|
| 1 | +--- |
| 2 | +layout: blog |
| 3 | +title: "Kubernetes 1.24: 避免为 Services 分配 IP 地址时发生冲突" |
| 4 | +date: 2022-05-23 |
| 5 | +slug: service-ip-dynamic-and-static-allocation |
| 6 | +--- |
| 7 | +<!-- |
| 8 | +layout: blog |
| 9 | +title: "Kubernetes 1.24: Avoid Collisions Assigning IP Addresses to Services" |
| 10 | +date: 2022-05-23 |
| 11 | +slug: service-ip-dynamic-and-static-allocation |
| 12 | +--> |
| 13 | + |
| 14 | +<!-- |
| 15 | +**Author:** Antonio Ojea (Red Hat) |
| 16 | +--> |
| 17 | +**作者:** Antonio Ojea (Red Hat) |
| 18 | + |
| 19 | +<!-- |
| 20 | +In Kubernetes, [Services](/docs/concepts/services-networking/service/) are an abstract way to expose |
| 21 | +an application running on a set of Pods. Services |
| 22 | +can have a cluster-scoped virtual IP address (using a Service of `type: ClusterIP`). |
| 23 | +Clients can connect using that virtual IP address, and Kubernetes then load-balances traffic to that |
| 24 | +Service across the different backing Pods. |
| 25 | +--> |
| 26 | +在 Kubernetes 中,[Services](/zh/docs/concepts/services-networking/service/) |
| 27 | +是一种抽象,用来暴露运行在一组 Pod 上的应用。 |
| 28 | +Service 可以有一个集群范围的虚拟 IP 地址(使用 `type: ClusterIP` 的 Service)。 |
| 29 | +客户端可以使用该虚拟 IP 地址进行连接, Kubernetes 为对该 Service 的访问流量提供负载均衡,以访问不同的后端 Pod。 |
| 30 | + |
| 31 | +<!-- |
| 32 | +## How Service ClusterIPs are allocated? |
| 33 | +--> |
| 34 | +## Service ClusterIP 是如何分配的? |
| 35 | + |
| 36 | +<!-- |
| 37 | +A Service `ClusterIP` can be assigned: |
| 38 | +--> |
| 39 | +Service `ClusterIP` 有如下分配方式: |
| 40 | + |
| 41 | +<!-- |
| 42 | +_dynamically_ |
| 43 | +: the cluster's control plane automatically picks a free IP address from within the configured IP range for `type: ClusterIP` Services. |
| 44 | +--> |
| 45 | +**动态** |
| 46 | +:群集的控制平面会自动从配置的 IP 范围内为 `type:ClusterIP` 的 Service 选择一个空闲 IP 地址。 |
| 47 | + |
| 48 | +<!-- |
| 49 | +_statically_ |
| 50 | +: you specify an IP address of your choice, from within the configured IP range for Services. |
| 51 | +--> |
| 52 | +**静态** |
| 53 | +:你可以指定一个来自 Service 配置的 IP 范围内的 IP 地址。 |
| 54 | + |
| 55 | +<!-- |
| 56 | +Across your whole cluster, every Service `ClusterIP` must be unique. |
| 57 | +Trying to create a Service with a specific `ClusterIP` that has already |
| 58 | +been allocated will return an error. |
| 59 | +--> |
| 60 | +在整个集群中,每个 Service 的 `ClusterIP` 必须是唯一的。 |
| 61 | +尝试创建一个已经被分配了的 `ClusterIP` 的 Service 将会返回错误。 |
| 62 | + |
| 63 | +<!-- |
| 64 | +## Why do you need to reserve Service Cluster IPs? |
| 65 | +--> |
| 66 | +## 为什么需要预留 Service Cluster IP? |
| 67 | + |
| 68 | +<!-- |
| 69 | +Sometimes you may want to have Services running in well-known IP addresses, so other components and |
| 70 | +users in the cluster can use them. |
| 71 | +--> |
| 72 | +有时,你可能希望让 Service 运行在众所周知的 IP 地址上,以便集群中的其他组件和用户可以使用它们。 |
| 73 | + |
| 74 | +<!-- |
| 75 | +The best example is the DNS Service for the cluster. Some Kubernetes installers assign the 10th address from |
| 76 | +the Service IP range to the DNS service. Assuming you configured your cluster with Service IP range |
| 77 | +10.96.0.0/16 and you want your DNS Service IP to be 10.96.0.10, you'd have to create a Service like |
| 78 | +this: |
| 79 | +--> |
| 80 | +最好的例子是集群的 DNS Service。一些 Kubernetes 安装程序将 Service IP 范围中的第 10 个地址分配给 DNS Service。 |
| 81 | +假设你配置集群 Service IP 范围是 10.96.0.0/16,并且希望 DNS Service IP 为 10.96.0.10, |
