在介绍CNI Chaining之前，我们先简单介绍一下Cilium。要说现在最火的容器网络，莫过于Cilium了。Cilium 是一个基于 eBPF 和 XDP 的高性能容器网络方案，代码开源在https://github.com/cilium/cilium。其主要功能特性包括安全上，支持 L3/L4/L7 安全策略，这些策略按照使用方法又可以分为基于身份的安全策略(security identity)

基于 CIDR 的安全策略

基于标签的安全策略

网络上，支持三层平面网络(flat layer 3 network)，如覆盖网络(Overlay)，包括 VXLAN 和 Geneve 等

Linux 路由网络，包括原生的 Linux 路由和云服务商的高级网络路由等

提供基于 BPF 的负载均衡

提供便利的监控和排错能力

此外最新版本的Cilium已经包含了Kube-proxy的功能。

CNI Chaining

今天我们试想一种场景：你的集群运行在公有云上，整个k8s的网络模型已经使用了公有云提供的ENI弹性网络，比如aws的aws-cni和阿里云的terway。ENI带给我们诸多好处，高性能，拉平了Pod网络。

但是我们却希望使用Cilium带来的高性能负载均衡和可观察性。

于是今天的主角CNI Chaining出场了。

CNI Chaining允许将Cilium与其他CNI插件结合使用。

通过Cilium CNI Chaining，基本网络连接和IP地址管理由非Cilium CNI插件管理，但是Cilium将BPF程序附加到由非Cilium插件创建的网络设备上，以提供L3/L4/L7网络可见性和策略强制执行和其他高级功能，例如透明加密。

目前Cilium支持与以下网络模型配合使用：

今天我们主要测试AWS-CNI。

Cilium与AWS eni

接下来主要介绍如何与aws-cni结合设置Cilium。在这种混合模式下，aws-cni插件负责通过ENI设置虚拟网络设备以及地址分配(IPAM)。安装程序中，调用Cilium CNI插件将BPF程序附加到aws-cni设置的网络设备上，以实施网络策略，执行负载平衡和加密。

关于EKS集群部署，本文不涉及。大家可以参考相关文档。

安装成功后，执行kubectl get nodes可以类似如下输出：

NAME STATUS ROLES AGE VERSION

ip-172-xx-56-151.ap-southeast-1.compute.internal Ready 10m v1.15.11-eks-af3caf

ip-172-xx-94-192.ap-southeast-1.compute.internal Ready 10m v1.15.11-eks-af3caf

部署helm3

执行

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3

chmod 700 get_helm.sh

./get_helm.sh

看到如下输出，表明安装成功：

Helm v3.2.0 is available. Changing from version .

Downloading https://get.helm.sh/helm-v3.2.0-linux-amd64.tar.gz

Preparing to install helm into /usr/local/bin

helm installed into /usr/local/bin/helm

安装Cilium

增加Cilium helm repo:

helm repo add cilium https://helm.cilium.io/

通过Helm部署Cilium：

helm install cilium cilium/cilium --version 1.7.3 \

--namespace kube-system \

--set global.cni.chainingMode=aws-cni \

--set global.masquerade=false \

--set global.tunnel=disabled \

--set global.nodeinit.enabled=true

这将启用与aws-cni插件的chaining，也将禁用隧道。由于ENI IP地址可以直接在您的VPC中路由，因此不需要隧道，也可以出于相同原因禁用伪装。

看到如下类似输出，表明安装成功：

NAME: cilium

LAST DEPLOYED: Thu Apr 30 17:56:11 2020

NAMESPACE: kube-system

STATUS: deployed

REVISION: 1

TEST SUITE: None

NOTES:

You have successfully installed Cilium.

Your release version is 1.7.3.

For any further help, visit https://docs.cilium.io/en/v1.7/gettinghelp

重启已经部署的Pod

新的CNIchaining配置将不适用于群集中已在运行的任何Pod。现有Pod将可以访问，Cilium将对其进行负载平衡，但策略实施将不适用于它们并且不对源流量进行负载平衡您必须重新启动这些Pod才能在其上调用链配置。

如果不确定某个Pod是否由Cilium管理，请在相应的名称空间中运行kubectl get cep并查看是否列出了该Pod。

如下：

kubectl get cep -n kube-system

NAME ENDPOINT ID IDENTITY ID INGRESS ENFORCEMENT EGRESS ENFORCEMENT VISIBILITY POLICY ENDPOINT STATE IPV4 IPV6

coredns-5d76c48b7c-q2z5b 1297 43915 ready 172.26.92.175

coredns-5d76c48b7c-ths7q 863 43915 ready 172.26.55.46

coredns 已经重启，并且生效。

检验安装

接下来我们查看一下部署了那些组件：

kubectl get pods -n kube-system

NAME READY STATUS RESTARTS AGE

aws-node-5lgwp 1/1 Running 0 18m

aws-node-cpj9g 1/1 Running 0 18m

cilium-7ql6n 1/1 Running 0 94s

cilium-node-init-kxh2t 1/1 Running 0 94s

cilium-node-init-zzlrd 1/1 Running 0 94s

cilium-operator-6f9f88d64-lrt7f 1/1 Running 0 94s

cilium-zdtxq 1/1 Running 0 94s

coredns-5d76c48b7c-q2z5b 1/1 Running 0 55s

coredns-5d76c48b7c-ths7q 1/1 Running 0 40s

kube-proxy-27j82 1/1 Running 0 18m

kube-proxy-qktk8 1/1 Running 0 18m

部署连通性测试

您可以部署“连通性检查”以测试Pod之间的连通性。

kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/1.7.3/examples/kubernetes/connectivity-check/connectivity-check.yaml

可以看到如下输出：

service/echo-a created

deployment.apps/echo-a created

service/echo-b created

service/echo-b-headless created

deployment.apps/echo-b created

deployment.apps/echo-b-host created

service/echo-b-host-headless created

deployment.apps/host-to-b-multi-node-clusterip created

deployment.apps/host-to-b-multi-node-headless created

deployment.apps/pod-to-a-allowed-cnp created

ciliumnetworkpolicy.cilium.io/pod-to-a-allowed-cnp created

deployment.apps/pod-to-a-l3-denied-cnp created

ciliumnetworkpolicy.cilium.io/pod-to-a-l3-denied-cnp created

deployment.apps/pod-to-a created

deployment.apps/pod-to-b-intra-node-hostport created

deployment.apps/pod-to-b-intra-node created

deployment.apps/pod-to-b-multi-node-clusterip created

deployment.apps/pod-to-b-multi-node-headless created

deployment.apps/pod-to-b-multi-node-hostport created

deployment.apps/pod-to-a-external-1111 created

deployment.apps/pod-to-external-fqdn-allow-google-cnp created

它将部署一系列部署，这些部署将使用各种连接路径相互连接，包括和不具有服务负载平衡以及各种网络策略组合的连接路径。Pod名称表示联通性测试方向，就绪和活跃性表示成功或测试失败：

kubectl get pods

NAME READY STATUS RESTARTS AGE

echo-a-558b9b6dc4-hjpqx 1/1 Running 0 72s

echo-b-59d5ff8b98-gxrb8 1/1 Running 0 72s

echo-b-host-f4bd98474-5bpfz 1/1 Running 0 72s

host-to-b-multi-node-clusterip-7bb8b4f964-4zslk 1/1 Running 0 72s

host-to-b-multi-node-headless-5c5676647b-7dflx 1/1 Running 0 72s

pod-to-a-646cccc5df-ssg8l 1/1 Running 0 71s

pod-to-a-allowed-cnp-56f4cfd999-2vln8 1/1 Running 0 72s

pod-to-a-external-1111-7c5c99c6d9-mbglt 1/1 Running 0 70s

pod-to-a-l3-denied-cnp-556fb69b9f-v9b74 1/1 Running 0 72s

pod-to-b-intra-node-b9454c7c6-k9s4s 1/1 Running 0 71s

pod-to-b-intra-node-hostport-665b46c945-x7g8s 1/1 Running 0 71s

pod-to-b-multi-node-clusterip-754d5ff9d-rsqgz 1/1 Running 0 71s

pod-to-b-multi-node-headless-7876749b84-c9fr5 1/1 Running 0 71s

pod-to-b-multi-node-hostport-77fcd6f59f-m7w8s 1/1 Running 0 70s

pod-to-external-fqdn-allow-google-cnp-6478db9cd9-4cc78 1/1 Running 0 70s

安装Hubble

我们使用Cilium，一个很大的原因，为了流量的可观察性，所以我们部署Hubble。

Hubble是一个用于Cloud Native工作负载的完全分布式的网络和安全性可观察性平台，它基于Cilium和eBPF构建，以完全透明的方式实现对服务以及网络基础架构的通信和行为的深入可见性。

生成部署文件：

git clone https://github.com/cilium/hubble.git

cd hubble/install/kubernetes

helm template hubble \

--namespace kube-system \

--set metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}" \

--set ui.enabled=true \

> hubble.yaml

查看生产的hubble.yaml 文件：

---

# Source: hubble/templates/serviceaccount.yaml

apiVersion: v1

kind: ServiceAccount

metadata:

name: hubble

namespace: kube-system

---

# Source: hubble/templates/serviceaccount.yaml

apiVersion: v1

kind: ServiceAccount

metadata:

namespace: kube-system

name: hubble-ui

---

# Source: hubble/templates/clusterrole.yaml

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRole

metadata:

name: hubble

rules:

- apiGroups:

- ""

resources:

- pods

verbs:

- get

- list

---

# Source: hubble/templates/clusterrole.yaml

kind: ClusterRole

apiVersion: rbac.authorization.k8s.io/v1

metadata:

name: hubble-ui

rules:

- apiGroups:

- networking.k8s.io

resources:

- networkpolicies

verbs:

- get

- list

- watch

- apiGroups:

- ""

resources:

- componentstatuses

- endpoints

- namespaces

- nodes

- pods

- services

verbs:

- get

- list

- watch

- apiGroups:

- apiextensions.k8s.io

resources:

- customresourcedefinitions

verbs:

- get

- list

- watch

- apiGroups:

- cilium.io

resources:

- "*"

verbs:

- get

- list

- watch

---

# Source: hubble/templates/clusterrolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRoleBinding

metadata:

name: hubble

roleRef:

apiGroup: rbac.authorization.k8s.io

kind: ClusterRole

name: hubble

subjects:

- kind: ServiceAccount

name: hubble

namespace: kube-system

---

# Source: hubble/templates/clusterrolebinding.yaml

kind: ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1

metadata:

name: hubble-ui

roleRef:

apiGroup: rbac.authorization.k8s.io

kind: ClusterRole

name: hubble-ui

subjects:

- kind: ServiceAccount

namespace: kube-system

name: hubble-ui

---

# Source: hubble/templates/svc.yaml

kind: Service

apiVersion: v1

metadata:

name: hubble-grpc

namespace: kube-system

labels:

k8s-app: hubble

spec:

type: ClusterIP

clusterIP: None

selector:

k8s-app: hubble

ports:

- targetPort: 50051

protocol: TCP

port: 50051

---

# Source: hubble/templates/svc.yaml

kind: Service

apiVersion: v1

metadata:

namespace: kube-system

name: hubble-ui

spec:

selector:

k8s-app: hubble-ui

ports:

- name: http

port: 12000

targetPort: 12000

type: ClusterIP

---

# Source: hubble/templates/daemonset.yaml

apiVersion: apps/v1

kind: DaemonSet

metadata:

name: hubble

namespace: kube-system

spec:

selector:

matchLabels:

k8s-app: hubble

kubernetes.io/cluster-service: "true"

template:

metadata:

annotations:

prometheus.io/port: "6943"

prometheus.io/scrape: "true"

labels:

k8s-app: hubble

kubernetes.io/cluster-service: "true"

spec:

priorityClassName: system-node-critical

affinity:

podAffinity:

requiredDuringSchedulingIgnoredDuringExecution:

