十一、Kubernetes学习笔记—网络模型、插件、策略

#使用以下命令查看docker原生的三种网络
[root@localhost ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
0efec019c899        bridge              bridge              local
40add8bb5f07        host                host                local
ad94f0b1cca6        none                null                local

#none网络，在该网络下的容器仅有lo网卡，属于封闭式网络，通常用于对安全性要求较高并且不需要联网的应用
[root@localhost ~]# docker run -it --network=none busybox
/ # ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

#host网络，共享宿主机的网络名称空间，容器网络配置和host一致，但是存在端口冲突的问题
[root@localhost ~]# docker run -it --network=host busybox
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:69:a7:23 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.4/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 84129sec preferred_lft 84129sec
    inet6 fe80::20c:29ff:fe69:a723/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue 
    link/ether 02:42:29:09:8f:dd brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:29ff:fe09:8fdd/64 scope link 
       valid_lft forever preferred_lft forever
/ # hostname
localhost

#bridge网络，Docker安装完成时会创建一个名为docker0的linux bridge，不指定网络时，创建的网络默认为桥接网络，都会桥接到docker0上。
[root@localhost ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.024229098fdd	no		

[root@localhost ~]# docker run -d nginx	#运行一个nginx容器
c760a1b6c9891c02c992972d10a99639d4816c4160d633f1c5076292855bbf2b

[root@localhost ~]# brctl show		
bridge name	bridge id		STP enabled	interfaces
docker0		8000.024229098fdd	no		veth3f1b114

#一个新的网络接口veth3f1b114桥接到了docker0上，veth3f1b114就是新创建的容器的虚拟网卡。进入容器查看其网络配置：
[root@localhost ~]# docker exec -it c760a1b6c98 bash
root@c760a1b6c989:/# apt-get update
root@c760a1b6c989:/# apt-get iproute
root@c760a1b6c989:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
38: eth0@if39: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

[root@k8s-master ~]# cat /etc/cni/net.d/10-flannel.conflist 
{
  "name": "cbr0",
  "plugins": [
    {
      "type": "flannel",
      "delegate": {
        "hairpinMode": true,
        "isDefaultGateway": true
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    }
  ]
}

# kubelet调用第三方插件，进行网络地址的分配

[root@k8s-master:~# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/bc79dd1505b0c8681ece4de4c0d86c5cd2643275/Documentation/kube-flannel.yml
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.extensions/kube-flannel-ds-amd64 created
daemonset.extensions/kube-flannel-ds-arm64 created
daemonset.extensions/kube-flannel-ds-arm created
daemonset.extensions/kube-flannel-ds-ppc64le created
daemonset.extensions/kube-flannel-ds-s390x created

#输出如下结果表示flannel可以正常运行了
[root@k8s-master ~]# kubectl get daemonset -n kube-system
NAME              DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE   NODE SELECTOR                   AGE
kube-flannel-ds   3         3         3         3            3           beta.kubernetes.io/arch=amd64   202d
kube-proxy        3         3         3         3            3           beta.kubernetes.io/arch=amd64   202d

[root@k8s-master ~]# kubectl get node
NAME         STATUS    ROLES     AGE       VERSION
k8s-master   Ready     master    202d      v1.11.2
k8s-node01   Ready     <none>    202d      v1.11.2
k8s-node02   Ready     <none>    201d      v1.11.2

#master节点的flannel.1网络接口，其网段为：10.244.0.0
[root@k8s-master ~]# ifconfig flannel.1
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.244.0.0  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::31:5dff:fe01:4bc0  prefixlen 64  scopeid 0x20<link>
        ether 02:31:5d:01:4b:c0  txqueuelen 0  (Ethernet)
        RX packets 1659239  bytes 151803796 (144.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2115439  bytes 6859187242 (6.3 GiB)
        TX errors 0  dropped 10 overruns 0  carrier 0  collisions 0

