NAD概述#

之前学习K8S基础的时候，pod都是以单网卡的形式工作，默走集群CNI（Container Network Interface）网络（Flannel/Calico 等）。

以核心网容器化为例，不同的网元可能需要工作在不同的网段，网络资源需要更明细的划分，其实这只是核心网容器化最最基础的需求，其他的如状态保持之类的就更麻烦。

普通网元一般会区分业务网段和管理网段，单POD的单网卡限制了这一点
使用NodePort将POD服务端口映射到节点端口，对于UPF数据转发业务并不适用（GTP封装不允许NAT）。
强状态网元也不适用于用clusterIP提供服务，如AMF SMF会保留上下文和PDU会话，不能随便负载均衡。

这时候就需要专门的组件来处理多网卡问题：

Multus-CNI 是一个多CNI插件，可以让一个 Pod 能拥有多张网卡，它自己不创建网络，只负责调用其它 CNI ；
NAD（Network Attachment Definition）是K8S的一种资源定义，用于描述一个Pod的网络附件，记录一张额外网卡的配置信息； Multus 根据 NAD 的定义来为 POD 配置额外的网卡。

Multus-CNI 工作原理如图所示： multus

NAD实操#

Multus-CNI镜像导入#

worker1节点使用 ctr 导入准备好的镜像即可：

1
# worker1
2
root@k8s-worker1:~# ctr -n k8s.io images import multus-cni_snapshot.tar
3
# unpacking ghcr.io/k8snetworkplumbingwg/multus-cni:snapshot (sha256:477accb90081414520b5473adfb732b4ca13e91d8e32f78547e882c99a8d6481)...done
4
root@k8s-worker1:~# crictl image list
5
# IMAGE                                                TAG                 IMAGE ID            SIZE
6
# ghcr.io/k8snetworkplumbingwg/multus-cni              snapshot            deedd5a8d3d7e       426MB

