Cluster Mesh 是Cilium 的多集群實現,可以幫助Cilium 實現跨數據中心、跨VPC 的多Kubernetes 集群管理,Cluster Mesh 主要有以下功能:
- 1.通過隧道或直接路由的方式,在多個Kubernetes 集群間進行Pod IP 路由,而無需任何網關或代理。
- 2.使用標準Kubernetes 服務發現機制。
- 3.跨多個集群的網絡策略。策略可以使用Kubernetes 原生的NetworkPolicy 資源或者擴展的CiliumNetworkPolicy CRD。
- 4.透明加密本集群以及跨集群節點間所有通信的流量。
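# Script variables: the target GKE cluster and its pod CIDR.
# CLUSTER_NAME / CLUSTER_ZONE are exported so the later helm/kubectl steps
# (run in the same shell) can reuse them.
export CLUSTER_NAME=cluster-1
export CLUSTER_ZONE=asia-east1

# Cilium native routing needs the cluster's pod CIDR (ipv4NativeRoutingCIDR);
# read it from the GKE cluster description.
NATIVE_CIDR="$(gcloud container clusters describe "${CLUSTER_NAME}" \
  --zone "${CLUSTER_ZONE}" --format 'value(clusterIpv4Cidr)')"
if [[ -z "${NATIVE_CIDR}" ]]; then
  # gcloud failed or returned nothing; warn on stderr and let the operator
  # decide (the helm step below refuses to run with an empty CIDR).
  printf 'warning: could not read clusterIpv4Cidr for %s in %s\n' \
    "${CLUSTER_NAME}" "${CLUSTER_ZONE}" >&2
fi
# Quoted print: the original `echo $NATIVE_CIDR` word-splits and echo mangles
# values starting with "-".
printf '%s\n' "${NATIVE_CIDR}"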
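# Install Cilium 1.13.0 on GKE with the Ingress controller, Gateway API support
# and Hubble enabled.
# Requires NATIVE_CIDR (the cluster's clusterIpv4Cidr) to be set beforehand; an
# empty value would pass an invalid ipv4NativeRoutingCIDR, so fail early.
: "${NATIVE_CIDR:?NATIVE_CIDR must be set to the cluster pod CIDR}"

# Chart values, grouped by purpose. Kept in an array so each group can be
# commented (comments are not allowed between backslash-continued lines).
cilium_values=(
  # GKE node bootstrap: Cilium's node-init DaemonSet reconfigures kubelet and
  # removes the default cbr0 bridge; GKE keeps CNI binaries in /home/kubernetes/bin.
  --set nodeinit.enabled=true
  --set nodeinit.reconfigureKubelet=true
  --set nodeinit.removeCbrBridge=true
  --set cni.binPath=/home/kubernetes/bin
  --set gke.enabled=true
  # Native routing (no overlay) inside the GKE pod CIDR; pod IPs come from Kubernetes.
  --set ipam.mode=kubernetes
  --set "ipv4NativeRoutingCIDR=${NATIVE_CIDR}"
  # Ingress controller. loadbalancerMode accepts "dedicated" (one LoadBalancer
  # Service per Ingress) or "shared" (all Ingress resources behind one Service).
  --set ingressController.enabled=true
  --set ingressController.loadbalancerMode=shared
  # Hubble observability. The Hubble UI ships without its own authentication;
  # reach it via port-forward rather than publishing it through an Ingress.
  --set hubble.relay.enabled=true
  --set hubble.ui.enabled=true
  --set hubble.metrics.enabled="{dns,drop,tcp,flow,icmp,http}"
  # L7 load balancing through Envoy; kube-proxy is fully replaced by Cilium.
  --set loadBalancer.l7.backend=envoy
  --set kubeProxyReplacement=strict
  --set gatewayAPI.enabled=true
)

helm install cilium cilium/cilium --version 1.13.0 \
  --namespace kube-system \
  "${cilium_values[@]}"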
# Install the cilium CLI (Homebrew), then verify the installation.
brew install cilium-cli

# Block until every Cilium component reports ready.
cilium status --wait

# Run the built-in end-to-end connectivity test suite against the cluster.
cilium connectivity test
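# Inspect the running agent: overall status, the Cilium CRDs registered with the
# API server, the eBPF service map, and confirm kube-proxy replacement is active.
kubectl -n kube-system exec ds/cilium -- cilium status

# -F matches "cilium.io" literally; an unescaped "." is a regex wildcard.
kubectl api-resources | grep -F -- cilium.io

kubectl -n kube-system exec ds/cilium -- cilium service list
kubectl -n kube-system exec ds/cilium -- cilium status --verbose

# Only the KubeProxyReplacement line of the status output.
kubectl -n kube-system exec ds/cilium -- cilium status | grep -F -- KubeProxyReplacement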
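# Demo app: Istio's Bookinfo sample, used as the backend for the Gateway API and
# Ingress examples below. (The original heading lacked a "#" and would have been
# executed as a command.)
# The manifest is fetched from the release-1.11 branch; pin to a tag, or download
# and review the file, for a reproducible setup.
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml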
# Gateway API v0.5.1 CRDs required by Cilium's Gateway API support.
# GatewayClass, Gateway and HTTPRoute come from the standard channel;
# ReferenceGrant is taken from the experimental channel at this version.
gateway_api_base=https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.5.1/config/crd
for crd in \
  standard/gateway.networking.k8s.io_gatewayclasses.yaml \
  standard/gateway.networking.k8s.io_gateways.yaml \
  standard/gateway.networking.k8s.io_httproutes.yaml \
  experimental/gateway.networking.k8s.io_referencegrants.yaml; do
  kubectl apply -f "${gateway_api_base}/${crd}"
done
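# Gateway API HTTP demo: Gateway "my-gateway" plus HTTPRoutes in front of Bookinfo.
# NOTE: the manifest is pulled from HEAD of the cilium repo, so its contents can
# change between runs; pin to a release tag or vendor the file for reproducibility.
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes/gateway/basic-http.yaml

# The Gateway address is only populated once the load balancer is provisioned;
# stop here instead of sending requests to an empty host ("http:///...").
GATEWAY=$(kubectl get gateway my-gateway -o jsonpath='{.status.addresses[0].value}')
: "${GATEWAY:?Gateway my-gateway has no address yet; retry once it is provisioned}"

# -S shows the error when --fail trips even though -s silences progress output.
curl --fail -sS "http://${GATEWAY}/details/1" | jq

# Request carrying the custom header and query string used by the example.
curl -v -H 'magic: foo' "http://${GATEWAY}?great=example"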
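# Gateway API HTTPS demo. minica creates a throwaway local CA (minica.pem) and a
# wildcard cert for *.cilium.rocks — demo material only, not a trusted CA.
# Reuse an existing cert instead of regenerating it on every run.
[[ -f _.cilium.rocks/key.pem ]] || minica -domains '*.cilium.rocks'

# "kubectl create secret" fails if demo-cert already exists (the Ingress HTTPS
# demo creates the same secret), so render it client-side and apply instead.
kubectl create secret tls demo-cert \
  --key=_.cilium.rocks/key.pem --cert=_.cilium.rocks/cert.pem \
  --dry-run=client -o yaml | kubectl apply -f -

# NOTE: manifest fetched from HEAD of the cilium repo; pin to a release tag or
# vendor the file for reproducibility.
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes/gateway/basic-https.yaml
kubectl get gateway tls-gateway
kubectl get httproutes https-app-route-1 https-app-route-2

# --cacert trusts only the demo CA for these requests. Assumes both hostnames
# resolve to the tls-gateway address (e.g. via /etc/hosts) — confirm first.
curl --cacert minica.pem -v https://bookinfo.cilium.rocks/details/1
curl --cacert minica.pem -v https://hipstershop.cilium.rocks/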
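# Ingress HTTP demo using Cilium's Ingress controller (shared LB mode, so all
# Ingress resources share the kube-system/cilium-ingress Service).
# NOTE: the manifest is pulled from HEAD of the cilium repo; pin to a release tag
# or vendor the file for reproducibility.
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes/servicemesh/basic-ingress.yaml
kubectl get services -n kube-system cilium-ingress
kubectl get ingress

# The load balancer IP is only populated once the LB is provisioned; stop here
# instead of sending requests to an empty host.
HTTP_INGRESS=$(kubectl get ingress basic-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
: "${HTTP_INGRESS:?Ingress basic-ingress has no load balancer IP yet; retry once it is provisioned}"

# -S shows the error when --fail trips even though -s silences progress output.
curl --fail -sS "http://${HTTP_INGRESS}/details/1" | jq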
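# Ingress HTTPS demo. minica creates a throwaway local CA (minica.pem) and a
# wildcard cert for *.cilium.rocks — demo material only, not a trusted CA.
# Reuse an existing cert instead of regenerating it on every run.
[[ -f _.cilium.rocks/key.pem ]] || minica -domains '*.cilium.rocks'

# "kubectl create secret" fails if demo-cert already exists (the Gateway HTTPS
# demo creates the same secret), so render it client-side and apply instead.
kubectl create secret tls demo-cert \
  --key=_.cilium.rocks/key.pem --cert=_.cilium.rocks/cert.pem \
  --dry-run=client -o yaml | kubectl apply -f -

# NOTE: manifest fetched from HEAD of the cilium repo; pin to a release tag or
# vendor the file for reproducibility.
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes/servicemesh/tls-ingress.yaml
kubectl get ingress

# --cacert trusts only the demo CA for this request. Assumes the hostname
# resolves to the Ingress load balancer address (e.g. via /etc/hosts) — confirm first.
curl --cacert minica.pem -v https://bookinfo.cilium.rocks/details/1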