#node1节点的flannel.1网络接口，其网段为：10.244.1.0
[root@k8s-node01 ~]# ifconfig flannel.1
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.244.1.0  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::2806:4ff:fe71:2253  prefixlen 64  scopeid 0x20<link>
        ether 2a:06:04:71:22:53  txqueuelen 0  (Ethernet)
        RX packets 136904  bytes 16191144 (15.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 180775  bytes 512637365 (488.8 MiB)
        TX errors 0  dropped 8 overruns 0  carrier 0  collisions 0

#node2节点的flannel.1网络接口，其网段为：10.244.2.0
[root@k8s-node02 ~]# ifconfig flannel.1
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.244.2.0  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::58b7:7aff:fe8d:2d  prefixlen 64  scopeid 0x20<link>
        ether 5a:b7:7a:8d:00:2d  txqueuelen 0  (Ethernet)
        RX packets 9847824  bytes 12463823121 (11.6 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2108796  bytes 185073173 (176.4 MiB)
        TX errors 0  dropped 13 overruns 0  carrier 0  collisions 0

#启动一个nginx容器，副本为3
[root@k8s-master ~]# kubectl run nginx --image=nginx:1.14 --port=80 --replicas=3
deployment.apps/nginx created

#查看Pod
[root@k8s-master ~]# kubectl get pods -o wide |grep nginx
nginx-5bd76bcc4f-8s64s                1/1       Running    0          2m        10.244.2.85    k8s-node02
nginx-5bd76bcc4f-mr6k5                1/1       Running    0          2m        10.244.1.146   k8s-node01
nginx-5bd76bcc4f-pb257                1/1       Running    0          2m        10.244.0.17    k8s-master

[root@k8s-master ~]# ifconfig cni0
cni0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.244.0.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::848a:beff:fe44:4959  prefixlen 64  scopeid 0x20<link>
        ether 0a:58:0a:f4:00:01  txqueuelen 1000  (Ethernet)
        RX packets 2772994  bytes 300522237 (286.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3180562  bytes 928687288 (885.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

#可以看到有一veth的网络接口桥接在cni0网桥上
[root@k8s-master ~]# brctl show cni0
bridge name	bridge id		STP enabled	interfaces
cni0		8000.0a580af40001	no		veth020fafae

#宿主机ping测试访问Pod ip
[root@k8s-master ~]# ping 10.244.0.17
PING 10.244.0.17 (10.244.0.17) 56(84) bytes of data.
64 bytes from 10.244.0.17: icmp_seq=1 ttl=64 time=0.291 ms
64 bytes from 10.244.0.17: icmp_seq=2 ttl=64 time=0.081 ms
^C
--- 10.244.0.17 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.055/0.129/0.291/0.094 ms

[root@k8s-master ~]# kubectl exec -it nginx-5bd76bcc4f-pb257 -- /bin/bash
root@nginx-5bd76bcc4f-pb257:/# ping 10.244.1.146
PING 10.244.1.146 (10.244.1.146) 56(84) bytes of data.
64 bytes from 10.244.1.146: icmp_seq=1 ttl=62 time=1.44 ms
64 bytes from 10.244.1.146: icmp_seq=2 ttl=62 time=0.713 ms
64 bytes from 10.244.1.146: icmp_seq=3 ttl=62 time=0.713 ms
64 bytes from 10.244.1.146: icmp_seq=4 ttl=62 time=0.558 ms
^C
--- 10.244.1.146 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.558/0.858/1.448/0.346 ms

[root@k8s-master ~]# ip route
......
10.244.1.0/24 via 10.244.1.0 dev flannel.1 onlink 
10.244.2.0/24 via 10.244.2.0 dev flannel.1 onlink 
......

