Cilium Native Routing with KubeProxyReplacement 模式
1.Cilium2.Cilium Native Routing with kubeProxy 模式
3.Cilium Native Routing with KubeProxyReplacement 模式
4.Cilium Native Routing with eBPF 模式5.Cilium VxLAN with eBPF 模式6.Cilium IPSec with kubeProxy 模式7.Cilium WireGuard with kubeProxy 模式8.Cilium Socket LB 特性9.Cilium DSR 特性(转载)10.Cilium Dual Stack 双栈特性(转载)11.Cilium LB IPAM概念(转载)12.Cilium Ingress 特性(转载)13.Cilium Gateway API 特性(转载)14.BGP 协议(转载)15.Cilium BGP ControlePlane(转载)16.Cilium Cluster Mesh(转载)Cilium Native Routing with KubeProxyReplacement 模式
一、环境信息
| 主机 | IP |
|---|---|
| ubuntu | 172.16.94.141 |
| 软件 | 版本 |
|---|---|
| docker | 26.1.4 |
| helm | v3.15.0-rc.2 |
| kind | 0.18.0 |
| kubernetes | 1.23.4 |
| ubuntu os | Ubuntu 20.04.6 LTS |
| kernel | 5.11.5 内核升级文档 |
二、安装服务
kind 配置文件信息
root@kind:~# cat install.sh
#!/bin/bash
date
set -v
# 1.prep noCNI env
cat <<EOF | kind create cluster --name=cilium-kubeproxy-replacement --image=kindest/node:v1.23.4 --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
# kind 默认使用 rancher cni,cni 我们需要自己创建
disableDefaultCNI: true
# kind 安装 k8s 集群需要禁用 kube-proxy 安装,是 cilium 代替 kube-proxy 功能
kubeProxyMode: "none"
nodes:
- role: control-plane
- role: worker
- role: worker
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.evescn.com"]
endpoint = ["https://harbor.evescn.com"]
EOF
# 2.remove taints
controller_node_ip=`kubectl get node -o wide --no-headers | grep -E "control-plane|bpf1" | awk -F " " '{print $6}'`
kubectl taint nodes $(kubectl get nodes -o name | grep control-plane) node-role.kubernetes.io/master:NoSchedule-
kubectl get nodes -o wide
# 3.install cni
helm repo add cilium https://helm.cilium.io > /dev/null 2>&1
helm repo update > /dev/null 2>&1
# Direct Routing Options(--set kubeProxyReplacement=strict --set tunnel=disabled --set autoDirectNodeRoutes=true --set ipv4NativeRoutingCIDR="10.0.0.0/8")
helm install cilium cilium/cilium \
--set k8sServiceHost=$controller_node_ip \
--set k8sServicePort=6443 \
--version 1.13.0-rc5 \
--namespace kube-system \
--set debug.enabled=true \
--set debug.verbose=datapath \
--set monitorAggregation=none \
--set ipam.mode=cluster-pool \
--set cluster.name=cilium-kubeproxy-replacement \
--set kubeProxyReplacement=strict \
--set tunnel=disabled \
--set autoDirectNodeRoutes=true \
--set ipv4NativeRoutingCIDR="10.0.0.0/8"
# 4.install necessary tools
for i in $(docker ps -a --format "table {{.Names}}" | grep cilium)
do
echo $i
docker cp /usr/bin/ping $i:/usr/bin/ping
docker exec -it $i bash -c "sed -i -e 's/jp.archive.ubuntu.com\|archive.ubuntu.com\|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list"
docker exec -it $i bash -c "apt-get -y update >/dev/null && apt-get -y install net-tools tcpdump lrzsz bridge-utils >/dev/null 2>&1"
done
--set 参数解释
-
--set kubeProxyReplacement=strict- 含义: 启用 kube-proxy 替代功能,并以严格模式运行。
- 用途: Cilium 将完全替代 kube-proxy 实现服务负载均衡,提供更高效的流量转发和网络策略管理。
-
--set tunnel=disabled- 含义: 禁用隧道模式。
- 用途: 禁用后,Cilium 将不使用 vxlan 技术,直接在主机之间路由数据包,即 direct-routing 模式。
-
--set autoDirectNodeRoutes=true- 含义: 启用自动直接节点路由。
- 用途: 使 Cilium 自动设置直接节点路由,优化网络流量。
-
--set ipv4NativeRoutingCIDR="10.0.0.0/8"- 含义: 指定用于 IPv4 本地路由的 CIDR 范围,这里是
10.0.0.0/8。 - 用途: 配置 Cilium 使其知道哪些 IP 地址范围应该通过本地路由进行处理,不做 snat , Cilium 默认会对所用地址做 snat。
- 含义: 指定用于 IPv4 本地路由的 CIDR 范围,这里是
- 安装
k8s集群和cilium服务
# ./install.sh
Creating cluster "cilium-kubeproxy-replacement" ...
