目錄

一：什么是Flannel

1.1 Flannel實現(xiàn)原理

1.2?數(shù)據(jù)轉(zhuǎn)發(fā)流程

二：?Flannel網(wǎng)絡(luò)概述

2.1?Vxlan 模式

2.1.1 通信流程

2.1.2 部署

2.1.3?相關(guān)配置

2.1.4 卸載

2.2 Host-GW 模式

2.2.1 通信流程

2.2.2 部署

2.2.3 相關(guān)配置?

2.2.4 卸載

2.3 Flanneld 作用

2.4?模式對比

三：部署

四：故障分析

4.1?kube-proxy 配置錯誤

4.1.1現(xiàn)象：

4.1.2排查節(jié)點 k8s-node01:

4.2 ipvs 模式下，路由表錯誤

一：什么是Flannel

Flannel 由coreOS開發(fā)，用于解決docker集群跨主機通訊的覆蓋網(wǎng)絡(luò)(overlay network)，它的主要思路是：預(yù)先留出一個網(wǎng)段，每個主機使用其中一部分，然后每個容器被分配不同的ip；讓所有的容器認為大家在同一個直連的網(wǎng)絡(luò)，底層通過UDP/VxLAN/Host-GW等進行報文的封裝和轉(zhuǎn)發(fā)。

• Flannel實質(zhì)上是一種“覆蓋網(wǎng)絡(luò)(overlaynetwork)”，也就是將TCP數(shù)據(jù)包裝在另一種網(wǎng)絡(luò)包里面進行路由轉(zhuǎn)發(fā)和通信，目前已經(jīng)支持udp、vxlan、host-gw、aws-vpc、gce和alloc路由等數(shù)據(jù)轉(zhuǎn)發(fā)方式，默認的節(jié)點間數(shù)據(jù)通信方式是UDP轉(zhuǎn)發(fā)。
• 它的功能是讓集群中的不同節(jié)點主機創(chuàng)建的Docker容器都具有全集群唯一的虛擬IP地址。
• Flannel的設(shè)計目的就是為集群中的所有節(jié)點重新規(guī)劃IP地址的使用規(guī)則，從而使得不同節(jié)點上的容器能夠獲得同屬一個內(nèi)網(wǎng)且不重復(fù)的IP地址，并讓屬于不同節(jié)點上的容器能夠直接通過內(nèi)網(wǎng)IP通信。

1.1 Flannel實現(xiàn)原理

• 集群中的不同節(jié)點上，創(chuàng)建的Pod具有全集群唯一的虛擬IP地址。
• 建立一個覆蓋網(wǎng)絡(luò)（overlay network），通過這個覆蓋網(wǎng)絡(luò)，將數(shù)據(jù)包原封不動的傳遞到目標容器。覆蓋網(wǎng)絡(luò)通過將一個分組封裝在另一個分組內(nèi)來將網(wǎng)絡(luò)服務(wù)與底層基礎(chǔ)設(shè)施分離。在將封裝的數(shù)據(jù)包轉(zhuǎn)發(fā)到端點后，將其解封裝。
• 創(chuàng)建一個新的虛擬網(wǎng)卡flannel0接收docker網(wǎng)橋的數(shù)據(jù)，通過維護路由表，對接收到的數(shù)據(jù)進行封包和轉(zhuǎn)發(fā)（vxlan）。
• etcd保證了所有node上flanned所看到的配置是一致的。同時每個node上的flanned監(jiān)聽etcd上的數(shù)據(jù)變化，實時感知集群中node的變化。