#在宿主机和容器内都进行ping另外一台主机上的Pod ip并进行抓包
[root@k8s-master ~]# ping -c 10 10.244.1.146
[root@k8s-master ~]# kubectl exec -it nginx-5bd76bcc4f-pb257 -- /bin/bash
root@nginx-5bd76bcc4f-pb257:/# ping 10.244.1.146 

[root@k8s-master ~]# tcpdump -i flannel.1 -nn host 10.244.1.146
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on flannel.1, link-type EN10MB (Ethernet), capture size 262144 bytes

#宿主机ping后抓包情况如下：
22:22:35.737977 IP 10.244.0.0 > 10.244.1.146: ICMP echo request, id 29493, seq 1, length 64
22:22:35.738902 IP 10.244.1.146 > 10.244.0.0: ICMP echo reply, id 29493, seq 1, length 64
22:22:36.739042 IP 10.244.0.0 > 10.244.1.146: ICMP echo request, id 29493, seq 2, length 64
22:22:36.739789 IP 10.244.1.146 > 10.244.0.0: ICMP echo reply, id 29493, seq 2, length 64

#容器ping后抓包情况如下：
22:33:49.295137 IP 10.244.0.17 > 10.244.1.146: ICMP echo request, id 837, seq 1, length 64
22:33:49.295933 IP 10.244.1.146 > 10.244.0.17: ICMP echo reply, id 837, seq 1, length 64
22:33:50.296736 IP 10.244.0.17 > 10.244.1.146: ICMP echo request, id 837, seq 2, length 64
22:33:50.297222 IP 10.244.1.146 > 10.244.0.17: ICMP echo reply, id 837, seq 2, length 64
22:33:51.297556 IP 10.244.0.17 > 10.244.1.146: ICMP echo request, id 837, seq 3, length 64
22:33:51.298054 IP 10.244.1.146 > 10.244.0.17: ICMP echo reply, id 837, seq 3, length 64
#可以看到报文都是经过flannel.1网络接口进入2层隧道进而转发

[root@k8s-master ~]# vim kube-flannel.yml 
......
 net-conf.json: |
    {
      "Network": "10.244.0.0/16",	#默认网段
      "Backend": {
        "Type": "vxlan",
        "Directrouting": true	#增加
      }
    }
......

[root@k8s-master ~]# kubectl apply -f kube-flannel.yml 
clusterrole.rbac.authorization.k8s.io/flannel configured
clusterrolebinding.rbac.authorization.k8s.io/flannel configured
serviceaccount/flannel unchanged
configmap/kube-flannel-cfg configured
daemonset.extensions/kube-flannel-ds-amd64 created
daemonset.extensions/kube-flannel-ds-arm64 created
daemonset.extensions/kube-flannel-ds-arm created
daemonset.extensions/kube-flannel-ds-ppc64le created
daemonset.extensions/kube-flannel-ds-s390x created

#查看路由信息
[root@k8s-master ~]# ip route
......
10.244.1.0/24 via 192.168.56.12 dev eth0 
10.244.2.0/24 via 192.168.56.13 dev eth0 
......

target 		prot 	opt 	source 				destination 
ACCEPT 		all 	-- 	10. 244. 0. 0/ 16 		0. 0. 0. 0/ 0 
ACCEPT 		all 	-- 	0. 0. 0. 0/ 0 		    10. 244. 0. 0/ 16

[root@k8s-master ~]# tcpdump -i flannel.1 -nn host 10.244.1.146
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on flannel.1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

[root@k8s-master ~]# tcpdump -i eth0 -nn host 10.244.1.146
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:48:52.376393 IP 10.244.0.17 > 10.244.1.146: ICMP echo request, id 839, seq 1, length 64
22:48:52.376877 IP 10.244.1.146 > 10.244.0.17: ICMP echo reply, id 839, seq 1, length 64
22:48:53.377005 IP 10.244.0.17 > 10.244.1.146: ICMP echo request, id 839, seq 2, length 64
22:48:53.377621 IP 10.244.1.146 > 10.244.0.17: ICMP echo reply, id 839, seq 2, length 64

22:50:28.647490 IP 192.168.56.11 > 10.244.1.146: ICMP echo request, id 46141, seq 1, length 64
22:50:28.648320 IP 10.244.1.146 > 192.168.56.11: ICMP echo reply, id 46141, seq 1, length 64
22:50:29.648958 IP 192.168.56.11 > 10.244.1.146: ICMP echo request, id 46141, seq 2, length 64
22:50:29.649380 IP 10.244.1.146 > 192.168.56.11: ICMP echo reply, id 46141, seq 2, length 64

[root@k8s-master ~]# vim kube-flannel.yml 
......
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "host-gw"
      }
    }
......