✓ Ensuring node image (kindest/node:v1.23.4) 🖼
✓ Preparing nodes 📦 📦 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹️
✓ Installing StorageClass 💾
✓ Joining worker nodes 🚜
Set kubectl context to "kind-cilium-kubeproxy-replacement"
You can now use your cluster with:
kubectl cluster-info --context kind-cilium-kubeproxy-replacement
Not sure what to do next? 😅 Check out https://kind.sigs.k8s.io/docs/user/quick-start/
- 查看安装的服务
root@kind:~# kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system cilium-2jwcw 1/1 Running 0 4m15s
kube-system cilium-2xvsw 1/1 Running 0 4m15s
kube-system cilium-operator-dd757785c-q8rnw 1/1 Running 0 4m15s
kube-system cilium-operator-dd757785c-wtf4w 1/1 Running 0 4m15s
kube-system cilium-q4h4z 1/1 Running 0 4m15s
kube-system coredns-64897985d-2tmk6 1/1 Running 0 6m9s
kube-system coredns-64897985d-bjgfx 1/1 Running 0 6m10s
kube-system etcd-cilium-kubeproxy-replacement-control-plane 1/1 Running 0 6m25s
kube-system kube-apiserver-cilium-kubeproxy-replacement-control-plane 1/1 Running 0 6m27s
kube-system kube-controller-manager-cilium-kubeproxy-replacement-control-plane 1/1 Running 0 6m25s
kube-system kube-scheduler-cilium-kubeproxy-replacement-control-plane 1/1 Running 0 6m25s
local-path-storage local-path-provisioner-5ddd94ff66-k8d66 1/1 Running 0 6m10s
查看
Pod服务信息,发现没有kube-proxy服务,因为我们设置了kubeProxyReplacement=strict,那么cilium将完全替代kube-proxy实现服务负载均衡。并且在kind安装k8s集群的时候也需要设置禁用kube-proxy安装kubeProxyMode: "none"
cilium 配置信息
root@kind:~# kubectl -n kube-system exec -it ds/cilium -- cilium status
KVStore: Ok Disabled
Kubernetes: Ok 1.23 (v1.23.4) [linux/amd64]
Kubernetes APIs: ["cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "core/v1::Namespace", "core/v1::Node", "core/v1::Pods", "core/v1::Service", "discovery/v1::EndpointSlice", "networking.k8s.io/v1::NetworkPolicy"]
KubeProxyReplacement: Strict [eth0 172.18.0.4 (Direct Routing)]
Host firewall: Disabled
CNI Chaining: none
CNI Config file: CNI configuration file management disabled
Cilium: Ok 1.13.0-rc5 (v1.13.0-rc5-dc22a46f)
NodeMonitor: Listening for events on 128 CPUs with 64x4096 of shared memory
Cilium health daemon: Ok
IPAM: IPv4: 5/254 allocated from 10.0.0.0/24,
IPv6 BIG TCP: Disabled
BandwidthManager: Disabled
Host Routing: Legacy
Masquerading: IPTables [IPv4: Enabled, IPv6: Disabled]
Controller Status: 31/31 healthy
Proxy Status: OK, ip 10.0.0.84, 0 redirects active on ports 10000-20000
Global Identity Range: min 256, max 65535
Hubble: Ok Current/Max Flows: 4095/4095 (100.00%), Flows/s: 9.15 Metrics: Disabled
Encryption: Disabled
Cluster health: 3/3 reachable (2024-06-26T09:52:50Z)
KubeProxyReplacement: Strict [eth0 172.18.0.3 (Direct Routing)]- Cilium 完全接管所有 kube-proxy 功能,包括服务负载均衡、NodePort 和其他网络策略管理。这种配置适用于你希望最大限度利用 Cilium 的高级网络功能,并完全替代 kube-proxy 的场景。此模式提供更高效的流量转发和更强大的网络策略管理。