| 82 | +那么你必须创建一个如下所示的 Service: |
| 83 | + |
| 84 | +```yaml |
| 85 | +apiVersion: v1 |
| 86 | +kind: Service |
| 87 | +metadata: |
| 88 | + labels: |
| 89 | + k8s-app: kube-dns |
| 90 | + kubernetes.io/cluster-service: "true" |
| 91 | + kubernetes.io/name: CoreDNS |
| 92 | + name: kube-dns |
| 93 | + namespace: kube-system |
| 94 | +spec: |
| 95 | + clusterIP: 10.96.0.10 |
| 96 | + ports: |
| 97 | + - name: dns |
| 98 | + port: 53 |
| 99 | + protocol: UDP |
| 100 | + targetPort: 53 |
| 101 | + - name: dns-tcp |
| 102 | + port: 53 |
| 103 | + protocol: TCP |
| 104 | + targetPort: 53 |
| 105 | + selector: |
| 106 | + k8s-app: kube-dns |
| 107 | + type: ClusterIP |
| 108 | +``` |
| 109 | +
|
| 110 | +<!-- |
| 111 | +but as I explained before, the IP address 10.96.0.10 has not been reserved; if other Services are created |
| 112 | +before or in parallel with dynamic allocation, there is a chance they can allocate this IP, hence, |
| 113 | +you will not be able to create the DNS Service because it will fail with a conflict error. |
| 114 | +--> |
| 115 | +但正如我之前解释的,IP 地址 10.96.0.10 没有被保留; |
| 116 | +如果其他 Service 在动态分配之前创建或与动态分配并行创建,则它们有可能分配此 IP 地址, |
| 117 | +因此,你将无法创建 DNS Service,因为它将因冲突错误而失败。 |
| 118 | +
|
| 119 | +<!-- |
| 120 | +## How can you avoid Service ClusterIP conflicts? {#avoid-ClusterIP-conflict} |
| 121 | +--> |
| 122 | +## 如何避免 Service ClusterIP 冲突? {#avoid-ClusterIP-conflict} |
| 123 | +
|
| 124 | +<!-- |
| 125 | +In Kubernetes 1.24, you can enable a new feature gate `ServiceIPStaticSubrange`. |
| 126 | +Turning this on allows you to use a different IP |
| 127 | +allocation strategy for Services, reducing the risk of collision. |
| 128 | +--> |
| 129 | +在 Kubernetes 1.24 中,你可以启用一个新的特性门控 `ServiceIPStaticSubrange`。 |
| 130 | +启用此特性允许你为 Service 使用不同的 IP 分配策略,减少冲突的风险。 |
| 131 | + |
| 132 | +<!-- |
| 133 | +The `ClusterIP` range will be divided, based on the formula `min(max(16, cidrSize / 16), 256)`, |
| 134 | +described as _never less than 16 or more than 256 with a graduated step between them_. |
| 135 | +--> |
| 136 | +`ClusterIP` 范围将根据公式 `min(max(16, cidrSize / 16), 256)` 进行划分, |
| 137 | +该公式可描述为 “在不小于 16 且不大于 256 之间有一个步进量(Graduated Step)”。 |
| 138 | + |
| 139 | +<!-- |
| 140 | +Dynamic IP assignment will use the upper band by default, once this has been exhausted it will |
| 141 | +use the lower range. This will allow users to use static allocations on the lower band with a low |
| 142 | +risk of collision. |
| 143 | +--> |
| 144 | +分配默认使用上半段地址,当上半段地址耗尽后,将使用下半段地址范围。 |
| 145 | +这将允许用户使用下半段地址中静态分配的地址并且降低冲突的风险。 |
| 146 | + |
| 147 | +<!-- |
| 148 | +Examples: |
| 149 | +--> |
| 150 | +举例: |
| 151 | + |
| 152 | +<!-- |
| 153 | +#### Service IP CIDR block: 10.96.0.0/24 |
| 154 | +--> |
| 155 | +#### Service IP CIDR 地址段: 10.96.0.0/24 |
| 156 | + |
| 157 | +<!-- |
| 158 | +Range Size: 2<sup>8</sup> - 2 = 254 |
| 159 | +Band Offset: `min(max(16,256/16),256)` = `min(16,256)` = 16 |
| 160 | +Static band start: 10.96.0.1 |
| 161 | +Static band end: 10.96.0.16 |
| 162 | +Range end: 10.96.0.254 |
| 163 | +--> |
| 164 | +地址段大小:2<sup>8</sup> - 2 = 254 |
| 165 | +地址段偏移:`min(max(16,256/16),256)` = `min(16,256)` = 16 |
| 166 | +静态地址段起点:10.96.0.1 |
| 167 | +静态地址段终点:10.96.0.16 |
| 168 | +地址范围终点:10.96.0.254 |
| 169 | + |
| 170 | +<!-- |
| 171 | +{{< mermaid >}} |
