Calico OpenShift

Calico is one of the most widely used container networking solutions. It builds the overlay-free network entirely from routing rules and announces routes between nodes with BGP. Because Calico BGP does not encapsulate and decapsulate packets the way OVS does, its network performance is better.
Managing a Calico network means using the calicoctl tool. This post covers how to configure calicoctl to manage the cluster network in an OpenShift/Kubernetes environment.

Calico metadata can live in one of two datastore types: etcd or kubernetes.

  1. Install calicoctl
    $ curl -O -L https://github.com/projectcalico/calicoctl/releases/download/v3.10.0/calicoctl
    $ chmod a+x calicoctl
  2. Confirm which datastore type Calico was deployed with by inspecting the calico-config ConfigMap
    $ oc describe cm calico-config -n kube-system | grep datastore_type
    The value is either kubernetes or etcdv3; the default is etcdv3.
    When it is kubernetes, Calico stores its data directly through the Kubernetes API, and no separate etcd endpoint or client certificate is needed.

Using the kubernetes datastore type

Create the calicoctl configuration file calicoctl.cfg (the default path calicoctl looks for is /etc/calico/calicoctl.cfg). The fields under spec must be indented so that YAML places them inside spec:

$ mkdir /etc/calico
$ cat << EOF > /etc/calico/calicoctl.cfg
apiVersion: projectcalico.org/v3
kind: CalicoAPIConfig
metadata:
spec:
  datastoreType: "kubernetes"
  kubeconfig: "/root/.kube/config"
EOF

Using the etcdv3 datastore type

  1. Create the calicoctl configuration file calicoctl.cfg. The only difference between the two variants below is where the etcd client key, certificate and CA files live; the key file grants write access to Calico's datastore, so the config should be readable by root only.

for openshift

$ mkdir /etc/calico
$ cat << EOF > /etc/calico/calicoctl.cfg
apiVersion: projectcalico.org/v3
kind: CalicoAPIConfig
metadata:
spec:
  datastoreType: "etcdv3"
  etcdEndpoints: https://master1.example.com:2379
  etcdKeyFile: /etc/cni/net.d/calico-tls/etcd-key
  etcdCertFile: /etc/cni/net.d/calico-tls/etcd-cert
  etcdCACertFile: /etc/cni/net.d/calico-tls/etcd-ca
EOF

for kubernetes

$ mkdir /etc/calico
$ cat << EOF > /etc/calico/calicoctl.cfg
apiVersion: projectcalico.org/v3
kind: CalicoAPIConfig
metadata:
spec:
  datastoreType: "etcdv3"
  etcdEndpoints: https://master1.example.com:2379
  etcdKeyFile: /etc/kubernetes/pki/etcd/server.key
  etcdCertFile: /etc/kubernetes/pki/etcd/server.crt
  etcdCACertFile: /etc/kubernetes/pki/etcd/ca.crt
EOF
  2. Run calicoctl to list the workload endpoints
    $ ./calicoctl get workloadendpoints
    WORKLOAD                  NODE                  NETWORKS           INTERFACE
    docker-registry-3-fr8zn   infra1.example.com    10.129.200.29/32   cali046d7771a9f
    registry-console-3-bxbck  master1.example.com   10.131.9.210/32    cali6d8bb449db0
    $ ./calicoctl get workloadendpoints -a # list workloadendpoints across all namespaces
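The procedure above is: read the datastore type out of calico-config, write the matching calicoctl.cfg, then run calicoctl. The script below is an added example (not from the original post or the Calico project) that automates those steps as shell functions and, before calicoctl is pointed at the file, checks that every kubeconfig, key, certificate and CA path the config references is actually readable, which is the usual reason a freshly written calicoctl.cfg fails. The ConfigMap text, the endpoint and the file paths are constructed placeholders; the parsing assumes, as in the Calico manifests, that datastore_type appears inside the cni_network_config JSON of the ConfigMap.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the datastore type from
# `oc describe cm calico-config` output, emit the matching calicoctl.cfg, and
# verify the files it points at exist before handing it to calicoctl.

# Extract datastore_type from `oc describe cm calico-config` output read on stdin.
# The key sits inside the cni_network_config JSON; an absent key means the etcdv3 default.
datastore_type_from_describe() {
  t=$(sed -n 's/.*"datastore_type": *"\([a-z0-9]*\)".*/\1/p' | head -n 1)
  if [ -n "$t" ]; then printf '%s\n' "$t"; else printf 'etcdv3\n'; fi
}

# calicoctl.cfg for the kubernetes datastore. $1 = kubeconfig path.
kube_cfg() {
  printf 'apiVersion: projectcalico.org/v3\nkind: CalicoAPIConfig\nmetadata:\nspec:\n'
  printf '  datastoreType: "kubernetes"\n  kubeconfig: "%s"\n' "$1"
}

# calicoctl.cfg for the etcdv3 datastore.
# $1 = etcd endpoint, $2 = client key, $3 = client cert, $4 = CA cert.
etcd_cfg() {
  printf 'apiVersion: projectcalico.org/v3\nkind: CalicoAPIConfig\nmetadata:\nspec:\n'
  printf '  datastoreType: "etcdv3"\n  etcdEndpoints: %s\n' "$1"
  printf '  etcdKeyFile: %s\n  etcdCertFile: %s\n  etcdCACertFile: %s\n' "$2" "$3" "$4"
}

# Pick the layout from the datastore type. $1 = type; remaining args go to the emitter.
gen_cfg() {
  kind=$1; shift
  case "$kind" in
    kubernetes) kube_cfg "$@" ;;
    etcdv3)     etcd_cfg "$@" ;;
    *) echo "unknown datastore type: $kind" >&2; return 2 ;;
  esac
}

# Read a calicoctl.cfg on stdin; return non-zero if any referenced file is unreadable.
check_cfg_files() {
  rc=0
  for f in $(sed -En 's/^ *(kubeconfig|etcdKeyFile|etcdCertFile|etcdCACertFile): *"?([^"]*)"?.*$/\2/p'); do
    [ -r "$f" ] || { echo "unreadable: $f" >&2; rc=1; }
  done
  return $rc
}

# Constructed stand-in for `oc describe cm calico-config -n kube-system` output.
SAMPLE_DESCRIBE='Name:         calico-config
Namespace:    kube-system
Data
====
cni_network_config:
----
{ "name": "k8s-pod-network", "plugins": [ { "type": "calico", "datastore_type": "kubernetes" } ] }'

# Stand-alone demo: detect the type from the sample, then build and check an etcd
# config against throw-away files in a temporary directory (placeholder paths).
demo() {
  d=$(mktemp -d)
  touch "$d/etcd-key" "$d/etcd-cert" "$d/etcd-ca"
  kind=$(printf '%s\n' "$SAMPLE_DESCRIBE" | datastore_type_from_describe)
  echo "detected datastore type: $kind"
  etcd_cfg https://master1.example.com:2379 "$d/etcd-key" "$d/etcd-cert" "$d/etcd-ca" \
    | check_cfg_files && echo "etcd config references readable files"
  rm -rf "$d"
}
demo
```

On a real cluster, replace the sample text with `oc describe cm calico-config -n kube-system`, pipe the generated config into /etc/calico/calicoctl.cfg with mode 0600, and run `check_cfg_files < /etc/calico/calicoctl.cfg` before the first calicoctl call.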