TOR Calico BGP Setup (Part 2)


c. calico-kube-controllers
calico-kube-controllers manages all of the BGP routes and node information; it can be deployed as-is. It runs in the host network namespace, and because everything is registered with and read back from etcd, no local port needs to be exposed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
spec:
  # The controllers can only have a single active instance.
  replicas: 1
  selector:
    matchLabels:
      k8s-app: calico-kube-controllers
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
      labels:
        k8s-app: calico-kube-controllers
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      tolerations:
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      serviceAccountName: calico-kube-controllers
      priorityClassName: system-cluster-critical
      # The controllers must run in the host network namespace so that
      # it isn't governed by policy that would prevent it from working.
      hostNetwork: true
      containers:
        - name: calico-kube-controllers
          image: calico/kube-controllers:v3.8.9
          env:
            # The location of the etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Location of the CA certificate for etcd.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
            # Choose which controllers to run.
            - name: ENABLED_CONTROLLERS
              value: policy,namespace,serviceaccount,workloadendpoint,node
          volumeMounts:
            # Mount in the etcd TLS secrets.
            - mountPath: /calico-secrets
              name: etcd-certs
          readinessProbe:
            exec:
              command:
                - /usr/bin/check-status
                - -r
      volumes:
        # Mount in the etcd TLS secrets with mode 400.
        # See https://kubernetes.io/docs/concepts/configuration/secret/
        - name: etcd-certs
          secret:
            secretName: calico-etcd-secrets
            defaultMode: 0400
d. RBAC
The remaining objects are the Kubernetes RBAC permission resources and a few other resources; apply them directly. For the setup above you only need to change the etcd TLS configuration and disable IPIP, then apply calico-etcd.yaml as-is. If anything special is required, adjust the corresponding labels and paths.
Calico configuration
Calico's network interconnect architecture generally comes in two forms. The first is node-to-node mesh, meaning every calico-node establishes a BGP peering with every other node. It is usable with fewer than 100 nodes because the configuration is very simple, but with more than 100 nodes this full-mesh topology is not recommended: the number of routes becomes large, and with every node peered to every other it is hard to troubleshoot quickly after a failure. The second is the Route Reflector (RR) model: one or more nodes are designated as RRs via Kubernetes labels, every node in the AS establishes its BGP peering with the RR, and the node-to-node mesh becomes a star topology; deploying several RRs also takes care of redundancy.
Disable node-to-node mesh
First disable node-to-node mesh mode. Make sure no workloads are running in the cluster before doing this: the moment it is disabled, pods lose network connectivity.
cat rr_mode.yaml:
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: false
  asNumber: 64512

calicoctl apply -f rr_mode.yaml
Configure the RR node
When configuring a node as an RR, the node must be labelled. The label can be anything you choose; it marks this node as having RR enabled and is referenced later. Here route-reflector is used as the label.
cat rr01.yaml
apiVersion: projectcalico.org/v3
kind: Node
metadata:
  creationTimestamp: null
  name: sa-k8s001.stg.bx
  labels:
    route-reflector: "true"
spec:
  bgp:
    ipv4Address: 21.68.137.248/23
    routeReflectorClusterID: 224.0.0.1
  orchRefs:
    - nodeName: sa-k8smaster001
      orchestrator: k8s

calicoctl apply -f rr01.yaml
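Because disabling the mesh and labelling the RR are applied as two separate manifests, a preflight check that looks at both together catches the mistakes that cut pod networking (mesh off with no RR node, a misspelled BGPConfiguration field, an unquoted label value that YAML turns into a boolean). The following is an added example, not code from the original post or from Calico; it takes the manifests as Python dicts (what yaml.safe_load returns) and the two constants mirror the rr_mode.yaml and rr01.yaml shown above.

```python
import ipaddress

# BGPConfiguration.spec fields Calico accepts, limited to the ones used on this page.
BGPCONFIG_FIELDS = {"logSeverityScreen", "nodeToNodeMeshEnabled", "asNumber"}
PRIVATE_ASN = ((64512, 65534), (4200000000, 4294967294))
# The page's two manifests as dicts; the label value is quoted so it stays a string.
RR_MODE = {"apiVersion": "projectcalico.org/v3", "kind": "BGPConfiguration",
           "metadata": {"name": "default"},
           "spec": {"logSeverityScreen": "Info", "nodeToNodeMeshEnabled": False,
                    "asNumber": 64512}}
RR01 = {"apiVersion": "projectcalico.org/v3", "kind": "Node",
        "metadata": {"name": "sa-k8s001.stg.bx", "labels": {"route-reflector": "true"}},
        "spec": {"bgp": {"ipv4Address": "21.68.137.248/23",
                         "routeReflectorClusterID": "224.0.0.1"}}}

def check_rr_rollout(bgpconfig, nodes):
    """Return a list of problems in a BGPConfiguration plus the Node manifests
    applied with it; an empty list means the rollout is consistent."""
    problems = []
    spec = bgpconfig.get("spec", {})
    for key in spec:
        if key not in BGPCONFIG_FIELDS:
            problems.append(f"BGPConfiguration.spec: unknown field {key!r} (typo?)")
    asn = spec.get("asNumber")
    if not isinstance(asn, int) or not any(lo <= asn <= hi for lo, hi in PRIVATE_ASN):
        problems.append(f"asNumber {asn!r} is not a private ASN")
    rr_nodes = []
    for node in nodes:
        name = node["metadata"]["name"]
        labels = node["metadata"].get("labels", {})
        bgp = node.get("spec", {}).get("bgp", {})
        for k, v in labels.items():  # unquoted YAML `true` loads as a bool, not a string
            if not isinstance(v, str):
                problems.append(f"{name}: label {k}={v!r} must be a string (quote it)")
        if str(labels.get("route-reflector")).lower() == "true":
            rr_nodes.append(name)
            cid = bgp.get("routeReflectorClusterID")
            try:  # the cluster ID is a 32-bit value written in dotted-quad form
                ipaddress.IPv4Address(cid)
            except ValueError:
                problems.append(f"{name}: routeReflectorClusterID {cid!r} is invalid")
        try:  # the node's own BGP address must be an IPv4 address in CIDR form
            ipaddress.IPv4Interface(bgp.get("ipv4Address"))
        except ValueError:
            problems.append(f"{name}: ipv4Address {bgp.get('ipv4Address')!r} is invalid")
    # The page's warning: mesh off with no RR leaves every node with zero BGP peers.
    if spec.get("nodeToNodeMeshEnabled", True) is False and not rr_nodes:
        problems.append("mesh disabled but no route-reflector node: pods lose connectivity")
    return problems
```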