[root@k8s-master ~]# kubectl apply -f kube-flannel.yml 

#查看路由表信息，可以看到其报文的发送方向都是和Directrouting是一样的
[root@k8s-master ~]# ip route
......
10.244.1.0/24 via 192.168.56.12 dev eth0 
10.244.2.0/24 via 192.168.56.13 dev eth0 
.....

#进行ping包测试
[root@k8s-master ~]# ping -c 2 10.244.1.146

#在eth0上进行抓包
[root@k8s-master ~]# tcpdump -i eth0 -nn host 10.244.1.146
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:11:05.556972 IP 192.168.56.11 > 10.244.1.146: ICMP echo request, id 59528, seq 1, length 64
23:11:05.557794 IP 10.244.1.146 > 192.168.56.11: ICMP echo reply, id 59528, seq 1, length 64
23:11:06.558231 IP 192.168.56.11 > 10.244.1.146: ICMP echo request, id 59528, seq 2, length 64
23:11:06.558610 IP 10.244.1.146 > 192.168.56.11: ICMP echo reply, id 59528, seq 2, length 64

[root@k8s-master /]# wget https://docs.projectcalico.org/manifests/calico.yaml

[root@k8s-master /]# kubectl apply -f calico.yaml
[root@k8s-master /]# kubectl  get pods -n kube-system  | grep calico
calico-kube-controllers-578894d4cd-gfhbq     1/1     Running   0          1m
calico-node-9tkdh                            1/1     Running   0          1m
calico-node-cn5x4                            1/1     Running   0          1m
calico-node-d7tqf                            1/1     Running   0          1m

[root@k8s-master src]# wget https://github.com/projectcalico/calicoctl/releases/download/v3.14.2/calicoctl-linux-amd64
[root@k8s-master src]# mv calicoctl-linux-amd64  calicoctl
[root@k8s-master src]# chmod +x calicoctl 
[root@k8s-master src]# mv calicoctl  /usr/bin/

# 查看BGP建立的邻接关系状态
[root@k8s-master src]# calicoctl node  status
Calico process is running.

IPv4 BGP status
+--------------+-------------------+-------+------------+-------------+
| PEER ADDRESS |     PEER TYPE     | STATE |   SINCE    |    INFO     |
+--------------+-------------------+-------+------------+-------------+
| 192.168.1.42 | node-to-node mesh | up    | 2020-07-24 | Established |
| 192.168.1.43 | node-to-node mesh | up    | 2020-07-24 | Established |
+--------------+-------------------+-------+------------+-------------+

# 获取自治系统的编号
[root@k8s-master calico]# calicoctl get node --output=wide
NAME                 ASN       IPV4              IPV6   
k8s-master.nnv5.cn   (64512)   192.168.1.41/24          
k8s-node01.nnv5.cn   (64512)   192.168.1.42/24          
k8s-node02.nnv5.cn   (64512)   192.168.1.43/24


# 添加禁用node-to-node模式的配置文件
[root@k8s-master calico]# vim bgp.yaml
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: false
  asNumber: 64512
  
  
# 应用配置文件
[root@k8s-master calico]# calicoctl create -f bgp.yaml 
Successfully created 1 'BGPConfiguration' resource(s)


# 查看邻接信息
[root@k8s-master calico]# calicoctl node status 
Calico process is running.
IPv4 BGP status
No IPv4 peers found.
IPv6 BGP status
No IPv6 peers found.


