Setting up the network for Kubernetes


Question

I'm reading the Kubernetes "Getting Started from Scratch" Guide and have arrived at the dreaded Network Section, where they state:

Kubernetes imposes the following fundamental requirements on any networking implementation
(barring any intentional network segmentation policies):
* all containers can communicate with all other containers without NAT
* all nodes can communicate with all containers (and vice-versa) without NAT
* the IP that a container sees itself as is the same IP that others see it as

My first source of confusion is: How is this different than the "standard" Docker model? How is Docker different w.r.t. those 3 Kubernetes requirements?

The article then goes on to summarize how GCE achieves these requirements:

For the Google Compute Engine cluster configuration scripts, we use advanced routing to assign each VM a subnet (default is /24 - 254 IPs). Any traffic bound for that subnet will be routed directly to the VM by the GCE network fabric. This is in addition to the "main" IP address assigned to the VM, which is NAT'ed for outbound internet access. A linux bridge (called cbr0) is configured to exist on that subnet, and is passed to docker's --bridge flag.

My question here is: Which requirement(s) from the 3 above does this paragraph address? More importantly, how does it achieve the requirement(s)? I guess I just don't understand how 1-subnet-per-VM accomplishes: container-container communication, node-container communication, and static IP.

And, as a bonus/stretch concern: Why doesn't Marathon suffer from the same networking concerns as what Kubernetes is addressing here?

Answer

Docker's standard networking configuration picks a container subnet for you out of its chosen defaults. As long as it doesn't conflict with any interfaces on your host, Docker is okay with it.

Then, Docker inserts an iptables MASQUERADE rule that allows containers to talk to the external world using the host's default interface.

Kubernetes' 3 requirements are violated by the fact that subnets are chosen only based on addresses in use on the host, which forces the requirement to NAT all container traffic using the MASQUERADE rule.

Consider the following 3-host Docker setup (a little contrived to highlight things):

Host 1:
  eth0: 10.1.2.3
  docker0: 172.17.42.1/16
  container-A: 172.17.42.2

Host 2:
  eth0: 10.1.2.4
  docker0: 172.17.42.1/16
  container-B: 172.17.42.2

Host 3:
  eth0: 172.17.42.2
  docker0: 172.18.42.1

Let's say container-B wants to access an HTTP service on port 80 of container-A. You can get Docker to expose container-A's port 80 somewhere on Host 1. Then container-B might make a request to 10.1.2.3:43210. This will be received on container-A's port 80, but will look like it came from some random port on 10.1.2.4 because of the NAT on the way out of Host 2. This violates the "all containers communicate without NAT" and "the container sees the same IP as others" requirements. Try to access container-A's service directly from Host 2 and you get your "nodes can communicate with containers without NAT" violation.

Now if either of those containers want to talk to Host 3, they're SOL (just a general argument for being careful with the auto-assigned docker0 subnets).

Kubernetes' approach on GCE/AWS/Flannel/... is to assign each host VM a subnet carved out of a flat private network. No subnets overlap with VM addresses or with each other. This lets containers and VMs communicate NATlessly.