Host Routing: Legacy- 使用传统的主机路由。
Masquerading: IPTables [IPv4: Enabled, IPv6: Disabled]- 使用 iptables 进行 IP 伪装(NAT),IPv4 伪装启用,IPv6 伪装禁用。
k8s 集群安装 Pod 测试网络
root@kind:~# cat cni.yaml
apiVersion: apps/v1
kind: DaemonSet
#kind: Deployment
metadata:
labels:
app: cilium-with-replacement
name: cilium-with-replacement
spec:
#replicas: 1
selector:
matchLabels:
app: cilium-with-replacement
template:
metadata:
labels:
app: cilium-with-replacement
spec:
containers:
- image: harbor.dayuan1997.com/devops/nettool:0.9
name: nettoolbox
securityContext:
privileged: true
---
apiVersion: v1
kind: Service
metadata:
name: serversvc
spec:
type: NodePort
selector:
app: cilium-with-replacement
ports:
- name: cni
port: 80
targetPort: 80
nodePort: 32000
root@kind:~# kubectl apply -f cni.yaml
daemonset.apps/cilium-with-replacement created
service/serversvc created
root@kind:~# kubectl run net --image=harbor.dayuan1997.com/devops/nettool:0.9
pod/net created
- 查看安装服务信息
root@kind:~# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
cilium-with-replacement-hbvkm 1/1 Running 0 62s 10.0.2.204 cilium-kubeproxy-replacement-worker2 <none> <none>
cilium-with-replacement-vhhzl 1/1 Running 0 62s 10.0.0.142 cilium-kubeproxy-replacement-control-plane <none> <none>
cilium-with-replacement-xtzwx 1/1 Running 0 62s 10.0.1.15 cilium-kubeproxy-replacement-worker <none> <none>
net 1/1 Running 0 2s 10.0.2.32 cilium-kubeproxy-replacement-worker2 <none> <none>
root@kind:~# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 22m
serversvc NodePort 10.96.18.68 <none> 80:32000/TCP 76s
三、测试网络
同节点 Pod 网络通讯
Pod节点信息
## ip 信息
# kubectl exec -it net -- ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 62:38:09:24:7b:fd brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.2.32/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::6038:9ff:fe24:7bfd/64 scope link
valid_lft forever preferred_lft forever
## 路由信息
# kubectl exec -it net -- ip r s
default via 10.0.2.184 dev eth0 mtu 1500
10.0.2.184 dev eth0 scope link
查看 Pod 信息发现在 cilium 中主机的 IP 地址为 32 位掩码,意味着该 IP 地址是单个主机的唯一标识,而不是一个子网。这个主机访问其他 IP 均会走路由到达
Pod节点所在Node节点信息
# docker exec -it cilium-kubeproxy-replacement-worker2 bash
## ip 信息
root@cilium-kubeproxy-replacement-worker2:/# ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: cilium_net@cilium_host: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether da:dc:10:5e:63:bd brd ff:ff:ff:ff:ff:ff
inet6 fe80::d8dc:10ff:fe5e:63bd/64 scope link
valid_lft forever preferred_lft forever
3: cilium_host@cilium_net: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether de:18:2a:12:05:3d brd ff:ff:ff:ff:ff:ff
inet 10.0.2.184/32 scope link cilium_host
valid_lft forever preferred_lft forever
inet6 fe80::dc18:2aff:fe12:53d/64 scope link
valid_lft forever preferred_lft forever