# ping测试其他节点的pod的ip验证网络已经断开
[root@k8s-master calico]# ping 10.244.214.14
PING 10.244.214.14 (10.244.214.14) 56(84) bytes of data.
^C
--- 10.244.214.14 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

[root@k8s-master calico]# kubectl label node k8s-master.nnv5.cn route-reflector=true
node/k8s-master.nnv5.cn labeled

[root@k8s-master calico]#  calicoctl get node k8s-master.nnv5.cn -o yaml > k8s-master.yaml
[root@k8s-master calico]# vim k8s-master.yaml 
apiVersion: projectcalico.org/v3
kind: Node
metadata:
  annotations:
    projectcalico.org/kube-labels: '{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/os":"linux","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"k8s-master.nnv5.cn","kubernetes.io/os":"linux","node-role.kubernetes.io/master":"","route-reflector":"true"}'
  creationTimestamp: "2020-07-24T07:36:29Z"
  labels:
    beta.kubernetes.io/arch: amd64
    beta.kubernetes.io/os: linux
    kubernetes.io/arch: amd64
    kubernetes.io/hostname: k8s-master.nnv5.cn
    kubernetes.io/os: linux
    node-role.kubernetes.io/master: ""
    route-reflector: "true"
  name: k8s-master.nnv5.cn
  resourceVersion: "764936"
  uid: 23827993-3031-4e33-9f13-e826d07f7f16
spec:
  bgp:
    ipv4Address: 192.168.1.41/24
    routeReflectorClusterID: 244.0.0.1   # 集群ID（随意一个，不存在就行）
  orchRefs:
  - nodeName: k8s-master.nnv5.cn
    orchestrator: k8s
status: {}

[root@k8s-master calico]# calicoctl apply -f k8s-master.yaml 
Successfully applied 1 'Node' resource(s)

# 配置BGPPeer资源，告诉Node节点路由反射器。
[root@k8s-master calico]# vim BGPPeer.yaml
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: peer-with-route-reflectors
spec:
  nodeSelector: all()    #所有的节点
  peerSelector: route-reflector == 'true'


# 应用资源清单
[root@k8s-master calico]# calicoctl apply -f BGPPeer.yaml 
Successfully applied 1 'BGPPeer' resource(s)


# 查看bgppeer
[root@k8s-master calico]# calicoctl get bgppeer
NAME                         PEERIP   NODE    ASN   
peer-with-route-reflectors            all()   0


# 查看节点邻接状态（Master和两个节点建立连接，两个Node只和master建立连接）
[root@k8s-master calico]# calicoctl node status
Calico process is running.
IPv4 BGP status
+--------------+---------------+-------+----------+-------------+
| PEER ADDRESS |   PEER TYPE   | STATE |  SINCE   |    INFO     |
+--------------+---------------+-------+----------+-------------+
| 192.168.1.42 | node specific | up    | 05:44:18 | Established |
| 192.168.1.43 | node specific | up    | 05:44:18 | Established |
+--------------+---------------+-------+----------+-------------+
[root@k8s-node02 ~]# calicoctl node status 
Calico process is running.
IPv4 BGP status
+--------------+---------------+-------+----------+-------------+
| PEER ADDRESS |   PEER TYPE   | STATE |  SINCE   |    INFO     |
+--------------+---------------+-------+----------+-------------+
| 192.168.1.41 | node specific | up    | 05:44:19 | Established |
+--------------+---------------+-------+----------+-------------+
[root@k8s-node01 kubernetes]# calicoctl  node status
Calico process is running.
IPv4 BGP status
+--------------+---------------+-------+----------+-------------+
| PEER ADDRESS |   PEER TYPE   | STATE |  SINCE   |    INFO     |
+--------------+---------------+-------+----------+-------------+
| 192.168.1.41 | node specific | up    | 05:44:19 | Established |
+--------------+---------------+-------+----------+-------------+


# ping一个Pod的IP地址验证，发现网络通了。
[root@k8s-master calico]# ping 10.244.214.14
PING 10.244.214.14 (10.244.214.14) 56(84) bytes of data.
64 bytes from 10.244.214.14: icmp_seq=1 ttl=63 time=1.63 ms
64 bytes from 10.244.214.14: icmp_seq=2 ttl=63 time=0.378 ms


