Kubernetes CNI classification / operation mechanism

CNI

The connectivity of the network is determined by CNI To deal with , That is to say pod When it's started , from CNI Plug in each plug-in to realize the configuration of the network , To achieve mutual network connectivity .

It not only needs to connect the network between the current node containers , We also need to open up the network between cross nodes .

kubernetes What are the basic principles of the network model , Is a cluster all pod All networks can be interconnected , Not pass NAT, All nodes do not need to go through NAT Can be connected to each other .

That is, my nodes must be interconnected , Their network is accessible , On this basis, I have CNI Some of the interfaces plugin To achieve specific right pod Configuration of container network , These containers can also be directly interconnected .

The address seen inside the container and the address seen outside the container are unique .

CNI Plug in classification and common plug-ins

 IPAM： be responsible for IP Address assignment , One pod To run , You have to give me one first IP, Then I can configure the network . So in kubernetes There is a kind of cni The plug-in is called IPAM Plug in for , This IPAM The main responsibility of the plug-in is to pod Distribute IP.

There is also the main plug-in , The main plug-in is IPAM Plug in pod Distribute IP in the future , So my one IP To configure this container, face it , I want to configure the container , Here are several modes .

For example, through the bridge mode , Connect the network between the host and the container , This is saying docker I have already talked about .

also ipvlan The pattern of , With ipvlan Connect the network card of the host and container in the form of .

also lookback How to configure the loopback address .

These are all things that the main plug-in needs to consider .

There are also some additional functions called metaplugin, Many plug-ins will support .

For example, hope for you pod Network current limiting , Probably pod It does not support the limitation of network bandwidth , But you can pass some annotation What is the bandwidth of your inbound traffic and outbound traffic , Then from metaplugin Go and help you limit the flow .

So this is additional capability .

CNI Plug in operation mechanism

 CNI and CRI It's different again ,CRI It's a GRPC service , from kubelet launch GRPC To CRI Of runtime, Then from CRI Of runtime Send the request , and CNI By container runtime Sponsored , This request will be sent to CNI plug-in unit ,CNI Is an executable file one by one , It is placed in a directory of the host ,container runtime When you need to configure the network , It needs to read first , scanning , Read the CNI Configuration file for , This configuration file will explain what plug-ins are used to configure the network , Then it will go to the corresponding executable , because CNI The plug-ins of are executable files one by one , When the container runs, it will go to the directory of the executable file to find the corresponding plugin The executable of , Then run the corresponding command , To complete the whole network configuration .

CNI and CRI Dissimilarity , It is called directly through the executable file , amount to os Of exec Command to execute .

It will have a default path , Under this directory, it stores the configuration files of the valid network plug-ins on the current node .

[[email protected] ~]# cd /etc/cni/net.d/
[[email protected] net.d]# ls
10-flannel.conflist


[[email protected] net.d]# cat 10-flannel.conflist 
{
  "name": "cbr0",
  "cniVersion": "0.3.1",
  "plugins": [
    {
      "type": "flannel",
      "delegate": {
        "hairpinMode": true,
        "isDefaultGateway": true
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    }
  ]
}

  In the plug-in configuration file, he defines , The first one is mine CNI Of version What is it? , the second plugin What is included , What is included is a series of configurations .

type It defines plugin yes flannel, You need to use flannel Of plugin Go and help me configure the network .

There are also metadata plugin, I want to open portmap Of plugin, Like calico To open the current limiting plugin,

    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    }

The third is IPAM,calico It is the Lord. plugin, In the main plugin On the basis of , my ipam With what , yes calico-ipam This plugin, All this is filled in type In fact, the corresponding executable files are one by one . That is, the current node is used calico Of cni, When you want to assign ip Will call when calico Of ipam The executable of , Distribution of the ip after , Then call calico This executable file , Then go to configure the network for my container . 

  When I want to limit the current, I need to call bandwidth, This is the default cni Configuration path .

You can see the location of the executable , You can see what is said calico-ipam, Include bandwidth It's all here. .

[[email protected] ~]# cd /opt/cni/bin/
[[email protected] bin]# ls
bandwidth  calico       dhcp      flannel      host-local  ipvlan    macvlan  ptp  static  vlan
bridge     calico-ipam  firewall  host-device  install     loopback  portmap  sbr  tuning

If your runtime switches to containerd, that containerd Need to be for pod To configure the network , You will go to the default configuration file directory to check what the current node uses plugin,cni Of plugin Found to be calico, Then it will parse this calico Configuration file for , stay calico In the configuration file of , Will define the Lord plugin yes calico,ipam Of plugin yes calico-ipam, then meta plugin yes bandwith.

Next containerd The path of the default executable file will be called calico-ipam Order to go for this pod configure network .

Above is cni How it works , It's more direct , Not through anything interface To call the completed . But through direct calls , Call to executable .

  You can see that the default print out is version, It's an executable , You can tell calico This plugin say , Which container do you want to create a network for , Delete the network for which container , So this CNI Of plugin You need to do specific actions .

[[email protected] bin]# ./calico
Calico CNI plugin v3.16.3

Below is the top cni Description of operation mechanism .

CNI Design and consideration of plug-ins

Through the above to understand cni How does the plug-in work , The first is the container runtime , You must call the plug-in before , Create a new network for this container namespace, Each container has its own different network namespace, For these networks, those plug-ins need to be implemented , These plug-ins are configured with json The format of , from containerd Read these configuration files , Then execute the corresponding plug-ins in sequence . 

  When pod When you want to delete , When the container is running, delete the network in the reverse order . In some scenarios, multiple network plug-ins will be configured , These network plug-ins may be different , Carry out one by one according to its established order .

When deleting the network , You should delete in the reverse order .

When cni When the plug-in configures the network for the container , It must be executed sequentially , You can't wait until the previous request has been processed , There is a new request to configure this container . In this case, it is likely that the intermediate status batches are not synchronized , This is the time IP It may be configured incorrectly . The first configuration has not been completed ,ip Just assigned , Then the second one came , And then a new one ip, Then there will be all kinds of problems in the end , So it must be sequential .

add and delete Operations are also sequential ,add Always followed by delete,delete There can be additional delete, Then what principles should plug-ins follow .

  Get through the host layer network

  Cross host network connection requires cni Plug-in support .

 cni Plug ins contain some general capabilities , such as loopback How to configure the port , such as ipvlan,bridge The creation of these devices . The creation of these interfaces is cni Standard plug-ins are configured .

This eth0 Of device It's us calico Of plugin To configure , This loopback Your address is cni Of loopback

This binary file is made up of standard cni Interface implemented . 

  therefore , The standard cni Interface , Some abilities are general abilities , Wherever you go , these loopback All network configurations need to be configured , These general capabilities require cni The standard plug-ins provided by the organization . So it provides the configuration of specific general capabilities .