net-conf.json: |
{
"Network": "10.244.0.0/16",
"Backend": {
"Type": "vxlan"
}
}
创建测试 Pod
root@k8s-master:~# kubectl create deployment test --image nginx:alpine --replicas 3
deployment.apps/test created
root@k8s-master:~# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
test-7775d78886-9pld7 1/1 Running 0 85s 10.244.0.20 k8s-master <none> <none>
test-7775d78886-t9rvl 1/1 Running 0 85s 10.244.1.110 k8s-worker <none> <none>
test-7775d78886-xcz6j 1/1 Running 0 85s 10.244.1.109 k8s-worker <none> <none>
同节点 Pod 通信
10.244.1.110 => 10.244.1.109
查看源 Pod 的路由表
root@k8s-master:~# kubectl exec -it test-7775d78886-t9rvl -- sh
/ # ip route
default via 10.244.1.1 dev eth0
10.244.0.0/16 via 10.244.1.1 dev eth0
10.244.1.0/24 dev eth0 scope link src 10.244.1.110
查看源 Pod 对端 veth 的索引号
/ # apk add ethtool
/ # ethtool -S eth0
NIC statistics:
peer_ifindex: 10
在节点上查看该 veth,master cni0
表示该接口是附加到网桥 cni0 的一个接口
root@k8s-worker:~# ip addr show vethb3436908
10: vethb3436908@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
link/ether 0a:1c:9f:f1:6d:0e brd ff:ff:ff:ff:ff:ff link-netnsid 3
inet6 fe80::c85:f0ff:fe1f:25a2/64 scope link
valid_lft forever preferred_lft forever
查看源 Pod 所在节点的路由表,数据包交由 cni0 处理
root@k8s-worker:~# ip route
default via 172.16.0.2 dev eth0 proto static
10.244.0.0/24 via 10.244.0.0 dev flannel.1 onlink
10.244.1.0/24 dev cni0 proto kernel scope link src 10.244.1.1
172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.155
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
查看 cni0 接口,它是一个 Linux bridge,不仅能学习 MAC 地址、转发二层数据包,还能根据路由表转发跨网段数据包,类似于一个三层交换机
root@k8s-worker:~# ip addr show cni0
6: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
link/ether 96:7a:5c:9b:9a:26 brd ff:ff:ff:ff:ff:ff
inet 10.244.1.1/24 brd 10.244.1.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::947a:5cff:fe9b:9a26/64 scope link
valid_lft forever preferred_lft forever
网络拓扑如下:
跨节点 Pod 通信
10.244.1.110 => 10.244.0.20
查看源 Pod 的路由表
/ # ip route
default via 10.244.1.1 dev eth0
10.244.0.0/16 via 10.244.1.1 dev eth0
10.244.1.0/24 dev eth0 scope link src 10.244.1.110
查看 cni0 接口
root@k8s-worker:~# ip addr show cni0
6: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
link/ether 96:7a:5c:9b:9a:26 brd ff:ff:ff:ff:ff:ff
inet 10.244.1.1/24 brd 10.244.1.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::947a:5cff:fe9b:9a26/64 scope link
valid_lft forever preferred_lft forever
查看源 Pod 所在节点的路由表,数据包将交由 flannel.1 处理
root@k8s-worker:~# ip route
default via 172.16.0.2 dev eth0 proto static
10.244.0.0/24 via 10.244.0.0 dev flannel.1 onlink
10.244.1.0/24 dev cni0 proto kernel scope link src 10.244.1.1
172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.155
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
查看 flannel.1 接口,它是一个 VxLAN 设备
root@k8s-worker:~# ip -d link show flannel.1
5: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/ether 7a:23:ee:e3:26:8d brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
vxlan id 1 local 172.16.0.155 dev eth0 srcport 0 0 dstport 8472 nolearning ttl auto ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
root@k8s-worker:~# ip addr show flannel.1
5: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
link/ether 7a:23:ee:e3:26:8d brd ff:ff:ff:ff:ff:ff
inet 10.244.1.0/32 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::7823:eeff:fee3:268d/64 scope link
valid_lft forever preferred_lft forever
节点上抓取数据包
root@k8s-worker:~# tcpdump -i eth0 -w flannel-vxlan.pcap
源 Pod 访问目的 Pod
/ # curl 10.244.0.20
......
网络拓扑如下:
- flannel.1 设备 IP 地址的作用?
通过 ARP 请求获取对端的 fannel.1 设备的 MAC 地址,即内层数据包的目的 MAC 地址
root@k8s-worker:~# ip route
10.244.0.0/24 via 10.244.0.0 dev flannel.1 onlink
......
root@k8s-worker:~# arp -n
Address HWtype HWaddress Flags Mask Iface
......
10.244.0.0 ether 56:2a:93:06:79:72 CM flannel.1