Shulou(Shulou.com)06/01 Report--

How to understand the default connectivity of Calico, in view of this problem, this article introduces the corresponding analysis and solutions in detail, hoping to help more partners who want to solve this problem to find a more simple and easy way.

We completed the deployment of the Calico network and ran the container earlier, and today we will discuss the connectivity of Calico.

Test connectivity between bbox1 and bbox2:

The ping is successful and the packet flow is shown in the following figure.

① sends packets from bbox1 based on the routing table of cal0.

The ② data goes through veth pair to host1, looks at the routing table, and the data is sent by enp0s8 to host2 (192.168.56.105).

192.168.183.64/26 via 192.168.56.105 dev enp0s8 proto bird

③ host2 receives the packet, sends it to calic8bf9e68397 according to the routing table, and then reaches bbox2 through veth pair cali0.

192.168.183.65 dev calic8bf9e68397 scope link

Next, let's look at the connectivity between different calico networks.

Create a cal_net2.

Docker network create-- driver calico--ipam-driver calico-ipam cal_net2

Run the container bbox3 in host1 and connect to cal_net2:

Docker container run-net cal_net2-name bbox3-tid busybox

Calico assigned IP 192.168.119.5 to bbox3.

Verify connectivity between bbox1 and bbox3.

Although both bbox1 and bbox3 are located in host1 and both are in a subnet 192.168.119.0, they belong to different calico networks and are not passable by default.

The default policy rule for calico is that containers can only communicate with containers in the same calico network.

Each network of calico has a profile,profile of the same name that defines the policy of that network. Let's take a look at cal_net1 's profile:

Calicoctl get profile cal_net1-o yaml

The ① is named cal_net1, which is the profile of the calico network cal_net1.

② adds a tag cal_net1 to the profile. Note that although this tag is also called cal_net1, it can be set at will, which has nothing to do with name: cal_net1 above. This tag will be used later.

③ egress controls packets sent from the container, and there are currently no restrictions.

④ ingress restricts packets entering the container. The current setting is to receive containers from tag cal_net1. According to step ①, we know that only packets from this network are actually received, which further explains the previous experimental results.

Since this is the default policy, there is a way to customize policy, which is the biggest feature of calico compared to other network solutions.

This is the answer to the question on how to understand the default connectivity of Calico. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel to learn more about it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.