# 通过netstat命令查看节点间calico-node的连接
[root@k8s-master calico]# netstat -natp | grep bird
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN      18238/bird          
tcp        0      0 192.168.1.41:179        192.168.1.42:57510      ESTABLISHED 18238/bird          
tcp        0      0 192.168.1.41:179        192.168.1.43:52459      ESTABLISHED 18238/bird
[root@k8s-node01 kubernetes]# netstat -natp | grep bird
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN      14387/bird          
tcp        0      0 192.168.1.42:57510      192.168.1.41:179        ESTABLISHED 14387/bird 
[root@k8s-node02 ~]# netstat -natp | grep bird
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN      15181/bird          
tcp        0      0 192.168.1.43:52459      192.168.1.41:179        ESTABLISHED 15181/bird

# 首先为 k8s-node01.nnv5 这个节点打上 route-reflector=true 的标签
[root@k8s-master calico]# kubectl label node k8s-node01.nnv5.cn route-reflector=true
node/k8s-node01.nnv5.cn labeled


# 生成k8s-node01.nnv5.cn节点作为路由反射器的配置文件，添加和上面RR一致的集群ID并应用配置文件
[root@k8s-master calico]# calicoctl get node k8s-node01.nnv5.cn -o yaml > k8s-node01.yaml
[root@k8s-master calico]# vim k8s-node01.yaml 
apiVersion: projectcalico.org/v3
kind: Node
metadata:
  annotations:
    projectcalico.org/kube-labels: '{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/os":"linux","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"k8s-node01.nnv5.cn","kubernetes.io/os":"linux"}'
  creationTimestamp: "2020-07-24T07:37:07Z"
  labels:
    beta.kubernetes.io/arch: amd64
    beta.kubernetes.io/os: linux
    kubernetes.io/arch: amd64
    kubernetes.io/hostname: k8s-node01.nnv5.cn
    kubernetes.io/os: linux
  name: k8s-node01.nnv5.cn
  resourceVersion: "772347"
  uid: 4d733662-e5bb-48d6-921d-203bae330c0f
spec:
  bgp:
    ipv4Address: 192.168.1.42/24
    routeReflectorClusterID: 244.0.0.1   # 集群ID（必须和上面的那个RR设置为一致才可以）
  orchRefs:
  - nodeName: k8s-node01.nnv5.cn
    orchestrator: k8s
status: {}



# 应用反射路由器资源清单
[root@k8s-master calico]# calicoctl apply -f k8s-node01.yaml  
Failed to apply 'Node' resource: [update conflict: Node(k8s-node01.nnv5.cn)]
# 这里应用失败，我的解决办法是删除自动生成文件中 k8s-node01.yaml 的：creationTimestamp、resourceVersion、status这三个字段重新应用资源清单就可以了。
[root@k8s-master calico]# calicoctl apply -f k8s-node01.yaml 
Successfully applied 1 'Node' resource(s)


# 查看节点邻接状态（两个RR之间 master节点和node01节点互相建立连接，node02节点分别会和master和node01节点建立连接）
[root@k8s-master calico]# calicoctl  node status 
IPv4 BGP status
+--------------+---------------+-------+----------+-------------+
| PEER ADDRESS |   PEER TYPE   | STATE |  SINCE   |    INFO     |
+--------------+---------------+-------+----------+-------------+
| 192.168.1.43 | node specific | up    | 05:44:18 | Established |
| 192.168.1.42 | node specific | up    | 07:01:21 | Established |
+--------------+---------------+-------+----------+-------------+
[root@k8s-node01 kubernetes]# calicoctl  node status
IPv4 BGP status
+--------------+---------------+-------+----------+-------------+
| PEER ADDRESS |   PEER TYPE   | STATE |  SINCE   |    INFO     |
+--------------+---------------+-------+----------+-------------+
| 192.168.1.41 | node specific | up    | 07:01:21 | Established |
| 192.168.1.43 | node specific | up    | 07:03:05 | Established |
+--------------+---------------+-------+----------+-------------+
[root@k8s-node02 ~]# calicoctl  node status
IPv4 BGP status
+--------------+---------------+-------+----------+-------------+
| PEER ADDRESS |   PEER TYPE   | STATE |  SINCE   |    INFO     |
+--------------+---------------+-------+----------+-------------+
| 192.168.1.41 | node specific | up    | 05:44:20 | Established |
| 192.168.1.42 | node specific | up    | 07:03:07 | Established |
+--------------+---------------+-------+----------+-------------+