1.2?數(shù)據(jù)轉(zhuǎn)發(fā)流程

1. 容器直接使用目標容器的ip訪問，默認通過容器內(nèi)部的eth0發(fā)送出去。
2. 報文通過veth pair被發(fā)送到vethXXX。
3. vethXXX是直接連接到虛擬交換機docker0的，報文通過虛擬bridge docker0發(fā)送出去。
4. 查找路由表，外部容器ip的報文都會轉(zhuǎn)發(fā)到flannel0虛擬網(wǎng)卡，這是一個P2P的虛擬網(wǎng)卡，然后報文就被轉(zhuǎn)發(fā)到監(jiān)聽在另一端的flanneld。
5. flanneld通過etcd維護了各個節(jié)點之間的路由表，把原來的報文UDP封裝一層，通過配置的iface發(fā)送出去。
6. 報文通過主機之間的網(wǎng)絡(luò)找到目標主機。
7. 報文繼續(xù)往上，到傳輸層，交給監(jiān)聽在8285端口的flanneld程序處理。
8. 數(shù)據(jù)被解包，然后發(fā)送給flannel0虛擬網(wǎng)卡。
9. 查找路由表，發(fā)現(xiàn)對應(yīng)容器的報文要交給docker0。
10. docker0找到連到自己的容器，把報文發(fā)送過去。

簡單理解：

容器10.1.15.2/24訪問10.0.20.3/24，經(jīng)過所在主機的docker0，也就相當于這個容器的網(wǎng)關(guān)，轉(zhuǎn)發(fā)到flannel0虛擬網(wǎng)卡，經(jīng)過flanneld進行處理，將源容器的ip和目的容器的ip封裝成內(nèi)部ip，將源物理網(wǎng)卡的網(wǎng)關(guān)和目的物理網(wǎng)卡的網(wǎng)關(guān)封裝成外部ip，并同時封裝其MAC地址，源主機的flanneld服務(wù)將原本的數(shù)據(jù)內(nèi)容UDP封裝后根據(jù)自己的路由表投遞給目的節(jié)點的flanneld服務(wù)，數(shù)據(jù)到達以后被解包，然后進入目的節(jié)點flannel0虛擬網(wǎng)卡，然后被轉(zhuǎn)發(fā)到目的主機的docker0虛擬網(wǎng)卡，傳遞到對應(yīng)ip的容器

二：?Flannel網(wǎng)絡(luò)概述

Overlay Network：
覆蓋網(wǎng)絡(luò)，在基礎(chǔ)網(wǎng)絡(luò)上疊加的一種虛擬網(wǎng)絡(luò)技術(shù)模式，該網(wǎng)絡(luò)中的主機通過虛擬鏈路連接起來
類似VPN隧道，原理為在物理網(wǎng)絡(luò)上實現(xiàn)的邏輯網(wǎng)絡(luò)

VXLAN：
將源數(shù)據(jù)包封裝到UDP中，并使用基礎(chǔ)網(wǎng)絡(luò)的IP/MAC作為外層包頭進行封裝，然后在以太網(wǎng)上傳輸，到達目的地后由隧道斷電解封并將數(shù)據(jù)發(fā)給目標地址

Flannel：
是Overlay網(wǎng)絡(luò)的一種，也是將源數(shù)據(jù)包封裝在另一種網(wǎng)絡(luò)包中進行路由轉(zhuǎn)發(fā)和通信，目前已支持UDP、VXLAN、AWS VPN和GCE路由等數(shù)據(jù)轉(zhuǎn)發(fā)方式

2.1?Vxlan 模式

2.1.1 通信流程

不同node上的pod通信流程：

1. pod中的數(shù)據(jù)，根據(jù)pod的路由信息，發(fā)送到網(wǎng)橋 cni0
2. cni0 根據(jù)節(jié)點路由表，將數(shù)據(jù)發(fā)送到隧道設(shè)備flannel.1
3. flannel.1 查看數(shù)據(jù)包的目的ip，從flanneld獲取對端隧道設(shè)備的必要信息，封裝數(shù)據(jù)包
4. flannel.1 將數(shù)據(jù)包發(fā)送到對端設(shè)備。對端節(jié)點的網(wǎng)卡接收到數(shù)據(jù)包，發(fā)現(xiàn)數(shù)據(jù)包為overlay數(shù)據(jù)包，解開外層封裝，并發(fā)送內(nèi)層封裝到flannel.1 設(shè)備
5. Flannel.1 設(shè)備查看數(shù)據(jù)包，根據(jù)路由表匹配，將數(shù)據(jù)發(fā)送給cni0設(shè)備
6. cni0匹配路由表，發(fā)送數(shù)據(jù)到網(wǎng)橋