- labelSelector:

matchExpressions:

- key: "k8s-app"

operator: In

values:

- cilium

topologyKey: "kubernetes.io/hostname"

namespaces:

- cilium

- kube-system

containers:

- name: hubble

image: "quay.io/cilium/hubble:v0.5.0"

imagePullPolicy: Always

command:

- hubble

args:

- serve

- --listen-client-urls=0.0.0.0:50051

- --listen-client-urls=unix:///var/run/hubble.sock

- --metrics-server

- ":6943"

- --metric=dns

- --metric=drop

- --metric=tcp

- --metric=flow

- --metric=port-distribution

- --metric=icmp

- --metric=http

env:

- name: HUBBLE_NODE_NAME

valueFrom:

fieldRef:

fieldPath: spec.nodeName

- name: HUBBLE_NAMESPACE

valueFrom:

fieldRef:

fieldPath: metadata.namespace

ports:

- containerPort: 6943

protocol: TCP

name: metrics

readinessProbe:

exec:

command:

- hubble

- status

failureThreshold: 3

initialDelaySeconds: 5

periodSeconds: 30

successThreshold: 1

timeoutSeconds: 5

resources:

{}

volumeMounts:

- mountPath: /var/run/cilium

name: cilium-run

restartPolicy: Always

serviceAccount: hubble

serviceAccountName: hubble

terminationGracePeriodSeconds: 1

tolerations:

- operator: Exists

volumes:

- hostPath:

# We need to access Cilium's monitor socket

path: /var/run/cilium

type: Directory

name: cilium-run

---

# Source: hubble/templates/deployment.yaml

kind: Deployment

apiVersion: apps/v1

metadata:

namespace: kube-system

name: hubble-ui

spec:

replicas: 1

selector:

matchLabels:

k8s-app: hubble-ui

template:

metadata:

labels:

k8s-app: hubble-ui

spec:

priorityClassName:

serviceAccountName: hubble-ui

containers:

- name: hubble-ui

image: "quay.io/cilium/hubble-ui:latest"

imagePullPolicy: Always

env:

- name: NODE_ENV

value: "production"

- name: LOG_LEVEL

value: "info"

- name: HUBBLE

value: "true"

- name: HUBBLE_SERVICE

value: "hubble-grpc.kube-system.svc.cluster.local"

- name: HUBBLE_PORT

value: "50051"

ports:

- containerPort: 12000

name: http

resources:

{}

部署Hubble:

kubectl apply -f hubble.yaml

可以看到创建了以下的对象：

serviceaccount/hubble created

serviceaccount/hubble-ui created

clusterrole.rbac.authorization.k8s.io/hubble created

clusterrole.rbac.authorization.k8s.io/hubble-ui created

clusterrolebinding.rbac.authorization.k8s.io/hubble created

clusterrolebinding.rbac.authorization.k8s.io/hubble-ui created

service/hubble-grpc created

service/hubble-ui created

daemonset.apps/hubble created

deployment.apps/hubble-ui created

此时，我们还需要为Hubble UI 部署一个负载均衡器，方便我们从外部访问。

所以需要把service hubble-ui 类型更改为LoadBalancer。

如下：

kind: Service

apiVersion: v1

metadata:

annotations:

service.beta.kubernetes.io/aws-load-balancer-type: nlb

namespace: kube-system

name: hubble-ui

spec:

selector:

k8s-app: hubble-ui

ports:

- name: http

port: 12000

targetPort: 12000

type: LoadBalancer

访问UI，我们可以看到如下：

点击放大，我们可以清晰看到联调测试部署的网络拓扑：

总结

本文主要介绍了如何借助CNI Chaining ，实现Cilium对其他网络模型的功能增强。

不过由于eBPF对内核版本要求比较高，3.x系列的内核是不支持的。

最新版的Cilium利用eBPF实现负载均衡，完全可以不用部署Kube-proxy。

接下来，我们会详细讲述下Cilium原理和其他知识点。