这里镜像名称为 ghcr.io/k8snetworkplumbingwg/multus-cni:snapshot ，后面yaml文件需要修改下。

Multus-CNI组件启用#

master1 上创建 multus-daemonset.yml 文件，官方内容基础上修改 multus-cni 镜像名称：

1
# Note:
2
#   This deployment file is designed for 'quickstart' of multus, easy installation to test it,
3
#   hence this deployment yaml does not care about following things intentionally.
4
#     - various configuration options
5
#     - minor deployment scenario
6
#     - upgrade/update/uninstall scenario
7
#   Multus team understand users deployment scenarios are diverse, hence we do not cover
8
#   comprehensive deployment scenario. We expect that it is covered by each platform deployment.
9
---
10
apiVersion: apiextensions.k8s.io/v1
11
kind: CustomResourceDefinition
12
metadata:
13
  name: network-attachment-definitions.k8s.cni.cncf.io
14
spec:
15
  group: k8s.cni.cncf.io
16
  scope: Namespaced
17
  names:
18
    plural: network-attachment-definitions
19
    singular: network-attachment-definition
20
    kind: NetworkAttachmentDefinition
21
    shortNames:
22
    - net-attach-def
23
  versions:
24
    - name: v1
25
      served: true
26
      storage: true
27
      schema:
28
        openAPIV3Schema:
29
          description: 'NetworkAttachmentDefinition is a CRD schema specified by the Network Plumbing
30
            Working Group to express the intent for attaching pods to one or more logical or physical
31
            networks. More information available at: https://github.com/k8snetworkplumbingwg/multi-net-spec'
32
          type: object
33
          properties:
34
            apiVersion:
35
              description: 'APIVersion defines the versioned schema of this represen
36
                tation of an object. Servers should convert recognized schemas to the
37
                latest internal value, and may reject unrecognized values. More info:
38
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
39
              type: string
40
            kind:
41
              description: 'Kind is a string value representing the REST resource this
42
                object represents. Servers may infer this from the endpoint the client
43
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
44
              type: string
45
            metadata:
46
              type: object
47
            spec:
48
              description: 'NetworkAttachmentDefinition spec defines the desired state of a network attachment'
49
              type: object
50
              properties:
51
                config:
52
                  description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration'
53
                  type: string
54
---
55
kind: ClusterRole
56
apiVersion: rbac.authorization.k8s.io/v1
57
metadata:
58
  name: multus
59
rules:
60
  - apiGroups: ["k8s.cni.cncf.io"]
61
    resources:
62
      - '*'
63
    verbs:
64
      - '*'
65
  - apiGroups:
66
      - ""
67
    resources:
68
      - pods
69
      - pods/status
70
    verbs:
71
      - get
72
      - update
73
  - apiGroups:
74
      - ""
75
      - events.k8s.io
76
    resources:
77
      - events
78
    verbs:
79
      - create
80
      - patch
81
      - update
82
---
83
kind: ClusterRoleBinding
84
apiVersion: rbac.authorization.k8s.io/v1
85
metadata:
86
  name: multus
87
roleRef:
88
  apiGroup: rbac.authorization.k8s.io
89
  kind: ClusterRole
90
  name: multus
91
subjects:
92
- kind: ServiceAccount
93
  name: multus
94
  namespace: kube-system
95
---
96
apiVersion: v1
97
kind: ServiceAccount
98
metadata:
99
  name: multus
100
  namespace: kube-system
101
---
102
kind: ConfigMap
103
apiVersion: v1
104
metadata:
105
  name: multus-cni-config
106
  namespace: kube-system
107
  labels:
108
    tier: node
109
    app: multus
110
data:
111
  # NOTE: If you'd prefer to manually apply a configuration file, you may create one here.
112
  # In the case you'd like to customize the Multus installation, you should change the arguments to the Multus pod
113
  # change the "args" line below from
114
  # - "--multus-conf-file=auto"
115
  # to:
116
  # "--multus-conf-file=/tmp/multus-conf/70-multus.conf"
117
  # Additionally -- you should ensure that the name "70-multus.conf" is the alphabetically first name in the
118
  # /etc/cni/net.d/ directory on each node, otherwise, it will not be used by the Kubelet.
119
  cni-conf.json: |
120
    {
121
      "name": "multus-cni-network",
122
      "type": "multus",
123
      "capabilities": {
124
        "portMappings": true
125
      },
126
      "delegates": [
127
        {
128
          "cniVersion": "0.3.1",
129
          "name": "default-cni-network",
130
          "plugins": [
131
            {
132
              "type": "flannel",
133
              "name": "flannel.1",
134
                "delegate": {
135
                  "isDefaultGateway": true,
136
                  "hairpinMode": true
137
                }
138
              },
139
              {
140
                "type": "portmap",
141
                "capabilities": {
142
                  "portMappings": true
143
                }
144
              }
145
          ]
146
        }
147
      ],
148
      "kubeconfig": "/etc/cni/net.d/multus.d/multus.kubeconfig"
149
    }
150
---
151
apiVersion: apps/v1
152
kind: DaemonSet
153
metadata:
154
  name: kube-multus-ds
155
  namespace: kube-system
156
  labels:
157
    tier: node
158
    app: multus
159
    name: multus
160
spec:
161
  selector:
162
    matchLabels:
163
      name: multus
164
  updateStrategy:
165
    type: RollingUpdate
166
  template:
167
    metadata:
168
      labels:
169
        tier: node
170
        app: multus
171
        name: multus
172
    spec:
173
      hostNetwork: true
174
      tolerations:
175
      - operator: Exists
176
        effect: NoSchedule
177
      - operator: Exists
178
        effect: NoExecute
179
      serviceAccountName: multus
180
      containers:
181
      - name: kube-multus
182
        image: ghcr.io/k8snetworkplumbingwg/multus-cni:snapshot
183
        command: ["/thin_entrypoint"]
184
        args:
185
        - "--multus-conf-file=auto"
186
        - "--multus-autoconfig-dir=/host/etc/cni/net.d"
187
        - "--cni-conf-dir=/host/etc/cni/net.d"
188
        resources:
189
          requests:
190
            cpu: "100m"
191
            memory: "50Mi"
192
          limits:
193
            cpu: "100m"
194
            memory: "50Mi"
195
        securityContext:
196
          privileged: true
197
        terminationMessagePolicy: FallbackToLogsOnError
198
        volumeMounts:
199
        - name: cni
200
          mountPath: /host/etc/cni/net.d
201
        - name: cnibin
202
          mountPath: /host/opt/cni/bin
203
        - name: multus-cfg
204
          mountPath: /tmp/multus-conf
205
      initContainers:
206
        - name: install-multus-binary
207
          image: ghcr.io/k8snetworkplumbingwg/multus-cni:snapshot
208
          command: ["/install_multus"]
209
          args:
210
            - "--type"
211
            - "thin"
212
          resources:
213
            requests:
214
              cpu: "10m"
215
              memory: "15Mi"
216
          securityContext:
217
            privileged: true
218
          terminationMessagePolicy: FallbackToLogsOnError
219
          volumeMounts:
220
            - name: cnibin
221
              mountPath: /host/opt/cni/bin
222
              mountPropagation: Bidirectional
223
      terminationGracePeriodSeconds: 10
224
      volumes:
225
        - name: cni
226
          hostPath:
227
            path: /etc/cni/net.d
228
        - name: cnibin
229
          hostPath:
230
            path: /opt/cni/bin
231
        - name: multus-cfg
232
          configMap:
233
            name: multus-cni-config
234
            items:
235
            - key: cni-conf.json
236
              path: 70-multus.conf