2.1.2 部署

$ wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
 
# 配置 Pod CIDR 
$ vi kube-flannel.yml
  "Network": "10.244.0.0/16", 
  
# 多網(wǎng)卡時，可指定網(wǎng)卡
vi kube-flannel.yml
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        - --iface=ens38    # 指定網(wǎng)卡
        
$ kubectl apply -f kube-flannel.yml
 
$ kubectl get pod -n kube-system
NAME                    READY   STATUS    RESTARTS   AGE
kube-flannel-ds-8qnnx   1/1     Running   0          10s
kube-flannel-ds-979lc   1/1     Running   0          16m
kube-flannel-ds-kgmgg   1/1     Running   0          16m

集群節(jié)點上網(wǎng)絡(luò)分配：

$ ip addr
6: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether b6:95:2a:cd:01:c3 brd ff:ff:ff:ff:ff:ff
    inet 10.244.0.0/32 brd 10.244.0.0 scope global flannel.1
       valid_lft forever preferred_lft forever
    inet6 fe80::b495:2aff:fecd:1c3/64 scope link
       valid_lft forever preferred_lft forever
7: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    link/ether 16:ac:e9:68:a4:c0 brd ff:ff:ff:ff:ff:ff
    inet 10.244.0.1/24 brd 10.244.0.255 scope global cni0
       valid_lft forever preferred_lft forever
    inet6 fe80::14ac:e9ff:fe68:a4c0/64 scope link
       valid_lft forever preferred_lft forever
 
$ ethtool -i cni0
driver: bridge
 
$ ethtoo -i flannel.1
driver: vxlan
 
$ ps -ef | grep flanneld
root       15300   15275  0 10:21 ?        00:00:19 /opt/bin/flanneld --ip-masq --kube-subnet-mgr
 
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.80.2    0.0.0.0         UG    0      0        0 ens33
10.244.0.0      10.244.0.0      255.255.255.0   UG    0      0        0 flannel.1
10.244.1.0      10.244.1.0      255.255.255.0   UG    0      0        0 flannel.1
10.244.2.0      0.0.0.0         255.255.255.0   U     0      0        0 cni0
192.168.80.0    0.0.0.0         255.255.255.0   U     0      0        0 ens33
 
$ brctl show
bridge name     bridge id               STP enabled     interfaces
cni0            8000.e2ee89678398       no              veth28b04daf
                                                        vethe6d4a6b8

cni0：網(wǎng)橋設(shè)備，每創(chuàng)建一個pod都會創(chuàng)建一對 veth pair。其中一段是pod中的eth0，另一端是cni0網(wǎng)橋中的端口。

flannel.1：vxlan網(wǎng)關(guān)設(shè)備，用戶 vxlan 報文的解包和封包。不同的 pod 數(shù)據(jù)流量都從overlay設(shè)備以隧道的形式發(fā)送到對端。flannel.1不會發(fā)送arp請求去獲取目標IP的mac地址，而是由Linux kernel將一個"L3 Miss"事件請求發(fā)送到用戶空間的flanneld程序，flanneld程序收到內(nèi)核的請求事件后，從etcd中查找能夠匹配該地址的子網(wǎng)flannel.1設(shè)備的mac地址，即目標pod所在host中flannel.1設(shè)備的mac地址。

flanneld：在每個主機中運行flanneld作為agent，它會為所在主機從集群的網(wǎng)絡(luò)地址空間中，獲取一個小的網(wǎng)段subnet，本主機內(nèi)所有容器的IP地址都將從中分配。同時Flanneld監(jiān)聽K8s集群數(shù)據(jù)庫，為flannel.1設(shè)備提供封裝數(shù)據(jù)時必要的mac，ip等網(wǎng)絡(luò)數(shù)據(jù)信息。

VXLAN：Virtual eXtensible Local Area Network，虛擬擴展局域網(wǎng)。采用L2 over L4（MAC-in-UDP）的報文封裝模式，將二層報文用三層協(xié)議進行封裝，實現(xiàn)二層網(wǎng)絡(luò)在三層范圍內(nèi)進行擴展，同時滿足數(shù)據(jù)中心大二層虛擬遷移和多租戶的需求。

flannel只使用了vxlan的部分功能，VNI被固定為1。容器跨網(wǎng)絡(luò)通信解決方案：如果集群的主機在同一個子網(wǎng)內(nèi)，則通過路由轉(zhuǎn)發(fā)過去；若不在一個子網(wǎng)內(nèi)，就通過隧道轉(zhuǎn)發(fā)過去。

