kubernetes|kubernetes 安装cilium
kubernetes 安装cilium
Cilium介绍
Cilium是一个开源软件,用于透明地提供和保护使用Kubernetes,Docker和Mesos等Linux容器管理平台部署的应用程序服务之间的网络和API连接。
Cilium基于一种名为BPF的新Linux内核技术,它可以在Linux内部动态插入强大的安全性,可见性和网络控制逻辑。 除了提供传统的网络级安全性之外,BPF的灵活性还可以在API和进程级别上实现安全性,以保护容器或容器内的通信。由于BPF在Linux内核中运行,因此可以应用和更新Cilium安全策略,而无需对应用程序代码或容器配置进行任何更改。
1 安装helm
[root@k8s-master01 ~]# curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
[root@k8s-master01 ~]# chmod 700 get_helm.sh
[root@k8s-master01 ~]# ./get_helm.sh2 安装cilium
[root@k8s-master01 ~]# helm repo add cilium https://helm.cilium.io
[root@k8s-master01 ~]# helm install cilium cilium/cilium--namespace kube-system--set hubble.relay.enabled=true--set hubble.ui.enabled=true--set prometheus.enabled=true--set operator.prometheus.enabled=true--set hubble.enabled=true--set hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}"NAME: cilium
LAST DEPLOYED: Sun Sep 11 00:04:30 2022
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You have successfully installed Cilium with Hubble.Your release version is 1.12.1.For any further help, visit https://docs.cilium.io/en/v1.12/gettinghelp
[root@k8s-master01 ~]#3 查看
[root@k8s-master01 ~]# kubectlget pod -A | grep cil
kube-systemcilium-gmr6c1/1Running05m3s
kube-systemcilium-kzgdj1/1Running05m3s
kube-systemcilium-operator-69b677f97c-6pw4k1/1Running05m3s
kube-systemcilium-operator-69b677f97c-xzzdk1/1Running05m3s
kube-systemcilium-q2rnr1/1Running05m3s
kube-systemcilium-smx5v1/1Running05m3s
kube-systemcilium-tdjq41/1Running05m3s
[root@k8s-master01 ~]#4 下载专属监控面板
[root@k8s-master01 yaml]# wget https://raw.githubusercontent.com/cilium/cilium/1.12.1/examples/kubernetes/addons/prometheus/monitoring-example.yaml
[root@k8s-master01 yaml]#
[root@k8s-master01 yaml]# kubectlapply -f monitoring-example.yaml
namespace/cilium-monitoring created
serviceaccount/prometheus-k8s created
configmap/grafana-config created
configmap/grafana-cilium-dashboard created
configmap/grafana-cilium-operator-dashboard created
configmap/grafana-hubble-dashboard created
configmap/prometheus created
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
service/grafana created
service/prometheus created
deployment.apps/grafana created
deployment.apps/prometheus created
[root@k8s-master01 yaml]#5 下载部署测试用例
[root@k8s-master01 yaml]# wget https://raw.githubusercontent.com/cilium/cilium/master/examples/kubernetes/connectivity-check/connectivity-check.yaml[root@k8s-master01 yaml]# sed -i "s#google.com#oiox.cn#g" connectivity-check.yaml[root@k8s-master01 yaml]# kubectlapply -f connectivity-check.yaml
deployment.apps/echo-a created
deployment.apps/echo-b created
deployment.apps/echo-b-host created
deployment.apps/pod-to-a created
deployment.apps/pod-to-external-1111 created
deployment.apps/pod-to-a-denied-cnp created
deployment.apps/pod-to-a-allowed-cnp created
deployment.apps/pod-to-external-fqdn-allow-google-cnp created
deployment.apps/pod-to-b-multi-node-clusterip created
deployment.apps/pod-to-b-multi-node-headless created
deployment.apps/host-to-b-multi-node-clusterip created
deployment.apps/host-to-b-multi-node-headless created
deployment.apps/pod-to-b-multi-node-nodeport created
deployment.apps/pod-to-b-intra-node-nodeport created
service/echo-a created
service/echo-b created
service/echo-b-headless created
service/echo-b-host-headless created
ciliumnetworkpolicy.cilium.io/pod-to-a-denied-cnp created