5: lxc_health@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether c6:60:02:0a:62:2f brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::c460:2ff:fe0a:622f/64 scope link
valid_lft forever preferred_lft forever
13: lxc3d8b8c4b9039@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 1e:0e:95:4f:d1:32 brd ff:ff:ff:ff:ff:ff link-netns cni-4fde611b-ba69-ea8c-256a-2655cf743623
inet6 fe80::1c0e:95ff:fe4f:d132/64 scope link
valid_lft forever preferred_lft forever
15: lxc89eb07782005@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 8e:b6:63:bb:41:3e brd ff:ff:ff:ff:ff:ff link-netns cni-1d4bc46a-77cd-aa33-cd3e-5df5335d2f00
inet6 fe80::8cb6:63ff:febb:413e/64 scope link
valid_lft forever preferred_lft forever
17: eth0@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fc00:f853:ccd:e793::2/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe12:2/64 scope link
valid_lft forever preferred_lft forever
## 路由信息
root@cilium-kubeproxy-replacement-worker2:/# ip r s
default via 172.18.0.1 dev eth0
10.0.0.0/24 via 172.18.0.4 dev eth0
10.0.1.0/24 via 172.18.0.3 dev eth0
10.0.2.0/24 via 10.0.2.184 dev cilium_host src 10.0.2.184
10.0.2.184 dev cilium_host scope link
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.2
Pod节点进行ping包测试,查看宿主机路由信息,发现并在数据包会在通过10.0.2.0/24 via 10.0.2.184 dev cilium_host src 10.0.2.184路由信息转发
root@kind:~# kubectl exec -it net -- ping 10.0.2.204 -c 1
PING 10.0.2.204 (10.0.2.204): 56 data bytes
64 bytes from 10.0.2.204: seq=0 ttl=63 time=0.787 ms
--- 10.0.2.204 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.787/0.787/0.787 ms
Pod节点eth0网卡抓包
net~$ tcpdump -pne -i eth0
10:12:51.034229 62:38:09:24:7b:fd > 8e:b6:63:bb:41:3e, ethertype IPv4 (0x0800), length 98: 10.0.2.32 > 10.0.2.204: ICMP echo request, id 47, seq 0, length 64
10:12:51.034733 8e:b6:63:bb:41:3e > 62:38:09:24:7b:fd, ethertype IPv4 (0x0800), length 98: 10.0.2.204 > 10.0.2.32: ICMP echo reply, id 47, seq 0, length 64
Node节点cilium_host网卡抓包
root@cilium-kubeproxy-replacement-worker2:/# tcpdump -pne -i cilium_host
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on cilium_host, link-type EN10MB (Ethernet), snapshot length 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
通过抓包发现,我们无法在 cilium_host 网卡上抓到数据包信息,但是同节点的 Pod 通讯正常,查看前面 Pod eth0 网卡抓包信息,发现下一条mac 地址为: 8e:b6:63:bb:41:3e ,对比 Node 节点信息,发现是 lxc89eb07782005 网卡 mac 地址,并且通过网卡 id 信息,可以确定他们互为 veth pair 网卡
Node节点lxc89eb07782005网卡抓包
root@cilium-kubeproxy-replacement-worker2:/# tcpdump -pne -i lxc89eb07782005
10:12:51.034229 62:38:09:24:7b:fd > 8e:b6:63:bb:41:3e, ethertype IPv4 (0x0800), length 98: 10.0.2.32 > 10.0.2.204: ICMP echo request, id 47, seq 0, length 64
10:12:51.034732 8e:b6:63:bb:41:3e > 62:38:09:24:7b:fd, ethertype IPv4 (0x0800), length 98: 10.0.2.204 > 10.0.2.32: ICMP echo reply, id 47, seq 0, length 64