2.1.3?相關(guān)配置

$ cat /etc/cni/net.d/10-flannel.conflist
{
  "name": "cbr0",
  "cniVersion": "0.3.1",
  "plugins": [
    {
      "type": "flannel",
      "delegate": {
        "hairpinMode": true,
        "isDefaultGateway": true
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    }
  ]
}
 
$ cat /run/flannel/subnet.env
FLANNEL_NETWORK=10.244.0.0/16
FLANNEL_SUBNET=10.244.0.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=true
 
# Bridge CNI 插件
$ cat /var/lib/cni/flannel/462cf658ef71d558b36884dfb6d068e100a3209d36ba2602ad04dd9445e63684 | python3 -m json.tool
{
    "cniVersion": "0.3.1",
    "hairpinMode": true,
    "ipMasq": false,
    "ipam": {
        "routes": [
            {
                "dst": "10.244.0.0/16"
            }
        ],
        "subnet": "10.244.2.0/24",
        "type": "host-local"
    },
    "isDefaultGateway": true,
    "isGateway": true,
    "mtu": 1450,
    "name": "cbr0",
    "type": "bridge"
}

2.1.4 卸載

# 主節(jié)點
kubectl delete -f kube-flannel.yml
 
# 所有節(jié)點上
ip link set cni0 down
ip link set flannel.1 down
 
ip link delete cni0
ip link delete flannel.1
 
rm -rf /var/lib/cni/
rm -f /etc/cni/net.d/*

2.2 Host-GW 模式

2.2.1 通信流程

host-gw采用純靜態(tài)路由的方式，要求所有宿主機都在一個局域網(wǎng)內(nèi)，跨局域網(wǎng)無法進行路由。如果需要進行跨局域網(wǎng)路由，需要在其他設(shè)備上添加路由，但已超出flannel的能力范圍?？蛇x擇calico等使用動態(tài)路由技術(shù)，通過廣播路由的方式將本機路由公告出去，從而實現(xiàn)跨局域網(wǎng)路由學(xué)習(xí)。

所有的子網(wǎng)和主機的信息，都保存在Etcd中，flanneld只需要watch這些數(shù)據(jù)的變化 ，實時更新路由表。
核心：IP包在封裝成楨的時候，使用路由表的“下一跳”設(shè)置上的MAC地址，這樣可以經(jīng)過二層網(wǎng)絡(luò)到達目的宿主機。

2.2.2 部署

$ vi kube-flannel.yml
      "Backend": {
        "Type": "host-gw"
      }
 
$ kubectl apply -f kube-flannel.yml
 
$ kubectl get pod -n kube-system
NAMESPACE     NAME                    READY   STATUS    RESTARTS   AGE
kube-system   kube-flannel-ds-l2dg7   1/1     Running   0          7s
kube-system   kube-flannel-ds-tj2vg   1/1     Running   0          7s
kube-system   kube-flannel-ds-xxhfm   1/1     Running   0          7s

集群節(jié)點上網(wǎng)絡(luò)分配：

$ ip addr
7: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 2a:00:05:23:3f:5e brd ff:ff:ff:ff:ff:ff
    inet 10.244.2.1/24 brd 10.244.2.255 scope global cni0
       valid_lft forever preferred_lft forever
    inet6 fe80::2800:5ff:fe23:3f5e/64 scope link
       valid_lft forever preferred_lft forever
 
$ kubectl logs kube-flannel-ds-l2dg7 -n kube-system
I1227 12:09:56.991787       1 route_network.go:86] Subnet added: 10.244.2.0/24 via 192.168.80.240
I1227 12:09:56.992305       1 route_network.go:86] Subnet added: 10.244.0.0/24 via 192.168.80.241
 
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.80.2    0.0.0.0         UG    0      0        0 ens33
10.244.0.0      192.168.80.241  255.255.255.0   UG    0      0        0 ens33
10.244.1.0      192.168.80.242  255.255.255.0   UG    0      0        0 ens33
10.244.2.0      0.0.0.0         255.255.255.0   U     0      0        0 cni0
192.168.80.0    0.0.0.0         255.255.255.0   U     0      0        0 ens33

2.2.3 相關(guān)配置?

