
Calico | Capturing IPIP traffic on the host NIC | Container IP

heidsoft
Published 2022-06-09 18:10:47

Why does my container have a route to 169.254.1.1?

In a Calico network, each host acts as a gateway router for the workloads that it hosts. In container deployments, Calico uses 169.254.1.1 as the address for the Calico router. By using a link-local address, Calico saves precious IP addresses and avoids burdening the user with configuring a suitable address.

While the routing table may look a little odd to someone who is used to configuring LAN networking, using explicit routes rather than subnet-local gateways is fairly common in WAN networking.

How do I view Calico CNI logs?

The Calico CNI plugin emits logs to stderr, which are then logged out by the kubelet. Where these logs end up depends on how your kubelet is configured. For deployments using systemd, you can view them via journalctl.

The log level can be configured via the CNI network configuration file, by changing the value of the key log_level. See Configuring the Calico CNI plugins for more information.

Why can’t I see the 169.254.1.1 address mentioned above on my host?

Calico tries hard to avoid interfering with any other configuration on the host. Rather than adding the gateway address to the host side of each workload interface, Calico sets the proxy_arp flag on the interface. This makes the host behave like a gateway, responding to ARPs for 169.254.1.1 without having to actually allocate the IP address to the interface.

Why do all cali* interfaces have the MAC address ee:ee:ee:ee:ee:ee?

In some setups the kernel is unable to generate a persistent MAC address and so Calico assigns a MAC address itself. Since Calico uses point-to-point routed interfaces, traffic does not reach the data link layer, so the MAC address is never used and can therefore be the same for all the cali* interfaces.

Can I prevent my Kubernetes pods from initiating outgoing connections?

Yes! The Kubernetes NetworkPolicy API added support for egress policies in v1.8. You can also use calicoctl to configure egress policy to prevent Kubernetes pods from initiating outgoing connections based on the full set of supported Calico policy primitives including labels, Kubernetes namespaces, CIDRs, and ports.

I’ve heard Calico uses proxy ARP, doesn’t proxy ARP cause a lot of problems?

It can, but not in the way that Calico uses it.

In container deployments, Calico only uses proxy ARP for resolving the 169.254.1.1 address. The routing table inside the container ensures that all traffic goes via the 169.254.1.1 gateway so that is the only IP that will be ARPed by the container.
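As an added illustration (not part of the original post or of the Calico project), the shell audit below checks the host-side facts stated in the FAQ above: proxy_arp set on every cali* interface, the shared MAC ee:ee:ee:ee:ee:ee, and a pod routing table made up only of the default route via 169.254.1.1 and the link-scope route to it. The optional ROOT prefix and the fake /proc and /sys tree it allows are assumptions made so the checks can be exercised offline.

```shell
#!/bin/sh
# Audit the Calico host-side behaviours described in the FAQ.
# ROOT (first argument) defaults to the real filesystem; a constructed
# tree can be supplied instead to exercise the checks offline (assumption).

# 1. Each cali* interface should have proxy_arp=1: this is how the host
#    answers ARP for 169.254.1.1 without owning the address. The MAC is
#    informational only, since the point-to-point link never uses it.
check_cali_ifaces() {
    root="${1:-}"
    found=0 bad=0
    for conf in "$root"/proc/sys/net/ipv4/conf/cali*; do
        [ -d "$conf" ] || continue
        found=$((found + 1))
        ifname=$(basename "$conf")
        proxy=$(cat "$conf/proxy_arp" 2>/dev/null || echo "?")
        mac=$(cat "$root/sys/class/net/$ifname/address" 2>/dev/null || echo "?")
        if [ "$proxy" != "1" ]; then
            echo "WARN $ifname: proxy_arp=$proxy (expected 1)"
            bad=$((bad + 1))
        fi
        if [ "$mac" != "ee:ee:ee:ee:ee:ee" ]; then
            echo "INFO $ifname: MAC $mac (Calico-assigned MAC is ee:ee:ee:ee:ee:ee)"
        fi
    done
    [ "$found" -gt 0 ] || { echo "no cali* interfaces under ${root:-/}"; return 2; }
    [ "$bad" -eq 0 ]
}

# 2. Inside the pod, `ip route` should show exactly two entries: the default
#    route via 169.254.1.1 and the /32 link-scope route that makes that
#    gateway reachable. Reads the `ip route` text from stdin, so it works on
#    live output (e.g. via nsenter -n) and on saved captures alike.
check_pod_routes() {
    awk '
        /^default via 169\.254\.1\.1 / { def = 1; next }
        /^169\.254\.1\.1 dev .* scope link/ { host = 1; next }
        { other++; print "WARN unexpected route: " $0 }
        END {
            if (!def)  print "WARN no default route via 169.254.1.1"
            if (!host) print "WARN no link-scope route to 169.254.1.1"
            exit !(def && host && other == 0)
        }'
}

# Stand-alone use: ./calico_audit.sh --host audits the live host; for a pod,
# pipe its routes in: nsenter -t <pod-pid> -n ip route | check_pod_routes
if [ "${1:-}" = "--host" ]; then check_cali_ifaces ""; fi
```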

https://projectcalico.docs.tigera.io/reference/faq#how-do-i-get-network-traffic-into-and-out-of-my-calico-cluster

https://www.sobyte.net/post/2022-03/how-the-kubernetes-network-plugin-works/

https://www.securityandit.com/network/kubernetes-network-cluster-architecture/

https://itnext.io/kubernetes-network-deep-dive-7492341e0ab5

https://blog.csdn.net/qq_38473097/article/details/106790303

https://danielmiessler.com/study/tcpdump/#host

https://www.itsupportwale.com/blog/tcpdump-examples/

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/configuring-ip-tunnels_configuring-and-managing-networking

http://cs.uccs.edu/~scold/iptunnel.htm

https://serverfault.com/questions/1094896/route-traffic-through-ipip-tunnels

https://github.com/apprenda/kismatic/blob/master/docs/troubleshooting-calico.md

https://www.cnblogs.com/orchidzjl/p/14908131.html

This article takes part in the Tencent Cloud Self-Media Sync Exposure Program and is shared from the WeChat official account 云数智圈.
Originally published: 2022-04-26. For infringement concerns, contact cloudcommunity@tencent.com for removal.
