diff --git a/docs/en/docs/network/images/cilium_speedup001.png b/docs/en/docs/network/images/cilium_speedup001.png new file mode 100644 index 0000000000..1f2c49cf4f Binary files /dev/null and b/docs/en/docs/network/images/cilium_speedup001.png differ diff --git a/docs/en/docs/network/modules/cilium/cilium-speedup.md b/docs/en/docs/network/modules/cilium/cilium-speedup.md index 2dcff29a7e..4c14091663 100644 --- a/docs/en/docs/network/modules/cilium/cilium-speedup.md +++ b/docs/en/docs/network/modules/cilium/cilium-speedup.md @@ -1,21 +1,12 @@ ---- -MTPE: WANG0608GitHub -Date: 2024-08-13 ---- - -# Cross-Cluster Application Communication +# Cilium Network Communication Acceleration ## Introduction -As microservices processes evolve, many enterprises choose to deploy multiple Kubernetes (K8s) clusters -in order to meet the needs of application isolation, high availability/disaster tolerance, and operations management. -However, such multicluster deployments pose a problem where some applications depend on microservices -in other K8s clusters and need to implement cross-cluster communication. Specifically, a pod in -one cluster needs to access a pod or Service in another cluster. +This page describes how to configure Cilium's communication acceleration capability. There are two optional configuration methods. ## Prerequisites -Please make sure the Linux Kernel version >= v4.9.17 with v5.10+ recommended. To view and install the latest version, you can do the following: +Please make sure the Linux Kernel version >= 4.9.17 with 5.10+ recommended. To view and install the latest version, you can do the following: 1. To view the current kernel version: 
@@ -44,258 +35,61 @@ Please make sure the Linux Kernel version >= v4.9.17 with v5.10+ recommended. To grub2-mkconfig -o /boot/grub2/grub.cfg ``` -## Create Clusters - -> For more information on creating clusters, see [Creating Clusters](../../../kpanda/user-guide/clusters/create-cluster.md). - -1. Create two clusters with different names, cluster01 and cluster02. - - ![create-cluster1](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross1.png) +> Note that manually updating the kernel may be risky and should be done with caution in production environments. - - Choose Cilium as the CNI plugin for cluster01. - - Add two parameters, `cluster-id` and `cluster-name`. - - Use the default configuration for other items. +## First method:configure when creating the cluster -2. Follow the same steps to create cluster02. +1. Click `Container Management` --> `Clusters`. On the page of `Create Cluster`, enter the cluster's `basic information` and `node configuration`, then go to `Network Configuration` to configure as follows: +![cilium-speedup01](../../images/cilium_speedup001.png) - ![Create cluster2](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross2.png) + - Select `cilium` for the cluster's CNI plugin - > The container and service segments used by the two clusters must not overlap. The values of - > the two parameters must not conflict to identify the clusters uniquely and avoid conflicts for cross-cluster communication. + - Add `other parameters` as follows: -## Create a Service for API Server + ```yaml + # Auto direct node routes must be set to be true, otherwise cross-node traffic cannot be routed + cilium_auto_direct_node_routes: "true" + # If masquerading is used, it will replace the iptables implementation based on eBPF. + # Require kernel 5.10 and later. 
+ # Otherwise it will be downgraded to the iptables implementation even if enabled + cilium_enable_bpf_masquerade: "true" + # When doing source address translation for Pod access to outside traffic, enable it if using tunnel mode. + # Disable it if BGP is used to connect to the physical network. + cilium_enable_ipv6_masquerade: "false" + # Disable the ability for hosts to bypass their kernel stack when processing packets to speed up data forwarding. + # Enable it by default, but fallback to legacy behavior if the host kernel does not support it. + cilium_enable_host_legacy_routing: "false" + # Turn on bandwidth-manager to improve the performance of tcp, udp + cilium_enable_bandwidth_manager: "true" + # Kube-proxy replacement feature can be enabled after removing kube-proxy component + cilium_kube_proxy_replacement: strict + # Disable tunnel mode + cilium_tunnel_mode: disabled + # (optional) bbr network blocking control, with the requirement of kernel > 5.18 + cilium_enable_bbr: "true" + ``` -1. After the cluster is created, create a Service on each of the two clusters to expose API server for that cluster. + - Use the default ConfigMaps for everything else - ![create service](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross3.png) +1. Click `Create Cluster` to complete the creation. - ![Create service](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross4.png) +## Second method: modify Cilium ConfigMaps - - Choose NodePort as the access type for external access for cluster01. - - Choose kube-system as the namespace of API Server. - - Use label selectors to filter API Server components, allowing you to view the selectors associated with the API Server. - - Configure the access port of the Service, and the container port is 6443. - - Get the external access link for the Service. 
+If the cluster has been created and you need to enable acceleration parameters, you can modify the `Cilium-Config` file. -2. Create a Service for API Server on cluster02 in the same way. +Click `Container Management`--> `Clusters`. Go to the created cluster and click `ConfigMaps & Secrets`. Select `Config Items`, find `Cilium-config`, and then click Edit to enter the following acceleration parameters: - ![create service](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross3.png) +![cilium-sppedup02](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-speedup2.png) - ![Create service](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross5.png) +![speed-up03](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-speedup3.png) -## Modify cluster configuration +Once the parameters are written, Check if the following ENV exists for cilium agent Daemonset (containers for cilium-agent), if not, you need to add it manually: -Edit the `kubeconfig` files for cluster01 and cluster02 through the `vi` command. - -```bash -vi $HOME/.kube/config +``` + - name: KUBERNETES_SERVICE_HOST + value: The address of the API Server Service can be found or copied from the DCE5.0 page, which requires to use the https protocol. - - - Add new `context` information to `contexts`: change the values of the `name`, `user`, and `cluster` fields - for the clusters in `context` to the names of the two clusters themselves, namely cluster01 and cluster02. - - - Add new `user` information to `users`: the two clusters copy their original credential - and change the name to the names of the two clusters namely cluster01 and cluster02. - -2. Add the `cluster`, `context`, and `user` information to each other's clusters. 
- - The following is a yaml example of how to do this: - - ```yaml - clusters: - - cluster: #Add the cluster01's `cluster` information - certificate-authority-data: {{cluster01}} - server: https://{{https://10.6.124.66:31936}} - name: {{cluster01 }} - - cluster: #Add the cluster02's `cluster` information - certificate-authority-data: {{cluster02}} - server: https://{{https://10.6.124.67:31466}} - name: {{cluster02}} - ``` - - ```yaml - contexts: - - context: #Add the cluster01's `context` information - cluster: {{cluster01 name}} - user: {{cluster01 name}} - name: {{cluster01 name}} - - context: #Add the cluster02's `context` information - cluster: {{cluster02 name}} - user: {{cluster02 name}} - name: {{cluster02 name}} - current-context: kubernetes-admin@cluster.local - ``` - - ```yaml - users: - - name: {{cluster01}} #Add the cluster01's `user` information - user: - client-certificate-data: {{cluster01 certificate-data}} - client-key-data: {{cluster01 key-data}} - - name: {{cluster02}} #Add the cluster02's `user` information - user: - client-certificate-data: {{cluster02 certificate-data}} - client-key-data: {{cluster02 key-data}} - ``` - -## Configure cluster connectivity - -Run the following commands to verify cluster connectivity: - -1. Run the following commands on cluster01: - - ```bash - cilium clustermesh enable --create-ca --context cluster01 --service-type NodePort - ``` - -2. Run the following command to enable `clustermesh` on cluster02: - - ```bash - cilium clustermesh enable --create-ca --context cluster02 --service-type NodePort - ``` - -3. Establish connectivity on cluster01: - - ```bash - cilium clustermesh connect --context cluster01 --destination-context cluster02 - ``` - -4. The presence of both `connected cluster1 and cluster2!` on cluster01 and `ClusterMesh enabled!` - on cluster02 indicates that both clusters are connected. 
- - ![connect](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/network-cross-cluster7.png) - - ![connect](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/network-cross-cluster8.png) - -## Create a demo application - -1. Use the [rebel-base](https://github.com/cilium/cilium/blob/main/examples/kubernetes/clustermesh/global-service-example/cluster1.yaml) application provided in the Cilium docs, and copy the following yaml file: - - ```yaml - apiVersion: apps/v1 - kind: Deployment - metadata: - name: rebel-base - spec: - selector: - matchLabels: - name: rebel-base - replicas: 2 - template: - metadata: - labels: - name: rebel-base - spec: - containers: - - name: rebel-base - image: docker.io/nginx:1.15.8 - volumeMounts: - - name: html - mountPath: /usr/share/nginx/html/ - livenessProbe: - httpGet: - path: / - port: 80 - periodSeconds: 1 - readinessProbe: - httpGet: - path: / - port: 80 - volumes: - - name: html - configMap: - name: rebel-base-response - items: - - key: message - path: index.html - --- - apiVersion: v1 - kind: ConfigMap - metadata: - name: rebel-base-response - data: - message: "{\"Galaxy\": \"Alderaan\", \"Cluster\": \"Cluster-1\"}\n" # Change Cluster-1 to the name of Cluster01 - --- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: x-wing - spec: - selector: - matchLabels: - name: x-wing - replicas: 2 - template: - metadata: - labels: - name: x-wing - spec: - containers: - - name: x-wing-container - image: quay.io/cilium/json-mock:v1.3.3@sha256:f26044a2b8085fcaa8146b6b8bb73556134d7ec3d5782c6a04a058c945924ca0 - livenessProbe: - exec: - command: - - curl - - -sS - - -o - - /dev/null - - localhost - readinessProbe: - exec: - command: - - curl - - -sS - - -o - - /dev/null - - localhost - ``` - -2. Quickly create two applications for cluster01 and cluster02 in DCE 5.0 using yaml file. 
- - ![Create Application](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross9.png) - - Modify the contents of `ConfigMap` so that the data returned is labeled with the names of cluster01 - and cluster02, respectively when you access a Service in cluster01 and cluster02. The pod labels - can be found in the `rebel-base` application. - -3. Create a Service for a global service video in each of the two clusters, which points to the created - `rebel-base` application. - - ![Create service application](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross10.png) - - ![Create service application](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross10.png) - - - Service type is ClusterIP - - Add the application pod labels to filter the proper application - - Configure the port - - Add an annotation to make the current Service effective globally. - - > When creating a service for cluster02, the service name must be the same for both clusters, - > The two clusters must locate in the same namespace, and have the same port name and global annotation. - -## Cross-cluster communication - -1. Check the pod IP of the application in cluster02. - - - -2. On the page of cluster01 details, click __Pod__ -> __Console__ of rebel-base , and then curl the Pod - IP of cluster02's rebel-baseand, and successfully return the information from cluster02 indicating that the pods in two - clusters can communicate with each other. - - - -3. Check the service name of cluster01. Click __Pod__ -> __Console__ of rebel-base in cluster02, - then curl the proper service name of cluster01. Some of the returned content is from cluster01, - which means that the pods and Services in the two clusters can also communicate with each other. - - +Restart the Cilium agent pods after adding them. 
diff --git a/docs/en/docs/network/modules/cilium/cross-cluster.md b/docs/en/docs/network/modules/cilium/cross-cluster.md index f34fc133e2..2dcff29a7e 100644 --- a/docs/en/docs/network/modules/cilium/cross-cluster.md +++ b/docs/en/docs/network/modules/cilium/cross-cluster.md @@ -1,12 +1,21 @@ -# Cilium Network Communication Acceleration +--- +MTPE: WANG0608GitHub +Date: 2024-08-13 +--- + +# Cross-Cluster Application Communication ## Introduction -This page describes how to configure Cilium's communication acceleration capability. There are two optional configuration methods. +As microservices processes evolve, many enterprises choose to deploy multiple Kubernetes (K8s) clusters +in order to meet the needs of application isolation, high availability/disaster tolerance, and operations management. +However, such multicluster deployments pose a problem where some applications depend on microservices +in other K8s clusters and need to implement cross-cluster communication. Specifically, a pod in +one cluster needs to access a pod or Service in another cluster. ## Prerequisites -Please make sure the Linux Kernel version >= 4.9.17 with 5.10+ recommended. To view and install the latest version, you can do the following: +Please make sure the Linux Kernel version >= v4.9.17 with v5.10+ recommended. To view and install the latest version, you can do the following: 1. To view the current kernel version: 
@@ -35,52 +44,258 @@ Please make sure the Linux Kernel version >= 4.9.17 with 5.10+ recommended. To v grub2-mkconfig -o /boot/grub2/grub.cfg ``` -## First method:configure when creating the cluster +## Create Clusters + +> For more information on creating clusters, see [Creating Clusters](../../../kpanda/user-guide/clusters/create-cluster.md). + +1. Create two clusters with different names, cluster01 and cluster02. + + ![create-cluster1](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross1.png) + + - Choose Cilium as the CNI plugin for cluster01. + - Add two parameters, `cluster-id` and `cluster-name`. + - Use the default configuration for other items. + +2. Follow the same steps to create cluster02. + + ![Create cluster2](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross2.png) + + > The container and service segments used by the two clusters must not overlap. The values of + > the two parameters must not conflict to identify the clusters uniquely and avoid conflicts for cross-cluster communication. + +## Create a Service for API Server + +1. After the cluster is created, create a Service on each of the two clusters to expose API server for that cluster. + + ![create service](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross3.png) + + ![Create service](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross4.png) + + - Choose NodePort as the access type for external access for cluster01. + - Choose kube-system as the namespace of API Server. + - Use label selectors to filter API Server components, allowing you to view the selectors associated with the API Server. + - Configure the access port of the Service, and the container port is 6443. + - Get the external access link for the Service. + +2. Create a Service for API Server on cluster02 in the same way. 
+ + ![create service](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross3.png) + + ![Create service](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross5.png) + +## Modify cluster configuration + +Edit the `kubeconfig` files for cluster01 and cluster02 through the `vi` command. + +```bash +vi $HOME/.kube/config +``` + +1. Add new `cluster`, `context`, and `user` information to both cluster01 and cluster02. + + - Under `clusters`, add new `cluster` information: the original CA for both clusters remains unchanged; + the new `server` address is changed to the address of the API Server Service that you have created above; + and the `name` is changed to the names of the two clusters themselves, namely cluster01 and cluster02. + + > The address of the API Server Service can be found or copied from the DCE5.0 page, which requires to use the https protocol. + + - Add new `context` information to `contexts`: change the values of the `name`, `user`, and `cluster` fields + for the clusters in `context` to the names of the two clusters themselves, namely cluster01 and cluster02. + + - Add new `user` information to `users`: the two clusters copy their original credential + and change the name to the names of the two clusters namely cluster01 and cluster02. + +2. Add the `cluster`, `context`, and `user` information to each other's clusters. 
+ + The following is a yaml example of how to do this: + + ```yaml + clusters: + - cluster: #Add the cluster01's `cluster` information + certificate-authority-data: {{cluster01}} + server: https://{{https://10.6.124.66:31936}} + name: {{cluster01 }} + - cluster: #Add the cluster02's `cluster` information + certificate-authority-data: {{cluster02}} + server: https://{{https://10.6.124.67:31466}} + name: {{cluster02}} + ``` + + ```yaml + contexts: + - context: #Add the cluster01's `context` information + cluster: {{cluster01 name}} + user: {{cluster01 name}} + name: {{cluster01 name}} + - context: #Add the cluster02's `context` information + cluster: {{cluster02 name}} + user: {{cluster02 name}} + name: {{cluster02 name}} + current-context: kubernetes-admin@cluster.local + ``` + + ```yaml + users: + - name: {{cluster01}} #Add the cluster01's `user` information + user: + client-certificate-data: {{cluster01 certificate-data}} + client-key-data: {{cluster01 key-data}} + - name: {{cluster02}} #Add the cluster02's `user` information + user: + client-certificate-data: {{cluster02 certificate-data}} + client-key-data: {{cluster02 key-data}} + ``` + +## Configure cluster connectivity + +Run the following commands to verify cluster connectivity: + +1. Run the following commands on cluster01: + + ```bash + cilium clustermesh enable --create-ca --context cluster01 --service-type NodePort + ``` + +2. Run the following command to enable `clustermesh` on cluster02: + + ```bash + cilium clustermesh enable --create-ca --context cluster02 --service-type NodePort + ``` + +3. Establish connectivity on cluster01: + + ```bash + cilium clustermesh connect --context cluster01 --destination-context cluster02 + ``` + +4. The presence of both `connected cluster1 and cluster2!` on cluster01 and `ClusterMesh enabled!` + on cluster02 indicates that both clusters are connected. 
+ + ![connect](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/network-cross-cluster7.png) + + ![connect](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/network-cross-cluster8.png) + +## Create a demo application + +1. Use the [rebel-base](https://github.com/cilium/cilium/blob/main/examples/kubernetes/clustermesh/global-service-example/cluster1.yaml) application provided in the Cilium docs, and copy the following yaml file: + + ```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + name: rebel-base + spec: + selector: + matchLabels: + name: rebel-base + replicas: 2 + template: + metadata: + labels: + name: rebel-base + spec: + containers: + - name: rebel-base + image: docker.io/nginx:1.15.8 + volumeMounts: + - name: html + mountPath: /usr/share/nginx/html/ + livenessProbe: + httpGet: + path: / + port: 80 + periodSeconds: 1 + readinessProbe: + httpGet: + path: / + port: 80 + volumes: + - name: html + configMap: + name: rebel-base-response + items: + - key: message + path: index.html + --- + apiVersion: v1 + kind: ConfigMap + metadata: + name: rebel-base-response + data: + message: "{\"Galaxy\": \"Alderaan\", \"Cluster\": \"Cluster-1\"}\n" # Change Cluster-1 to the name of Cluster01 + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: x-wing + spec: + selector: + matchLabels: + name: x-wing + replicas: 2 + template: + metadata: + labels: + name: x-wing + spec: + containers: + - name: x-wing-container + image: quay.io/cilium/json-mock:v1.3.3@sha256:f26044a2b8085fcaa8146b6b8bb73556134d7ec3d5782c6a04a058c945924ca0 + livenessProbe: + exec: + command: + - curl + - -sS + - -o + - /dev/null + - localhost + readinessProbe: + exec: + command: + - curl + - -sS + - -o + - /dev/null + - localhost + ``` + +2. Quickly create two applications for cluster01 and cluster02 in DCE 5.0 using yaml file. 
+ + ![Create Application](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross9.png) + + Modify the contents of `ConfigMap` so that the data returned is labeled with the names of cluster01 + and cluster02, respectively when you access a Service in cluster01 and cluster02. The pod labels + can be found in the `rebel-base` application. -1. Click `Container Management` --> `Clusters`. On the page of `Create Cluster`, enter the cluster's `basic information` and `node configuration`, then go to `Network Configuration` to configure as follows: -![cilium-speedup01](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-speedup1.png) +3. Create a Service for a global service video in each of the two clusters, which points to the created + `rebel-base` application. - - Select `cilium` for the cluster's CNI plugin + ![Create service application](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross10.png) - - Add `other parameters` as follows: + ![Create service application](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-cross10.png) - ```yaml - # Auto direct node routes must be set to be true, otherwise cross-node traffic cannot be routed - auto-direct-node-routes: "true" - # If masquerading is used, it will replace the iptables implementation based on eBPF. - # Require kernel 5.10 and later. - # Otherwise it will be downgraded to the iptables implementation even if enabled - enable-bpf-masquerade: "true" - # When doing source address translation for Pod access to outside traffic, enable it if using tunnel mode. - # Disable it if BGP is used to connect to the physical network. - enable-ipv6-masquerade: "false" - # Distribute no-ct iptables rules for the pod to improve performance. - install-no-conntrack-iptables-rules: "true" - # Disable the ability for hosts to bypass their kernel stack when processing packets to speed up data forwarding. 
- # Enable it by default, but fallback to legacy behavior if the host kernel does not support it. - enable-host-legacy-routing: "false" - # Turn on bandwidth-manager to improve the performance of tcp, udp - enable-bandwidth-manager: "true" - # Kube-proxy replacement feature can be enabled after removing kube-proxy component - kube-proxy-replacement: strict - # Disable tunnel mode - tunnel: disabled - # (optional) bbr network blocking control, with the requirement of kernel > 5.18 - enable-bbr: "true" - ``` + - Service type is ClusterIP + - Add the application pod labels to filter the proper application + - Configure the port + - Add an annotation to make the current Service effective globally. - - Use the default ConfigMaps for everything else + > When creating a service for cluster02, the service name must be the same for both clusters, + > The two clusters must locate in the same namespace, and have the same port name and global annotation. -1. Click `Create Cluster` to complete the creation. +## Cross-cluster communication -## Second method: modify Cilium ConfigMaps +1. Check the pod IP of the application in cluster02. -If the cluster has been created and you need to enable acceleration parameters, you can modify the `Cilium-Config` file. + -Click `Container Management`--> `Clusters`. Go to the created cluster and click `ConfigMaps & Secrets`. Select `Config Items`, find `Cilium-config`, and then click Edit to enter the following acceleration parameters: +2. On the page of cluster01 details, click __Pod__ -> __Console__ of rebel-base , and then curl the Pod + IP of cluster02's rebel-baseand, and successfully return the information from cluster02 indicating that the pods in two + clusters can communicate with each other. -![cilium-sppedup02](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-speedup2.png) + -![speed-up03](https://docs.daocloud.io/daocloud-docs-images/docs/en/docs/network/images/cilium-speedup3.png) +3. 
Check the service name of cluster01. Click __Pod__ -> __Console__ of rebel-base in cluster02, + then curl the proper service name of cluster01. Some of the returned content is from cluster01, + which means that the pods and Services in the two clusters can also communicate with each other. -Once the parameters are written, click `OK` to achieve Pod communication acceleration. + diff --git a/docs/en/navigation.yml b/docs/en/navigation.yml index e35113d2c1..4e721cdc43 100644 --- a/docs/en/navigation.yml +++ b/docs/en/navigation.yml @@ -500,8 +500,8 @@ nav: - Intro: network/modules/cilium/index.md - Args Config: network/modules/cilium/install.md - Unsupported Features: network/modules/cilium/notSupport.md - - Cilium Network Communication Acceleration: network/modules/cilium/cross-cluster.md - - Cross-Cluster Application Communication: network/modules/cilium/cilium-speedup.md + - Cilium Network Communication Acceleration: network/modules/cilium/cilium-speedup.md + - Cross-Cluster Application Communication: network/modules/cilium/cross-cluster.md - Cilium Network Policy Support for IPVlan: network/modules/cilium/cilium_chaining.md - Contour: - Intro: network/modules/contour/index.md diff --git a/docs/zh/docs/network/images/cilium_speedup001.png b/docs/zh/docs/network/images/cilium_speedup001.png new file mode 100644 index 0000000000..1f2c49cf4f Binary files /dev/null and b/docs/zh/docs/network/images/cilium_speedup001.png differ diff --git a/docs/zh/docs/network/modules/cilium/cilium-speedup.md b/docs/zh/docs/network/modules/cilium/cilium-speedup.md index 6e9953a9fb..bb4796619f 100644 --- a/docs/zh/docs/network/modules/cilium/cilium-speedup.md +++ b/docs/zh/docs/network/modules/cilium/cilium-speedup.md 
@@ -1,9 +1,6 @@ -# 应用跨集群通信 +# Cilium 网络通信加速 -## 介绍 - -随着微服务进程发展,为了满足应用隔离、高可用/容灾以及运维管理的需求,许多企业选择部署多个 Kubernetes(K8s)集群。然而,这种多集群部署带来了一个问题:一些应用依赖于其他 K8s 集群中的 -微服务,需要实现集群间的通信。具体而言,需要从一个集群的 Pod 去访问另外一个集群的 Pod 或者 Service。 +本章节介绍如何配置 Cilium 通信加速能力,本章节提供 2 种方式配置,可根据需要进行选择。 ## 前提条件 
@@ -36,246 +33,49 @@ grub2-mkconfig -o /boot/grub2/grub.cfg ``` -## 创建集群 - -> 关于创建集群的更多信息,可参考[创建集群](../../../kpanda/user-guide/clusters/create-cluster.md) +> 注意手动更新内核可能有风险,生产环境谨慎操作。 -1. 创建两个名称不同的集群分别为 cluster01 和 cluster02。 +## 方式一:创建集群时配置 - ![创建集群1](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster1.png) - - - 集群 cluster01 的网络插件选择 Cilium - - 添加两个参数 `cluster-id`和 `cluster-name` - - 其他均使用默认配置项 +1. 点击 **容器管理** -> **集群列表** ,点击 **创建集群** ,输入集群 **基本信息** 、 **节点配置** 信息后,进入 **网络配置** 进行如下配置。 -2. 以同样的步骤创建集群 cluster02。 + ![cilium_speedup01](../../images/cilium_speedup001.png) - ![创建集群2](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster2.png) + - 集群的网络插件选择 **cilium** + - 添加 **其他参数** 如下: - > 两个集群使用的容器网段和服务网段一定不能冲突。两个参数的值不能冲突,便于标识集群确保唯一性,避免跨集群通信时出现冲突。 + ```yaml + cilium_auto_direct_node_routes: "true" #路由模式下必须设置为 True, 否则无法路由跨节点流量 + cilium_enable_bpf_masquerade: "true" #设置该参数为 true 之后,如果使用了 masquerading 特性,那么会基于 eBPF 来替代 iptables 的实现,需要内核 5.10 及之后版本,否则就算开启也会降级到 iptables 实现 + cilium_enable_ipv6_masquerade: "false" #对于 POD 访问外界的流量做源地址转换,如果使用 tunnel 模式需要开启,如果是通过 BGP 打通了物理网络则禁用 + cilium_enable_host_legacy_routing: "false" # 关闭可以主机处理数据包时绕过其内核协议栈,加快数据转发。默认情况下打开,但如果主机内核不支持,则回退到传统行为 + cilium_enable_bandwidth_manager: "true # 打开bandwidth_manager,提高tcp、udp的性能 + cilium_kube_proxy_replacement: strict # 启用 kube_proxy replacement 功能,需要删除 kube_proxy 组件 + cilium_tunnel_mode: disabled # 关闭隧道模式 + cilium_enable_bbr: "true" #(可选) bbr网络阻塞控制,提供更高的带宽及更低的延时。要求内核大于5.18 + ``` -## 为 API Server 创建 Service - -1. 集群创建成功后,在两个集群上分别创建一个 Service,用于将该集群的 API server 对外暴露。 - - ![创建service](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster3.png) + - 其他均使用默认配置项 - ![创建service](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster4.png) +1. 
点击 **创建集群** 完成创建。 - - 集群 cluster01 访问类型选择 NodePort, 便于外部访问 - - 命名空间选择 kube-system,即 API Server 所在命名空间 - - 标签选择器筛选 API Server 组件,可返回查看 API Server 的选择器 - - 配置 Service 的访问端口,容器端口为 6443 - - 获取该 Service 的外部访问链接 +## 方式二:修改 Cilium Config 配置 -2. 再以同样方式在集群 cluster02 上为 API Server 创建 Service。 +如集群已经创建,需要开启加速参数,可修改 `Cilium-Config` 文件。 - ![创建service](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster5.png) +点击 **容器管理** -> **集群列表** ,点击已创建的集群名称,进入详情后,点击 **配置与秘钥** ,选择 **配置项** ,找到 **cilium-config** 点击编辑,输入上述加速参数: - ![创建service](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster6.png) +![cilium-sppedup02](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/cilium-speedup02.jpg) -## 修改集群配置 +![speed-up03](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/cilium-sppedup03.jpg) -通过 `vi` 命令开始编辑 集群 cluster01 和集群 cluster02 的 `kubeconfig` 文件: +参数编写完成后,点击完成。检查 cilium agent Daemonset(cilium-agent 的 containers)是否存在以下 ENV。如果没有,需要手动添加: -```bash -vi $HOME/.kube/config +```yaml +- name: KUBERNETES_SERVICE_HOST + value: +- name: KUBERNETES_SERVICE_PORT + value: "6443" ``` -1. 在两个集群 cluster01 和 cluster02 里分别添加新的 `cluster`、`context`、`user` 信息。 - - - 在 `clusters` 下面添加新的 `cluster` 信息:两个集群原有的 CA 颁发机构不变;新的 `server` 地址改为上述创建的 API Server Service 地址;`name` 改为两个集群本身的名称:cluster01 和 cluster02。 - - > API Server Service 的地址可以从 DCE5.0 的页面查看或复制,需要使用 https 协议。 - - - 在 `contexts` 下面添加新的 `context` 信息:将 `context` 中集群的 `name` 、`user`、`cluster` 三个字段的值均修改为两个集群本身的名称:cluster01 和 cluster02 。 - - - 在 `users` 下面添加新的 `user` 信息:两个集群 cluster01 和 cluster02 分别复制本身原有的证书信息,将 name 改为两个集群本身的名称:cluster01 和 cluster02。 - -2. 
在对端集群中分别互相添加已经创建好的 `cluster` 、`context`、`user` 信息。 - - 如下为操作过程中的 yaml 示例: - - ```yaml - clusters: - - cluster: #添加本集群 cluster01 `cluster`信息 - certificate-authority-data: {{cluster01}} - server: https://{{https://10.6.124.66:31936}} - name: {{cluster01 }} - - cluster: #添加对端集群 cluster02`cluster`信息 - certificate-authority-data: {{cluster02}} - server: https://{{https://10.6.124.67:31466}} - name: {{cluster02}} - ``` - - ```yaml - contexts: - - context: #添加本集群 cluster01 `context` 信息 - cluster: {{cluster01 name}} - user: {{cluster01 name}} - name: {{cluster01 name}} - - context: #添加对端集群 cluster02 `context`信息 - cluster: {{cluster02 name}} - user: {{cluster02 name}} - name: {{cluster02 name}} - current-context: kubernetes-admin@cluster.local - ``` - - ```yaml - users: - - name: {{cluster01}} #添加本集群 cluster01 `user`信息 - user: - client-certificate-data: {{cluster01 certificate-data}} - client-key-data: {{cluster01 key-data}} - - name: {{cluster02}} #添加对端集群 cluster02 `user`信息 - user: - client-certificate-data: {{cluster02 certificate-data}} - client-key-data: {{cluster02 key-data}} - ``` - -## 配置集群连通性 - -执行如下命令验证集群的连通性: - -1. 在集群 cluster01 上输入: - - ```bash - cilium clustermesh enable --create-ca --context cluster01 --service-type NodePort - ``` - -2. 集群 cluster02 开启 `clustermesh` 执行如下命令: - - ```bash - cilium clustermesh enable --create-ca --context cluster02 --service-type NodePort - ``` - -3. 在集群 cluster01 上建立连接: - - ```bash - cilium clustermesh connect --context cluster01 --destination-context cluster02 - ``` - -4. 集群 cluster01 出现 `connected cluster1 and cluster2!` ,集群 cluster02 出现 `ClusterMesh enabled!` 说明两个集群通了。 - - ![连通](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster7.png) - - ![连通](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster8.png) - -## 创建演示应用 - -1. 
使用 Cilium 官方文档中提供的 [rebel-base](https://github.com/cilium/cilium/blob/main/examples/kubernetes/clustermesh/global-service-example/cluster1.yaml) 应用,复制如下 yaml 文件: - - ```yaml - apiVersion: apps/v1 - kind: Deployment - metadata: - name: rebel-base - spec: - selector: - matchLabels: - name: rebel-base - replicas: 2 - template: - metadata: - labels: - name: rebel-base - spec: - containers: - - name: rebel-base - image: docker.io/nginx:1.15.8 - volumeMounts: - - name: html - mountPath: /usr/share/nginx/html/ - livenessProbe: - httpGet: - path: / - port: 80 - periodSeconds: 1 - readinessProbe: - httpGet: - path: / - port: 80 - volumes: - - name: html - configMap: - name: rebel-base-response - items: - - key: message - path: index.html - --- - apiVersion: v1 - kind: ConfigMap - metadata: - name: rebel-base-response - data: - message: "{\"Galaxy\": \"Alderaan\", \"Cluster\": \"Cluster-1\"}\n" #将 Cluster-1 修改为集群一的名称 - --- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: x-wing - spec: - selector: - matchLabels: - name: x-wing - replicas: 2 - template: - metadata: - labels: - name: x-wing - spec: - containers: - - name: x-wing-container - image: quay.io/cilium/json-mock:v1.3.3@sha256:f26044a2b8085fcaa8146b6b8bb73556134d7ec3d5782c6a04a058c945924ca0 - livenessProbe: - exec: - command: - - curl - - -sS - - -o - - /dev/null - - localhost - readinessProbe: - exec: - command: - - curl - - -sS - - -o - - /dev/null - - localhost - ``` - -2. 在 DCE 5.0 中通过 yaml 文件快速分别创建两个集群 cluster01 和 cluster02 的应用。 - - ![创建应用](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster9.png) - - 分别修改 `ConfigMap` 的内容,使得访问集群 cluster01 和集群 cluster02 中的 Service 时,返回的数据分别带有 cluster01 和 cluster02 名称的标签。可在 `rebel-base` 应用中查看容器组标签。 - -3. 
在两个集群 cluster01 和 cluster02 中分别创建一个 global service video 的 Service,指向的是已创建的 `rebel-base` 应用。 - - ![创建service应用](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster10.png) - - ![创建service应用](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster11.png) - - - Service 类型为 ClusterIP - - 添加应用的容器组标签筛选对应的应用 - - 配置端口 - - 添加注解,使当前的 Service 在全局生效 - - > 在创建集群 cluster02 的 Service 时,两个集群的 service name 必须相同,并位于相同的命名空间,拥有相同的端口名称和相同的 global 注解。 - -## 跨集群通信 - -1. 先查看集群 cluster02 中应用的 Pod IP。 - - ![查看pod ip](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster12.png) - -2. 进入集群 cluster01 详情,点击应用 rebel-base 的 __容器组__ -> __控制台__ ,curl 集群 cluster02 应用 rebel-base 的 Pod IP,成功返回 - cluster02 信息,说明两个集群中的 Pod 可以相互通信。 - - ![pod 通信](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster13.png) - -3. 查看集群 cluster01 的 Service 名称,进入集群 cluster02 应用 rebel-base 的 __容器组__ -> __控制台__ ,`curl` 对应的 cluster01 的 Service 名称, - 有些返回内容来自 cluster01,说明两个集群中的 Pod 和 Service 也可以互相通信。 - - ![Pod 和 Service通信](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster14.png) +添加完成后重启 Cilium agent pod。 diff --git a/docs/zh/docs/network/modules/cilium/cross-cluster.md b/docs/zh/docs/network/modules/cilium/cross-cluster.md index fbdfec60a2..aa7428bbb2 100644 --- a/docs/zh/docs/network/modules/cilium/cross-cluster.md +++ b/docs/zh/docs/network/modules/cilium/cross-cluster.md @@ -1,12 +1,12 @@ -# Cilium 网络通信加速 +# 应用跨集群通信 -## 介绍 - -本章节介绍如何配置 Cilium 通信加速能力,本章节提供 2 种方式配置,可根据需要进行选择 +随着微服务进程发展,为了满足应用隔离、高可用/容灾以及运维管理的需求,许多企业选择部署多个 Kubernetes(K8s)集群。 +然而,这种多集群部署带来了一个问题:一些应用依赖于其他 K8s 集群中的 +微服务,需要实现集群间的通信。具体而言,需要从一个集群的 Pod 去访问另外一个集群的 Pod 或者 Service。 ## 前提条件 -请确认操作系统 Kernel 版本号 >= 4.9.17,推荐 5.10+。查看并安装升级最新的 Linux 内核版本,您可以按照如下命令进行操作: +请确认操作系统 Kernel 版本号 >= v4.9.17,推荐 v5.10+。查看并安装升级最新的 Linux 内核版本,您可以按照如下命令进行操作: 1. 查看当前内核版本: 
@@ -35,40 +35,248 @@ grub2-mkconfig -o /boot/grub2/grub.cfg ``` -## 方式一:创建集群时配置 +> 注意手动更新内核可能有风险,生产环境谨慎操作。 -1. 点击`容器管理`-->`集群列表`,点击`创建集群`,输入集群`基本信息`,`节点配置`信息后,进入`网络配置`进行如下配置。 ![cilium-speedup01](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/cilium-speedup01.jpg) +## 创建集群 - - 集群的网络插件选择 `cilium` +> 关于创建集群的更多信息,可参考[创建集群](../../../kpanda/user-guide/clusters/create-cluster.md) - - 添加`其他参数` 如下: +1. 创建两个名称不同的集群分别为 cluster01 和 cluster02。 - ``` - auto-direct-node-routes: "true" #路由模式下必须设置为 True, 否则无法路由跨节点流量 - enable-bpf-masquerade: "true" #设置该参数为 true 之后,如果使用了 masquerading 特性,那么会基于 eBPF 来替代 iptables 的实现,需要内核 5.10 及之后版本,否则就算开启也会降级到 iptables 实现 - enable-ipv6-masquerade: "false" #对于 POD 访问外界的流量做源地址转换,如果使用 tunnel 模式需要开启,如果是通过 BGP 打通了物理网络则禁用 - install-no-conntrack-iptables-rules: "true" # 为 pod 下发 no-ct 的iptables规则,提升性能 - enable-host-legacy-routing: "false" # 关闭可以主机处理数据包时绕过其内核协议栈,加快数据转发。默认情况下打开,但如果主机内核不支持,则回退到传统行为 - enable-bandwidth-manager: "true # 打开bandwidth-manager,提高tcp、udp的性能 - kube-proxy-replacement: strict # 启用 kube-proxy replacement 功能,需要删除 kube-proxy 组件 - tunnel: disabled # 关闭隧道模式 - enable-bbr: "true" #(可选) bbr网络阻塞控制,要求内核大于5.18 - ``` + ![创建集群1](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster1.png) + - 集群 cluster01 的网络插件选择 Cilium + - 添加两个参数 `cluster-id`和 `cluster-name` - 其他均使用默认配置项 -2. 点击`创建集群`完成创建。 +2. 以同样的步骤创建集群 cluster02。 + + ![创建集群2](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster2.png) + + > 两个集群使用的容器网段和服务网段一定不能冲突。两个参数的值不能冲突,便于标识集群确保唯一性,避免跨集群通信时出现冲突。 + +## 为 API Server 创建 Service + +1. 
集群创建成功后,在两个集群上分别创建一个 Service,用于将该集群的 API server 对外暴露。 + + ![创建service](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster3.png) + + ![创建service](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster4.png) + + - 集群 cluster01 访问类型选择 NodePort, 便于外部访问 + - 命名空间选择 kube-system,即 API Server 所在命名空间 + - 标签选择器筛选 API Server 组件,可返回查看 API Server 的选择器 + - 配置 Service 的访问端口,容器端口为 6443 + - 获取该 Service 的外部访问链接 + +2. 再以同样方式在集群 cluster02 上为 API Server 创建 Service。 + + ![创建service](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster5.png) + + ![创建service](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster6.png) + +## 修改集群配置 + +通过 `vi` 命令开始编辑 集群 cluster01 和集群 cluster02 的 `kubeconfig` 文件: + +```bash +vi $HOME/.kube/config +``` + +1. 在两个集群 cluster01 和 cluster02 里分别添加新的 `cluster`、`context`、`user` 信息。 + + - 在 `clusters` 下面添加新的 `cluster` 信息:两个集群原有的 CA 颁发机构不变;新的 `server` 地址改为上述创建的 API Server Service 地址;`name` 改为两个集群本身的名称:cluster01 和 cluster02。 + + > API Server Service 的地址可以从 DCE5.0 的页面查看或复制,需要使用 https 协议。 + + - 在 `contexts` 下面添加新的 `context` 信息:将 `context` 中集群的 `name` 、`user`、`cluster` 三个字段的值均修改为两个集群本身的名称:cluster01 和 cluster02 。 + + - 在 `users` 下面添加新的 `user` 信息:两个集群 cluster01 和 cluster02 分别复制本身原有的证书信息,将 name 改为两个集群本身的名称:cluster01 和 cluster02。 + +2. 
在对端集群中分别互相添加已经创建好的 `cluster` 、`context`、`user` 信息。 + + 如下为操作过程中的 yaml 示例: + + ```yaml + clusters: + - cluster: #添加本集群 cluster01 `cluster`信息 + certificate-authority-data: {{cluster01}} + server: https://{{https://10.6.124.66:31936}} + name: {{cluster01 }} + - cluster: #添加对端集群 cluster02`cluster`信息 + certificate-authority-data: {{cluster02}} + server: https://{{https://10.6.124.67:31466}} + name: {{cluster02}} + ``` + + ```yaml + contexts: + - context: #添加本集群 cluster01 `context` 信息 + cluster: {{cluster01 name}} + user: {{cluster01 name}} + name: {{cluster01 name}} + - context: #添加对端集群 cluster02 `context`信息 + cluster: {{cluster02 name}} + user: {{cluster02 name}} + name: {{cluster02 name}} + current-context: kubernetes-admin@cluster.local + ``` + + ```yaml + users: + - name: {{cluster01}} #添加本集群 cluster01 `user`信息 + user: + client-certificate-data: {{cluster01 certificate-data}} + client-key-data: {{cluster01 key-data}} + - name: {{cluster02}} #添加对端集群 cluster02 `user`信息 + user: + client-certificate-data: {{cluster02 certificate-data}} + client-key-data: {{cluster02 key-data}} + ``` + +## 配置集群连通性 + +执行如下命令验证集群的连通性: + +1. 在集群 cluster01 上输入: + + ```bash + cilium clustermesh enable --create-ca --context cluster01 --service-type NodePort + ``` + +2. 集群 cluster02 开启 `clustermesh` 执行如下命令: + + ```bash + cilium clustermesh enable --create-ca --context cluster02 --service-type NodePort + ``` + +3. 在集群 cluster01 上建立连接: + + ```bash + cilium clustermesh connect --context cluster01 --destination-context cluster02 + ``` + +4. 集群 cluster01 出现 `connected cluster1 and cluster2!` ,集群 cluster02 出现 `ClusterMesh enabled!` 说明两个集群通了。 + + ![连通](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster7.png) + + ![连通](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster8.png) + +## 创建演示应用 + +1. 
使用 Cilium 官方文档中提供的 [rebel-base](https://github.com/cilium/cilium/blob/main/examples/kubernetes/clustermesh/global-service-example/cluster1.yaml) 应用,复制如下 yaml 文件: + + ```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + name: rebel-base + spec: + selector: + matchLabels: + name: rebel-base + replicas: 2 + template: + metadata: + labels: + name: rebel-base + spec: + containers: + - name: rebel-base + image: docker.io/nginx:1.15.8 + volumeMounts: + - name: html + mountPath: /usr/share/nginx/html/ + livenessProbe: + httpGet: + path: / + port: 80 + periodSeconds: 1 + readinessProbe: + httpGet: + path: / + port: 80 + volumes: + - name: html + configMap: + name: rebel-base-response + items: + - key: message + path: index.html + --- + apiVersion: v1 + kind: ConfigMap + metadata: + name: rebel-base-response + data: + message: "{\"Galaxy\": \"Alderaan\", \"Cluster\": \"Cluster-1\"}\n" #将 Cluster-1 修改为集群一的名称 + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: x-wing + spec: + selector: + matchLabels: + name: x-wing + replicas: 2 + template: + metadata: + labels: + name: x-wing + spec: + containers: + - name: x-wing-container + image: quay.io/cilium/json-mock:v1.3.3@sha256:f26044a2b8085fcaa8146b6b8bb73556134d7ec3d5782c6a04a058c945924ca0 + livenessProbe: + exec: + command: + - curl + - -sS + - -o + - /dev/null + - localhost + readinessProbe: + exec: + command: + - curl + - -sS + - -o + - /dev/null + - localhost + ``` + +2. 在 DCE 5.0 中通过 yaml 文件快速分别创建两个集群 cluster01 和 cluster02 的应用。 + + ![创建应用](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster9.png) + + 分别修改 `ConfigMap` 的内容,使得访问集群 cluster01 和集群 cluster02 中的 Service 时,返回的数据分别带有 cluster01 和 cluster02 名称的标签。可在 `rebel-base` 应用中查看容器组标签。 + +3. 
在两个集群 cluster01 和 cluster02 中分别创建一个 global service video 的 Service,指向的是已创建的 `rebel-base` 应用。 + + ![创建service应用](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster10.png) + + ![创建service应用](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster11.png) + + - Service 类型为 ClusterIP + - 添加应用的容器组标签筛选对应的应用 + - 配置端口 + - 添加注解,使当前的 Service 在全局生效 -## 方式二:修改 Cilium Config 配置 + > 在创建集群 cluster02 的 Service 时,两个集群的 service name 必须相同,并位于相同的命名空间,拥有相同的端口名称和相同的 global 注解。 -如集群已经创建,需要开启加速参数,可修改 `Cilium-Config` 文件。 +## 跨集群通信 -点击`容器管理`-->`集群列表`,点击已创建的`集群名称`,进入详情后,点击`配置与秘钥`,选择`配置项`,找到`cilium-config` 点击编辑,输入上述加速参数: +1. 先查看集群 cluster02 中应用的 Pod IP。 -![cilium-sppedup02](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/cilium-speedup02.jpg) + ![查看pod ip](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster12.png) -![speed-up03](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/cilium-sppedup03.jpg) +2. 进入集群 cluster01 详情,点击应用 rebel-base 的 __容器组__ -> __控制台__ ,curl 集群 cluster02 应用 rebel-base 的 Pod IP,成功返回 + cluster02 信息,说明两个集群中的 Pod 可以相互通信。 + ![pod 通信](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster13.png) +3. 查看集群 cluster01 的 Service 名称,进入集群 cluster02 应用 rebel-base 的 __容器组__ -> __控制台__ ,`curl` 对应的 cluster01 的 Service 名称, + 有些返回内容来自 cluster01,说明两个集群中的 Pod 和 Service 也可以互相通信。 -参数编写完成后,点击完成,应用 Pod 通信即可进行加速。 + ![Pod 和 Service通信](https://docs.daocloud.io/daocloud-docs-images/docs/zh/docs/network/images/network-cross-cluster14.png) diff --git a/docs/zh/navigation.yml b/docs/zh/navigation.yml index 7986732a21..1b46d1f824 100644 --- a/docs/zh/navigation.yml +++ b/docs/zh/navigation.yml 
@@ -535,8 +535,8 @@ nav: - 介绍: network/modules/cilium/index.md - 安装参数配置: network/modules/cilium/install.md - 未支持功能说明: network/modules/cilium/not-support.md - - Cilium 网络通信加速: network/modules/cilium/cross-cluster.md - - 应用跨集群通信: network/modules/cilium/cilium-speedup.md + - Cilium 网络通信加速: network/modules/cilium/cilium-speedup.md + - 应用跨集群通信: network/modules/cilium/cross-cluster.md - 实现IPVlan网络策略能力: network/modules/cilium/cilium_chaining.md - 集成 Contour: - 介绍: network/modules/contour/index.md
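Review bot: In the zh cilium-speedup.md hunk, the added env snippet leaves `value:` empty for `KUBERNETES_SERVICE_HOST`; the doc should say what belongs there (the address at which the cilium-agent can reach this cluster's API server, written as a clearly marked placeholder such as `value: "<API server address>"`), because with `kube-proxy-replacement: strict` and kube-proxy removed the agent can no longer rely on the in-cluster `kubernetes` Service to locate the API server, and an agent started with an empty host will fail to connect. Two smaller points in the same hunk: `配置与秘钥` should read `配置与密钥`, and the alt text `cilium-sppedup02` and the filename `cilium-sppedup03.jpg` look like misspellings of `speedup`; confirm the image really is stored under that name before merging, otherwise the link will 404.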
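Review bot: In the first cross-cluster.md hunk, the prerequisite line changes `4.9.17` / `5.10+` to `v4.9.17` / `v5.10+`, but `uname -r` (the command the page tells readers to use to check) prints the version without a `v` prefix, so the bare numbers were easier to compare against and should be kept.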
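Review bot: In the second cross-cluster.md hunk, the kubeconfig example writes `server: https://{{https://10.6.124.66:31936}}` (and the same for cluster02), which puts the scheme both outside and inside the placeholder; a reader who substitutes the value literally ends up with `https://https://...` and a kubeconfig that cannot connect. Suggest `server: {{https://10.6.124.66:31936}}` for both entries, and `name: {{cluster01 }}` has a stray space before the closing braces. The same hunk exposes each cluster's API server through a NodePort Service (`便于外部访问`) and then copies each cluster's `client-certificate-data` / `client-key-data` into the other cluster's kubeconfig; since a NodePort listens on every node and the copied material is an admin credential, the doc should add a sentence telling readers to restrict which source addresses can reach that port (node firewall rules, for example) and to treat the merged kubeconfig as holding admin access to both clusters.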