$ cat /etc/cni/net.d/10-flannel.conflist
{
  "name": "cbr0",
  "cniVersion": "0.3.1",
  "plugins": [
    {
      "type": "flannel",
      "delegate": {
        "hairpinMode": true,
        "isDefaultGateway": true
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    }
  ]
}
 
$ cat /run/flannel/subnet.env
FLANNEL_NETWORK=10.244.0.0/16
FLANNEL_SUBNET=10.244.0.1/24
FLANNEL_MTU=1500  # 路由方式下，MTU值使用默認值
FLANNEL_IPMASQ=true
 
# Bridge CNI 插件
$ cat /var/lib/cni/flannel/46c76c1d50d61494d6d95e0171667ec705bbcdcaeeafa859e25ac4749979bd76 | python3 -m json.tool
{
    "cniVersion": "0.3.1",
    "hairpinMode": true,
    "ipMasq": false,
    "ipam": {
        "ranges": [
            [
                {
                    "subnet": "10.244.2.0/24"
                }
            ]
        ],
        "routes": [
            {
                "dst": "10.244.0.0/16"
            }
        ],
        "type": "host-local"
    },
    "isDefaultGateway": true,
    "isGateway": true,
    "mtu": 1500,
    "name": "cbr0",
    "type": "bridge"
}

2.2.4 卸載

# 主節(jié)點
kubectl delete -f kube-flannel.yml
 
# 所有節(jié)點上
ip link set cni0 down
ip link delete cni0
 
rm -rf /var/lib/cni/
rm -f /etc/cni/net.d/*

2.3 Flanneld 作用

Flanneld 收到 EventAdded 事件后，從 etcd 將其他主機上報的各種信息，在本機上進行配置，主要分下列三種信息：

• ARP：IP和MAC的對應(yīng)關(guān)系，三層轉(zhuǎn)發(fā)
• FDB：MAC+VLAN和PORT的對應(yīng)關(guān)系，二層轉(zhuǎn)發(fā)，即使兩個設(shè)備不在同一網(wǎng)段或者沒配置IP，只要兩者之間的鏈路層是連通的，就可以通過FDB表進行數(shù)據(jù)轉(zhuǎn)發(fā)。它作用就在于告訴設(shè)備從某個端口出去就可以到某個目的MAC
• Routing Table：通往目標地址的封包，通過網(wǎng)關(guān)方式發(fā)送出去

2.4?模式對比

• udp模式：使用設(shè)備flannel.0進行封包解包，不是內(nèi)核原生支持，上下文切換較大，性能非常差
• vxlan模式：使用flannel.1進行封包解包，內(nèi)核原生支持，性能損失在20%~30%左右
• host-gw模式：無需flannel.1這樣的中間設(shè)備，直接宿主機當作子網(wǎng)的下一跳地址，性能損失大約在10%左右

三：部署

首先兩個node節(jié)點需要先安裝docker引擎

安裝依賴包
yum install -y yum-utils device-mapper-persistent-data lvm2
 
設(shè)置阿里云鏡像源
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
 
安裝Docker-CE
vim /etc/selinux/config
SELINUX=disabled
 
yum install -y docker-ce
 
systemctl start docker.service
systemctl enable docker.service

鏡像加速

搜索容器鏡像服務(wù)

網(wǎng)絡(luò)優(yōu)化
 
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
 
systemctl restart network
systemctl restart docker

?master配置

需要在有證書的目錄下使用此命令
寫入分配的子網(wǎng)段到ETCD中，供flannel使用

[root@localhost ~]# cd k8s/etcd-cert/
 
[root@localhost ~]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.111.10:2379,https://192.168.111.30:2379,https://192.168.111.40:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'

拷貝到所有node節(jié)點（只需要部署在node節(jié)點即可）
[root@localhost k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz root@192.168.111.30:/root
[root@localhost k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz root@192.168.111.40:/root

所有node節(jié)點操作解壓

[root@localhost ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz 
 
flanneld
mk-docker-opts.sh
README.md

k8s工作目錄
[root@localhost ~]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@localhost ~]# mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/

