gpt4 book ai didi

linux - 为什么 docker0 桥在带有法兰绒的 kubernetes 集群中出现?

转载 作者:太空宇宙 更新时间:2023-11-04 11:43:14 24 4
gpt4 key购买 nike

我有一个使用 kubadm 创建的 kubernetes 集群,其中有 1 个主节点和 2 个工作节点。法兰绒被用作网络插件。注意到 docker0 网桥在所有工作节点和主节点上都已关闭,但集群网络工作正常。如果我们在 kubernetes 集群中使用任何网络插件(如 flannel),docker0 网桥是否会按设计关闭?

docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:ad:8f:3a:99 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0

最佳答案

我正在发布来自 this 的社区维基答案所以线程,我相信它回答了你的问题。


这里有Docker和Kubernetes两种网络模型。

docker 模型

By default, Docker uses host-private networking. It creates a virtual bridge, called docker0 by default, and allocates a subnet from one of the private address blocks defined in RFC1918 for that bridge. For each container that Docker creates, it allocates a virtual Ethernet device (called veth) which is attached to the bridge. The veth is mapped to appear as eth0 in the container, using Linux namespaces. The in-container eth0 interface is given an IP address from the bridge’s address range.

The result is that Docker containers can talk to other containers only if they are on the same machine (and thus the same virtual bridge). Containers on different machines can not reach each other - in fact they may end up with the exact same network ranges and IP addresses.

Kubernetes 模型

Kubernetes imposes the following fundamental requirements on any networking implementation (barring any intentional network segmentation policies):

  • 所有容器都可以在没有 NAT 的情况下与所有其他容器通信
  • 所有节点都可以在没有 NAT 的情况下与所有容器通信(反之亦然)
  • 容器将自己视为的 IP 与其他人将其视为的 IP 相同

Kubernetes applies IP addresses at the Pod scope - containers within a Pod share their network namespaces - including their IP address. This means that containers within a Pod can all reach each other’s ports on localhost. This does imply that containers within a Pod must coordinate port usage, but this is no different than processes in a VM. This is called the “IP-per-pod” model. This is implemented, using Docker, as a “pod container” which holds the network namespace open while “app containers” (the things the user specified) join that namespace with Docker’s --net=container:<id> function.

As with Docker, it is possible to request host ports, but this is reduced to a very niche operation. In this case a port will be allocated on the host Node and traffic will be forwarded to the Pod. The Pod itself is blind to the existence or non-existence of host ports.

为了将平台与底层网络基础设施集成,Kubernetes 提供了一个名为 Container Networking Interface (CNI) 的插件规范。 .如果满足 Kubernetes 的基本要求,供应商可以随心所欲地使用网络堆栈,通常使用覆盖网络来支持多子网多区集群。

下面显示了如何通过 Flannel 实现覆盖网络这是一个受欢迎的CNI .

flannel

您可以阅读有关其他 CNI 的更多信息 here . Cluster Networking 中解释了 Kubernetes 方法文档。我还推荐阅读 Kubernetes Is Hard: Why EKS Makes It Easier for Network and Security Architects这解释了如何 Flannel作品,还有另一个article from Medium

希望这能回答您的问题。

关于linux - 为什么 docker0 桥在带有法兰绒的 kubernetes 集群中出现?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58641541/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com