
Calico IP-in-IP connectivity issues with nested containers on Kubernetes

Question


I am implementing a cluster-api controller using Kubernetes as the infrastructure provider - that is, I am trying to run Kubernetes Nodes as Kubernetes Pods and form a cluster within a cluster.

I have this working apart from network connectivity between Pods of the inner cluster (running on Pods of the infrastructure cluster), but I am stuck as to what the issue is.

I am running on GKE, using their default CNI implementation. I am then attempting to use Calico for an overlay implementation of the inner cluster, using IP-in-IP encapsulation so the Nodes of the infrastructure cluster do not need to know how to route inner cluster Pod IPs.

I am creating the infrastructure cluster as follows (the UBUNTU image is needed for the ipip kernel module required by Calico's IP-in-IP encapsulation):

gcloud container clusters create management-cluster --image-type=UBUNTU

I then deploy a number of nginx Pods to the inner cluster. If they land on the same inner cluster Node, they can connect to each other. If they land on separate inner cluster Nodes they cannot, so I assume this means the IP-in-IP tunnel isn't working properly, but I am not sure why. This fails even if the inner cluster Nodes (Pods) land on the same infrastructure (outer cluster) Node. Pod and Service CIDR ranges of the two clusters do not overlap.

I realise this is not a supported use case for Calico, but I cannot see a reason why it is not possible and would like to get it working. Do the outer cluster Nodes need to support forwarding IP-in-IP packets? They are configured to forward IPv4 packets, but I am not sure if that is enough.

I guess more information is required to give a concrete reason for why this isn't working, but I am not too sure what that would be at this point and would be grateful for any direction.

Answer 1

Score: 1


It was necessary to allow ipencap protocol on the GKE nodes:

iptables -C FORWARD -p ipencap -j ACCEPT || iptables -A FORWARD -p ipencap -j ACCEPT
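As an added example (not code from the question or the answer above), the following POSIX shell script wraps the accepted fix in an idempotent function and pairs it with the two prerequisite checks the thread touches on: whether the ipip kernel module is loaded and whether net.ipv4.ip_forward is enabled. The variables IPT, IPIP_MODULE_DIR and IP_FORWARD_FILE are assumptions introduced so the logic can be exercised without root; their defaults point at the real iptables binary, /sys/module/ipip and /proc/sys/net/ipv4/ip_forward. The point it makes concrete is the one the question raises: ip_forward=1 on the outer nodes is not enough on its own, because the FORWARD chain must also accept IP protocol 4 (ipencap).

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Idempotently allow IP-in-IP (IP protocol 4, "ipencap" in /etc/protocols)
# through the FORWARD chain of an outer-cluster node, and report the two
# prerequisites the thread mentions (ipip module loaded, IPv4 forwarding on).
#
# IPT, IPIP_MODULE_DIR and IP_FORWARD_FILE are overridable (assumption made
# for testability); the defaults are the real locations on a Linux node.
IPT="${IPT:-iptables}"
IPIP_MODULE_DIR="${IPIP_MODULE_DIR:-/sys/module/ipip}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# 0 if the ipip module is loaded (or built in), 1 otherwise.
ipip_module_loaded() {
    [ -d "$IPIP_MODULE_DIR" ]
}

# 0 if net.ipv4.ip_forward is 1, 1 otherwise.
ipv4_forwarding_enabled() {
    [ "$(cat "$IP_FORWARD_FILE" 2>/dev/null)" = "1" ]
}

# 0 if the ACCEPT rule for ipencap is already present in FORWARD.
ipencap_rule_present() {
    "$IPT" -C FORWARD -p ipencap -j ACCEPT 2>/dev/null
}

# Appends the rule only when it is missing, so repeated runs never
# duplicate it. Prints "present" or "added"; returns 1 if the append failed.
ensure_ipencap_forward() {
    if ipencap_rule_present; then
        echo present
        return 0
    fi
    "$IPT" -A FORWARD -p ipencap -j ACCEPT || return 1
    echo added
}

# Prints "module=<yes|no> forward=<yes|no>" and returns 0 only when both
# hold. Note that forward=yes alone does not let IP-in-IP through: the
# FORWARD chain still has to accept protocol 4, which is what
# ensure_ipencap_forward takes care of.
check_prereqs() {
    mod=no
    fwd=no
    ipip_module_loaded && mod=yes
    ipv4_forwarding_enabled && fwd=yes
    echo "module=$mod forward=$fwd"
    [ "$mod" = yes ] && [ "$fwd" = yes ]
}

# Usage on a node: sudo sh allow_ipencap.sh apply
case "${1:-}" in
    apply)
        check_prereqs || echo "warning: prerequisites missing (see output above)" >&2
        ensure_ipencap_forward
        ;;
esac
```

On GKE the rule does not survive a node recreate, so in practice it is run from a privileged DaemonSet or a startup script on every node rather than by hand; the `-C`-then-`-A` pattern keeps that safe to re-run.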

huangapple
  • Posted by huangapple on 2020-01-06 19:58:51
  • Please keep this link when reposting: https://go.coder-hub.com/59611719.html