Cluster Mesh is Cilium's multi-cluster implementation. It lets Cilium manage multiple Kubernetes clusters across data centers and across VPCs. Cluster Mesh provides the following capabilities:

  1. Pod IP routing between multiple Kubernetes clusters through tunneling or direct routing, without any gateway or proxy.
  2. Service discovery using the standard Kubernetes mechanism.
  3. Network policy spanning multiple clusters. Policies can use the native Kubernetes NetworkPolicy resource or the extended CiliumNetworkPolicy CRD.
  4. Transparent encryption of all node-to-node traffic, both within a cluster and across clusters.

#Script variables

export CLUSTER_NAME=cluster-1
export CLUSTER_ZONE=asia-east1

NATIVE_CIDR="$(gcloud container clusters describe "${CLUSTER_NAME}" --zone "${CLUSTER_ZONE}" --format 'value(clusterIpv4Cidr)')"
echo "$NATIVE_CIDR"   # must print a CIDR; an empty value means the cluster name or zone is wrong and the helm step below would set an empty ipv4NativeRoutingCIDR

#Install Cilium

# The cilium/cilium chart comes from the official Helm repository; add it once before installing.
helm repo add cilium https://helm.cilium.io/
helm repo update

helm install cilium cilium/cilium --version 1.13.0 \
--namespace kube-system \
--set nodeinit.enabled=true \
--set nodeinit.reconfigureKubelet=true \
--set nodeinit.removeCbrBridge=true \
--set cni.binPath=/home/kubernetes/bin \
--set gke.enabled=true \
--set ipam.mode=kubernetes \
--set ipv4NativeRoutingCIDR="$NATIVE_CIDR" \
--set ingressController.enabled=true \
--set ingressController.loadbalancerMode=shared \
--set hubble.relay.enabled=true \
--set hubble.ui.enabled=true \
--set hubble.metrics.enabled="{dns,drop,tcp,flow,icmp,http}" \
--set loadBalancer.l7.backend=envoy \
--set kubeProxyReplacement=strict \
--set gatewayAPI.enabled=true

#Parameter notes
--set ingressController.loadbalancerMode=shared
## Accepted values are dedicated and shared. shared exposes every Ingress through the single cilium-ingress LoadBalancer Service in kube-system (one external IP for all of them); dedicated creates a separate LoadBalancer Service, and therefore a separate external IP, per Ingress resource.
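The two values that feed the install step, the GKE CIDR and the load balancer mode, are the ones that fail silently when they are wrong: gcloud prints nothing for an unknown cluster, and helm happily accepts an empty `ipv4NativeRoutingCIDR`. The preflight script below is an added example, not code from the original post or from the Cilium project; it validates both values before the helm command is rendered. The CIDRs and modes in its usage section are constructed sample inputs, and `render_install_cmd` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for the
# Cilium install script above. It refuses to build the helm command when
# NATIVE_CIDR is empty or malformed, or when loadbalancerMode is not one of
# the two values Cilium accepts.

# Return 0 if $1 is a well-formed IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32).
validate_cidr() {
  cidr="$1"
  # Only digits, dots and a slash may appear. This also rules out glob and
  # whitespace characters before the unquoted "set --" split further down.
  case "$cidr" in
    ''|*[!0-9./]*) return 1 ;;
    */*) ;;
    *) return 1 ;;           # bare address without a prefix length
  esac
  ip="${cidr%/*}"
  prefix="${cidr##*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] 2>/dev/null || return 1
  # Split the address on dots. POSIX word splitting keeps the empty field
  # between consecutive delimiters, so "10..0.0" is still rejected below.
  old_ifs="$IFS"; IFS=.
  set -- $ip
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Return 0 if $1 is an accepted ingressController.loadbalancerMode value.
validate_lb_mode() {
  case "$1" in
    dedicated|shared) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the helm command for the validated inputs. On bad input nothing is
# printed and the function fails, so a caller doing cmd=$(render_install_cmd ...)
# cannot continue with a half-built command.
render_install_cmd() {
  cidr="$1"
  lb_mode="$2"
  validate_cidr "$cidr" || {
    echo "refusing to install: ipv4NativeRoutingCIDR is '$cidr'" >&2
    return 1
  }
  validate_lb_mode "$lb_mode" || {
    echo "refusing to install: loadbalancerMode must be dedicated or shared, got '$lb_mode'" >&2
    return 1
  }
  printf '%s\n' "helm install cilium cilium/cilium --version 1.13.0 --namespace kube-system --set nodeinit.enabled=true --set nodeinit.reconfigureKubelet=true --set nodeinit.removeCbrBridge=true --set cni.binPath=/home/kubernetes/bin --set gke.enabled=true --set ipam.mode=kubernetes --set ipv4NativeRoutingCIDR=$cidr --set ingressController.enabled=true --set ingressController.loadbalancerMode=$lb_mode --set kubeProxyReplacement=strict --set gatewayAPI.enabled=true"
}

# Usage. In the real script NATIVE_CIDR comes from gcloud; the constructed
# value 10.4.0.0/14 stands in for it here, and the empty value that a wrong
# cluster name produces shows the refusal path.
render_install_cmd "10.4.0.0/14" shared
render_install_cmd "" shared || echo "(install blocked, as intended)"
```

Run the real install as `cmd=$(render_install_cmd "$NATIVE_CIDR" shared) && eval "$cmd"`, or simply call `validate_cidr "$NATIVE_CIDR" || exit 1` right after the `echo` in the variables section; the point is that a wrong zone or cluster name stops the script instead of producing a cluster whose native routing CIDR is empty.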

#Install the Cilium CLI (macOS, via Homebrew)

brew install cilium-cli

#Check status

cilium status --wait
cilium connectivity test

#Agent and service status

kubectl -n kube-system exec ds/cilium -- cilium status
kubectl api-resources | grep cilium.io
kubectl -n kube-system exec ds/cilium -- cilium service list
kubectl -n kube-system exec ds/cilium -- cilium status --verbose
kubectl -n kube-system exec ds/cilium -- cilium status | grep KubeProxyReplacement   # should report Strict, matching kubeProxyReplacement=strict above

#Demo app

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml

#Gateway API Support

# Cilium 1.13 expects the Gateway API v0.5.1 CRDs; ReferenceGrant is still in the experimental channel in that release.
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.5.1/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.5.1/config/crd/standard/gateway.networking.k8s.io_gateways.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.5.1/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.5.1/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml

#Gateway API HTTP demo

kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes/gateway/basic-http.yaml
GATEWAY=$(kubectl get gateway my-gateway -o jsonpath='{.status.addresses[0].value}')
curl --fail -s http://"$GATEWAY"/details/1 | jq
curl -v -H 'magic: foo' http://"$GATEWAY"\?great\=example

#Gateway API HTTPS demo

minica -domains '*.cilium.rocks'
kubectl create secret tls demo-cert --key=_.cilium.rocks/key.pem --cert=_.cilium.rocks/cert.pem
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes/gateway/basic-https.yaml
kubectl get gateway tls-gateway
kubectl get httproutes https-app-route-1 https-app-route-2
# Nothing resolves *.cilium.rocks, so pin the hostnames to the gateway address with --resolve rather than editing /etc/hosts.
# --cacert trusts only the minica root for this call; do not replace it with -k, which would hide a wrong or missing certificate.
TLS_GATEWAY=$(kubectl get gateway tls-gateway -o jsonpath='{.status.addresses[0].value}')
curl --cacert minica.pem -v --resolve "bookinfo.cilium.rocks:443:$TLS_GATEWAY" https://bookinfo.cilium.rocks/details/1
curl --cacert minica.pem -v --resolve "hipstershop.cilium.rocks:443:$TLS_GATEWAY" https://hipstershop.cilium.rocks/

#Ingress HTTP demo

kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes/servicemesh/basic-ingress.yaml
kubectl get services -n kube-system cilium-ingress   # the shared LoadBalancer Service created by loadbalancerMode=shared
kubectl get ingress
HTTP_INGRESS=$(kubectl get ingress basic-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
curl --fail -s http://"$HTTP_INGRESS"/details/1 | jq

#Ingress HTTPS demo

# The demo-cert secret was already created in the Gateway API HTTPS demo; skip the two steps below if it
# still exists (kubectl create fails on an existing secret, and minica refuses to overwrite the _.cilium.rocks directory).
minica -domains '*.cilium.rocks'
kubectl create secret tls demo-cert --key=_.cilium.rocks/key.pem --cert=_.cilium.rocks/cert.pem
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes/servicemesh/tls-ingress.yaml
kubectl get ingress
# tls-ingress is the Ingress name from tls-ingress.yaml; as above, pin the hostname with --resolve and trust only the minica root.
INGRESS_IP=$(kubectl get ingress tls-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
curl --cacert minica.pem -v --resolve "bookinfo.cilium.rocks:443:$INGRESS_IP" https://bookinfo.cilium.rocks/details/1


By tony

A free-software enthusiast who likes to keep thinking about all kinds of problems and to try out whatever is new, experimenting and researching. There is no such thing as a ceiling on technical skill, only humility and continuous learning. This site exists mainly to share systems and networking knowledge and resources. Github http://stnet253.github.io