ciliumnetworkpolicy.cilium.io/pod-to-a-allowed-cnp created
ciliumnetworkpolicy.cilium.io/pod-to-external-fqdn-allow-google-cnp created
[root@k8s-master01 yaml]#6 查看pod
[root@k8s-master01 yaml]# kubectlget pod -A
NAMESPACENAMEREADYSTATUSRESTARTSAGE
cilium-monitoringgrafana-59957b9549-6zzqh1/1Running010m
cilium-monitoringprometheus-7c8c9684bb-4v9cl1/1Running010m
defaultchenby-75b5d7fbfb-7zjsr1/1Running027h
defaultchenby-75b5d7fbfb-hbvr81/1Running027h
defaultchenby-75b5d7fbfb-ppbzg1/1Running027h
defaultecho-a-6799dff547-pnx6w1/1Running010m
defaultecho-b-fc47b659c-4bdg91/1Running010m
defaultecho-b-host-67fcfd59b7-28r9s1/1Running010m
defaulthost-to-b-multi-node-clusterip-69c57975d6-z4j2z1/1Running010m
defaulthost-to-b-multi-node-headless-865899f7bb-frrmc1/1Running010m
defaultpod-to-a-allowed-cnp-5f9d7d4b9d-hcd8x1/1Running010m
defaultpod-to-a-denied-cnp-65cc5ff97b-2rzb81/1Running010m
defaultpod-to-a-dfc64f564-p7xcn1/1Running010m
defaultpod-to-b-intra-node-nodeport-677868746b-trk2l1/1Running010m
defaultpod-to-b-multi-node-clusterip-76bbbc677b-knfq21/1Running010m
defaultpod-to-b-multi-node-headless-698c6579fd-mmvd71/1Running010m
defaultpod-to-b-multi-node-nodeport-5dc4b8cfd6-8dxmz1/1Running010m
defaultpod-to-external-1111-8459965778-pjt9b1/1Running010m
defaultpod-to-external-fqdn-allow-google-cnp-64df9fb89b-l9l4q1/1Running010m
kube-systemcilium-7rfj61/1Running056s
kube-systemcilium-d4cch1/1Running056s
kube-systemcilium-h5x8r1/1Running056s
kube-systemcilium-operator-5dbddb6dbf-flpl51/1Running056s
kube-systemcilium-operator-5dbddb6dbf-gcznc1/1Running056s
kube-systemcilium-t2xlz1/1Running056s
kube-systemcilium-z65z71/1Running056s
kube-systemcoredns-665475b9f8-jkqn81/1Running1 (36h ago)36h
kube-systemhubble-relay-59d8575-9pl9z1/1Running056s
kube-systemhubble-ui-64d4995d57-nsv9j2/2Running056s
kube-systemmetrics-server-776f58c94b-c6zgs1/1Running1 (36h ago)37h
[root@k8s-master01 yaml]#7 修改为NodePort
[root@k8s-master01 yaml]# kubectledit svc-n kube-system hubble-ui
service/hubble-ui edited
[root@k8s-master01 yaml]#
[root@k8s-master01 yaml]# kubectledit svc-n cilium-monitoring grafana
service/grafana edited
[root@k8s-master01 yaml]#
[root@k8s-master01 yaml]# kubectledit svc-n cilium-monitoring prometheus
service/prometheus edited
[root@k8s-master01 yaml]#type: NodePort8 查看端口
[root@k8s-master01 yaml]# kubectl get svc -A | grep monit
cilium-monitoringgrafanaNodePort10.100.250.173000:30707/TCP15m
cilium-monitoringprometheusNodePort10.100.131.2439090:31155/TCP15m
[root@k8s-master01 yaml]#
[root@k8s-master01 yaml]# kubectl get svc -A | grep hubble
kube-systemhubble-metricsClusterIPNone9965/TCP5m12s
kube-systemhubble-peerClusterIP10.100.150.29443/TCP5m12s
kube-systemhubble-relayClusterIP10.109.251.3480/TCP5m12s
kube-systemhubble-uiNodePort10.102.253.5980:31219/TCP5m12s
[root@k8s-master01 yaml]# 9 访问
http://192.168.1.61:30707
http://192.168.1.61:31155
http://192.168.1.61:31219关于
https://www.oiox.cn/
https://www.oiox.cn/index.php...
CSDN、GitHub、知乎、开源中国、思否、掘金、简书、华为云、阿里云、腾讯云、哔哩哔哩、今日头条、新浪微博、个人博客
【kubernetes|kubernetes 安装cilium】全网可搜《小陈运维》
文章主要发布于微信公众号
推荐阅读
- Apache安装配置避坑指南
- 安装、激活,一头雾水
- kubernetes|升级 Kubernetes 上的 TiDB 集群
- Kubernetes API 访问控制之认证、鉴权、准入控制的介绍
- 如何安装 Ubuntu Server 22.04 LTS ?
- 软件安装|虚拟机安装centos7
- 软件安装|centos7安装zookeeper
- 软件安装|centos7安装配置jdk8
- Centos安装Redis(极速安装)
- 云原生之谜|[ 云计算相关 ] KVM虚拟化平台windows虚拟机迁移到openstack虚拟化平台(KVM虚拟化环境中Windows虚拟机安装Virtio驱动程序)