Kubernetes 网络权威指南 (The Definitive Guide to Kubernetes Networking: Fundamentals, Principles and Practice)

Posted by 四月的奥德赛 in Kubernetes

20 yuan per copy

Inquiries: gyd1#vip.qq.com (replace # with @)

Table of Contents

Chapter 1 Laying the Foundation: Linux Network Virtualization
1.1 The cornerstone of network virtualization: network namespace
1.1.1 A first look at network namespaces
1.1.2 Configuring a network namespace
1.1.3 Using the network namespace API
1.1.4 Summary
1.2 Long awaited: the veth pair
1.2.1 veth pair kernel implementation
1.2.2 The relationship between a container and its host-side veth pair
1.2.3 Summary
1.3 Connecting everyone: Linux bridge
1.3.1 First experience with Linux bridge
1.3.2 Handing the IP address over to the Linux bridge
1.3.3 Adding a physical NIC to a Linux bridge
1.3.4 Linux bridge in network virtualization
1.3.5 Promiscuous mode on network interfaces
1.4 Giving user space a chance: tun/tap devices
1.4.1 How tun/tap devices work
1.4.2 Deploying a VPN with a tun device
1.4.3 Programming tun devices
1.5 iptables
1.5.1 The ancestor: netfilter
1.5.2 The three pillars of iptables: table, chain and rule
1.5.3 The standard iptables toolkit
1.6 A first look at Linux tunnels: ipip
1.6.1 Testing an ipip tunnel
1.6.2 Reviewing the ipip tunnel test results
1.6.3 Summary
1.7 The representative Linux tunnel network: VXLAN
1.7.1 Why VXLAN is needed
1.7.2 VXLAN protocol overview
1.7.3 Information needed to build a VXLAN network
1.7.4 Basic VXLAN configuration commands
1.7.5 VXLAN networking in practice
1.7.6 Distributed control center
1.7.7 Self-maintained VTEP group
1.7.8 Summary
1.8 Cloning a physical NIC: Macvlan
1.8.1 The five Macvlan operating modes explained
1.8.2 Testing Macvlan devices
1.8.3 Cross-host communication with Macvlan
1.8.4 Macvlan vs. overlay
1.8.5 Summary
1.9 Macvlan's rescuer: IPvlan
1.9.1 Introduction to IPvlan
1.9.2 Testing IPvlan
1.9.3 Docker IPvlan networks
1.9.4 Summary

Chapter 2 Remembering the Source: An Introduction to the Docker Network Model
2.1 Enter the protagonist: Linux containers
2.1.1 What is a container
2.1.2 Containers vs. virtual machines
2.1.3 Summary
2.2 Opening the kaleidoscope: Docker's four network modes
2.2.1 bridge mode
2.2.2 host mode
2.2.3 container mode
2.2.4 none mode
2.3 The most common Docker networking techniques
2.3.1 Checking a container's IP
2.3.2 Port mapping
2.3.3 Accessing external networks
2.3.4 DNS and hostname
2.3.5 Custom networks
2.3.6 Publishing services
2.3.7 docker link: pairwise connections
2.4 The first container networking standard: CNM
2.4.1 The CNM standard
2.4.2 Trying the CNM interface
2.4.3 Libnetwork
2.4.4 Libnetwork extensions
2.4.5 Summary
2.5 Born difficult: the challenges of container networking
2.5.1 Overview of container networking challenges
2.5.2 Docker's solution
2.5.3 Third-party container network plugins
2.5.4 Summary
2.6 Making a sound technology choice: a survey of container networking solutions
2.6.1 Tunnel-based solutions
2.6.2 Routing-based solutions
2.6.3 Container network topology types
2.6.4 On container network standard interfaces
2.6.5 Summary