# 通过netstat命令查看节点间calico-node的连接
[root@k8s-master /]# netstat -natp | grep bird
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN      18238/bird          
tcp        0      0 192.168.1.41:179        192.168.1.42:27941      ESTABLISHED 18238/bird          
tcp        0      0 192.168.1.41:179        192.168.1.43:52459      ESTABLISHED 18238/bird
[root@k8s-node01 kubernetes]# netstat -natp | grep bird
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN      14387/bird          
tcp        0      0 192.168.1.42:27941      192.168.1.41:179        ESTABLISHED 14387/bird          
tcp        0      0 192.168.1.42:179        192.168.1.43:34314      ESTABLISHED 14387/bird
[root@k8s-node02 ~]# netstat -natp | grep bird
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN      15181/bird          
tcp        0      0 192.168.1.43:52459      192.168.1.41:179        ESTABLISHED 15181/bird          
tcp        0      0 192.168.1.43:34314      192.168.1.42:179        ESTABLISHED 15181/bird

[root@k8s-master src]# calicoctl node  status
Calico process is running.

IPv4 BGP status
+--------------+-------------------+-------+------------+-------------+
| PEER ADDRESS |     PEER TYPE     | STATE |   SINCE    |    INFO     |
+--------------+-------------------+-------+------------+-------------+
| 192.168.1.42 | node-to-node mesh | up    | 2020-07-24 | Established |
| 192.168.1.43 | node-to-node mesh | up    | 2020-07-24 | Established |
+--------------+-------------------+-------+------------+-------------+

[root@k8s-master /]# calicoctl get node
NAME                 
k8s-master.nnv5.cn   
k8s-node01.nnv5.cn   
k8s-node02.nnv5.cn 

[root@k8s-master /]# calicoctl get ippool
NAME                  CIDR            SELECTOR   
default-ipv4-ippool   10.244.0.0/16   all()

apiVersion: networking.k8s.io/v1		#定义API版本
kind: NetworkPolicy					   #定义资源类型
metadata:
  name: allow-myapp-ingress			    #定义NetwokPolicy的名字
  namespace: default
spec:								  #NetworkPolicy规则定义
  podSelector: 						   #匹配拥有标签app:myapp的Pod资源
    matchLabels:
      app: myapp
  policyTypes ["Ingress"]			    #NetworkPolicy类型，可以是Ingress，Egress，或者两者共存
  ingress:							  #定义入站规则
  - from:
    - ipBlock:						  #定义可以访问的网段
        cidr: 10.244.0.0/16
        except:						  #排除的网段
        - 10.244.3.0/24
    - podSelector:					  #选定当前default名称空间，标签为app:myapp可以入站
        matchLabels:
          app: myapp
    ports:							 #开放的协议和端口定义
    - protocol: TCP
      port: 80
  
#该网络策略就是将default名称空间中拥有标签"app=myapp"的Pod资源开放80/TCP端口给10.244.0.0/16网段，并排除10.244.3.0/24网段的访问，并且也开放给标签为app=myapp的所有Pod资源进行访问。  

[root@k8s-master ~]# mkdir network-policy-demo
[root@k8s-master ~]# cd network-policy-demo/
[root@k8s-master network-policy-demo]# vim httpd.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: httpd
spec:
  replicas: 3
  template:
    metadata:
      labels:
        run: httpd
    spec:
      containers:
      - name: httpd
        image: httpd:latest
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80

---
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  type: NodePort
  selector:
    run: httpd
  ports:
  - protocol: TCP
    nodePort: 30000
    port: 8080
    targetPort: 80

