Book details
Kubernetes Networking: The Definitive Guide. Fundamentals, Principles and Practice (KUBERNETES网络权威指南:基础.原理与实践)

  • Publisher: 文轩网旗舰店 (Wenxuan flagship store)
  • Publication date: 2019-10
  • Popularity: 9435
  • Listed: 2024-06-30 09:08:33
  • Price: 0.0
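About the book

Author: 杜军 (Du Jun)
List price: 89
Publisher: 电子工业出版社 (Publishing House of Electronics Industry)
Publication date: October 1, 2019
Pages: 348
Binding: paperback
ISBN: 9787121373398
Editor's recommendation
A guide to Kubernetes networking: the underlying network models and implementations of the cloud-native era, with recommendations for enterprise adoption and solution selection!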
Table of contents
Chapter 1 Laying the foundation: Linux network virtualization
  1.1 The cornerstone of network virtualization: network namespace
    1.1.1 A first look at network namespace
    1.1.2 Configuring network namespace
    1.1.3 Using the network namespace API
    1.1.4 Summary
  1.2 Long awaited: veth pair
    1.2.1 Kernel implementation of veth pair
    1.2.2 How a container relates to the host veth pair
    1.2.3 Summary
  1.3 Connecting everyone: Linux bridge
    1.3.1 First experience with Linux bridge
    1.3.2 Handing the IP over to the Linux bridge
    1.3.3 Adding a physical NIC to the Linux bridge
    1.3.4 Linux bridge in network virtualization
    1.3.5 Promiscuous mode of network interfaces
  1.4 Giving user space a chance: tun/tap devices
    1.4.1 How tun/tap devices work
    1.4.2 Using a tun device to deploy a
    1.4.3 Programming tun devices
  1.5 iptables
    1.5.1 The founding father: netfilter
    1.5.2 The three basics of iptables: table, chain and rule
    1.5.3 The standard weapons of iptables
  1.6 A first look at Linux tunnels: ipip
    1.6.1 Testing an ipip tunnel
    1.6.2 Reviewing the ipip tunnel test results
    1.6.3 Summary
  1.7 The representative of Linux tunnel networks: VXLAN
    1.7.1 Why VXLAN is needed
    1.7.2 Introduction to VXLAN protocol principles
    1.7.3 Information required for VXLAN networking
    1.7.4 Basic VXLAN configuration commands
    1.7.5 VXLAN networking in practice
    1.7.6 Distributed control center
    1.7.7 Self-maintained VTEP groups
    1.7.8 Summary
  1.8 Cloning the physical NIC: Macvlan
    1.8.1 The five Macvlan working modes explained
    1.8.2 Testing Macvlan devices
    1.8.3 Cross-host communication with Macvlan
    1.8.4 Macvlan compared with overlay
    1.8.5 Summary
  1.9 Macvlan's rescuer: IPvlan
    1.9.1 Introduction to IPvlan
    1.9.2 Testing IPvlan
    1.9.3 Docker IPvlan network
    1.9.4 Summary
Chapter 2 Back to the source: an introduction to the Docker network model
  2.1 Enter the protagonist: Linux containers
    2.1.1 What a container is
    2.1.2 Containers compared with virtual machines
    2.1.3 Summary
  2.2 Opening the kaleidoscope: Docker's four network modes
    2.2.1 bridge mode
    2.2.2 host mode
    2.2.3 container mode
    2.2.4 none mode
  2.3 Common Docker networking tips
    2.3.1 Viewing a container's IP
    2.3.2 Port mapping
    2.3.3 Accessing external networks
    2.3.4 DNS and hostname
    2.3.5 Custom networks
    2.3.6 Publishing services
    2.3.7 docker link: pairwise linking
  2.4 A standard for container networking: CNM
    2.4.1 The CNM standard
    2.4.2 Trying the CNM interface
    2.4.3 Libnetwork
    2.4.4 Libnetwork extensions
    2.4.5 Summary
  2.5 Never easy: the challenges of container networking
    2.5.1 Overview of container networking challenges
    2.5.2 Docker's solution
    2.5.3 Third-party container network plugins
    2.5.4 Summary
  2.6 Making the right technology choice: container networking solutions reviewed
    2.6.1 Tunnel solutions
    2.6.2 Routing solutions
    2.6.3 Types of container networking
    2.6.4 On standard interfaces for container networking
    2.6.5 Summary
Chapter 3 The victory of standards: Kubernetes networking principles and practice
  3.1 The spokesperson for container infrastructure: Kubernetes
    3.1.1 Introduction to Kubernetes
    3.1.2 What Kubernetes can do
    3.1.3 How to use Kubernetes
    3.1.4 Docker's role in Kubernetes
  3.2 At last: Kubernetes networking
    3.2.1 Kubernetes networking basics
    3.2.2 Overview of the Kubernetes network architecture
    3.2.3 Kubernetes intra-host networking model
    3.2.4 Kubernetes cross-node networking model
    3.2.5 The Pod's hosts file
    3.2.6 The Pod's hostname
  3.3 The core of the Pod: the pause container
  3.4 Connecting CNI and Kubernetes: Kubernetes network drivers
    3.4.1 About to complete its historic mission: Kubenet
    3.4.2 A step for the network ecosystem: CNI
  3.5 Finding you is not easy: accessing services from inside the cluster
    3.5.1 Kubernetes Service in detail
    3.5.2 The three ports of a Service
    3.5.3 Which publishing form suits your service
    3.5.4 Kubernetes Service discovery
    3.5.5 The special headless Service
    3.5.6 How to access local services
  3.6 Finding you is not easy: accessing services from outside the cluster
    3.6.1 Kubernetes Ingress
    3.6.2 Summary
  3.7 Your name: accessing services by domain name
    3.7.1 Basic framework of the DNS service
    3.7.2 Basic principles of domain name resolution
    3.7.3 Using DNS
    3.7.4 Debugging DNS
  3.8 Kubernetes network policy: protecting your applications
    3.8.1 Network policy examples
    3.8.2 Summary
  3.9 Heads up: a guide to troubleshooting Kubernetes networking
    3.9.1 IP forwarding and bridging
    3.9.2 Pod CIDR conflicts
    3.9.3 hairpin
    3.9.4 Viewing Pod IP addresses
    3.9.5 Troubleshooting tools
    3.9.6 Why SNAT is not recommended
Chapter 4 Getting to the bottom: Kubernetes network implementation mechanisms
  4.1 More than iptables: details of the official Kubernetes Service implementation
    4.1.1 userspace mode
    4.1.2 iptables mode
    4.1.3 IPVS mode
    4.1.4 iptables vs. IPVS
    4.1.5 conntrack
    4.1.6 Summary
  4.2 Daily life of Kubernetes geeks: DIY an Ingress Controller
    4.2.1 General framework of an Ingress Controller
    4.2.2 Nginx Ingress Controller in detail
    4.2.3 Summary
  4.3 Sea change: the evolution of the Kubernetes DNS architecture
    4.3.1 How Kube-dns works
    4.3.2 CoreDNS takes over
    4.3.3 Kube-dns vs. CoreDNS
    4.3.4 Summary
  4.4 Your security is my responsibility: Kubernetes network policy with Calico
    4.4.1 Deploying a Kubernetes cluster with Calico
    4.4.2 Testing Calico network policy
Chapter 5 A hundred flowers in bloom: the Kubernetes network plugin ecosystem
  5.1 From getting started to giving up: shortcomings of Docker's native networking
  5.2 The CNI standard wins: no more CNM
    5.2.1 Converting between CNI and CNM
    5.2.2 How CNI works
    5.2.3 Why Kubernetes does not use Libnetwork
  5.3 flannel, the ancestor of Kubernetes network plugins
    5.3.1 Introduction to flannel
    5.3.2 Installing and configuring flannel
    5.3.3 flannel backends in detail
    5.3.4 flannel and etcd
    5.3.5 Summary
  5.4 Layer-3 network plugin: Calico
    5.4.1 Introduction to Calico
    5.4.2 Calico's tunnel mode
    5.4.3 Installing Calico
    5.4.4 Calico packet path
    5.4.5 Calico usage guide
    5.4.6 Why Calico networking chose BGP
    5.4.7 Summary
  5.5 Weave: a network plugin that supports data encryption
    5.5.1 Introduction to Weave
    5.5.2 How Weave is implemented
    5.5.3 Installing Weave
    5.5.4 Weave network communication model
    5.5.5 Weave application examples
    5.5.6 Summary
  5.6 Cilium: built for secure network connectivity between microservices
    5.6.1 Why use Cilium
    5.6.2 API-centric microservice security
    5.6.3 BPF-optimized data plane performance
    5.6.4 Trying Cilium: network policy
    5.6.5 Summary
  5.7 A pioneer of Kubernetes multi-networking: CNI-Genie
    5.7.1 Why CNI-Genie is needed
    5.7.2 A quick tour of CNI-Genie features
    5.7.3 Multiple IPs per container
Chapter 6 The second half of Kubernetes networking: Istio
  6.1 An earthquake in microservice architecture: the sidecar pattern
    6.1.1 Do you really need a Service Mesh
    6.1.2 The sidecar pattern
    6.1.3 Service Mesh and sidecar
    6.1.4 Kubernetes Service vs. Service Mesh
    6.1.5 Linkerd, a typical Service Mesh implementation
  6.2 Istio: the new-generation microservice architecture trend
    6.2.1 Introduction to Istio
    6.2.2 Installing Istio
    6.2.3 How Istio routing rules are implemented
  6.3 All without saying a word: transparent Istio sidecar injection
    6.3.1 Init containers
    6.3.2 Sidecar injection example
    6.3.3 Manual sidecar injection
    6.3.4 Automatic sidecar injection
    6.3.5 Communication from the application container to the sidecar proxy
  6.4 No longer troubled by iptables scripts: the Istio CNI plugin
  6.5 Beyond microservices, Istio can do more
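Synopsis
This book is a foundational and advanced text on container and Kubernetes networking. It aims to help more people understand and learn the underlying network models and implementation mechanisms of the cloud-native era, and to guide enterprises in choosing a network solution when adopting cloud native. The book consists of four parts (container network virtualization fundamentals, Docker container networking, Kubernetes networking and Istio networking) in 6 chapters. Chapter 1, on container network virtualization fundamentals, walks through the kernel technologies that underpin container networking. Chapter 2 briefly introduces Docker's native container networking capabilities. Kubernetes networking takes up 3 chapters: Chapter 3 introduces the basic concepts and usage of Kubernetes networking, Chapter 4 dissects the underlying implementation of Kubernetes networking, and Chapter 5 covers the industry's mainstream Kubernetes network plugins in detail. Istio networking takes 1 chapter, focusing on the mechanisms behind Istio network traffic management. The book is suitable as reference material for cloud computing courses in computer-related majors at colleges and universities, and for cloud computing practitioners, especially all readers who want a deeper understanding of cloud-native networking technology and hope to apply it in their daily work.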
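About the author
杜军 (Du Jun), author
"李永会 (Li Yonghui), engineer in the Baidu App Mobile R&D Department. Has worked at Baidu since 2015 on client development for image search and voice search, leading several important innovation projects, including Baidu Lens and real-time translation. Also responsible for development of the open-source mobile deep learning framework Paddle-Lite, with long experience in high-performance computing optimization for mobile AI, running deep learning technology at high performance on a variety of hardware and software platforms. Hobbies outside work include reading history and calligraphy. "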
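Abstract
"Author's preface: Origins. Over the years, I have observed that every major technical innovation in the Linux world originates in the kernel and, through layer upon layer of user-facing abstraction and encapsulation, evolves into the endless variety of the application layer. As the saying goes, however much things change, they never depart from their origin! I consider myself an "old school" person, and I firmly believe that the essential things that keep this world running do not change easily. Although new technologies are dazzling, practical techniques and tools that have been tempered by time always stay fresh. A good example is traditional network virtualization and BGP, which have found a second life in the new bottle that is containers. So when a fashionable new technology appears, my reaction is to ask how it is implemented underneath, while the flashy-looking features hold little interest for me. In the years when OpenStack was on the rise, while everyone was talking about components such as nova and neutron that schedule virtual machines and networks, I quietly read through the source code of the Kernel-based Virtual Machine (KVM). To this day I remember that wonderful feeling vividly, just like an avid photography enthusiast walking into a darkroom and ecstatically hand-developing a tangible film image, and so on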