其中 kind 为 CustomResourceDefinition ，用于自定义新资源。
这些pod被归于 kube-system 空间。

直接 apply 即可：

1
root@k8s-master1:~# kubectl apply -f multus-daemonset.yml
2
root@k8s-master1:~# kubectl get pods -n kube-system -o wide | grep -i worker1
3
# calico-node-lp6fk                          1/1     Running   1 (121m ago)   2d    192.168.24.131   k8s-worker1   <none>           <none>
4
# kube-multus-ds-bmgxw                       1/1     Running   0              14m   192.168.24.131   k8s-worker1   <none>           <none>
5
# kube-proxy-fwh65                           1/1     Running   1 (121m ago)   2d    192.168.24.131   k8s-worker1   <none>           <none>

NAD资源创建#

新建 nad.yaml 文件：

1
---
2
apiVersion: k8s.cni.cncf.io/v1
3
kind: NetworkAttachmentDefinition
4
metadata:
5
  name: nad-network
6
  namespace: default
7
spec:
8
  config: |
9
    {
10
      "cniVersion": "0.3.1",
11
      "type": "macvlan",
12
      "master": "ens33",
13
      "mode": "bridge",
14
      "ipam": {
15
        "type": "host-local",
16
        "subnet": "192.168.100.0/24"
17
      }
18
    }

简单的NAD资源就定义完成了，其含义如下：

使用macvlan技术（虚拟出多个独立网卡）
复用宿主机网卡 ens33
以桥接模式运行
由节点本地分配 192.168.100.0/24 网段的ip

执行apply创建资源：

1
root@k8s-master1:~# kubectl apply -f nad.yaml
2
# networkattachmentdefinition.k8s.cni.cncf.io/nad-network created
3
root@k8s-master1:~# kubectl get network-attachment-definitions
4
# NAME          AGE
5
# nad-network   3s

NAD资源使用#

以之前创建的 nginx pod 为例，修改 nginx.yaml 文件，metadata 部分新增 NAD 资源：

1
apiVersion: v1
2
kind: Pod
3
metadata:
4
  name: nginx
5
  annotations:
6
    k8s.v1.cni.cncf.io/networks: nad-network
7
spec:
8
  containers:
9
    - name: nginx
10
      image: nginx
11
      ports:
12
        - containerPort: 80

apply 重新应用，然后查看 nginx pod 是否有新增网卡：

1
root@k8s-master1:~# kubectl apply -f nginx.yaml
2
root@k8s-master1:~# kubectl exec -it nginx -- cat /proc/net/dev
3
# Inter-|   Receive                                                |  Transmit
4
#  face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
5
#     lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
6
#  tunl0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
7
#   eth0:     446       5    0    0    0     0          0         0      866      11    0    0    0     0       0          0
8
#   net1:      60       1    0    0    0     0          0         1      908      12    0    0    0     0       0          0

可以看到 nginx pod 已经加上了一张 net1 网卡，net1 是 multus 命名规则生成的。