[root@k8s-master network-policy-demo]# kubectl apply -f httpd.yaml 
deployment.apps/httpd unchanged
service/httpd-svc created
[root@k8s-master network-policy-demo]# kubectl get pods -o wide |grep httpd
httpd-75f655479d-882hz                1/1       Running    0          4m        10.244.0.2     k8s-master
httpd-75f655479d-h7lrr                1/1       Running    0          4m        10.244.2.2     k8s-node02
httpd-75f655479d-kzr5g                1/1       Running    0          4m        10.244.1.2     k8s-node01

[root@k8s-master network-policy-demo]# kubectl get svc httpd-svc
NAME        TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
httpd-svc   NodePort   10.99.222.179   <none>        8080:30000/TCP   4m

#启动一个busybox Pod，可以访问Service，也可以ping副本的Pod

[root@k8s-master ~]# kubectl run busybox --rm -it --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget httpd-svc:8080
Connecting to httpd-svc:8080 (10.99.222.179:8080)
index.html           100% |*********************************************************************************************|    45  0:00:00 ETA
/ # ping -c 2 10.244.1.2
PING 10.244.1.2 (10.244.1.2): 56 data bytes
64 bytes from 10.244.1.2: seq=0 ttl=63 time=0.507 ms
64 bytes from 10.244.1.2: seq=1 ttl=63 time=0.228 ms

--- 10.244.1.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.228/0.367/0.507 ms


#集群节点也可以访问Sevice和ping通副本Pod
[root@k8s-node01 ~]# curl 10.99.222.179:8080
<html><body><h1>It works!</h1></body></html>
[root@k8s-node01 ~]# ping -c 2 10.244.2.2
PING 10.244.2.2 (10.244.2.2) 56(84) bytes of data.
64 bytes from 10.244.2.2: icmp_seq=1 ttl=63 time=0.931 ms
64 bytes from 10.244.2.2: icmp_seq=2 ttl=63 time=0.812 ms

--- 10.244.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.812/0.871/0.931/0.066 ms

#集群外部访问192.168.56.11:30000也是通的
[root@localhost ~]# curl 192.168.56.11:30000
<html><body><h1>It works!</h1></body></html>

[root@k8s-master network-policy-demo]# vim policy-demo.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}
  policyTypes: ["Ingress"]	
  #指明了Ingress生效规则，但不定义任何Ingress字段，因此不能匹配任何源端点，从而拒绝所有的入站流量

[root@k8s-master network-policy-demo]# kubectl apply -f policy-demo.yaml 
networkpolicy.networking.k8s.io/deny-all-ingress created
[root@k8s-master network-policy-demo]# kubectl get networkpolicy
NAME               POD-SELECTOR   AGE
deny-all-ingress   <none>         11s

#此时再去访问测试，是无法ping通，无法访问的
[root@k8s-master ~]# kubectl run busybox --rm -it --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget httpd-svc:8080
Connecting to httpd-svc:8080 (10.99.222.179:8080)
wget: can't connect to remote host (10.99.222.179): Connection timed out

[root@k8s-master network-policy-demo]# vim policy-demo.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-httpd
spec:
  podSelector: 
    matchLabels:
      run: httpd
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - ipBlock:
        cidr: 10.244.0.0/16
        except:
        - 10.244.2.0/24
        - 10.244.1.0/24
    - podSelector:
        matchLabels:
          access: "true"
    ports:
    - protocol: TCP
      port: 80

[root@k8s-master network-policy-demo]# kubectl apply -f policy-demo.yaml 
networkpolicy.networking.k8s.io/access-httpd created
[root@k8s-master network-policy-demo]# kubectl get networkpolicy
NAME           POD-SELECTOR   AGE
access-httpd   run=httpd      6s

#创建带有标签的busybox pod访问，是可以正常访问的，但是因为仅开放了TCP协议，所以PING是无法ping通的
[root@k8s-master ~]# kubectl run busybox --rm -it --labels="access=true" --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget httpd-svc:8080
Connecting to httpd-svc:8080 (10.99.222.179:8080)
index.html           100% |*********************************************************************************************|    45  0:00:00 ETA
/ # ping -c 3 10.244.0.2
PING 10.244.0.2 (10.244.0.2): 56 data bytes

--- 10.244.0.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss