Background
Modern data-center application development has moved to microservices. Microservice applications tend to be highly dynamic, and the short, unstable lifecycle of containers exposes the weakness of traditional Linux network security mechanisms such as iptables, which have to keep up with constantly changing load-balancing tables and access-control lists.
Building on the progress of Linux eBPF, Cilium keeps the ability to transparently insert security visibility and enforcement, but does so based on service / pod / container identity (as opposed to the IP-address identification of traditional systems) and can also filter at the application layer (for example HTTP). By decoupling security from addressing, Cilium can not only apply security policy in highly dynamic environments, but also, beyond the traditional layer 3 and layer 4 segmentation, provide stronger isolation by operating at the HTTP layer.
Cilium is not the only option: Calico also has an eBPF mode, and has shipped an eBPF data plane since v3.13.
Because of the poor performance of iptables on netfilter, the Kubernetes kube-proxy component has long been criticized. Both Cilium and Calico fully implement kube-proxy's functionality, including ClusterIP, NodePort, ExternalIPs and LoadBalancer, so either can replace kube-proxy entirely while providing better performance.
In addition, Cilium's ClusterMesh can interconnect, and apply network policy across, multiple clusters, multiple VPCs, multiple data centers, and even OpenStack and Kubernetes clusters together.
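The identity-based, application-layer enforcement described above, as an added example that is not part of the original post: a CiliumNetworkPolicy that lets only pods labelled app=frontend reach pods labelled app=backend, and then only with HTTP GET requests under /api/v1/. The labels, namespace, port and path are assumptions chosen for illustration. Peers are selected by pod labels (Cilium's security identity) rather than by IP address, so the rule keeps working when pods are rescheduled and receive new addresses; the toPorts block adds the layer 4 restriction and the http rules the layer 7 one.

```yaml
# Added example, not from the original post. Labels, namespace, port and
# path are assumptions; adjust them to the workloads you actually run.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-to-backend-http
  namespace: default
spec:
  # Layer 3: the policy applies to endpoints (pods) carrying app=backend,
  # whatever their current IP address is.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  # Only endpoints carrying app=frontend may send traffic in.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    # Layer 4: only TCP port 8080 is reachable from those peers.
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # Layer 7: of that traffic, only GET requests whose path matches
      # the regular expression below are forwarded; everything else on
      # the port is rejected by the HTTP proxy.
      rules:
        http:
        - method: GET
          path: "/api/v1/.*"
```

Once an ingress rule selects the backend endpoint, ingress traffic that no rule allows is dropped, so the policy is an allow-list with an implicit default deny for that endpoint. Apply it with kubectl apply -f after Cilium is running; the CiliumNetworkPolicy CRD is installed by the Cilium deployment.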
Start a 2-node Kubernetes cluster
```
[dev@centos9 ~]$ minikube start --vm-driver=podman --network-plugin=cni --nodes=2
* minikube v1.26.1 on Centos 9
* Using the podman driver based on user configuration
! With --network-plugin=cni, you will need to provide your own CNI. See --cni flag as a user-friendly alternative
* Using Podman driver with root privileges
* Starting control plane node minikube in cluster minikube
* Pulling base image ...
E0901 09:20:52.559294  215553 cache.go:203] Error downloading kic artifacts: not yet implemented, see issue #8426
* Creating podman container (CPUs=2, Memory=4000MB) ...
* Preparing Kubernetes v1.24.3 on Docker 20.10.17 ...
  - Generating certificates and keys ...
  - Booting up control plane ...
  - Configuring RBAC rules ...
* Configuring CNI (Container Networking Interface) ...
* Verifying Kubernetes components...
  - Using image gcr.io/k8s-minikube/storage-provisioner:v5
* Enabled addons: storage-provisioner, default-storageclass
* Starting worker node minikube-m02 in cluster minikube
* Pulling base image ...
E0901 09:21:24.042538  215553 cache.go:203] Error downloading kic artifacts: not yet implemented, see issue #8426
* Creating podman container (CPUs=2, Memory=4000MB) ...
* Found network options:
  - NO_PROXY=192.168.49.2
* Preparing Kubernetes v1.24.3 on Docker 20.10.17 ...
  - env NO_PROXY=192.168.49.2
* Verifying Kubernetes components...
* Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
[dev@centos9 ~]$ kubectl get pod -A
NAMESPACE     NAME                               READY   STATUS    RESTARTS   AGE
kube-system   coredns-6d4b75cb6d-8r5xp           1/1     Running   0          61s
kube-system   etcd-minikube                      1/1     Running   0          72s
kube-system   kindnet-cgqrd                      1/1     Running   0          62s
kube-system   kindnet-cnhbh                      1/1     Running   0          46s
kube-system   kube-apiserver-minikube            1/1     Running   0          72s
kube-system   kube-controller-manager-minikube   1/1     Running   0          72s
kube-system   kube-proxy-5w6fl                   1/1     Running   0          46s
kube-system   kube-proxy-qkh7d                   1/1     Running   0          62s
kube-system   kube-scheduler-minikube            1/1     Running   0          72s
kube-system   storage-provisioner                1/1     Running   0          71s
[dev@centos9 ~]$ kubectl get node -o wide
NAME           STATUS   ROLES           AGE   VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION          CONTAINER-RUNTIME
minikube       Ready    control-plane   76s   v1.24.3   192.168.49.2   <none>        Ubuntu 20.04.4 LTS   5.14.0-115.el9.x86_64   docker://20.10.17
minikube-m02   Ready    <none>          49s   v1.24.3   192.168.49.3   <none>        Ubuntu 20.04.4 LTS   5.14.0-115.el9.x86_64   docker://20.10.17
```
Mount the eBPF filesystem
```
[dev@centos9 ~]$ minikube ssh -n minikube -- sudo mount bpffs -t bpf /sys/fs/bpf
[dev@centos9 ~]$ minikube ssh -n minikube-m02 -- sudo mount bpffs -t bpf /sys/fs/bpf
```
Cilium is built on eBPF, so it runs only on Linux and has kernel-version requirements: the 3.x kernel that CentOS 7 ships by default will certainly not work, you need at least a 4.x or 5.x kernel; see the official documentation for the exact requirement. The kernel-upgrade steps are in the final section of this post:
Appendix: CentOS kernel upgrade
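A pre-flight check for the two requirements just stated (kernel version and a mounted bpffs), as an added example that is not part of the original post. The minimum kernel version is an assumption: replace it with the figure the Cilium documentation gives for the release you install. The mounts file path is a parameter so the check can be run against a saved copy of /proc/mounts as well as the live node; CILIUM_MIN_KERNEL is a hypothetical variable introduced here.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a node
# before installing Cilium. The default minimum kernel version is an assumed
# value; take the real one from the Cilium documentation for your release.

# version_ge A B -> exit 0 if kernel version A >= B, comparing only the
# numeric dotted prefix, so "5.14.0-115.el9.x86_64" is compared as 5.14.0.
version_ge() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0   # a missing component counts as 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# bpffs_mounted_in MOUNTS_FILE -> exit 0 if a filesystem of type "bpf" is
# mounted at /sys/fs/bpf according to MOUNTS_FILE (normally /proc/mounts).
bpffs_mounted_in() {
    awk '$2 == "/sys/fs/bpf" && $3 == "bpf" { found = 1 } END { exit !found }' "$1"
}

# preflight KERNEL_VERSION MIN_VERSION MOUNTS_FILE -> exit 0 only if both
# checks pass; prints one line per check so the result is readable when
# run through "minikube ssh".
preflight() {
    rc=0
    if version_ge "$1" "$2"; then
        echo "kernel $1: ok (>= $2)"
    else
        echo "kernel $1: too old, need >= $2"
        rc=1
    fi
    if bpffs_mounted_in "$3"; then
        echo "bpffs: mounted at /sys/fs/bpf"
    else
        echo "bpffs: not mounted (run: sudo mount bpffs -t bpf /sys/fs/bpf)"
        rc=1
    fi
    return $rc
}

# Check the node this script runs on only when invoked with --run, so the
# functions can also be sourced. CILIUM_MIN_KERNEL is a hypothetical
# variable; 4.19.57 is an assumed default, not a value from the post.
if [ "${1:-}" = "--run" ]; then
    preflight "$(uname -r)" "${CILIUM_MIN_KERNEL:-4.19.57}" /proc/mounts
fi
```

Copy the script to each node and run it with --run before applying the Cilium manifests; a non-zero exit means at least one requirement is missing.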
Install Cilium
Either of the following two methods will do; pick one:
quick-install.yaml
```
[dev@centos9 ~]$ kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.9/install/kubernetes/quick-install.yaml
serviceaccount/cilium created
serviceaccount/cilium-operator created
configmap/cilium-config created
clusterrole.rbac.authorization.k8s.io/cilium created
clusterrole.rbac.authorization.k8s.io/cilium-operator created
clusterrolebinding.rbac.authorization.k8s.io/cilium created
clusterrolebinding.rbac.authorization.k8s.io/cilium-operator created
Warning: spec.template.metadata.annotations[scheduler.alpha.kubernetes.io/critical-pod]: non-functional in v1.16 ; use the "priorityClassName" field instead
daemonset.apps/cilium created
deployment.apps/cilium-operator created
[dev@centos9 ~]$ kubectl get pod -A
NAMESPACE     NAME                               READY   STATUS    RESTARTS   AGE
kube-system   cilium-bnv9z                       1/1     Running   0          4m43s
kube-system   cilium-n5xpt                       1/1     Running   0          11m
kube-system   cilium-operator-d86cdbf88-ljfw8    1/1     Running   0          11m
kube-system   coredns-6d4b75cb6d-8r5xp           1/1     Running   0          16m
kube-system   etcd-minikube                      1/1     Running   0          17m
kube-system   kindnet-cgqrd                      1/1     Running   0          16m
kube-system   kindnet-cnhbh                      1/1     Running   0          16m
kube-system   kube-apiserver-minikube            1/1     Running   0          17m
kube-system   kube-controller-manager-minikube   1/1     Running   0          17m
kube-system   kube-proxy-5w6fl                   1/1     Running   0          16m
kube-system   kube-proxy-qkh7d                   1/1     Running   0          16m
kube-system   kube-scheduler-minikube            1/1     Running   0          17m
kube-system   storage-provisioner                1/1     Running   0          17m
```
Cilium CLI
```
[root@centos7 ~]# CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
[root@centos7 ~]# CLI_ARCH=amd64
[root@centos7 ~]# if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
[root@centos7 ~]# curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 23.1M  100 23.1M    0     0  1378k      0  0:00:17  0:00:17 --:--:-- 5047k
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    92  100    92    0     0     91      0  0:00:01  0:00:01 --:--:--    92
[root@centos7 ~]# sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
cilium-linux-amd64.tar.gz: OK
[root@centos7 ~]# sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
cilium
[root@centos7 ~]# rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
rm: remove regular file ‘cilium-linux-amd64.tar.gz’? y
rm: remove regular file ‘cilium-linux-amd64.tar.gz.sha256sum’? y
[root@centos7 ~]# cilium install
```
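The session above verifies the CLI archive with sha256sum --check against a .sha256sum file downloaded from the same release URL as the archive. That catches a corrupted download, but not an archive and checksum file replaced together by whoever controls the download path. The added example below, which is not part of the original post, verifies against a digest that is pinned in the script or supplied by the caller (obtained out of band, for instance from the release page you read rather than the URL you fetch), and only unpacks the archive when the digest matches. File names and digests used in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): fail-closed verification of a
# downloaded release archive against a pinned SHA-256 digest.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE.
# Uses sha256sum (coreutils) when available, falling back to shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit 0 if FILE's digest equals
# EXPECTED_HEX (case-insensitive); exit 1 on mismatch or missing file.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify: $file not found" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify: $file digest mismatch" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_verified ARCHIVE EXPECTED_HEX DEST_DIR -> unpack ARCHIVE (a .tar.gz)
# into DEST_DIR only after verify_sha256 succeeds; exit 1 otherwise, leaving
# DEST_DIR untouched.
install_verified() {
    verify_sha256 "$1" "$2" || return 1
    tar xzf "$1" -C "$3"
}

# Usage with the file names from the post. PINNED_SHA256 is a placeholder
# for the digest published for the release you are installing:
#   install_verified cilium-linux-amd64.tar.gz PINNED_SHA256 /usr/local/bin
```

Pinning a digest this way also pins the version: unlike reading stable.txt at run time, the script cannot silently start installing a different build than the one that was reviewed.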