Routing and switching Technology of kubernetes Cluster Network

2025-01-18 update. From: SLTechnology News&Howtos (shulou), Servers section.


Shulou (Shulou.com) 06/03 report

Kubernetes is an open source container orchestration engine from Google that supports automated deployment, large-scale scaling, and management of containerized applications. When an application is deployed in production, several instances of it are usually run so that requests can be load balanced across them.

In Kubernetes we create multiple containers, run one application instance in each, and then manage, discover and reach this group of instances through the built-in load balancing policy; none of these details have to be configured by hand by operations staff.

The kubernetes network needs to solve the following four issues:

Within the cluster

Communication between containers in the same Pod

Communication between Pod and Pod

Communication between Pod and Service

Outside the cluster

Communication between external applications and Service

1. Corporate network architecture

Look at this architecture diagram first. At the bottom are the servers we maintain. To reach the network, their traffic must be forwarded up through the links above them. Servers and office computers are all connected to switches, which have many ports; this is the access layer. Above that is the core switch, a layer 3 device that also applies network policy. Further up, traffic from the core switch must reach the Internet, so it is forwarded through a router; only then can we visit websites such as Baidu or Google. Reaching Baidu's servers goes through the same kinds of devices on their side: switches, routers and so on. Many small independent networks connected to one another form one huge whole, and that is the Internet.

Most corporate networks are divided into the following layers:

Routers: network egress

Core layer: mainly performs efficient data forwarding, link backup and so on. It sits directly under the router and is the upstream entry point for all the switches and servers below it, so its main job is to forward the traffic from below efficiently. Sometimes a separate layer is split out here: an aggregation layer is added above the layer 2 switches. The aggregation layer usually implements network policy. Packets come in from the Internet and are controlled at layer 3. Below it there may be many VLANs (virtual LANs); large companies generally use layer 3 switching to divide the network into multiple VLANs and apply policy to them. For example, the office network cannot reach the server room by default; if it needs to, an ACL must be requested. The same applies between the office and the test server room: there is no connectivity by default, for security, and an ACL must be requested. All of this is managed in the core and aggregation layers, which then connect down to the access switches, just as in the server room.

In short, there are three layers: access layer -> core layer / aggregation layer -> network exit.

Aggregation layer: network policy, security, uplink for the workstation switches, communication between VLANs, and similar functions

Access layer: where workstations and servers connect

The next question is: when a server or PC in the access layer wants to reach the Internet, how are its packets forwarded?

We also need to know how other people reach our server, where that traffic comes from, and how LANs in different locations communicate with each other.

And if two hosts are in the same VLAN, that is, the same local area network, how do they communicate?

To answer these questions we need to understand two network devices: the switch and the router.

In our study of k8s the network devices are invisible; the work behind the scenes is still done by routers and switches, but you never see them, only some operations on the server. We still need to know how traffic gets out behind the scenes.

2. Switching technology

Have you ever thought about how hosts communicate in the local area network? How does the host communicate when it accesses the external network?

If you want to understand these problems, you have to start with switches and routers.

This is a Huawei H4C switch. Switches come in 24-port and 48-port models, so they have far more ports than a router, because their job is to connect many workstations: PCs and servers. A router, by contrast, has few upstream and downstream devices, generally only 4 or 5 ports. What the switch does is switching. We need to understand how switching works, how hosts communicate inside the local area network, and how a host communicates when it reaches an external network.

The switch operates at the second layer of the OSI reference model, the data link layer. It has a high-bandwidth backplane bus and can transfer data between multiple port pairs at the same time.

Switches are divided into layer 2 and layer 3, which refers to layer 2 (the data link layer) and layer 3 (the network layer) of the OSI model.

Switching technology is divided into layer 2 and layer 3:

Layer 2: mainly used in small local area networks; it only forwards at the data link layer, based on MAC addresses, and connects workstations.

Layer 3: layer 3 switching was created to solve the broadcast domain problem. After years of development, layer 3 switches have become the main building block of large and medium-sized networks. They take over the router's function of forwarding packets based on IP, mainly to limit broadcast domains.

For example, a switch has two PCs below it, host A and host B. When host A wants to reach host B, how do they communicate?

The two PCs are physically separate and connected only by the switch, so to understand how they communicate we need to understand how the switch works.

Here is a brief summary of the functions of the OSI layers:

Application layer: (the various application protocols, such as http, ftp, pop3, smtp, etc.)

Transport layer: TCP/UDP (receives data from the upper layer, splits it if necessary, hands the segments to the network layer, and ensures these segments reach the far end)

Network layer: IP address (controls the operation of the subnet: logical addressing, packet transmission, routing); corresponding device: router

Data link layer: MAC address (physical addressing; the address burned into the network card by its manufacturer, unique on the network; turns the raw bit stream into a logical transmission line); corresponding device: switch

Physical layer: bit stream (raw bit transmission over the mechanical, electrical and timing interfaces of the communication channel)

Inside the switch, forwarding is done by the layer 2 MAC address: the network card in each computer has a physical address that is unique and assigned by the manufacturer, and the switch forwards on this MAC address. When host A sends a file to host B, an IP address is involved; it is like a house number, and the host can be found through it, so A must know B's IP. But the switch does not care about the IP, because it is designed to address by MAC, so host A must learn the MAC address of the target host before it can build a layer 2 packet, called a frame. The two hosts are on the same network segment; if they were not, they could not talk to each other directly. Even though the other side's IP is known, the switch forwards on the other side's MAC. Because it works at layer 2, it relies on the ARP protocol, a TCP/IP protocol that obtains the physical address for an IP address. When a host wants to send, it broadcasts an ARP request containing the destination IP to all hosts on the local network and uses the reply to learn the physical address of the destination. After the reply is received, the IP and physical address pair is stored in the local ARP cache and kept for a certain time, so the next request is answered from the cache and saves resources; from then on the packet can be sent directly. The four-tuple is then formed: source IP, source MAC, destination IP, destination MAC. That is a layer 2 packet, and the transmission is complete.

This brings in the problem of the broadcast domain. A company has one large network, which is divided into many virtual networks. Suppose there are more than 20 hosts under a switch. Broadcast packets are received by every other host, and some hosts send a lot of broadcasts, for example for a destination that does not exist, say a host 1.30 that is not there. If the switch keeps failing to find it and keeps broadcasting, the result is wasted traffic, network delay, and in the worst case a paralysed network. To solve this, hundreds of hosts are divided into small LANs. Without such division, a broadcast for a MAC that cannot be found affects the whole broadcast domain; with small LANs it only affects a few hosts. That is the VLAN: one VLAN is one broadcast domain, and one router port is also one broadcast domain. The function of a VLAN is to logically divide one physical network into different LANs. A VLAN isolates the broadcast domain, and a router also isolates broadcast domains, so each router interface is one broadcast domain. If a broadcast storm or ARP spoofing occurs in a VLAN (ARP spoofing means forging the IP and MAC addresses in the source and destination fields of Ethernet packets, with large amounts of ARP traffic, causing network outages or a man-in-the-middle; ARP is confined to the local area network, and if one computer is infected with ARP malware it tries to intercept the traffic of the other computers in the LAN through ARP spoofing, causing their communication to fail), it only affects the hosts in that VLAN's broadcast domain. This is why large companies divide their networks into VLANs.

Broadcast domain

When forwarding data, the switch broadcasts first; the area the broadcast can reach is a broadcast domain. Switches are transparent to broadcast frames, so the network formed by interconnected switches is one broadcast domain.

The network under one interface of a router is a broadcast domain, so a router isolates broadcast domains.

ARP (Address Resolution Protocol; replaced by NDP in IPv6)

The broadcast frame is sent by the ARP protocol. ARP is a TCP/IP protocol that obtains a physical address from an IP address; it is responsible for resolving an IP address into the corresponding MAC address.

Layer 3 switch

The layer 2 switch described above works only at the data link layer, while the router works at the network layer. A layer 3 switch can work at both the data link layer and the network layer, forwarding by MAC address or by IP address. It integrates the router's function at layer 3 with layer 2 switching, which is why it is called a layer 3 switch. Replacing a layer 2 switch with a layer 3 switch allows communication between different VLANs. Different VLANs are isolated LANs and are not on the same network segment, so layer 2 cannot reach across them: a broadcast does not spread from one VLAN to the other, and traffic can only be forwarded by consulting a table. A layer 3 switch still cannot replace the routing function, because it was originally designed to solve the broadcast domain problem between VLANs; over the years it has also taken on network policy, security and similar functions, which are now mature.

Network bridge

Bridges (Bridge) are early two-port layer 2 network devices used to connect different network segments. The two ports of a bridge have independent switching channels, do not share a backplane bus, and so isolate the collision domain. Bridges perform better than hubs (Hub), in which all ports share one backplane bus. Later the bridge was replaced by the switch (Switch), which has more ports and also isolates collision domains.

VLAN (Virtual Local Area Network): virtual local area network

VLAN is a method of logically dividing LAN devices into network segments.

A VLAN is a broadcast domain, and communication between VLANs goes through a layer 3 router. VLANs are widely used; almost every network project is divided into VLANs.

The main benefits of VLAN are:

Divide the broadcast domain and reduce the influence range of broadcast storm.

Improve network security by dividing the network into segments according to department, purpose and application

As mentioned above, when a host broadcasts an ARP request it receives the destination MAC address in the reply and stores a copy in its ARP cache table, which can also be viewed from the command line.

You can see it with arp -a. The purpose of the cache is that the next time a packet is sent, the host does not have to broadcast for the destination MAC again: it first looks for the destination in its own cache table and, if found, forwards the packet directly. Entries have a retention time; if an entry is not refreshed, it is removed.

Containers in k8s communicate the same way: through ARP, on the same principle as a switch, because there is a bridge playing the role of the switch, and ARP works across the bridge.
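To make the ARP cache and broadcast-domain behaviour above concrete, here is an added simulation (not code from the original article) of a learning switch with VLANs and hosts that keep an aging ARP cache. The hosts, MAC and IP addresses, and the tick-based aging are constructed assumptions; the point it shows is that an ARP broadcast only reaches ports of the same VLAN, and that a cache hit avoids the broadcast entirely.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str   # BROADCAST for an ARP request
    payload: dict  # constructed: {"type": "arp-request" | "arp-reply" | "data", ...}


class Switch:
    """Learning switch: forwards on the destination MAC, floods broadcasts and
    unknown MACs, but only to ports of the same VLAN (one VLAN = one broadcast domain)."""

    def __init__(self):
        self.port_vlan = {}  # port -> VLAN id
        self.port_host = {}  # port -> Host
        self.mac_table = {}  # (vlan, mac) -> port, learned from source MACs
        self.flooded = 0     # flooded copies delivered so far: the cost of broadcasting

    def attach(self, port, host, vlan):
        self.port_vlan[port] = vlan
        self.port_host[port] = host
        host.switch, host.port = self, port

    def receive(self, in_port, frame):
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, frame.src_mac)] = in_port  # learn where the sender lives
        out = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac != BROADCAST and out is not None:
            self.port_host[out].receive(frame)           # known unicast: one port only
            return
        for port, port_vlan in self.port_vlan.items():   # flood, but stay inside the VLAN
            if port_vlan == vlan and port != in_port:
                self.flooded += 1
                self.port_host[port].receive(frame)


class Host:
    def __init__(self, name, mac, ip, arp_ttl=3):
        self.name, self.mac, self.ip, self.arp_ttl = name, mac, ip, arp_ttl
        self.arp_cache = {}  # ip -> (mac, expiry tick); what `arp -a` would show
        self.tick = 0        # advances once per send; stands in for wall-clock aging
        self.received = []
        self.switch = self.port = None

    def send(self, dst_ip, data):
        """Resolve dst_ip to a MAC and send one unicast frame; False if unresolvable."""
        self.tick += 1
        mac = self.resolve(dst_ip)
        if mac is None:
            return False
        self.switch.receive(self.port, Frame(self.mac, mac, {"type": "data", "data": data}))
        return True

    def resolve(self, dst_ip):
        entry = self.arp_cache.get(dst_ip)
        if entry and entry[1] > self.tick:
            return entry[0]                               # cache hit: no broadcast needed
        self.arp_cache.pop(dst_ip, None)                  # stale entry is aged out
        req = {"type": "arp-request", "sender_ip": self.ip, "target_ip": dst_ip}
        self.switch.receive(self.port, Frame(self.mac, BROADCAST, req))
        entry = self.arp_cache.get(dst_ip)                # filled in by the reply, if any
        return entry[0] if entry else None

    def learn(self, ip, mac):
        self.arp_cache[ip] = (mac, self.tick + self.arp_ttl)

    def receive(self, frame):
        p = frame.payload
        if p["type"] == "arp-request" and p["target_ip"] == self.ip:
            self.learn(p["sender_ip"], frame.src_mac)     # the target caches the asker too
            reply = {"type": "arp-reply", "sender_ip": self.ip}
            self.switch.receive(self.port, Frame(self.mac, frame.src_mac, reply))
        elif p["type"] == "arp-reply":
            self.learn(p["sender_ip"], frame.src_mac)
        elif p["type"] == "data" and frame.dst_mac == self.mac:
            self.received.append(p["data"])


def demo():
    """Constructed topology: hosts a, b, c in VLAN 10; host d alone in VLAN 20."""
    sw = Switch()
    a = Host("a", "02:00:00:00:00:0a", "192.168.1.10")
    b = Host("b", "02:00:00:00:00:0b", "192.168.1.20")
    c = Host("c", "02:00:00:00:00:0c", "192.168.1.30")
    d = Host("d", "02:00:00:00:00:0d", "192.168.1.40")
    for port, (host, vlan) in enumerate([(a, 10), (b, 10), (c, 10), (d, 20)], start=1):
        sw.attach(port, host, vlan)
    first = a.send(b.ip, "hello")           # ARP request floods b and c, never d
    flood_after_first = sw.flooded
    second = a.send(b.ip, "again")          # cache hit: no flooding at all
    flood_after_second = sw.flooded
    a.send(b.ip, "x")
    a.send(b.ip, "y")                       # tick 4: entry learned at tick 1 has aged out
    flood_after_expiry = sw.flooded
    to_other_vlan = a.send(d.ip, "never")   # no host in VLAN 10 answers for d's IP
    return {"first": first, "second": second, "flood_after_first": flood_after_first,
            "flood_after_second": flood_after_second, "flood_after_expiry": flood_after_expiry,
            "to_other_vlan": to_other_vlan, "b_got": b.received, "d_got": d.received,
            "a_cache": {ip: mac for ip, (mac, _) in a.arp_cache.items()}}
```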

3. Routing technology

This is an H4C router. It has only six ports, which play two roles: apart from the console management port, there are LAN ports and WAN ports.

Router ports are mainly of two types: LAN ports and WAN ports.

WAN port: configured with a public IP address, connects to the Internet, and forwards the IP packets coming from the LAN ports.

LAN port: configured with the internal IP (the gateway), connects the internal switches and, through them, the workstations.

So there is a public IP and an internal IP. The WAN port must have a public IP so that the machines behind it can reach the external network. How does the router itself reach the Internet? It needs a public IP that is routable on the Internet; a public IP is visible on the Internet and anyone can reach it. An internal IP, on the other hand, can only be reached from the internal LAN. It is like a server in the computer room with two network cards, one on the internal network and one on the public network: the external NIC is configured with a public IP and the internal NIC with a private IP, and the public NIC is used to reach the external network.

A router is a hardware device that connects two or more networks and intelligently forwards packets received from the port according to the destination address of the packet.

The functions of a router:

Routing

Forwarding

Isolating subnets

Isolating broadcast domains

The router is the hub of the Internet, the device that connects every local area network and wide area network. Compared with a switch, a router's data forwarding is much more complex: it chooses an optimal path according to the destination address. The path information comes from two sources: static routing and dynamic routing.

In other words, how does the company's network get to the Internet, and how do Internet users reach our services? Both go through routers. A switch only forwards packets within a LAN, by MAC address at layer 2, and can send broadcasts. A router's forwarding is more complicated: it considers which path is better and forwards along the best, shortest path. This path information is of two kinds, static and dynamic.

Static routing: the route to a destination is specified manually and recorded in the routing table. If one of the nodes on the path becomes unavailable, the route must be re-specified by hand, for example by adding an entry to the routing table on a Linux server or router: which destination, and who the next hop is. If the next hop is unavailable, the router cannot forward the packet and discards it, and the destination naturally becomes an unreachable network.

Dynamic routing: the router calculates the available paths automatically according to a dynamic routing protocol and can adapt to changes in the network structure in real time.

Commonly used dynamic routing protocols:

RIP (Routing Information Protocol)

OSPF (Open Shortest Path First)

BGP (Border Gateway Protocol)
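As an added illustration (not from the original article) of how a static routing table is consulted, the following Python models the longest-prefix match a Linux host or router performs and the drop described above when a hand-configured next hop is down. The addresses, interface names and the `neighbors` reachability map are constructed assumptions standing in for the real link and ARP state.

```python
import ipaddress


class Router:
    """A static routing table: connected routes, `via` routes and a default route,
    looked up by longest prefix; a route is only usable if its next hop answers."""

    def __init__(self, name):
        self.name = name
        self.routes = []      # (network, gateway or None for connected, interface)
        self.interfaces = {}  # interface -> ip_interface, e.g. eth0 -> 10.0.1.1/24
        self.neighbors = {}   # gateway ip -> reachable?  (constructed stand-in for ARP/link state)

    def add_interface(self, dev, cidr):
        iface = ipaddress.ip_interface(cidr)
        self.interfaces[dev] = iface
        self.routes.append((iface.network, None, dev))  # connected route, as `ip route` shows

    def add_route(self, cidr, via, dev):
        """Same effect as `ip route add <cidr> via <via> dev <dev>` done by hand."""
        self.routes.append((ipaddress.ip_network(cidr), ipaddress.ip_address(via), dev))

    def lookup(self, dst):
        """Longest-prefix match; the default route (/0) only wins when nothing else matches."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, gw, dev in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, dev)
        return best

    def forward(self, dst):
        """('deliver', dev) for a directly connected host, ('forward', gateway, dev)
        when the next hop is up, otherwise ('drop', reason)."""
        hit = self.lookup(dst)
        if hit is None:
            return ("drop", "no route to host")
        net, gw, dev = hit
        if gw is None:
            return ("deliver", dev)                         # same segment: ARP, no router hop
        if not self.neighbors.get(str(gw), False):
            return ("drop", f"next hop {gw} unreachable")   # static route, dead next hop
        return ("forward", str(gw), dev)


def demo():
    """Constructed office gateway with a LAN side, a WAN side and one hand-added route."""
    r = Router("office-gw")
    r.add_interface("eth0", "10.0.1.1/24")                      # office LAN
    r.add_interface("eth1", "203.0.113.1/30")                   # link to the ISP
    r.add_route("10.0.2.0/24", via="10.0.1.254", dev="eth0")     # second LAN behind another router
    r.add_route("10.0.2.128/25", via="203.0.113.2", dev="eth1")  # more specific: wins by prefix length
    r.add_route("0.0.0.0/0", via="203.0.113.2", dev="eth1")      # default route
    r.neighbors = {"203.0.113.2": True, "10.0.1.254": False}     # the second LAN's router is down
    out = {
        "lan_host": r.forward("10.0.1.50"),
        "second_lan": r.forward("10.0.2.7"),
        "specific": r.forward("10.0.2.200"),
        "internet": r.forward("198.51.100.9"),
    }
    r.neighbors["10.0.1.254"] = True   # an operator brings the next hop back by hand
    out["second_lan_fixed"] = r.forward("10.0.2.7")
    return out
```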

4. OSI seven-layer model

OSI (Open System Interconnection) is a standard developed by the International Organization for Standardization (ISO) for interconnecting computers or communication systems; it is generally called the OSI reference model or the seven-layer model.

What we usually call layer 7 and layer 4 forwarding refers to layers of the OSI seven-layer model.

What stages does data go through from host A to host B? It is encapsulated layer by layer as follows. Below the layers above 4 comes the transport layer, the TCP/UDP protocols, which establish, maintain and tear down the transport connection between the session layers of the two end systems and are responsible for reliable end-to-end delivery; at this layer the protocol data unit is called a segment or message. Then the data reaches the network layer, which defines the logical address that identifies every node and the way routes are computed and learned; forwarding by IP address is generally done by a router. Then it reaches the data link layer, the switch: the physical address, where ARP (Address Resolution Protocol) resolves the destination and source MAC addresses and adds them to the cache. Finally the packet is turned into a bit sequence the hardware understands at the physical layer, and on the receiving side it is unwrapped layer by layer up to the target host.

5. TCP/UDP protocol

TCP (Transmission Control Protocol) is a connection-oriented protocol: both parties establish a reliable connection before sending data. TCP is suited to scenarios that transmit large amounts of data and require high reliability. If the data exceeds the MTU (maximum transmission unit, at most 1500 bytes), it is split here at layer 3 into many small packets, each marked with a sequence number, so the receiver can tell whether the data is continuous or damaged and have it retransmitted. This is how TCP guarantees the reliability of the data.

UDP (User Datagram Protocol) is a connectionless protocol: it does not establish a connection with the other party and sends packets directly. It suits scenarios that send only a small amount of data at a time and have low reliability requirements; it is faster than TCP. UDP sends a packet directly without a three-way handshake and cannot know whether the packet was received, because there is no ACK carrying a sequence number back (with TCP, the receiver confirms sequence number 1 received, sequence number 2 received, and if 3 is sent and not confirmed it is retransmitted). UDP's design is simple: give me a port and I will send you the packet; whether you receive it or not, nothing is sent back. Data larger than the MTU is also split, but delivery is not guaranteed: if one of the pieces is lost, the remaining pieces cannot be reassembled, the data is damaged, and the other side cannot use it.

4.2 Kubernetes network model

Network plug-ins such as Flannel and Calico must meet certain requirements to plug into k8s; a third-party network plug-in is supported only if it meets them.

Kubernetes requires that every network plug-in implementation meet the following requirements:

One Pod, one IP. This is mandatory. A Pod can communicate with every Pod on the node directly, without any nginx proxy in between.

All Pods can communicate directly with any other Pod without NAT. Every k8s node can reach every Pod; in particular, all Pods are reachable from the host.

All nodes can communicate directly with all Pods without NAT.

The IP address a Pod sees inside itself is the same IP that other Pods or nodes use to reach it.

What does the Docker network on one node look like? To understand how Pods on the same node communicate, first understand the Docker network model, because Pod-to-Pod communication on a node works the same way.

1. Docker container network model

First, some Linux networking terms:

After a Linux host is installed, one network namespace is created and all processes live in it, so all of them can use the host's network. Docker isolates containers from this large namespace: each container is its own network namespace, so from the host you cannot see or reach a container's network, and containers cannot see each other's network. The namespace isolates the container's network, which creates a problem.

The container now has its own namespace, isolated from the host. How do its packets get out? For that it uses a device called veth.

Network namespace: Linux introduces network namespaces into the network stack, isolating independent protocol stacks into different namespaces that cannot communicate with each other; Docker uses this feature to isolate the networks of different containers.

Veth device pair: veth device pairs were introduced to allow communication between different network namespaces. The device is equivalent to a network cable. The container's network namespace and the host's namespace (the root namespace) are separate; to let them communicate, a veth pair, the "cable", connects the container namespace to the host namespace. When you start a Pod in k8s or a container with Docker, ifconfig on the host shows many veth devices: these are the other ends of the cables, the other plug, so to speak. The container has its own virtual network; to get out it can only go through the host network, because it is a hidden network on the host, so it forwards its data through this device.

Iptables/Netfilter: Docker uses Netfilter to implement container network forwarding. Once a packet has crossed from the container namespace to the host namespace, how does it reach the external network through the host? Docker uses Netfilter, the Linux IP packet filtering mechanism, for forwarding between containers and out of the host. The container's veth end is attached to a bridge. Picture it this way: each container is a computer and the bridge is the switch. With the command below you can see which "cables" are attached to the bridge, that is, which hosts are under the switch, and the principle is the same as a switch: the MAC address is obtained through ARP, the layer 2 frame is encapsulated and forwarded at layer 2. To reach the external network it additionally needs iptables SNAT and DNAT to translate the source and destination addresses to and from the public network.

[root@k8s-node1 ~]# yum -y install bridge-utils
[root@k8s-node1 ~]# brctl show cni0
bridge name     bridge id               STP enabled     interfaces
cni0            8000.e27423da0b65       no              vethbf3ee8ae
                                                        vethf4889480

Bridge: a bridge is a layer 2 network device through which different ports supported by Linux are connected, allowing many-to-many communication like a switch. The docker0 bridge can be seen with ifconfig; it is created by Docker, and containers are attached to it as to a switch so they can reach each other.

Routing: Linux includes a complete routing function; when the IP layer sends or forwards data it uses the routing table to decide where to send it. You will encounter this with third-party plug-ins, which install many routes to implement communication between containers.

The schematic diagram of the Docker container network is as follows:

This is the schematic diagram of the container network. Each container has a veth device pair: after a Pod is deployed, this pair appears and connects its namespace to the host. One end is the "cable" inside the container (eth0) and the other end is on the bridge (docker0). Containers on the same bridge communicate directly with layer 2 broadcast packets and ARP. To go outside, the container uses iptables NAT to reach the external network through the host network.

2. Pod network

Question: the Pod is the smallest scheduling unit in k8s. A Pod consists of one or more containers. When there are several containers, how do they all use one Pod IP?

That is, however many containers are in my Pod, they all communicate through this one IP; this is what the Pod was designed for.

Implementation: k8s starts a small infra container in each Pod and joins the other containers to its network namespace, so the other containers see exactly the same network view: network devices, IP address, MAC address and so on. This is how network sharing is achieved. The IP address of the Pod is the IP address of the infra container.

When the kubelet starts a Pod, it first pulls and starts this small infra container, as can be seen in the kubelet configuration file. The container is simple, written in Go, and only maintains a persistent state: it is created with its own network namespace, runs no program, and exists just to hold the network namespace. The business containers are joined to this namespace, which is invisible to users. For example, when a microservice runs several containers in sidecar mode, all you see is one Pod IP; the business container is joined to the infra container, and if you add another sidecar container it is joined as well. The IP is given to the pause container, which has the independent network namespace; kubelet assigns it an IP, the one shown by kubectl get pod -o wide. This IP is unique in the whole cluster network, so you can reach the IP and the port the business exposes. This is the mechanism by which the Pod network is shared.

A Pod is composed of one or more containers but has only one network namespace; k8s adds the Pod concept for closely coupled applications, whereas a Docker container has one container per network namespace. The two are not very different: as shown above, the host has one network namespace, Pod1 has one and Pod2 has one. Communication between two network namespaces is the same in both cases, because both are forwarded through veth and the switch (bridge) forwards at layer 2, so access works the same way.

In Kubernetes, each Pod has a real IP address, and each Pod can use this IP address to communicate with other Pod.

There are two situations in which Pods communicate with each other:

Two Pods on the same Node, e.g. two services with two replicas, both placed on node1.

Two Pods on different Nodes, e.g. two services with two replicas, placed on node1 and node2.

The data path differs between these two cases.

Let's look at the first case: two Pods on the same Node

Communication between Pods on the same node works the same way as the Docker network, as shown below:

For Pod1, eth0 connects to the root namespace through a virtual Ethernet device (veth0)

veth0 is attached to the bridge cbr0, which is configured with a network segment. Once the packet arrives at the bridge, the bridge resolves the correct destination, veth2, using ARP

Bridge cbr0 sends the packet to veth2

When the packet arrives at veth2, it is forwarded directly to the eth0 network device in Pod2's network namespace.

Let's look at the second case: two Pod on different Node

And there are two pod on different nodes, the picture above, when pod1 sends out this packet, because the two pod are on different node, two different node are equivalent to two different machines. If there is no processing, the packet must not get out, because the access address is the address on the node2, so think about how to send this packet out. So it needs the third network component to realize it. To put it bluntly, the third-party network plug-in is mainly used to realize the communication between the cross-node network, rather than the communication of the local container node. Because of this, it does not need it to realize. What it mainly implements is how to send the data packet of the original data source to the destination eth0 port.

The K8s network model requires every Pod IP to be reachable throughout the cluster network, and this is realized by a third-party network component.

Therefore, when two containers communicate across nodes, the traffic is forwarded by a third-party component, drawn as the cloud in the middle of the figure. Whether it is a routing scheme or a tunneling scheme, the packet from node1 is delivered to the specified destination node.

3. CNI (container network interface)

In K8s, CNI is now the specification for the container network interface. Docker has its own network standard, CNM, but it does not adapt well to this clustered form of deployment. As a result, several large companies produced CNI as the standard for the network interface.

CNI (Container Network Interface) is a container network specification, and the Kubernetes network follows this CNI specification.

A CNI implementation relies on two kinds of plug-in: one connects the container to the host and can assign it an IP; the other, IPAM, manages the IPs of these containers. Two Pods must never be given the same IP, since it would then be unclear which of them should answer a packet, so IPAM is responsible for configuring the network of the container's network namespace and ensuring that every Pod is assigned a unique IP.

Default path for the CNI plug-ins: ls /opt/cni/bin/

The binaries in this directory allocate IPs for the container. When kubelet starts a Pod, it invokes them with the configuration file to configure the network.

All the binaries are provided at the address below; you can download the package from the releases page. These plug-ins are what allows the various third-party network components to be supported.

Address: https://github.com/containernetworking/cni

When you deploy Flanneld on the host, flanneld starts up and generates its CNI configuration file (which is in fact a ConfigMap) on each host, thereby telling Kubernetes that the cluster uses Flannel as its container network solution.

CNI configuration file path:

There is also a configuration file for managing the container network; it holds the configuration information and attribute information managed by the third-party component.

cat /etc/cni/net.d/10-flannel.conflist

When the kubelet component needs to create a Pod, it first calls dockershim, which creates an Infra container, and then calls the CNI plug-in to configure the network for that Infra container.

These two paths are defined in the kubelet startup parameters:

--network-plugin=cni \           (use the CNI network plug-in)
--cni-conf-dir=/etc/cni/net.d \  (location of the CNI configuration file)
--cni-bin-dir=/opt/cni/bin       (location of the CNI binary files)

In summary, CNI exists so that third-party network components can plug into K8s more smoothly. Pods are created by kubelet, and the network of the Pod it creates is also assigned by kubelet. How does kubelet create the container? It calls Docker's API, that is, it uses dockershim to create the container, and it also calls the CNI binary, which assigns the network to the container, for example its IP. CNI is the network specification: K8s itself cannot meet every networking requirement, so it developed a specification, and any component that implements it can be connected to the K8s network. As long as this requirement is met, every such component can be used.
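To make the kubelet-to-plug-in handshake described above concrete, here is an added example (not code from the article, Flannel or Kubernetes) that walks a conflist the way a runtime does for CNI_COMMAND=ADD: the plug-in binary is resolved by its type name under the cni-bin-dir, the call context travels in CNI_* environment variables, and the configuration goes to the plug-in's stdin. The sample conflist and the pluggable runner are constructed for this example.

```python
import json
import os
import subprocess

# Constructed conflist modelled on the flannel file the article points at
# (/etc/cni/net.d/10-flannel.conflist); not copied from a real node.
SAMPLE_CONFLIST = """{
  "name": "cbr0",
  "cniVersion": "0.3.1",
  "plugins": [
    {"type": "flannel", "delegate": {"isDefaultGateway": true}},
    {"type": "portmap", "capabilities": {"portMappings": true}}
  ]
}"""


def cni_env(container_id, netns, bin_dir, ifname="eth0"):
    """The CNI spec passes the call context to the plug-in as environment variables."""
    return {"CNI_COMMAND": "ADD", "CNI_CONTAINERID": container_id, "CNI_NETNS": netns,
            "CNI_IFNAME": ifname, "CNI_PATH": bin_dir}


def exec_plugin(path, env, config):
    """Default runner: exec the plug-in, JSON config on stdin, JSON result on stdout."""
    proc = subprocess.run([path], env=env, input=json.dumps(config),
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def cni_add(conflist_text, container_id, netns, bin_dir="/opt/cni/bin", runner=exec_plugin):
    """Walk the plug-in chain the way a runtime does for ADD.
    Each plug-in's config gets the list's name and cniVersion copied in, and
    the previous plug-in's result is handed on as prevResult, so portmap can
    act on the IP that flannel/IPAM assigned. Returns the final result."""
    conflist = json.loads(conflist_text)
    prev_result = None
    for plugin in conflist["plugins"]:
        ptype = plugin["type"]
        # The binary is looked up by type name under bin_dir; reject anything that
        # would escape that directory (the plug-in runs with kubelet's privileges).
        if not ptype or os.sep in ptype or ptype in (".", ".."):
            raise ValueError(f"invalid plugin type {ptype!r}")
        config = dict(plugin, name=conflist["name"], cniVersion=conflist["cniVersion"])
        if prev_result is not None:
            config["prevResult"] = prev_result
        prev_result = runner(os.path.join(bin_dir, ptype), cni_env(container_id, netns, bin_dir), config)
    return prev_result
```

Whoever can write to the configuration directory chooses which binary kubelet executes, which is why both paths deserve the same file permissions as the kubelet configuration itself.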

Summary of questions:

1. Packet transmission process for communication between host A and host B in the same local area network

That is, the process of communication within one VLAN. First check whether your ARP cache table already has the MAC address: layer 2 transmission is based on MAC addresses and does not look at the IP. To communicate within a local area network, the destination address must be determined first.

Take the class C network segment 192.168.30.0/24. First determine whether the source and destination IPs are in the same network segment; this is the prerequisite for communicating within a local area network. If the source host wants to send to host B, the first step is to encapsulate a packet, and because this happens at layer 2, the first thing needed is the destination MAC address.

1) Look up the local ARP cache table for the MAC address that the layer 2 frame needs. If it is not there, an ARP broadcast packet is sent, which every host will receive, since they are connected by the same network cable to the switch. The switch receives the broadcast packet and asks for the MAC address of the destination host. The packet carries four fields: source IP, source MAC, destination IP and destination MAC. If the switch does not know the MAC for this destination, the packet is sent to all hosts in the local area network. The host that owns the destination IP responds with its MAC address, and the others discard the packet. After responding, B sends the reply to the switch, the switch sends it to host A, and host A can then send the packet to host B. This is the principle of communication within a layer 2 LAN.

In between there is an ARP cache table: host A, host B and the switch each record the MAC addresses corresponding to the source and destination IPs transmitted through layer 2, so that the next transmission can be encapsulated directly using the existing entries.

Now, if the switch in this local area network sends broadcast packets, will hosts in different network segments receive them? Without a layer 3 switch they cannot. With a layer 3 switch, that is, a core switch, which can handle layer 2 ARP, switches on different network segments can also receive them. If it is a router, they naturally will not be received, because every port under the router is its own VLAN and the router isolates broadcast packets. So if it is a layer 3 core switch, which handles both layer 2 and layer 3, the broadcast can be received.
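The flood-then-learn sequence just described, as an added example that is not part of the article: a toy learning switch and hosts in Python, with constructed IPs and MACs. Calling a.send(...) shows the ARP broadcast, the unicast reply, the caches filling on both hosts and the switch's MAC table, and a send to an IP that is not on the LAN failing because nobody answers.

```python
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
# payload is "ARP-REQ <sender_ip> <target_ip>", "ARP-REP <sender_ip>" or "DATA <text>"
Frame = namedtuple("Frame", "src_mac dst_mac payload")


class Switch:
    """Learning switch: notes the port each source MAC arrives on, forwards
    known unicast destinations out that port and floods everything else."""
    def __init__(self):
        self.ports, self.mac_table = {}, {}      # port -> Host, MAC -> port

    def attach(self, port, host):
        self.ports[port] = host
        host.port, host.switch = port, self

    def receive(self, in_port, frame):
        self.mac_table[frame.src_mac] = in_port  # learn from every frame seen
        out = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or out is None:
            targets = [p for p in self.ports if p != in_port]   # flood
        else:
            targets = [out]
        for p in targets:
            self.ports[p].receive(frame)


class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac, self.arp_cache, self.delivered = ip, mac, {}, []

    def receive(self, frame):
        kind, *args = frame.payload.split()
        if kind == "ARP-REQ" and args[1] == self.ip:   # our IP: learn the asker, reply unicast
            self.arp_cache[args[0]] = frame.src_mac
            self.switch.receive(self.port, Frame(self.mac, frame.src_mac, f"ARP-REP {self.ip}"))
        elif kind == "ARP-REP":
            self.arp_cache[args[0]] = frame.src_mac
        elif frame.dst_mac == self.mac:
            self.delivered.append(frame.payload)
        # ARP requests for other IPs and frames for other MACs are dropped

    def send(self, dst_ip, data):
        """Resolve dst_ip (ARP broadcast on a cache miss), then send unicast."""
        if dst_ip not in self.arp_cache:
            self.switch.receive(self.port, Frame(self.mac, BROADCAST, f"ARP-REQ {self.ip} {dst_ip}"))
        if dst_ip not in self.arp_cache:
            return False                     # nobody answered: host is not on this LAN
        self.switch.receive(self.port, Frame(self.mac, self.arp_cache[dst_ip], f"DATA {data}"))
        return True
```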

2. Packet transmission process for communication between host A and host B that are not in the same local area network

VLAN1: 192.168.36.0/24
VLAN2: 192.168.35.0/24

They are not in the same subnet, so these two need to communicate through the router, because this exceeds the range of layer 2 forwarding. In this case the first thing is to determine whether the target IP is in the same subnet. If it is not, the packet is sent to the default gateway, which can be seen with ip route.

[root@k8s-node2 ~]# ip route
default via 10.4.7.1 dev eth0 proto static metric 100
10.4.7.0/24 dev eth0 proto kernel scope link src 10.4.7.21 metric 100
10.244.0.0/24 via 10.244.0.1 dev flannel.1 onlink
10.244.1.0/24 dev flannel.1 onlink
10.244.2.0/24 dev flannel.1 onlink
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1

Because the destination IP is no longer in the same subnet, an ARP broadcast would get no reply and the packet would be discarded, so the packet goes to the default gateway, 10.4.7.1, the next-hop address. The packet is forwarded to this gateway, and the gateway then checks its local routing table. A routing table generally records destination addresses and their next-hop addresses, and from it the gateway decides which interface the packet leaves through.

Routing table:

Destination address: for example 192.168.35.0/24, reached through the gateway's own interface. Because that network is directly connected and already known, there is no next hop.

That is, the packet enters layer 2 from VLAN1 and then reaches the core switch. There are two ports here, port A and port B, and port A is the default gateway. The routing table is queried for the destination network segment, the packet leaves from port B, reaches the layer 2 switch, and then goes to the destination VLAN. Along the way, layer 2 also records the MAC addresses.
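The two decisions the text walks through, first "same subnet or not" and then the routing-table lookup with its next hop, as an added example that is not from the article. It uses Python's ipaddress module; the first table is constructed from the ip route output above, the second models the core switch from the VLAN example, and the port names for that switch are assumed.

```python
import ipaddress

# Constructed routing table modelled on the `ip route` output of k8s-node2
# above: (destination, next hop or None when directly connected, interface).
SAMPLE_ROUTES = [
    ("default",       "10.4.7.1",   "eth0"),
    ("10.4.7.0/24",   None,         "eth0"),
    ("10.244.0.0/24", "10.244.0.1", "flannel.1"),
    ("10.244.1.0/24", None,         "flannel.1"),
    ("10.244.2.0/24", None,         "flannel.1"),
    ("172.17.0.0/16", None,         "docker0"),
]

# The core switch (default gateway) from the VLAN example: both VLANs are
# directly connected, so there is no next hop, only the egress port (names assumed).
GATEWAY_ROUTES = [("192.168.36.0/24", None, "port-a"), ("192.168.35.0/24", None, "port-b")]


def same_subnet(ip_a, ip_b, prefixlen):
    """The first test a host makes: do both addresses fall in one /prefixlen network?
    If yes the host ARPs for ip_b itself; if not the frame goes to the default gateway."""
    net = ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def lookup(routes, dst):
    """Longest-prefix match over a routing table, as a host or gateway does.
    Returns (interface, address to ARP for): the destination itself when the
    matching route is directly connected, otherwise the route's next hop.
    A more specific route always beats the default, whatever its position."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        return None                   # no matching route and no default: unreachable
    net, via, dev = best
    return dev, (via if via is not None else dst)
```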