Chapter 3 Victory of the Standard: Kubernetes Networking Principles and Practice
3.1 The spokesperson for container infrastructure: Kubernetes
3.1.1 Introduction to Kubernetes
3.1.2 What Kubernetes can do
3.1.3 How to use Kubernetes
3.1.4 Docker's role in Kubernetes
3.2 Finally: Kubernetes networking
3.2.1 Kubernetes networking basics
3.2.2 Overview of the Kubernetes network architecture
3.2.3 The Kubernetes intra-host networking model
3.2.4 The Kubernetes cross-node networking model
3.2.5 The Pod hosts file
3.2.6 The Pod hostname
3.3 The heart of the Pod: the pause container
3.4 Connecting CNI and Kubernetes: Kubernetes network drivers
3.4.1 Nearing the end of its historical mission: Kubenet
3.4.2 The first step of the networking ecosystem: CNI
3.5 Finding you is not easy: accessing services from inside the cluster
3.5.1 Kubernetes Service in detail
3.5.2 The three ports of a Service
3.5.3 Which publishing form suits your service
3.5.4 Kubernetes Service discovery
3.5.5 The special headless Service
3.5.6 How to access local services
3.6 Finding you is not easy: accessing services from outside the cluster
3.6.1 Kubernetes Ingress
3.6.2 Summary
3.7 Your name: accessing services by domain name
3.7.1 Basic framework of the DNS service
3.7.2 Basic principles of domain name resolution
3.7.3 Using DNS
3.7.4 Debugging DNS
3.8 Kubernetes network policy: escorting your applications
3.8.1 Network policy examples
3.8.2 Summary
3.9 High voltage ahead: a guide to locating Kubernetes network faults
3.9.1 IP forwarding and bridging
3.9.2 Pod CIDR conflicts
3.9.3 hairpin
3.9.4 Checking Pod IP addresses
3.9.5 Troubleshooting tools
3.9.6 Why SNAT is not recommended

Chapter 4 Getting to the Bottom: Kubernetes Network Implementation Mechanisms
4.1 More than iptables: exploring the details of the official Kubernetes Service implementation
4.1.1 userspace mode
4.1.2 iptables mode
4.1.3 IPVS mode
4.1.4 iptables vs. IPVS
4.1.5 conntrack
4.1.6 Summary
4.2 Everyday life of Kubernetes geeks: DIY an Ingress Controller
4.2.1 A general framework for an Ingress Controller
4.2.2 Nginx Ingress Controller in detail
4.2.3 Summary
4.3 Seas into mulberry fields: the evolution of the Kubernetes DNS architecture
4.3.1 How Kube-dns works
4.3.2 CoreDNS takes over
4.3.3 Kube-dns vs. CoreDNS
4.3.4 Summary
4.4 Your security is my responsibility: providing Kubernetes network policy with Calico
4.4.1 Deploying a Kubernetes cluster with Calico
4.4.2 Testing Calico network policy

Chapter 5 A Hundred Flowers Bloom: The Kubernetes Network Plugin Ecosystem
5.1 From beginner to giving up: the shortcomings of Docker's native networking
5.2 The CNI standard wins: no more CNM
5.2.1 Converting between CNI and CNM
5.2.2 How CNI works
5.2.3 Why Kubernetes does not use Libnetwork
5.3 The ancestor of Kubernetes network plugins: flannel
5.3.1 Introduction to flannel
5.3.2 Installing and configuring flannel
5.3.3 flannel backends in detail
5.3.4 flannel and etcd
5.3.5 Summary
5.4 The all-round layer 3 network plugin: Calico
5.4.1 Introduction to Calico
5.4.2 Calico's tunnel mode
5.4.3 Installing Calico
5.4.4 Calico packet path
5.4.5 Calico usage guide
5.4.6 Why Calico chose BGP
5.4.7 Summary
5.5 Weave: a network plugin with data encryption
5.5.1 Introduction to Weave
5.5.2 How Weave is implemented
5.5.3 Installing Weave
5.5.4 The Weave network communication model
5.5.5 Weave application examples
5.5.6 Summary
5.6 Cilium: born for secure microservice network connectivity
5.6.1 Why use Cilium
5.6.2 API-centric microservice security
5.6.3 BPF-optimized data plane performance
5.6.4 Trying Cilium: network policy
5.6.5 Summary
5.7 The pioneer of Kubernetes multi-networking: CNI-Genie
5.7.1 Why CNI-Genie is needed
5.7.2 A quick tour of CNI-Genie features
5.7.3 Multiple IPs per container

Chapter 6 The Second Half of Kubernetes Networking: Istio
6.1 An earthquake in microservice architecture: the sidecar pattern
6.1.1 Do you really need a Service Mesh
6.1.2 The sidecar pattern
6.1.3 Service Mesh and sidecar
6.1.4 Kubernetes Service vs. Service Mesh
6.1.5 A typical Service Mesh implementation: Linkerd
6.2 Istio: leading the new wave of microservice architecture
6.2.1 Introduction to Istio
6.2.2 Installing Istio
6.2.3 How Istio routing rules are implemented
6.3 It goes without saying: transparent Istio sidecar injection
6.3.1 Init containers
6.3.2 Sidecar injection example
6.3.3 Manual sidecar injection
6.3.4 Automatic sidecar injection
6.3.5 Communication from the application container to the sidecar proxy
6.4 No longer trapped by iptables scripts: the Istio CNI plugin
6.5 Beyond microservices: Istio can do more
