
Calico IPAM | Explained and Enhanced

Author: heidsoft
Published: 2022-04-18 19:28:53

Managing IP addresses is an essential, but often overlooked, aspect of container networking. Each networking plugin has its own approach to IP address management (IPAM, for short). The simplest approaches, such as that built into Kubernetes, assume the static allocation of a fixed set of addresses to each node. More advanced solutions, such as Calico, provide users more control and allow much finer-grained, dynamic IPAM.

Vocabulary notes: essential (basic, fundamental); aspect (facet, dimension); overlooked (neglected); approach (method, way); assume (presume, take for granted).

In our most recent release of Calico, v3.3, we introduced a collection of cool new IPAM features giving users even greater control. Today I’d like to take a closer look at these enhancements, what they’re capable of, and how they can be used together.

Vocabulary notes: introduced (brought in, adopted).

How does Calico’s IPAM work?


Before we get into the new features, let’s quickly go over how Calico’s IPAM works at a high level. It’s a pretty cool feature of Calico, even if it doesn’t usually make the headlines. Its primary goal is to provide efficient usage of the cluster’s IP address space in a way that’s flexible enough to meet a variety of deployment architectures.

Vocabulary notes: make the headlines (become front-page news); efficient (effective, economical).

At a high-level, Calico uses IP pools to define what IP ranges are valid to use for allocating pod IP addresses. IP Pools are configured by cluster administrators and applied using calicoctl. If using Calico’s overlay mode, they can be any private network IP range. Many users don’t use an overlay, however, and in that case the IP pools must use addresses that are available on the underlying network environment.


Within Calico’s IPAM engine, these IP pools are subdivided into smaller chunks – called blocks – which are then assigned to particular nodes in the cluster. Blocks are allocated dynamically to nodes as the number of running pods grows or shrinks. In particular, this means that Calico is much more efficient in its use of IP addresses when only a few pods are running on a node, and at the same time doesn’t impose any upper limit on the number of pods per node.

Vocabulary notes: subdivided (split into smaller parts); particular (specific); impose (place, enforce, levy).
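The block mechanism described above is easier to see with a small model. The following is an added example written for this page, not Calico's IPAM code: it splits a pool into blocks of the configured blockSize, lets nodes claim blocks on demand as pods are created, and returns an emptied block to the pool when its last pod goes away. The pool 172.16.0.0/26 with blockSize 29 is taken from the article; the node and pod names are made up.

```python
import ipaddress
from collections import defaultdict


class BlockAllocator:
    """Toy model of Calico-style IPAM: a pool is split into fixed-size blocks,
    blocks are claimed by nodes on demand, and pod IPs are handed out from a
    node's own blocks. Added illustration only, not Calico's implementation."""

    def __init__(self, cidr, block_size):
        self.pool = ipaddress.ip_network(cidr)
        if block_size < self.pool.prefixlen:
            raise ValueError("blockSize must not be larger than the pool itself")
        # Candidate blocks; none is owned by a node until a pod needs an address.
        self.free_blocks = list(self.pool.subnets(new_prefix=block_size))
        self.node_blocks = defaultdict(list)  # node name -> blocks it has claimed
        self.assigned = {}                    # IP address -> (node, pod)

    def allocate(self, node, pod):
        """Return an IP for `pod` on `node`, claiming a new block if needed."""
        for block in self.node_blocks[node]:
            for ip in block:                  # every address in a block is usable
                if ip not in self.assigned:
                    self.assigned[ip] = (node, pod)
                    return ip
        if not self.free_blocks:
            raise RuntimeError(f"pool {self.pool} exhausted")
        block = self.free_blocks.pop(0)       # claim the lowest free block
        self.node_blocks[node].append(block)
        ip = next(iter(block))
        self.assigned[ip] = (node, pod)
        return ip

    def release(self, ip):
        """Free an IP; a block with no remaining pods goes back to the pool."""
        node, _ = self.assigned.pop(ip)
        for block in list(self.node_blocks[node]):
            if ip in block and not any(a in block for a in self.assigned):
                self.node_blocks[node].remove(block)
                self.free_blocks.append(block)
                self.free_blocks.sort()       # keep block order deterministic

    def blocks_of(self, node):
        return [str(b) for b in self.node_blocks[node]]


def demo():
    """Walk through growth and shrinkage on a /26 pool with /29 blocks."""
    ipam = BlockAllocator("172.16.0.0/26", block_size=29)   # pool from the article
    result = {"blocks_total": len(ipam.free_blocks)}        # 64 / 8 = 8 blocks
    # Nine pods on node-a: the first /29 fills after eight, so a second is claimed.
    ips_a = [ipam.allocate("node-a", f"nginx-{i}") for i in range(9)]   # constructed pods
    result["node_a_blocks"] = ipam.blocks_of("node-a")
    result["node_a_first"], result["node_a_ninth"] = str(ips_a[0]), str(ips_a[8])
    # A pod on another node gets the next unclaimed block, not node-a's space.
    result["node_b_first"] = str(ipam.allocate("node-b", "nginx-b0"))
    # Shrink: deleting the only pod in node-a's second block releases that block.
    ipam.release(ips_a[8])
    result["node_a_after_release"] = ipam.blocks_of("node-a")
    result["free_after_release"] = len(ipam.free_blocks)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the capacity arithmetic: a node holding two /29 blocks consumes 16 addresses of the pool even if only nine pods are running, and once all eight blocks of the /26 are claimed, further pod creations fail regardless of which node they land on. That is the trade-off the configurable block size lets an operator tune.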

So what’s new?

Calico v3.3 introduces two new enhancements to Calico IPAM:


  • Configurable block sizes: Until now, the number of IP addresses in each block has been fixed at 64 (a “/26” in CIDR notation, which leaves 6 host bits, so 2^6 = 64 addresses). This default was chosen because it works well for most users. However, for some users under intense IP address pressure, or those with special-case needs, a smaller IP pool and block size may be required.
  • Per-namespace IP pools: Sometimes it is useful to define multiple pools of addresses within your cluster. Calico now allows you to assign a given IP pool to one or more Kubernetes namespaces. One way to make use of this is for assigning separate IP spaces to particular teams, users, or applications within a Kubernetes cluster, allowing external firewalls to be configured with static rules based on specific IP ranges. This extends Calico’s existing support for specifying IP pools on a per-pod and per-node basis.

Suppose we want to provide a limited set of externally available IP addresses to applications in an “external” namespace, but want applications in the “private” namespace to use private IPs. We can do this by creating two small IP pools and assigning them to particular namespaces.


Step 1: Create the IP pools

Let’s start by creating the IP pools for our cluster – one for each namespace we intend to use. In this example, we’ll create two.

To do this, create a manifest file “pools.yaml” with the following contents:


apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: external-pool
spec:
  cidr: 172.16.0.0/26
  blockSize: 29
  ipipMode: Always
  natOutgoing: true
---
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: internal-pool
spec:
  cidr: 192.169.0.0/24
  blockSize: 29
  ipipMode: Always
  natOutgoing: true

Then apply the manifest with calicoctl:

calicoctl apply -f pools.yaml

We just created two new IP pools. The external pool is limited to 64 addresses in total. The pools have the blockSize option set to 29, meaning that blocks allocated from those pools will be /29 CIDR blocks containing 8 addresses each (3 host bits remain, so 2^3 = 8).

Step 2: Assign each pool to a namespace


Now that we’ve created the pools, we can assign each one to a different Kubernetes namespace.

First, create two namespaces using kubectl:


kubectl create namespace external-ns
kubectl create namespace internal-ns

Then annotate each namespace, telling Calico to use only the specified pools:


kubectl annotate namespace external-ns "cni.projectcalico.org/ipv4pools"='["external-pool"]'
kubectl annotate namespace internal-ns "cni.projectcalico.org/ipv4pools"='["internal-pool"]'

(The annotation value is a JSON list, so it must use straight double quotes inside the single-quoted shell string; typographic quotes pasted from a web page will not parse.)

(As an aside, note that you can now reference the pool explicitly by name – that is also an enhancement in Calico v3.3.)
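Before applying pool manifests and namespace annotations, it is worth checking them offline for the mistakes that bite in practice: a blockSize outside the range Calico accepts or larger than its pool, overlapping pool CIDRs, and an ipv4pools annotation that is not valid JSON or names a pool that does not exist. The checker below is an added example for this page, not part of Calico or its tooling; it mirrors the two pools from Step 1 and the two annotations from Step 2 as plain Python dicts (constructed here rather than parsed from YAML, to avoid a YAML dependency). The accepted IPv4 blockSize range of 20 to 32 and default of 26 (116 to 128, default 122 for IPv6) follow Calico's IPPool documentation.

```python
import ipaddress
import json

# Constructed inputs mirroring the manifests in Steps 1 and 2.
POOLS = [
    {"name": "external-pool", "cidr": "172.16.0.0/26", "blockSize": 29},
    {"name": "internal-pool", "cidr": "192.169.0.0/24", "blockSize": 29},
]
NAMESPACE_ANNOTATIONS = {
    "external-ns": {"cni.projectcalico.org/ipv4pools": '["external-pool"]'},
    "internal-ns": {"cni.projectcalico.org/ipv4pools": '["internal-pool"]'},
}
ANNOTATION_KEY = "cni.projectcalico.org/ipv4pools"


def _block_size(pool, net):
    # Calico's documented defaults: /26 for IPv4 pools, /122 for IPv6 pools.
    return pool.get("blockSize", 26 if net.version == 4 else 122)


def check_pools(pools):
    """Return a list of problems found in the IPPool specs (empty list = ok)."""
    problems, seen = [], {}
    for p in pools:
        net = ipaddress.ip_network(p["cidr"], strict=False)
        size = _block_size(p, net)
        lo, hi = (20, 32) if net.version == 4 else (116, 128)  # documented Calico range
        if not lo <= size <= hi:
            problems.append(f"{p['name']}: blockSize {size} outside {lo}..{hi}")
        elif size < net.prefixlen:
            problems.append(f"{p['name']}: blockSize /{size} is larger than pool {net}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                problems.append(f"{p['name']} overlaps {other}")
        seen[p["name"]] = net
    return problems


def pool_capacity(pool):
    """How many addresses, blocks, and addresses per block a pool yields."""
    net = ipaddress.ip_network(pool["cidr"], strict=False)
    size = _block_size(pool, net)
    return {
        "addresses": net.num_addresses,
        "blocks": 2 ** (size - net.prefixlen),
        "per_block": 2 ** (net.max_prefixlen - size),
    }


def check_namespace_pools(annotations, pools):
    """Validate ipv4pools annotations: a JSON list of pool names or pool CIDRs."""
    names = {p["name"] for p in pools}
    cidrs = {ipaddress.ip_network(p["cidr"], strict=False) for p in pools}
    problems = []
    for ns, ann in annotations.items():
        raw = ann.get(ANNOTATION_KEY)
        if raw is None:
            continue                      # unannotated namespace: any pool may be used
        try:
            entries = json.loads(raw)
        except json.JSONDecodeError:
            problems.append(f"{ns}: annotation is not valid JSON: {raw!r}")
            continue
        if not isinstance(entries, list) or not all(isinstance(e, str) for e in entries):
            problems.append(f"{ns}: annotation must be a JSON list of strings")
            continue
        for entry in entries:
            if entry in names:
                continue
            try:
                if ipaddress.ip_network(entry, strict=False) in cidrs:
                    continue
            except ValueError:
                pass
            problems.append(f"{ns}: references unknown pool {entry!r}")
    return problems


if __name__ == "__main__":
    for pool in POOLS:
        print(pool["name"], pool_capacity(pool))
    print("pool problems:", check_pools(POOLS))
    print("annotation problems:", check_namespace_pools(NAMESPACE_ANNOTATIONS, POOLS))
```

Run against the article's own manifests the checker reports no problems and shows that external-pool is only eight /29 blocks deep: with each node claiming at least one block, at most eight nodes can ever host a pod from that namespace, which is the kind of limit worth knowing before the first pod is stuck in ContainerCreating.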

Step 3: Create some pods


Now that we’ve configured the new namespaces, let’s launch some pods in each. In this example, we’ll launch three nginx pods in each namespace.


kubectl run nginx --image nginx --namespace external-ns --replicas 3
kubectl run nginx --image nginx --namespace internal-ns --replicas 3

(The --replicas flag was removed from kubectl run in kubectl 1.18. On current clusters the equivalent is kubectl create deployment nginx --image nginx --namespace external-ns --replicas 3, which produces the same Deployment-managed pods shown below.)

Using kubectl, you can now view the assigned IP addresses – you’ll see that the pods in external-ns have IPs from 172.16.0.0/26, whereas pods within internal-ns have IPs from 192.169.0.0/24.


kubectl get pods -o wide -n external-ns

NAME                     READY STATUS RESTARTS   AGE IP NODE
nginx-65899c769f-8pvlc   1/1 Running 0      2m 172.16.0.32 casey-crc-kadm-node-0
nginx-65899c769f-lrr2l   1/1 Running 0      2m 172.16.0.34 casey-crc-kadm-node-0
nginx-65899c769f-qt6nn   1/1 Running 0      2m 172.16.0.33 casey-crc-kadm-node-0

kubectl get pods -o wide -n internal-ns

NAME                     READY STATUS RESTARTS   AGE IP NODE
nginx-65899c769f-jxdd6   1/1 Running 0      2m 192.169.0.34 casey-crc-kadm-node-0
nginx-65899c769f-xqzsc   1/1 Running 0      2m 192.169.0.33 casey-crc-kadm-node-0
nginx-65899c769f-zbbm5   1/1 Running 0      2m 192.169.0.32 casey-crc-kadm-node-0
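Eyeballing the IP column works for six pods; for a namespace whose pool backs firewall rules you want an automated check that every pod address really falls inside the assigned pool. The script below is an added example for this page (not Calico or kubectl tooling): it parses the kubectl get pods -o wide output reproduced above (embedded here as a constructed copy), flags any pod whose IP lies outside the expected pool, and groups the in-pool pods by the /29 block they were allocated from.

```python
import ipaddress

# Constructed copy of the `kubectl get pods -o wide -n external-ns` output above.
EXTERNAL_NS_OUTPUT = """\
NAME                     READY STATUS RESTARTS   AGE IP NODE
nginx-65899c769f-8pvlc   1/1 Running 0      2m 172.16.0.32 casey-crc-kadm-node-0
nginx-65899c769f-lrr2l   1/1 Running 0      2m 172.16.0.34 casey-crc-kadm-node-0
nginx-65899c769f-qt6nn   1/1 Running 0      2m 172.16.0.33 casey-crc-kadm-node-0
"""


def parse_wide_output(text):
    """Return [(pod, ip, node)] from `kubectl get pods -o wide` text.

    Columns are NAME READY STATUS RESTARTS AGE IP NODE (newer kubectl appends
    NOMINATED NODE and READINESS GATES after NODE, which does not shift these).
    """
    pods = []
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 7:
            continue
        pods.append((fields[0], fields[5], fields[6]))
    return pods


def audit_pod_ips(pods, pool_cidr, block_size):
    """Check every pod IP against the pool it should have come from."""
    pool = ipaddress.ip_network(pool_cidr)
    report = {"in_pool": [], "out_of_pool": [], "no_ip": [], "blocks": {}}
    for pod, ip, node in pods:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                        # e.g. "<none>" for a pending pod
            report["no_ip"].append(pod)
            continue
        if addr not in pool:
            report["out_of_pool"].append((pod, ip))
            continue
        report["in_pool"].append(pod)
        # The block is the enclosing /<blockSize> network of the address.
        block = str(ipaddress.ip_network(f"{addr}/{block_size}", strict=False))
        report["blocks"].setdefault(block, []).append((pod, node))
    return report


if __name__ == "__main__":
    pods = parse_wide_output(EXTERNAL_NS_OUTPUT)
    report = audit_pod_ips(pods, "172.16.0.0/26", 29)
    print("out of pool:", report["out_of_pool"])
    for block, members in report["blocks"].items():
        print(block, "->", [pod for pod, _ in members])
```

On the article's output all three external-ns pods land in 172.16.0.32/29, a single block claimed by casey-crc-kadm-node-0, and nothing is reported outside 172.16.0.0/26. Running the same audit with the internal pool's CIDR against the external-ns output (or the other way round) is a quick way to confirm that the namespace annotations, rather than the default pool, are actually governing allocation.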

Summary

Calico already had some of the most advanced IPAM features in any container networking solution. With the new features in v3.3, Calico now provides even richer controls for cluster operators. For most users, the Calico IPAM defaults will continue to meet their needs well. For others who need the flexibility, you can now very easily control block size and assign IP addresses based on Kubernetes per-namespace, per-node, and per-pod pools.


Original article: https://www.tigera.io/blog/calico-ipam-explained-and-enhanced/

Originally published 2022-03-29; shared here from the 云数智圈 WeChat public account.