diff --git a/docs/setup/network-plugin/kube-ovn.md b/docs/setup/network-plugin/kube-ovn.md
index f7c8a8c49..e925c242a 100644
--- a/docs/setup/network-plugin/kube-ovn.md
+++ b/docs/setup/network-plugin/kube-ovn.md
@@ -14,6 +14,9 @@ kube-ovn 提供了针对企业应用场景下容器网络实用功能,并为
 - 3.动态QoS;
 - 4.分布式和集中式网关;
 - 5.内嵌 LoadBalancer;
+- 6.Pod IP对外直接暴露
+- 7.流量镜像
+- 8.IPv6
 ### kubeasz 集成安装 kube-ovn
@@ -31,8 +34,10 @@ roles/kube-ovn
 ├── tasks
 │   └── main.yml # 安装执行文件
 └── templates
+ ├── crd.yaml.j2 # crd 模板
 ├── kube-ovn.yaml.j2 # kube-ovn yaml 模板
- └── ovn.yaml.j2 # ovn yaml 模板
+ └── ovn.yaml.j2 # ovn yaml 模板
+
 ```
 安装成功后,可以验证所有 k8s 集群功能正常,查看集群的 pod 网络如下:
@@ -63,7 +68,7 @@ kube-system metrics-server-6c898b5b8b-zvct2 1/1 Running 0
 ### 测试 namespace 子网分配
-新建一个 namespace 测试分配一个新的 pod 子网
+新建一个 subnet 并绑定 namespace 测试分配一个新的 pod 子网
 ```
 # 创建一个 namespace: test-ns
@@ -72,14 +77,28 @@ apiVersion: v1
 kind: Namespace
 metadata:
 annotations:
- ovn.kubernetes.io/cidr: 10.17.0.0/24
- ovn.kubernetes.io/gateway: 10.17.0.1
- ovn.kubernetes.io/logical_switch: test-ns-subnet
- ovn.kubernetes.io/exclude_ips: "10.17.0.1..10.17.0.10"
 name: test-ns
 EOF
 $ kubectl apply -f test-ns.yaml
+# 创建一个 subnet: test-subnet 并绑定 namespace test-ns
+$ cat > test-subnet.yaml << EOF
+apiVersion: kubeovn.io/v1
+kind: Subnet
+metadata:
+ name: test-subnet
+spec:
+ protocol: IPv4
+ default: false
+ namespaces:
+ - test-ns
+ cidrBlock: 10.17.0.0/24
+ gateway: 10.17.0.1
+ excludeIps:
+ - 10.17.0.1..10.17.0.10
+EOF
+$ kubectl apply -f test-subnet.yaml
+
 # 在 test-ns 中创建 nginx 部署
 $ kubectl run -n test-ns nginx --image=nginx --replicas=2 --port=80 --expose
diff --git a/roles/kube-ovn/defaults/main.yml b/roles/kube-ovn/defaults/main.yml
index f016466c2..dd8302f08 100644
--- a/roles/kube-ovn/defaults/main.yml
+++ b/roles/kube-ovn/defaults/main.yml
@@ -2,4 +2,4 @@ OVN_DB_NODE: "{{ groups['kube-master'][0] }}"
 # 离线镜像tar包
-kube_ovn_offline: "kube_ovn_0.4.0.tar"
+kube_ovn_offline: "kube_ovn_0.6.0.tar"
diff --git a/roles/kube-ovn/tasks/main.yml b/roles/kube-ovn/tasks/main.yml
index 311896787..24fafef66 100644
--- a/roles/kube-ovn/tasks/main.yml
+++ b/roles/kube-ovn/tasks/main.yml
@@ -5,6 +5,9 @@
 - /opt/kube/images
 - /opt/kube/kube-ovn
+- name: 配置 crd.yaml 文件
+ template: src=crd.yaml.j2 dest=/opt/kube/kube-ovn/crd.yaml
+
 - name: 配置 kube-ovn.yaml 文件
 template: src=kube-ovn.yaml.j2 dest=/opt/kube/kube-ovn/kube-ovn.yaml
@@ -51,6 +54,7 @@
 # 只需单节点执行一次
 - name: 运行 kube-ovn网络
 shell: "{{ bin_dir }}/kubectl label node {{ OVN_DB_NODE }} kube-ovn/role=master --overwrite && \
+ {{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/crd.yaml && sleep 5 && \
 {{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/ovn.yaml && sleep 5 && \
 {{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/kube-ovn.yaml"
 run_once: true
diff --git a/roles/kube-ovn/templates/crd.yaml.j2 b/roles/kube-ovn/templates/crd.yaml.j2
new file mode 100644
index 000000000..bc24a5a30
--- /dev/null
+++ b/roles/kube-ovn/templates/crd.yaml.j2
@@ -0,0 +1,52 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ips.kubeovn.io
+spec:
+ group: kubeovn.io
+ version: v1
+ scope: Cluster
+ names:
+ plural: ips
+ singular: ip
+ kind: IP
+ shortNames:
+ - ip
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: subnets.kubeovn.io
+spec:
+ group: kubeovn.io
+ version: v1
+ scope: Cluster
+ names:
+ plural: subnets
+ singular: subnet
+ kind: Subnet
+ shortNames:
+ - subnet
+ additionalPrinterColumns:
+ - name: Protocol
+ type: string
+ JSONPath: .spec.protocol
+ - name: CIDR
+ type: string
+ JSONPath: .spec.cidrBlock
+ - name: Private
+ type: boolean
+ JSONPath: .spec.private
+ - name: NAT
+ type: boolean
+ JSONPath: .spec.natOutgoing
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ required: ["cidrBlock","gateway"]
+ properties:
+ cidrBlock:
+ type: "string"
+ gateway:
+ type: "string"
\ No newline at end of file
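Review bot: The new `sleep 5` after `kubectl apply -f /opt/kube/kube-ovn/crd.yaml` is a timing guess; a CRD only accepts objects once its `Established` condition is true, and on a slow or loaded API server the following `apply -f ovn.yaml` / `kube-ovn.yaml` steps can still fail with "no matches for kind Subnet". Replace the sleep with an explicit wait on the two CRDs this commit creates, `{{ bin_dir }}/kubectl wait --for=condition=established --timeout=60s crd/subnets.kubeovn.io crd/ips.kubeovn.io && \`, which returns as soon as they are ready and fails the task with a clear error if they never are (this needs a kubectl that provides the `wait` subcommand, which I believe every release the role targets does). The pre-existing `sleep 5` after ovn.yaml is outside this commit's change but has the same weakness.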
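Review bot: The `subnets.kubeovn.io` schema only says that `cidrBlock` and `gateway` are strings, so a malformed CIDR, an unexpected `protocol`, or a scalar where `namespaces` / `excludeIps` should be a list is accepted by the API server and only surfaces later inside the controller; `ips.kubeovn.io` has no `validation` block at all. Since the printer columns already assume `.spec.protocol`, `.spec.private` and `.spec.natOutgoing`, describing those fields in `openAPIV3Schema` (for example `protocol` as `type: string` with an `enum` of the values the controller accepts — the docs in this commit mention IPv4 and IPv6, so presumably both — and `namespaces` / `excludeIps` as arrays of strings) would reject bad objects at apply time instead. The file also lacks a trailing newline (`\ No newline at end of file`); add one so the generated manifest diffs cleanly.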
diff --git a/roles/kube-ovn/templates/kube-ovn.yaml.j2 b/roles/kube-ovn/templates/kube-ovn.yaml.j2
index 206d9dd27..69b0ad655 100644
--- a/roles/kube-ovn/templates/kube-ovn.yaml.j2
+++ b/roles/kube-ovn/templates/kube-ovn.yaml.j2
@@ -8,7 +8,7 @@ metadata:
 kubernetes.io/description: |
 kube-ovn controller
 spec:
- replicas: 2
+ replicas: 1
 selector:
 matchLabels:
 app: kube-ovn-controller
@@ -38,12 +38,13 @@ spec:
 hostNetwork: true
 containers:
 - name: kube-ovn-controller
- image: "index.alauda.cn/alaudak8s/kube-ovn-controller:v0.4.0"
+ image: "index.alauda.cn/alaudak8s/kube-ovn-controller:v0.6.0"
 imagePullPolicy: IfNotPresent
 command:
 - /kube-ovn/start-controller.sh
 args:
 - --default-cidr=10.16.0.0/16
+ - --default-gateway=10.16.0.1
 - --node-switch-cidr=100.64.0.0/16
 env:
 - name: POD_NAME
@@ -54,6 +55,30 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ readinessProbe:
+ exec:
+ command:
+ - nc
+ - -z
+ - -w3
+ - 127.0.0.1
+ - "10660"
+ periodSeconds: 3
+ livenessProbe:
+ exec:
+ command:
+ - nc
+ - -z
+ - -w3
+ - 127.0.0.1
+ - "10660"
+ initialDelaySeconds: 30
+ periodSeconds: 7
+ failureThreshold: 5
 nodeSelector:
 beta.kubernetes.io/os: "linux"
@@ -87,7 +112,7 @@ spec:
 hostPID: true
 initContainers:
 - name: install-cni
- image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.4.0"
+ image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.6.0"
 imagePullPolicy: IfNotPresent
 command: ["/kube-ovn/install-cni.sh"]
 volumeMounts:
@@ -97,8 +122,13 @@ spec:
 name: cni-bin
 containers:
 - name: cni-server
- image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.4.0"
+ image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.6.0"
 imagePullPolicy: IfNotPresent
+ command:
+ - sh
+ - /kube-ovn/start-cniserver.sh
+ args:
+ - --enable-mirror=false
 securityContext:
 runAsUser: 0
 privileged: true
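Review bot: `replicas: 1` makes kube-ovn-controller a single point of failure for subnet and IP management, and nothing in the template records why the second replica was dropped. If this is deliberate because this controller version cannot run two instances safely (no leader election, or the two racing on the same objects — I cannot tell from the diff), say so next to the value, e.g. `# single replica on purpose: confirm leader-election support before raising`, so a later maintainer does not simply bump it back. If it was only a resource-saving choice, a comment is still the cheapest way to make that visible.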
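Review bot: `--default-gateway=10.16.0.1` is a second hard-coded copy of the network that `--default-cidr=10.16.0.0/16` already fixes two lines above, and neither value comes from a role variable (the `defaults/main.yml` change in this commit defines only `OVN_DB_NODE` and `kube_ovn_offline`), so anyone changing the pod CIDR has to edit the template and keep the two arguments consistent by hand. Either drive both from one role default (a constructed example name: `kube_ovn_default_cidr`) and derive the gateway from it in the template, or at least add `# must be an address inside --default-cidr, normally its first usable host` beside the new argument. The same remark applies to the hard-coded `--enable-mirror=false` added to the cni-server container further down in this file, given that the docs in this commit list traffic mirroring as a feature users may want to switch on.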
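Review bot: Both new probes run `nc -z -w3 127.0.0.1 10660` but set no `timeoutSeconds`, whose default is 1 s; depending on the kubelet version, exec-probe timeouts are either enforced at that 1 s (so the `-w3` never takes effect and a controller that is merely slow to accept the connection is marked unready, and after five such misses restarted), or on older kubelets not enforced at all (so a hung `nc` is never cut off). Make the timeout explicit on both the readiness and the liveness probe, e.g. `timeoutSeconds: 5`, so the effective value is the one written in the manifest. The probes also assume `nc` exists in the controller image, which the diff cannot confirm. The same applies to the cni-server probes on port 10665 added later in this file.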
@@ -114,6 +144,26 @@ spec:
 volumeMounts:
 - mountPath: /run/openvswitch
 name: host-run-ovs
+ readinessProbe:
+ exec:
+ command:
+ - nc
+ - -z
+ - -w3
+ - 127.0.0.1
+ - "10665"
+ periodSeconds: 3
+ livenessProbe:
+ exec:
+ command:
+ - nc
+ - -z
+ - -w3
+ - 127.0.0.1
+ - "10665"
+ initialDelaySeconds: 30
+ periodSeconds: 7
+ failureThreshold: 5
 nodeSelector:
 beta.kubernetes.io/os: "linux"
 volumes:
diff --git a/roles/kube-ovn/templates/ovn.yaml.j2 b/roles/kube-ovn/templates/ovn.yaml.j2
index def409ca8..9499493de 100644
--- a/roles/kube-ovn/templates/ovn.yaml.j2
+++ b/roles/kube-ovn/templates/ovn.yaml.j2
@@ -23,24 +23,36 @@ kind: ClusterRole
 metadata:
 annotations:
 rbac.authorization.k8s.io/system-only: "true"
- name: system:ovn-reader
+ name: system:ovn
 rules:
+ - apiGroups:
+ - "kubeovn.io"
+ resources:
+ - subnets
+ - ips
+ verbs:
+ - "*"
 - apiGroups:
 - ""
- - extensions
 resources:
 - pods
 - namespaces
- - networkpolicies
 - nodes
+ - configmaps
 verbs:
+ - create
 - get
 - list
 - watch
+ - patch
+ - update
 - apiGroups:
+ - ""
 - networking.k8s.io
 resources:
 - networkpolicies
+ - services
+ - endpoints
 verbs:
 - get
 - list
@@ -58,37 +70,9 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: ovn-cluster-reader
-roleRef:
- name: cluster-reader
- kind: ClusterRole
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: ovn
- namespace: kube-ovn
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ovn-reader
-roleRef:
- name: system:ovn-reader
- kind: ClusterRole
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: ovn
- namespace: kube-ovn
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cluster-admin-0
+ name: ovn
 roleRef:
- name: cluster-admin
+ name: system:ovn
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
 subjects:
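Review bot: The rewritten `system:ovn` rule grants `create`, `patch` and `update` on `pods`, `namespaces` and `nodes` cluster-wide by folding `configmaps` into the same resource list and adding write verbs to the shared `verbs` block; a service account that can create pods in any namespace or update node objects is effectively cluster-admin again, which is the exact exposure the removed `cluster-admin-0` binding in the next hunk is getting rid of. A network controller that annotates pods/nodes/namespaces usually needs `patch` (and perhaps `update`) on those, while `create`/`update` are only needed for its own configmaps — I cannot see the controller code, so confirm the exact set against what v0.6.0 calls — and `"*"` on the `kubeovn.io` resources should be spelled out so `deletecollection` and anything added to the group later are not granted implicitly. Splitting the rule per resource keeps every verb intentional and makes audit-log review of this identity meaningful.
```yaml
rules:
  - apiGroups:
      - kubeovn.io
    resources:
      - subnets
      - ips
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - pods
      - namespaces
      - nodes
    verbs:
      - get
      - list
      - watch
      - patch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
  # … unchanged: read-only rule for networkpolicies / services / endpoints …
```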
@@ -170,7 +154,7 @@ spec:
 hostNetwork: true
 containers:
 - name: ovn-central
- image: "index.alauda.cn/alaudak8s/kube-ovn-db:v0.4.0"
+ image: "index.alauda.cn/alaudak8s/kube-ovn-db:v0.6.0"
 imagePullPolicy: IfNotPresent
 env:
 - name: POD_IP
@@ -257,7 +241,7 @@ spec:
 hostPID: true
 containers:
 - name: openvswitch
- image: "index.alauda.cn/alaudak8s/kube-ovn-node:v0.4.0"
+ image: "index.alauda.cn/alaudak8s/kube-ovn-node:v0.6.0"
 imagePullPolicy: IfNotPresent
 securityContext:
 runAsUser: 0