編寫flannel啟動腳本
[root@localhost ~]# vim flannel.sh
#!/bin/bash
 
ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}
 
cat <<EOF >/opt/kubernetes/cfg/flanneld
 
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"
 
EOF
 
cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
 
[Install]
WantedBy=multi-user.target
 
EOF
 
systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld

開啟flannel網(wǎng)絡(luò)功能
[root@localhost ~]# bash flannel.sh https://192.168.111.10:2379,https://192.168.111.30:2379,https://192.168.111.40:2379

配置docker連接flannel
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
 
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
 
 
systemctl daemon-reload
systemctl restart docker

驗證下docker網(wǎng)絡(luò)和flannel網(wǎng)絡(luò)是否在同一個網(wǎng)段
ifconfig

拉取鏡像然后進入容器去ping另一個不同網(wǎng)段的容器

docker run -it centos:7 /bin/bash
yum -y install net-tools
 
ping 172.17.39.1

如果這里ping的時候出現(xiàn)卡住了需要這么解決
所有的node節(jié)點按順序依次重啟服務(wù)文章來源地址http://www.zghlxwxcb.cn/news/detail-659091.html

systemctl restart flanneld.service
systemctl restart network
systemctl restart docker

四：故障分析

4.1?kube-proxy 配置錯誤

4.1.1現(xiàn)象：

root@k8s-master:~# kubectl get pod -A -o wide -l app=flannel
NAMESPACE     NAME                    READY   STATUS             RESTARTS   AGE     IP              NODE         NOMINATED NODE   READINESS GATES
kube-system   kube-flannel-ds-5whpv   0/1     CrashLoopBackOff   5          6m53s   192.168.3.114   k8s-node01   <none>           <none>
kube-system   kube-flannel-ds-l7msr   1/1     Running            2          16d     192.168.3.113   k8s-master   <none>           <none>
kube-system   kube-flannel-ds-rvvhv   0/1     CrashLoopBackOff   10         33m     192.168.3.115   k8s-node02   <none>           <none>
root@k8s-master:~# kubectl logs  kube-flannel-ds-5whpv -n kube-system
I0211 02:04:21.358127       1 main.go:520] Determining IP address of default interface
I0211 02:04:21.359211       1 main.go:533] Using interface with name enp1s0 and address 192.168.3.118
I0211 02:04:21.359295       1 main.go:550] Defaulting external address to interface address (192.168.3.118)
W0211 02:04:21.359364       1 client_config.go:608] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
E0211 02:04:51.456912       1 main.go:251] Failed to create SubnetManager: error retrieving pod spec for 'kube-system/kube-flannel-ds-5whpv': Get "https://10.96.0.1:443/api/v1/namespaces/kube-system/pods/kube-flannel-ds-5whpv": dial tcp 10.96.0.1:443: i/o timeout
root@k8s-master:~# kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   16d

4.1.2排查節(jié)點 k8s-node01:

root@k8s-node01:~# ip addr show kube-ipvs0
5: kube-ipvs0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
    link/ether a6:99:85:4e:ba:35 brd ff:ff:ff:ff:ff:ff
	inet 10.96.0.1/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
 
# 本地節(jié)點無法連接到kube-apiserver, 說明是kube-proxy 故障
root@k8s-node01:~# telnet 10.96.0.1 443
Trying 10.96.0.1...
telnet: Unable to connect to remote host: Connection timed out
 
# 檢查 kube-proxy 日志，發(fā)現(xiàn)其配置有問題
root@k8s-node01:/var/log/kubernetes# vi kube-proxy.ERROR
...
E0211 09:13:56.135807    1842 node.go:161] Failed to retrieve node info: Get "https://192.168.3.113:6443/api/v1/nodes/k8s-node01": dial tcp 192.168.3.113:6443: connect: connection refused
 
root@k8s-node01:/var/log/kubernetes# vi kube-proxy.WARNING
...
: v1alpha1.KubeProxyConfiguration.IPTables: v1alpha1.KubeProxyIPTablesConfiguration.MasqueradeBit: ReadObject: found unknown field: masqueradeAl, error found in #10 byte of ...|queradeAl":"","masqu|..., bigger context ...|eOverride":"k8s-node01","iptables":{"masqueradeAl":"","masqueradeBit":14,"minSyncPeriod":"5s","syncP|...
 
