Submariner Best Practices
Document revision history
| Author | Version | Date | Notes |
|---|---|---|---|
| 杨庆彪 | v0.1 | 2019-04-09 | submariner v0.0.1 test |
Environment preparation
Install Rancher Server and use it to deploy three Kubernetes clusters.
Install the kubectl and helm clients on the client host.
Environment versions
- OS: Ubuntu 16.04.6 (kernel 4.4.0-31-generic)
- Docker: 18.09.3
- Rancher: v2.2.1
- kubectl: v1.14.0
- helm: v2.13.1
- Submariner: v0.0.1
Nodes
- Node1: Rancher Server; 192.168.254.101
- Node2: Custom Kubernetes v1.13.5-rancher1-2; roles etcd, Control Plane, Worker; Canal; Cluster01; 192.168.254.102
- Node3: Custom Kubernetes v1.13.5-rancher1-2; role Worker; Canal; Cluster01; 192.168.254.103
- Node4: Custom Kubernetes v1.13.5-rancher1-2; roles etcd, Control Plane, Worker; Canal; Cluster02; 192.168.254.104
- Node5: Custom Kubernetes v1.13.5-rancher1-2; roles etcd, Control Plane, Worker; Canal; Cluster03; 192.168.254.105
Cluster configuration
Cluster01
When creating Cluster01, keep the default cluster YAML.
Cluster02
When creating Cluster02, add the following entries under `services:` in the cluster YAML (the `kube-api`, `kube-controller` and `kubelet` sections are all children of `services`):

```yaml
services:
  kube-api:
    service_cluster_ip_range: 10.53.0.0/16
  kube-controller:
    cluster_cidr: 10.52.0.0/16
    service_cluster_ip_range: 10.53.0.0/16
  kubelet:
    cluster_domain: cluster02.local
    cluster_dns_server: 10.53.0.10
```
Cluster03
When creating Cluster03, add the following entries under `services:` in the cluster YAML in the same way:

```yaml
services:
  kube-api:
    service_cluster_ip_range: 10.63.0.0/16
  kube-controller:
    cluster_cidr: 10.62.0.0/16
    service_cluster_ip_range: 10.63.0.0/16
  kubelet:
    cluster_domain: cluster03.local
    cluster_dns_server: 10.63.0.10
```
Submariner
Introduction
Submariner is a tool for connecting the overlay networks of different Kubernetes clusters. It has been tested with Flannel and Canal and aims to be compatible with any CNI network plugin; it uses off-the-shelf components such as strongSwan/Charon to build IPsec tunnels between the Kubernetes clusters.
Note that Submariner is pre-alpha and is currently not recommended for production use.
It consists of two main Custom Resource Definitions (CRDs):
- submariner (Deployment)
- submariner-route-agent (DaemonSet)
How it works
Omitted.
Prerequisites
- At least three Kubernetes clusters, one of which is designated as the central broker and must be reachable from all connected clusters.
- Each cluster must use a different pod/service CIDR (and a different Kubernetes DNS suffix). This prevents conflicts between IPsec traffic selectors, policies and routes.
- The nodes of the clusters must be reachable from each other over the network; Submariner supports 1:1 NAT setups.
- Know the network configuration of every cluster.
- A Helm version that supports the crd-install hook (v2.12.1+).
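The second prerequisite can be checked before any cluster is created. The script below is an added example, not part of this document or of Submariner: it takes the pod and service CIDRs from the cluster configuration section and assumes that Cluster01's Rancher defaults are 10.42.0.0/16 for pods and 10.43.0.0/16 for services.

```shell
#!/bin/sh
# Added example (not from this document or Submariner): verify that the pod
# and service CIDRs planned for the connected clusters are pairwise disjoint.
# Overlapping ranges would produce conflicting IPsec traffic selectors and
# routes, which is why the prerequisites demand distinct CIDRs per cluster.
set -eu

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print 1 if two CIDRs overlap, 0 if they are disjoint.
cidr_overlap() {
  a_ip=${1%/*}; a_len=${1#*/}; b_ip=${2%/*}; b_len=${2#*/}
  len=$(( a_len < b_len ? a_len : b_len ))   # the shorter prefix decides
  mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  if [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]; then
    echo 1
  else
    echo 0
  fi
}

# Take "name=cidr" arguments, test every unordered pair, return 1 on any overlap.
check_all_disjoint() {
  status=0
  while [ $# -gt 1 ]; do
    x=$1; shift
    for y in "$@"; do
      if [ "$(cidr_overlap "${x#*=}" "${y#*=}")" -eq 1 ]; then
        echo "OVERLAP: $x and $y" >&2
        status=1
      fi
    done
  done
  return $status
}

# CIDRs from this document; the Cluster01 values are assumed Rancher defaults.
check_all_disjoint \
  cluster01-pods=10.42.0.0/16 cluster01-svc=10.43.0.0/16 \
  cluster02-pods=10.52.0.0/16 cluster02-svc=10.53.0.0/16 \
  cluster03-pods=10.62.0.0/16 cluster03-svc=10.63.0.0/16 \
  && echo "all planned CIDRs are disjoint"
```

Run it again with the real `cluster_cidr` and `service_cluster_ip_range` values whenever a cluster is added; any pair printed as OVERLAP must be renumbered before Submariner is installed.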
Deployment procedure
Initialize Helm and Tiller
1. Download the kubeconfig files of the three clusters and place them in the .kube directory as cluster01, cluster02 and cluster03.
2. Add the repo to Helm on the client host:

```bash
helm repo add submariner-latest https://releases.rancher.com/submariner-charts/latest
```
3. Initialize Tiller in all clusters (note the namespace flag is `-n`, not `--n`):

```bash
kubectl --kubeconfig=cluster01 -n kube-system create serviceaccount tiller
kubectl --kubeconfig=cluster01 create clusterrolebinding tiller \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:tiller
helm --kubeconfig=cluster01 init --service-account tiller

kubectl --kubeconfig=cluster02 -n kube-system create serviceaccount tiller
kubectl --kubeconfig=cluster02 create clusterrolebinding tiller \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:tiller
helm --kubeconfig=cluster02 init --service-account tiller

kubectl --kubeconfig=cluster03 -n kube-system create serviceaccount tiller
kubectl --kubeconfig=cluster03 create clusterrolebinding tiller \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:tiller
helm --kubeconfig=cluster03 init --service-account tiller
```
Install submariner-k8s-broker
1. Install the Submariner K8s Broker on Cluster01:

```bash
SUBMARINER_BROKER_NS=submariner-k8s-broker
helm --kubeconfig=cluster01 install submariner-latest/submariner-k8s-broker \
  --name ${SUBMARINER_BROKER_NS} \
  --namespace ${SUBMARINER_BROKER_NS}
```
2. When the installation finishes, the chart prints the following notes:

```text
NOTES:
The Submariner Kubernetes Broker is now setup.
You can retrieve the server URL by running
$ SUBMARINER_BROKER_URL=$(kubectl -n default get endpoints kubernetes -o jsonpath="{.subsets[0].addresses[0].ip}:{.subsets[0].ports[0].port}")
The broker client token and CA can be retrieved by running
$ SUBMARINER_BROKER_CA=$(kubectl -n submariner-k8s-broker get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='submariner-k8s-broker-client')].data['ca\.crt']}")
$ SUBMARINER_BROKER_TOKEN=$(kubectl -n submariner-k8s-broker get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='submariner-k8s-broker-client')].data.token}"|base64 --decode)
```
3. Adjust the commands above slightly (add `--kubeconfig=cluster01` so they run against the broker cluster) and execute them:

```bash
SUBMARINER_BROKER_URL=$(kubectl --kubeconfig=cluster01 -n default get endpoints kubernetes -o jsonpath="{.subsets[0].addresses[0].ip}:{.subsets[0].ports[0].port}")
SUBMARINER_BROKER_CA=$(kubectl --kubeconfig=cluster01 -n submariner-k8s-broker get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='submariner-k8s-broker-client')].data['ca\.crt']}")
SUBMARINER_BROKER_TOKEN=$(kubectl --kubeconfig=cluster01 -n submariner-k8s-broker get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='submariner-k8s-broker-client')].data.token}"|base64 --decode)
```
4. Verify the submariner-k8s-broker: if each of the three variables prints a non-empty value, the broker is working.

```bash
echo $SUBMARINER_BROKER_URL
echo $SUBMARINER_BROKER_CA
echo $SUBMARINER_BROKER_TOKEN
```
Install submariner
1. Generate a pre-shared key for Submariner. The same key is used by all clusters, so keep it safe.

```bash
SUBMARINER_PSK=$(LC_CTYPE=C tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w 64 | head -n 1)
echo $SUBMARINER_PSK
```

Sample output:

```text
60uLoyLmQXmeoV717IAduTnF3qPT4gS8ibdzOflj7uVR4w50wnjWFAqM4GMqLzq6
```
2. Mark the gateway node in each cluster with a label (the node name is given once):

```bash
kubectl --kubeconfig=cluster02 label node node4 "submariner.io/gateway=true"
kubectl --kubeconfig=cluster03 label node node5 "submariner.io/gateway=true"
```
3. Install Submariner in each cluster, passing that cluster's own clusterId, pod CIDR and service CIDR:

```bash
helm --kubeconfig=cluster02 install submariner-latest/submariner \
  --name submariner \
  --namespace submariner \
  --set ipsec.psk="${SUBMARINER_PSK}" \
  --set broker.server="${SUBMARINER_BROKER_URL}" \
  --set broker.token="${SUBMARINER_BROKER_TOKEN}" \
  --set broker.namespace="${SUBMARINER_BROKER_NS}" \
  --set broker.ca="${SUBMARINER_BROKER_CA}" \
  --set submariner.clusterId="cluster02" \
  --set submariner.clusterCidr="10.52.0.0/16" \
  --set submariner.serviceCidr="10.53.0.0/16" \
  --set submariner.natEnabled="false"

helm --kubeconfig=cluster03 install submariner-latest/submariner \
  --name submariner \
  --namespace submariner \
  --set ipsec.psk="${SUBMARINER_PSK}" \
  --set broker.server="${SUBMARINER_BROKER_URL}" \
  --set broker.token="${SUBMARINER_BROKER_TOKEN}" \
  --set broker.namespace="${SUBMARINER_BROKER_NS}" \
  --set broker.ca="${SUBMARINER_BROKER_CA}" \
  --set submariner.clusterId="cluster03" \
  --set submariner.clusterCidr="10.62.0.0/16" \
  --set submariner.serviceCidr="10.63.0.0/16" \
  --set submariner.natEnabled="false"
```
4. Check the result after deployment:
- Cluster01 has a submariner-k8s-broker namespace.
- In Cluster02 and Cluster03 the submariner workloads appear under Workloads in the System project; if they do not, move the submariner namespace into the System project.
Kubernetes cross-cluster communication test
Deploy a busybox container in Cluster02 and in Cluster03, open a shell in each container and ping the other container's IP.
- Cluster02 busybox IP: 10.52.0.10
- Cluster03 busybox IP: 10.62.0.10
The two clusters can reach each other; the test is complete.