在 lxc89eb07782005 网卡抓包到了数据包传输信息,表示数据包送到了 Node 节点,但是却没有按照路由信息送到 cilium_host 网卡,实质上是 cilium 底层的代码实现了数据包劫持,当发送数据包是同节点时,还未走的查询 routing 路由表信息时,就完成了数据包的转发,送往了目的 Pod 节点的 veth pair 网卡
- 查看
10.0.2.204Pod主机信息
root@kind:~# kubectl exec -it cilium-with-replacement-hbvkm -- ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 76:51:a5:5f:2b:1b brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.2.204/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::7451:a5ff:fe5f:2b1b/64 scope link
valid_lft forever preferred_lft forever
查看 eth0 信息,可以确定在 Pod 的 eth0 网卡在宿主机的 veth pair 网卡位 id = 13 的网卡,查看前面 Node 节点信息发现为: 13: lxc3d8b8c4b9039@if12
Node节点lxc3d8b8c4b9039网卡抓包
root@cilium-kubeproxy-replacement-worker2:/# tcpdump -pne -i lxc3d8b8c4b9039
10:14:14.584364 1e:0e:95:4f:d1:32 > 76:51:a5:5f:2b:1b, ethertype IPv4 (0x0800), length 98: 10.0.2.32 > 10.0.2.204: ICMP echo request, id 53, seq 0, length 64
10:14:14.584377 76:51:a5:5f:2b:1b > 1e:0e:95:4f:d1:32, ethertype IPv4 (0x0800), length 98: 10.0.2.204 > 10.0.2.32: ICMP echo reply, id 53, seq 0, length 64
在此网卡上抓起到了数据包信息,目的 mac 76:51:a5:5f:2b:1b 为 10.0.2.204 Pod 主机 eth0 网卡 mac 信息,即此数据包时送往目标 IP 的数据包信息
总结:同节点
Pod通讯,数据包通过veth pair送往Node节点后, Node 节点上运行的cilium代码实现了数据包劫持,当发送数据包是同节点时,还未走到查询Node节点routing路由表信息时,就完成了数据包的转发,送往了目的Pod节点的veth pair网卡
不同节点 Pod 网络通讯
-
Pod节点信息,查看前面: 同节点Pod网络通讯 -
Pod节点所在Node节点信息,查看前面: 同节点Pod网络通讯 -
Pod节点进行ping包测试,查看宿主机路由信息,发现并在数据包会在通过10.0.1.0/24 via 172.18.0.3 dev eth0路由信息转发
root@kind:~# kubectl exec -it net -- ping 10.0.1.15 -c 1
PING 10.0.1.15 (10.0.1.15): 56 data bytes
64 bytes from 10.0.1.15: seq=0 ttl=60 time=1.153 ms
--- 10.0.1.15 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.153/1.153/1.153 ms
Node节点cilium-kubeproxy-replacement-worker2lxc89eb07782005网卡抓包
root@cilium-kubeproxy-replacement-worker2:/# tcpdump -pne -i lxc89eb07782005
10:40:08.611228 62:38:09:24:7b:fd > 8e:b6:63:bb:41:3e, ethertype IPv4 (0x0800), length 98: 10.0.2.32 > 10.0.1.15: ICMP echo request, id 82, seq 0, length 64
10:40:08.611928 8e:b6:63:bb:41:3e > 62:38:09:24:7b:fd, ethertype IPv4 (0x0800), length 98: 10.0.1.15 > 10.0.2.32: ICMP echo reply, id 82, seq 0, length 64
Pod 节点数据出来后,还是先到达了 veth pair 网卡。
Node节点cilium-kubeproxy-replacement-worker2eth0网卡抓包
root@cilium-kubeproxy-replacement-worker2:/# tcpdump -pne -i eth0 icmp
10:40:18.228122 02:42:ac:12:00:02 > 02:42:ac:12:00:03, ethertype IPv4 (0x0800), length 98: 10.0.2.32 > 10.0.1.15: ICMP echo request, id 88, seq 0, length 64
10:40:18.228499 02:42:ac:12:00:03 > 02:42:ac:12:00:02, ethertype IPv4 (0x0800), length 98: 10.0.1.15 > 10.0.2.32: ICMP echo reply, id 88, seq 0, length 64
查看 eth0 网卡抓包信息,发现数据包下一跳 mac 02:42:ac:12:00:03 ,按照之前的路由信息,分析此地址应该为 172.18.0.3 节点 eth0 mac 地址
查看 cilium-kubeproxy-replacement-worker2 节点 mac 信息
root@cilium-kubeproxy-replacement-worker2:/#arp -n
Address HWtype HWaddress Flags Mask Iface
172.18.0.3 ether 02:42:ac:12:00:03 C eth0