# 修改 Kube-proxy 配置
vi /etc/kubernetes/kube-proxy-config.yml
...
iptables:
  masqueradeAll: true
 
# 重啟 Kube-proxy
root@k8s-node01:/var/log/kubernetes# systemctl restart kube-proxy
 
# 再次檢查，已正常
root@k8s-node01:/var/log/kubernetes# vi kube-proxy.INFO
...
I0211 10:25:30.297232    2754 service.go:421] Adding new service port "default/kubernetes:https" at 10.96.0.1:443/TCP
...
I0211 10:32:52.626926    3155 proxier.go:1034] Not syncing ipvs rules until Services and Endpoints have been received from master
 
# 重啟flannel
root@k8s-master:~# kubectl delete pod kube-flannel-ds-5whpv -n kube-system
root@k8s-master:~# kubectl get pod -A -o wide -l app=flannel
NAMESPACE     NAME                    READY   STATUS             RESTARTS   AGE     IP              NODE         NOMINATED NODE   READINESS GATES
kube-system   kube-flannel-ds-lld4b   0/1     Running            0          6m53s   192.168.3.114   k8s-node01   <none>           <none>
kube-system   kube-flannel-ds-l7msr   1/1     Running            2          16d     192.168.3.113   k8s-master   <none>           <none>
kube-system   kube-flannel-ds-rvvhv   0/1     CrashLoopBackOff   10         33m     192.168.3.115   k8s-node02   <none>           <none>
 
# 確認OK
root@k8s-node01:/var/log/kubernetes# vi kube-proxy.INFO
I0211 02:36:07.555531       1 main.go:520] Determining IP address of default interface
I0211 02:36:07.556543       1 main.go:533] Using interface with name enp1s0 and address 192.168.3.118
I0211 02:36:07.556615       1 main.go:550] Defaulting external address to interface address (192.168.3.118)
W0211 02:36:07.556688       1 client_config.go:608] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0211 02:36:08.057730       1 kube.go:116] Waiting 10m0s for node controller to sync
I0211 02:36:08.057858       1 kube.go:299] Starting kube subnet manager
I0211 02:36:09.058115       1 kube.go:123] Node controller sync successful
I0211 02:36:09.058511       1 main.go:254] Created subnet manager: Kubernetes Subnet Manager - k8s-node01
I0211 02:36:09.058524       1 main.go:257] Installing signal handlers
I0211 02:36:09.152670       1 main.go:392] Found network config - Backend type: host-gw
I0211 02:36:09.254550       1 main.go:357] Current network or subnet (10.244.0.0/16, 10.244.0.0/24) is not equal to previous one (0.0.0.0/0, 0.0.0.0/0), trying to recycle old iptables rules
I0211 02:36:09.853007       1 iptables.go:172] Deleting iptables rule: -s 0.0.0.0/0 -d 0.0.0.0/0 -j RETURN
I0211 02:36:09.858096       1 iptables.go:172] Deleting iptables rule: -s 0.0.0.0/0 ! -d 224.0.0.0/4 -j MASQUERADE --random-fully
I0211 02:36:09.952777       1 iptables.go:172] Deleting iptables rule: ! -s 0.0.0.0/0 -d 0.0.0.0/0 -j RETURN
I0211 02:36:09.955497       1 iptables.go:172] Deleting iptables rule: ! -s 0.0.0.0/0 -d 0.0.0.0/0 -j MASQUERADE --random-fully
I0211 02:36:09.962242       1 main.go:307] Setting up masking rules
I0211 02:36:09.964711       1 main.go:315] Changing default FORWARD chain policy to ACCEPT
I0211 02:36:09.965035       1 main.go:323] Wrote subnet file to /run/flannel/subnet.env
I0211 02:36:09.965050       1 main.go:327] Running backend.
I0211 02:36:09.965069       1 main.go:345] Waiting for all goroutines to exit
I0211 02:36:09.965099       1 route_network.go:53] Watching for new subnet leases
I0211 02:36:09.965579       1 route_network.go:86] Subnet added: 10.244.2.0/24 via 192.168.3.117
I0211 02:36:09.966182       1 route_network.go:86] Subnet added: 10.244.1.0/24 via 192.168.3.119
I0211 02:36:10.152723       1 iptables.go:148] Some iptables rules are missing; deleting and recreating rules
I0211 02:36:10.152782       1 iptables.go:172] Deleting iptables rule: -s 10.244.0.0/16 -d 10.244.0.0/16 -j RETURN
I0211 02:36:10.153844       1 iptables.go:148] Some iptables rules are missing; deleting and recreating rules
I0211 02:36:10.153886       1 iptables.go:172] Deleting iptables rule: -s 10.244.0.0/16 -j ACCEPT
I0211 02:36:10.155194       1 iptables.go:172] Deleting iptables rule: -s 10.244.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE --random-fully
I0211 02:36:10.156970       1 iptables.go:172] Deleting iptables rule: -d 10.244.0.0/16 -j ACCEPT
I0211 02:36:10.252675       1 iptables.go:172] Deleting iptables rule: ! -s 10.244.0.0/16 -d 10.244.0.0/24 -j RETURN
I0211 02:36:10.255063       1 iptables.go:160] Adding iptables rule: -s 10.244.0.0/16 -j ACCEPT
I0211 02:36:10.255399       1 iptables.go:172] Deleting iptables rule: ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE --random-fully
I0211 02:36:10.353644       1 iptables.go:160] Adding iptables rule: -s 10.244.0.0/16 -d 10.244.0.0/16 -j RETURN
I0211 02:36:10.452443       1 iptables.go:160] Adding iptables rule: -d 10.244.0.0/16 -j ACCEPT
I0211 02:36:10.456201       1 iptables.go:160] Adding iptables rule: -s 10.244.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE --random-fully
I0211 02:36:10.555203       1 iptables.go:160] Adding iptables rule: ! -s 10.244.0.0/16 -d 10.244.0.0/24 -j RETURN
I0211 02:36:10.655121       1 iptables.go:160] Adding iptables rule: ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE --random-fully

