$ cat > calico-csr.json <<EOF
{
"CN": "calico",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "4Paradigm"
}
]
}
EOF
$ cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes calico-csr.json | cfssljson -bare calico
$ ls calico*pem
$ chmod 755 /etc/kubernetes/ssl/calico*pem
$ kubectl create secret generic -n kube-system calico-etcd-secrets \
--from-file=etcd-ca=/etc/kubernetes/ssl/ca.pem \
--from-file=etcd-key=/etc/kubernetes/ssl/calico-key.pem \
--from-file=etcd-cert=/etc/kubernetes/ssl/calico.pem
$ export NODE_IPS=(192.168.133.129 192.168.133.130 192.168.133.131 192.168.133.132)
$ for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
scp calico* ${node_ip}:/etc/kubernetes/ssl
ssh ${node_ip} "chmod 755 /etc/kubernetes/ssl/calico*pem"
done
$ wget https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/rbac.yaml
$ wget https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/calico.yaml
## 更改为自己的etcd集群
$ sed -i 's@.*etcd_endpoints:.*@\ \ etcd_endpoints:\ \"https://192.168.133.128:2379,https://192.168.133.129:2379,https://192.168.133.130:2379\"@gi' calico.yaml
## 通过证书访问etcd集群
$ sed -i 's@__ETCD_KEY_FILE__@/etc/kubernetes/ssl/calico-key.pem@gi' calico.yaml
$ sed -i 's@__ETCD_CERT_FILE__@/etc/kubernetes/ssl/calico.pem@gi' calico.yaml
$ sed -i 's@__ETCD_CA_CERT_FILE__@/etc/kubernetes/ssl/ca.pem@gi' calico.yaml
$ sed -i 's@.*etcd_ca:.*@\ \ etcd_ca:\ "/calico-secrets/etcd-ca"@gi' calico.yaml
$ sed -i 's@.*etcd_cert:.*@\ \ etcd_cert:\ "/calico-secrets/etcd-cert"@gi' calico.yaml
$ sed -i 's@.*etcd_key:.*@\ \ etcd_key:\ "/calico-secrets/etcd-key"@gi' calico.yaml
## 修改 pod IP网段
$ sed -i '[email protected]/[email protected]/16@gi' calico.yaml
## 删除证书秘钥字段,通过上面的证书访问集群
$ sed -i '59,76d' calico.yaml
## 修改容器的镜像地址为docker.io
$ sed -i 's#quay.io/##' calico.yaml
$ export NODE_IPS=(192.168.133.128 192.168.133.129 192.168.133.130 192.168.133.131)
$ for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh ${node_ip} "rm -rf /etc/cni/net.d/*"
done
$ kubectl create -f rbac.yaml
$ kubectl create -f calico.yaml
$ wget https://github.com/projectcalico/calicoctl/releases/download/v3.1.3/calicoctl
$ chmod +x calicoctl
$ ./calicoctl node status
Calico process is running.
IPv4 BGP status
+-----------------+-------------------+-------+----------+-------------+
| PEER ADDRESS | PEER TYPE | STATE | SINCE | INFO |
+-----------------+-------------------+-------+----------+-------------+
| 192.168.133.129 | node-to-node mesh | up | 13:35:33 | Established |
| 192.168.133.130 | node-to-node mesh | up | 13:35:34 | Established |
| 192.168.133.131 | node-to-node mesh | up | 13:35:34 | Established |
+-----------------+-------------------+-------+----------+-------------+
IPv6 BGP status
No IPv6 peers found.
BGP 协议是通过TCP 连接来建立邻居的,因此可以用netstat 命令验证 BGP Peer
$ netstat -antlp|grep ESTABLISHED|grep 179
tcp 0 0 192.168.133.128:13226 192.168.133.128:179 ESTABLISHED 84068/bird
tcp 0 0 192.168.133.128:31565 192.168.133.129:179 ESTABLISHED 84068/bird
tcp 0 0 192.168.133.128:179 192.168.133.131:53066 ESTABLISHED 84068/bird
tcp 0 0 192.168.133.128:179 192.168.133.132:22586 ESTABLISHED 84068/bird
tcp 0 0 192.168.133.128:5613 192.168.133.130:179 ESTABLISHED 84068/bird
$ cat > nginx-ds.yml <<EOF
apiVersion: v1
kind: Service
metadata:
name: nginx-ds
labels:
app: nginx-ds
spec:
type: NodePort
selector:
app: nginx-ds
ports:
- name: http
port: 80
targetPort: 80
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: nginx-ds
labels:
addonmanager.kubernetes.io/mode: Reconcile
spec:
template:
metadata:
labels:
app: nginx-ds
spec:
containers:
- name: my-nginx
image: nginx:1.7.9
ports:
- containerPort: 80
EOF
$ kubectl create -f nginx-ds.yml
$ kubectl get pods -o wide|grep nginx-ds
$ kubectl get pods -o wide|grep nginx-ds
nginx-ds-2z4gv 1/1 Running 0 21s 172.30.181.193 192.168.133.131 <none> <none>
nginx-ds-flzrd 1/1 Running 0 21s 172.30.217.1 192.168.133.129 <none> <none>
nginx-ds-kqfrw 1/1 Running 0 21s 172.30.205.129 192.168.133.130 <none> <none>
nginx-ds-xjbb5 1/1 Running 0 21s 172.30.176.1 192.168.133.128 <none> <none>
$ NODE_IPS=(192.168.133.128 192.168.133.129 192.168.133.130 192.168.133.131)
$ for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh ${node_ip} "ping -c 4 172.30.181.193"
ssh ${node_ip} "ping -c 4 172.30.217.1"
ssh ${node_ip} "ping -c 4 172.30.205.129"
ssh ${node_ip} "ping -c 4 172.30.176.1"
done
$ kubectl get services |grep nginx-ds
nginx-ds NodePort 10.254.158.126 <none> 80:30518/TCP 3m51s
$ NODE_IPS=(192.168.133.128 192.168.133.129 192.168.133.130 192.168.133.131)
$ for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh ${node_ip} "curl 10.254.158.126"
done
因为这里calico网络使用etcd存储数据,所以可以在etcd集群中查看数据。calico 3.x 版本默认使用 etcd v3存储,登陆集群的一个etcd 节点,查看命令: 查看所有calico相关数据
$ export ETCDCTL_API=3
$ etcdctl \
--cacert=/etc/kubernetes/ssl/ca.pem \
--cert=/etc/etcd/ssl/etcd.pem \
--key=/etc/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.133.128:2379,https://192.168.133.129:2379,https://192.168.133.130:2379" \
get --prefix /calico
查看 calico网络为各节点分配的网段
$ export ETCDCTL_API=3
$ etcdctl \
--cacert=/etc/kubernetes/ssl/ca.pem \
--cert=/etc/etcd/ssl/etcd.pem \
--key=/etc/etcd/ssl/etcd-key.pem \
--endpoints="https://192.168.133.128:2379,https://192.168.133.129:2379,https://192.168.133.130:2379" \
get --prefix /calico/ipam/v2/host