172.18.0.1 ether 02:42:2f:fe:43:35 C eth0
172.18.0.4 ether 02:42:ac:12:00:04 C eth0
Node节点cilium-kubeproxy-replacement-workereth0网卡抓包
root@cilium-kubeproxy-replacement-worker:/# tcpdump -pne -i eth0
10:43:02.648720 02:42:ac:12:00:02 > 02:42:ac:12:00:03, ethertype IPv4 (0x0800), length 98: 10.0.2.32 > 10.0.1.15: ICMP echo request, id 100, seq 0, length 64
10:43:02.649112 02:42:ac:12:00:03 > 02:42:ac:12:00:02, ethertype IPv4 (0x0800), length 98: 10.0.1.15 > 10.0.2.32: ICMP echo reply, id 100, seq 0, length 64
查看 eth0 网卡抓包信息,数据包源 mac 02:42:ac:12:00:02 为 172.18.0.2 eth0 mac 地址,目的 mac 02:42:ac:12:00:03 ,为本机 eth0 mac 地址
查看 cilium-kubeproxy-replacement-worker 节点 ip 信息
root@cilium-kubeproxy-replacement-worker:/# ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: cilium_net@cilium_host: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 66:a1:f4:d3:f1:ab brd ff:ff:ff:ff:ff:ff
inet6 fe80::64a1:f4ff:fed3:f1ab/64 scope link
valid_lft forever preferred_lft forever
3: cilium_host@cilium_net: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 02:89:4e:78:94:3c brd ff:ff:ff:ff:ff:ff
inet 10.0.1.152/32 scope link cilium_host
valid_lft forever preferred_lft forever
inet6 fe80::89:4eff:fe78:943c/64 scope link
valid_lft forever preferred_lft forever
5: lxc_health@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ea:d9:f2:a9:ae:5a brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::e8d9:f2ff:fea9:ae5a/64 scope link
valid_lft forever preferred_lft forever
15: lxcd0c238daf9fe@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether be:06:69:82:a0:bc brd ff:ff:ff:ff:ff:ff link-netns cni-c70b15f3-69c3-a69f-969f-91a1f4b4686a
inet6 fe80::bc06:69ff:fe82:a0bc/64 scope link
valid_lft forever preferred_lft forever
19: eth0@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fc00:f853:ccd:e793::3/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe12:3/64 scope link
valid_lft forever preferred_lft forever
查看 cilium-kubeproxy-replacement-worker22 节点 route 信息
## 路由信息
root@cilium-kubeproxy-replacement-worker22:/# ip r s
default via 172.18.0.1 dev eth0
10.0.0.0/24 via 172.18.0.4 dev eth0
10.0.1.0/24 via 10.0.1.152 dev cilium_host src 10.0.1.152
10.0.1.152 dev cilium_host scope link
10.0.2.0/24 via 172.18.0.2 dev eth0
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.3
查看路由信息,数据包目的地址 10.0.0.53,会在通过 10.0.1.0/24 via 10.0.1.152 dev cilium_host src 10.0.1.152 路由信息转发,在 cilium_host 网卡抓包
root@cilium-kubeproxy-replacement-worker22:/# tcpdump -pne -i cilium_host
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on cilium_host, link-type EN10MB (Ethernet), snapshot length 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
通过抓包发现,我们无法在 cilium_host 网卡上抓到数据包信息。类似同节点的 Pod 通讯情况,也无法在 cilium_host 网卡上抓包,但是通讯正常。
- 目标
Podeth0网卡抓包
cilium-with-kubeproxy-zxtpj~$ tcpdump -pne -i eth0