4.2 ipvs 模式下，路由表錯誤

# 無法訪問 kube-apiserver
$ kubectl logs -f kube-flannel-ds-ntwh4 -n kube-system
I1108 10:48:00.864770       1 main.go:520] Determining IP address of default interface
I1108 10:48:00.865795       1 main.go:533] Using interface with name ens33 and address 192.168.80.241
I1108 10:48:00.865827       1 main.go:550] Defaulting external address to interface address (192.168.80.241)
W1108 10:48:00.865861       1 client_config.go:608] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
E1108 10:48:30.960762       1 main.go:251] Failed to create SubnetManager: error retrieving pod spec for 'kube-system/kube-flannel-ds-ntwh4': Get "https://10.96.0.1:443/api/v1/namespaces/kube-system/pods/kube-flannel-ds-ntwh4": dial tcp 10.96.0.1:443: i/o timeout
 
# 切換到相關(guān)主機，測試網(wǎng)絡(luò)，無法連通
$ curl 10.96.0.1:443
 
# 查詢網(wǎng)絡(luò)
$ ip addr
3: kube-ipvs0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
    link/ether c6:14:f7:ad:b6:c8 brd ff:ff:ff:ff:ff:ff
    inet 10.96.92.170/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.96.0.1/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
       
# 嘗試刪除 ip, 發(fā)現(xiàn)刪除后，自動生成；進一步發(fā)現(xiàn)，該設(shè)備默認down，設(shè)置IP地址，不影響通信
$ ip addr delete 10.96.0.1/32 dev kube-ipvs0
 
# 查詢路由表，發(fā)現(xiàn)路由表錯誤
$ ip route show table local
local 10.96.0.1 dev kube-ipvs0 proto kernel scope host src 10.96.0.1
 
# 刪除路由表
$ ip route del table local local 10.96.0.1 dev kube-ipvs0 proto kernel scope host src 10.96.0.1

到了這里，關(guān)于Kubernetes：（十八）flannel網(wǎng)絡(luò)的文章就介紹完了。如果您還想了解更多內(nèi)容，請在右上角搜索TOY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！