参考calico官网:http://docs.projectcalico.org/v2.0/getting-started/kubernetes/installation/hosted/kubeadm/
上述链接介绍的是利用calico内置独立的etcd节点实现pod发现与存储的机制,过程中通过yaml文件描述的规则在Kubernetes master所在node上部署一个单节点的etcd集群,此etcd集群只供calico内部使用
贴一下我的配置:
# This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap apiVersion: v1 metadata: name: calico-config namespace: kube-system data: # The location of your etcd cluster. This uses the Service clusterIP # defined below. # 192.168.182.128是我虚拟机的地址 也就是Kubernetes master节点所在机器的地址,下面配置中用到的这个地址同理 etcd_endpoints: "http://192.168.182.128:6666" # True enables BGP networking, false tells Calico to enforce # policy only, using native networking. enable_bgp: "true" # The CNI network configuration to install on each node. cni_network_config: |- { "name": "k8s-pod-network", "type": "calico", "etcd_endpoints": "http://192.168.182.128:6666", "log_level": "info", "ipam": { "type": "calico-ipam" }, "policy": { "type": "k8s", "k8s_api_root": "https://192.168.182.128:6443", "k8s_auth_token": "" }, "kubernetes": { "kubeconfig": "/etc/kubernetes/kubelet.conf" } } # The default IP Pool to be created for the cluster. # Pod IP addresses will be assigned from this pool. ippool.yaml: | apiVersion: v1 kind: ipPool metadata: cidr: 10.1.0.0/16 spec: ipip: enabled: true nat-outgoing: true --- # This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet # to force it to run on the master even when the master isn't schedulable, and uses # nodeSelector to ensure it only runs on the master. apiVersion: extensions/v1beta1 kind: DaemonSet metadata: name: calico-etcd namespace: kube-system labels: k8s-app: calico-etcd spec: template: metadata: labels: k8s-app: calico-etcd annotations: scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/tolerations: | [{"key": "dedicated", "value": "master", "effect": "NoSchedule" }, {"key":"CriticalAddonsOnly", "operator":"Exists"}] spec: # Only run this pod on the master. nodeSelector: kubeadm.alpha.kubernetes.io/role: master hostNetwork: true containers: - name: calico-etcd image: k8s/etcd:v3.0.15 env: - name: CALICO_ETCD_IP valueFrom: fieldRef: fieldPath: status.podIP command: ["/bin/sh","-c"] args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$CALICO_ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"] volumeMounts: - name: var-etcd mountPath: /var/etcd volumes: - name: var-etcd hostPath: path: /var/etcd --- # This manfiest installs the Service which gets traffic to the Calico # etcd. apiVersion: v1 kind: Service metadata: labels: k8s-app: calico-etcd name: calico-etcd namespace: kube-system spec: # Select the calico-etcd pod running on the master. selector: k8s-app: calico-etcd # This ClusterIP needs to be known in advance, since we cannot rely # on DNS to get access to etcd. clusterIP: None ports: - port: 6666 --- # This manifest installs the calico/node container, as well # as the Calico CNI plugins and network config on # each master and worker node in a Kubernetes cluster. kind: DaemonSet apiVersion: extensions/v1beta1 metadata: name: calico-node namespace: kube-system labels: k8s-app: calico-node spec: selector: matchLabels: k8s-app: calico-node template: metadata: labels: k8s-app: calico-node annotations: scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/tolerations: | [{"key": "dedicated", "value": "master", "effect": "NoSchedule" }, {"key":"CriticalAddonsOnly", "operator":"Exists"}] spec: hostNetwork: true containers: # Runs calico/node container on each Kubernetes node. This # container programs network policy and routes on each # host. - name: calico-node image: calico/node:v1.0.2 env: # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-config key: etcd_endpoints # Enable BGP. Disable to enforce policy only. - name: CALICO_NETWORKING valueFrom: configMapKeyRef: name: calico-config key: enable_bgp # Disable file logging so `kubectl logs` works. - name: CALICO_DISABLE_FILE_LOGGING value: "true" # Set Felix endpoint to host default action to ACCEPT. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: "ACCEPT" # Don't configure a default pool. This is done by the Job # below. - name: NO_DEFAULT_POOLS value: "true" # Auto-detect the BGP IP address. - name: IP value: "" securityContext: privileged: true volumeMounts: - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /var/run/calico name: var-run-calico readOnly: false # This container installs the Calico CNI binaries # and CNI network config file on each node. - name: install-cni image: quay.io/calico/cni:v1.5.5 command: ["/install-cni.sh"] env: # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-config key: etcd_endpoints # The CNI network config to install on each node. - name: CNI_NETWORK_CONFIG valueFrom: configMapKeyRef: name: calico-config key: cni_network_config volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir - mountPath: /host/etc/cni/net.d name: cni-net-dir volumes: # Used by calico/node. - name: lib-modules hostPath: path: /lib/modules - name: var-run-calico hostPath: path: /var/run/calico # Used to install CNI. - name: cni-bin-dir hostPath: path: /opt/cni/bin - name: cni-net-dir hostPath: path: /etc/cni/net.d --- # This manifest deploys the Calico policy controller on Kubernetes. # See https://github.com/projectcalico/k8s-policy apiVersion: extensions/v1beta1 kind: Deployment metadata: name: calico-policy-controller namespace: kube-system labels: k8s-app: calico-policy spec: # The policy controller can only have a single active instance. replicas: 1 strategy: type: Recreate template: metadata: name: calico-policy-controller namespace: kube-system labels: k8s-app: calico-policy-controller annotations: scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/tolerations: | [{"key": "dedicated", "value": "master", "effect": "NoSchedule" }, {"key":"CriticalAddonsOnly", "operator":"Exists"}] spec: # The policy controller must run in the host network namespace so that # it isn't governed by policy that would prevent it from working. hostNetwork: true containers: - name: calico-policy-controller image: calico/kube-policy-controller:v0.5.2 env: # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-config key: etcd_endpoints # The location of the Kubernetes API. Use the default Kubernetes # service for API access. - name: K8S_API value: "https://kubernetes.default:443" # Since we're running in the host namespace and might not have KubeDNS # access, configure the container's /etc/hosts to resolve # kubernetes.default to the correct service clusterIP. - name: CONFIGURE_ETC_HOSTS value: "true" --- ## This manifest deploys a Job which performs one time # configuration of Calico apiVersion: batch/v1 kind: Job metadata: name: configure-calico namespace: kube-system labels: k8s-app: calico spec: template: metadata: name: configure-calico annotations: scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/tolerations: | [{"key": "dedicated", "value": "master", "effect": "NoSchedule" }, {"key":"CriticalAddonsOnly", "operator":"Exists"}] spec: hostNetwork: true restartPolicy: OnFailure containers: # Writes basic configuration to datastore. - name: configure-calico image: calico/ctl:v1.0.2 args: - apply - -f - /etc/config/calico/ippool.yaml volumeMounts: - name: config-volume mountPath: /etc/config env: # The location of the etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-config key: etcd_endpoints volumes: - name: config-volume configMap: name: calico-config items: - key: ippool.yaml path: calico/ippool.yaml
通过kubectl命令安装calico
kubectl create -f calico.yaml
可以根据执行结果和kubectl系列命令查看相应的deployment和各个pod的运行状态以及出错信息。
如果一切正常,就可以创建测试pod进行ping通信测试了,官方给出的测试方法也可以:
kubectl create ns policy-demo
# Run the Pods. kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx
# Create the Service. kubectl expose --namespace=policy-demo deployment nginx --port=80
# Run a Pod and try to access the `nginx` Service. $ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false If you don't see a command prompt, try pressing enter. / # wget -q nginx -O -
如果看到nginx的回复说明网络已经通了, 注意前提是Kubernetes集群中已经运行dns服务
也可以直接在命令行发送ping:
kubectl exec -ti nginx-701339712-f2cdm --namespace=policy-demo ping 10.1.155.75
涉及到的docker镜像文件在国内网络环境下载很慢,如果有需要我可以贴上来。