10:45:19.070446 be:06:69:82:a0:bc > 6a:25:e6:a2:a8:ec, ethertype IPv4 (0x0800), length 98: 10.0.2.32 > 10.0.1.15: ICMP echo request, id 107, seq 0, length 64
10:45:19.070458 6a:25:e6:a2:a8:ec > be:06:69:82:a0:bc, ethertype IPv4 (0x0800), length 98: 10.0.1.15 > 10.0.2.32: ICMP echo reply, id 107, seq 0, length 64
- 目标
Podip信息
cilium-with-replacement-xtzwx~$ ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 6a:25:e6:a2:a8:ec brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.1.15/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::6825:e6ff:fea2:a8ec/64 scope link
valid_lft forever preferred_lft forever
查看数据包信息中的源 mac 3a:44:a3:48:94:e1 ,发是 cilium-kubeproxy-replacement-worker 节点 lxcd0c238daf9fe 网卡 mac 地址。实质上还是 cilium 底层的代码实现了数据包劫持,当发送数据包是 Node 节点时,还未走到查询 Node 节点 routing 路由表信息时,就完成了数据包的转发,送往了目的 Pod 节点的 veth pair 网卡。lxcd0c238daf9fe 网卡和目标 Pod eth0 网卡互为 veth pair 网卡
Service 网络通讯
- 查看
Service信息
root@kind:~# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 63m
serversvc NodePort 10.96.18.68 <none> 80:32000/TCP 42m
net服务上请求Pod所在Node节点32000端口
root@kind:~# kubectl exec -ti net -- curl 172.18.0.2:32000
PodName: cilium-with-replacement-xtzwx | PodIP: eth0 10.0.1.15/32
并在 net 服务 eth0 网卡 抓包查看
net~$ tcpdump -pne -i eth0
10:49:06.504713 62:38:09:24:7b:fd > 8e:b6:63:bb:41:3e, ethertype IPv4 (0x0800), length 74: 10.0.2.32.39204 > 10.0.1.15.80: Flags [S], seq 3323102457, win 64240, options [mss 1460,sackOK,TS val 3254307702 ecr 0,nop,wscale 7], length 0
10:49:06.505340 8e:b6:63:bb:41:3e > 62:38:09:24:7b:fd, ethertype IPv4 (0x0800), length 74: 10.0.1.15.80 > 10.0.2.32.39204: Flags [S.], seq 292579920, ack 3323102458, win 65160, options [mss 1460,sackOK,TS val 554604858 ecr 3254307702,nop,wscale 7], length 0
10:49:06.505351 62:38:09:24:7b:fd > 8e:b6:63:bb:41:3e, ethertype IPv4 (0x0800), length 66: 10.0.2.32.39204 > 10.0.1.15.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3254307702 ecr 554604858], length 0
10:49:06.506761 62:38:09:24:7b:fd > 8e:b6:63:bb:41:3e, ethertype IPv4 (0x0800), length 146: 10.0.2.32.39204 > 10.0.1.15.80: Flags [P.], seq 1:81, ack 1, win 502, options [nop,nop,TS val 3254307704 ecr 554604858], length 80: HTTP: GET / HTTP/1.1
10:49:06.507358 8e:b6:63:bb:41:3e > 62:38:09:24:7b:fd, ethertype IPv4 (0x0800), length 66: 10.0.1.15.80 > 10.0.2.32.39204: Flags [.], ack 81, win 509, options [nop,nop,TS val 554604860 ecr 3254307704], length 0
10:49:06.507518 8e:b6:63:bb:41:3e > 62:38:09:24:7b:fd, ethertype IPv4 (0x0800), length 302: 10.0.1.15.80 > 10.0.2.32.39204: Flags [P.], seq 1:237, ack 81, win 509, options [nop,nop,TS val 554604860 ecr 3254307704], length 236: HTTP: HTTP/1.1 200 OK
10:49:06.507866 8e:b6:63:bb:41:3e > 62:38:09:24:7b:fd, ethertype IPv4 (0x0800), length 132: 10.0.1.15.80 > 10.0.2.32.39204: Flags [P.], seq 237:303, ack 81, win 509, options [nop,nop,TS val 554604860 ecr 3254307704], length 66: HTTP