| 172 | +pie showData |
| 173 | + title 10.96.0.0/24 |
| 174 | + "Static" : 16 |
| 175 | + "Dynamic" : 238 |
| 176 | +{{< /mermaid >}} |
| 177 | +--> |
| 178 | +{{< mermaid >}} |
| 179 | +pie showData |
| 180 | +title 10.96.0.0/24 |
| 181 | +"静态" : 16 |
| 182 | +"动态" : 238 |
| 183 | +{{< /mermaid >}} |
| 184 | + |
| 185 | +<!-- |
| 186 | +#### Service IP CIDR block: 10.96.0.0/20 |
| 187 | +--> |
| 188 | +#### Service IP CIDR 地址段: 10.96.0.0/20 |
| 189 | + |
| 190 | +<!-- |
| 191 | +Range Size: 2<sup>12</sup> - 2 = 4094 |
| 192 | +Band Offset: `min(max(16,4094/16),256)` = `min(256,256)` = 256 |
| 193 | +Static band start: 10.96.0.1 |
| 194 | +Static band end: 10.96.1.0 |
| 195 | +Range end: 10.96.15.254 |
| 196 | +--> |
| 197 | +地址段大小:2<sup>12</sup> - 2 = 4094 |
| 198 | +地址段偏移:`min(max(16,4094/16),256)` = `min(256,256)` = 256 |
| 199 | +静态地址段起点:10.96.0.1 |
| 200 | +静态地址段终点:10.96.1.0 |
| 201 | +地址范围终点:10.96.15.254 |
| 202 | + |
| 203 | +<!-- |
| 204 | +{{< mermaid >}} |
| 205 | +pie showData |
| 206 | + title 10.96.0.0/20 |
| 207 | + "Static" : 256 |
| 208 | + "Dynamic" : 3838 |
| 209 | +{{< /mermaid >}} |
| 210 | +--> |
| 211 | +{{< mermaid >}} |
| 212 | +pie showData |
| 213 | +title 10.96.0.0/20 |
| 214 | +"静态" : 256 |
| 215 | +"动态" : 3838 |
| 216 | +{{< /mermaid >}} |
| 217 | + |
| 218 | +<!-- |
| 219 | +#### Service IP CIDR block: 10.96.0.0/16 |
| 220 | +--> |
| 221 | +#### Service IP CIDR 地址段: 10.96.0.0/16 |
| 222 | + |
| 223 | +<!-- |
| 224 | +Range Size: 2<sup>16</sup> - 2 = 65534 |
| 225 | +Band Offset: `min(max(16,65536/16),256)` = `min(4096,256)` = 256 |
| 226 | +Static band start: 10.96.0.1 |
| 227 | +Static band ends: 10.96.1.0 |
| 228 | +Range end: 10.96.255.254 |
| 229 | +--> |
| 230 | +地址段大小:2<sup>16</sup> - 2 = 65534 |
| 231 | +地址段偏移:`min(max(16,65536/16),256)` = `min(4096,256)` = 256 |
| 232 | +静态地址段起点:10.96.0.1 |
| 233 | +静态地址段终点:10.96.1.0 |
| 234 | +地址范围终点:10.96.255.254 |
| 235 | + |
| 236 | +<!-- |
| 237 | +{{< mermaid >}} |
| 238 | +pie showData |
| 239 | + title 10.96.0.0/16 |
| 240 | + "Static" : 256 |
| 241 | + "Dynamic" : 65278 |
| 242 | +{{< /mermaid >}} |
| 243 | +--> |
| 244 | +{{< mermaid >}} |
| 245 | +pie showData |
| 246 | +title 10.96.0.0/16 |
| 247 | +"静态" : 256 |
| 248 | +"动态" : 65278 |
| 249 | +{{< /mermaid >}} |
| 250 | + |
| 251 | +<!-- |
| 252 | +## Get involved with SIG Network |
| 253 | +--> |
| 254 | +## 加入 SIG Network |
| 255 | + |
| 256 | +<!-- |
| 257 | +The current SIG-Network [KEPs](https://github.com/orgs/kubernetes/projects/10) and [issues](https://github.com/kubernetes/kubernetes/issues?q=is%3Aopen+is%3Aissue+label%3Asig%2Fnetwork) on GitHub illustrate the SIG’s areas of emphasis. |
| 258 | +--> |
| 259 | +当前 SIG-Network 在 GitHub 上的 [KEPs](https://github.com/orgs/kubernetes/projects/10) 和 |
| 260 | +[issues](https://github.com/kubernetes/kubernetes/issues?q=is%3Aopen+is%3Aissue+label%3Asig%2Fnetwork) |
| 261 | +表明了该 SIG 的重点领域。 |
| 262 | + |
| 263 | +<!-- |
| 264 | +[SIG Network meetings](https://github.com/kubernetes/community/tree/master/sig-network) are a friendly, welcoming venue for you to connect with the community and share your ideas. |
| 265 | +Looking forward to hearing from you! |
| 266 | +--> |
| 267 | +[SIG Network 会议](https://github.com/kubernetes/community/tree/master/sig-network)是一个友好、热情的场所, |
| 268 | +你可以与社区联系并分享你的想法。期待你的回音! |
0 commit comments