system

# 访问prometheus # 输入 kube_router 关键字查找 看有无提示出现
prometheusNodePort=$(kubectl get svc -n kube-system | grep prometheus | awk '{print $5}' | cut -d '/' -f 1 | cut -d ':' -f 2)
nodeName=$(kubectl get no | grep '<none>' | head -1 | awk '{print $1}')
nodeIP=$(ping -c 1 $nodeName | grep PING | awk '{print $3}' | tr -d '()')
echo "http://$nodeIP:"$prometheusNodePort 复制代码

部署grafana

复制如下内容到grafana.yml文件

--- apiVersion: v1 kind: Service metadata:  name: grafana  namespace: kube-system spec:  type: NodePort  ports:  - port: 3000  protocol: TCP  name: http  selector:  app: grafana --- apiVersion: extensions/v1beta1 kind: Deployment metadata:  name: grafana  namespace: kube-system spec:  replicas: 1  template:  metadata:  labels:  app: grafana  spec:  serviceAccountName: grafana  containers:  - name: grafana  image: grafana/grafana  imagePullPolicy: IfNotPresent  ports:  - containerPort: 3000  volumeMounts:  - mountPath: /var/lib/grafana  name: grafana-data  volumes:  - name: grafana-data  emptyDir: {} --- apiVersion: v1 kind: ServiceAccount metadata:  name: grafana  namespace: kube-system --- 复制代码

部署测试

# 部署
kubectl apply -f grafana.yml

# 查看
kubectl get pods --namespace kube-system
kubectl get svc --namespace kube-system


# 访问grafana
grafanaNodePort=$(kubectl get svc -n kube-system | grep grafana | awk '{print $5}' | cut -d '/' -f 1 | cut -d ':' -f 2)
nodeName=$(kubectl get no | grep '<none>' | head -1 | awk '{print $1}')
nodeIP=$(ping -c 1 $nodeName | grep PING | awk '{print $3}' | tr -d '()')
echo "http://$nodeIP:"$grafanaNodePort # 默认用户密码
admin/admin
复制代码

导入并查看dashboard

# 下载官方dashboard的json文件
wget https://raw.githubusercontent.com/cloudnativelabs/kube-router/master/dashboard/kube-router.json
复制代码

创建名为Prometheus类型也为Prometheus的数据源，连接地址为http://prometheus:9090/

选择刚刚下载的json文件导入dashboard

查看dashboard

本文转自掘金- k8s使用kube-router网络插件并监控流量状态

微信关注我们

原文链接：https://yq.aliyun.com/articles/680077

转载内容版权归作者及来源网站所有！

低调大师中文资讯倾力打造互联网数据资讯、行业资源、电子商务、移动互联网、网络营销平台。持续更新报道IT业界、互联网、市场资讯、驱动更新,是最及时权威的产业资讯及硬件资讯报道平台。

k8s使用kube-router网络组件并实现网络隔离

简介本文章主要介绍k8s如何使用kube-router实现pod通信，服务代理，网络策略隔离等功能 kube-router是一个新的k8s的网络插件，使用lvs做服务的代理及负载均衡，使用iptables来做网络的隔离策略。部署简单，只需要在每个节点部署一个daemonset即可，高性能，易维护。支持pod间通信，以及服务的代理。环境说明本实验在已经安装配置好k8s集群基础之上进行实验，k8s安装参考博客其他文章。实验架构 lab1: master 11.11.11.111 lab2: node 11.11.11.112 lab3: node 11.11.11.113 复制代码安装 # 本次实验重新创建了集群，使用之前测试其他网络插件的集群环境没有成功 # 可能是由于环境干扰，实验时需要注意 # 创建kube-router目录下载相关文件 mkdir kube-router && cd kube-router rm -f generic-kuberouter-all-features.yaml wget https://raw.githubuserconte...

2018-12-17

579

简介 traefik 是一个前端负载均衡器，对于微服务架构尤其是 kubernetes 等编排工具具有良好的支持；同 nginx 等相比，traefik 能够自动感知后端容器变化，从而实现自动服务发现。 traefik部署在k8s上分为daemonset和deployment两种方式各有优缺点： daemonset 能确定有哪些node在运行traefik，所以可以确定的知道后端ip，但是不能方便的伸缩 deployment 可以更方便的伸缩，但是不能确定有哪些node在运行traefik所以不能确定的知道后端ip 一般部署两种不同类型的traefik: 面向内部(internal)服务的traefik，建议可以使用deployment的方式面向外部(external)服务的traefik，建议可以使用daemonset的方式建议使用traffic-type标签 traffic-type: external traffic-type: internal traefik相应地使用labelSelector traffic-type=internal traffic-type=ext...

2018-12-17

825

资源下载

更多资源

优质分享App

近一个月的开发和优化，本站点的第一个app全新上线。该app采用极致压缩，本体才4.36MB。系统里面做了大量数据访问、缓存优化。方便用户在手机上查看文章。后续会推出HarmonyOS的适配版本。

Mario

马里奥是站在游戏界顶峰的超人气多面角色。马里奥靠吃蘑菇成长，特征是大鼻子、头戴帽子、身穿背带裤，还留着胡子。与他的双胞胎兄弟路易基一起，长年担任任天堂的招牌角色。

Nacos

Nacos /nɑ:kəʊs/ 是 Dynamic Naming and Configuration Service 的首字母简称，一个易于构建 AI Agent 应用的动态服务发现、配置管理和AI智能体管理平台。Nacos 致力于帮助您发现、配置和管理微服务及AI智能体应用。Nacos 提供了一组简单易用的特性集，帮助您快速实现动态服务发现、服务配置、服务元数据、流量管理。Nacos 帮助您更敏捷和容易地构建、交付和管理微服务平台。

Rocky Linux

Rocky Linux（中文名：洛基）是由Gregory Kurtzer于2020年12月发起的企业级Linux发行版，作为CentOS稳定版停止维护后与RHEL（Red Hat Enterprise Linux）完全兼容的开源替代方案，由社区拥有并管理，支持x86_64、aarch64等架构。其通过重新编译RHEL源代码提供长期稳定性，采用模块化包装和SELinux安全架构，默认包含GNOME桌面环境及XFS文件系统，支持十年生命周期更新。