10:49:06.508241 62:38:09:24:7b:fd > 8e:b6:63:bb:41:3e, ethertype IPv4 (0x0800), length 66: 10.0.2.32.39204 > 10.0.1.15.80: Flags [.], ack 303, win 500, options [nop,nop,TS val 3254307705 ecr 554604860], length 0
10:49:06.510714 62:38:09:24:7b:fd > 8e:b6:63:bb:41:3e, ethertype IPv4 (0x0800), length 66: 10.0.2.32.39204 > 10.0.1.15.80: Flags [F.], seq 81, ack 303, win 501, options [nop,nop,TS val 3254307708 ecr 554604860], length 0
10:49:06.511460 8e:b6:63:bb:41:3e > 62:38:09:24:7b:fd, ethertype IPv4 (0x0800), length 66: 10.0.1.15.80 > 10.0.2.32.39204: Flags [F.], seq 303, ack 82, win 509, options [nop,nop,TS val 554604864 ecr 3254307708], length 0
10:49:06.511469 62:38:09:24:7b:fd > 8e:b6:63:bb:41:3e, ethertype IPv4 (0x0800), length 66: 10.0.2.32.39204 > 10.0.1.15.80: Flags [.], ack 304, win 501, options [nop,nop,TS val 3254307708 ecr 554604864], length 0
抓包数据显示, net 服务使用 36788 端口和 10.0.1.15 80 端口进行 tcp 通讯。
* `KubeProxyReplacement: Strict [eth0 172.18.0.3 (Direct Routing)]`
* Cilium 完全接管所有 kube-proxy 功能,包括服务负载均衡、NodePort 和其他网络策略管理。这种配置适用于你希望最大限度利用 Cilium 的高级网络功能,并完全替代 kube-proxy 的场景。此模式提供更高效的流量转发和更强大的网络策略管理。
cilium 配置 KubeProxyReplacement: Strict [eth0 172.18.0.3 (Direct Routing)],通过配置信息确定 cilium 接管 kube-proxy 的功能,使用 cilium 实现 service 转发。我们可以先检查下默认 kube-proxy 的 conntrack 信息和 iptables 信息
- 先检查下
conntrack信息,发现没有链路信息
root@cilium-kubeproxy-replacement-worker2:/# conntrack -L | grep 32000
## 没有数据信息
iptables信息,也没有iptables规则信息
root@cilium-kubeproxy-replacement-worker2:/# iptables-save | grep 32000
## 没有数据信息
那么 cilium 是如何查询 service 信息,并返回后端 Pod ip 地址给请求方的?其实 cilium 把数据保存在自身内部,使用 cilium 子命令可以查询到 service 信息
cilium查询service信息
root@kind:~# kubectl -n kube-system exec cilium-2xvsw -- cilium service list
ID Frontend Service Type Backend
1 10.96.0.1:443 ClusterIP 1 => 172.18.0.4:6443 (active)
2 10.96.0.10:53 ClusterIP 1 => 10.0.0.221:53 (active)
2 => 10.0.0.200:53 (active)
3 10.96.0.10:9153 ClusterIP 1 => 10.0.0.221:9153 (active)
2 => 10.0.0.200:9153 (active)
4 10.96.134.23:443 ClusterIP 1 => 172.18.0.2:4244 (active)
11 10.96.18.68:80 ClusterIP 1 => 10.0.1.15:80 (active)
2 => 10.0.2.204:80 (active)
3 => 10.0.0.142:80 (active)
12 172.18.0.2:32000 NodePort 1 => 10.0.1.15:80 (active)
2 => 10.0.2.204:80 (active)
3 => 10.0.0.142:80 (active)
13 0.0.0.0:32000 NodePort 1 => 10.0.1.15:80 (active)
2 => 10.0.2.204:80 (active)
3 => 10.0.0.142:80 (active)
查看上面的 service 信息得到, 172.18.0.2:32000 后端有 3 个 ip 地址信息,并且后端端口为 80 , cilium 劫持到 Pod 需要访问 service 信息,即会查询该 service 对应的后端 Pod 地址和端口返回给客户端,让客户端使用此地址发起 http 请求
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 无需6万激活码!GitHub神秘组织3小时极速复刻Manus,手把手教你使用OpenManus搭建本
· C#/.NET/.NET Core优秀项目和框架2025年2月简报
· 什么是nginx的强缓存和协商缓存
· 一文读懂知识蒸馏
· Manus爆火,是硬核还是营销?
2023-06-27 Python logging模块(转载)