我发现,直到几个月前,the "hostPort" configuration for Pods was not going to work with CNI based integrations。这意味着,对于使用Calico的任何Kubernetes集群,无法直接在某个节点的端口上直接暴露Pod端口,而无需使用服务或标记hostNetwork=true(这是有点极端)。
从Kubernetes 1.7.0开始,这是可能的,但有必要更改Calico配置,以便让the new "portmap" CNI plugin进入,这是我尝试做的,但没有成功。我从一个新的IBM Bluemix Container Service集群开始。
我的calico-node DaemonSet具有以下CNI_NETWORK_CONFIG环境变量:
{
"name": "k8s-pod-network",
"cniVersion": "0.3.1",
"type": "calico",
"etcd_endpoints": "__ETCD_ENDPOINTS__",
"etcd_key_file": "__ETCD_KEY_FILE__",
"etcd_cert_file": "__ETCD_CERT_FILE__",
"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
"log_level": "info",
"mtu": 1480,
"ipam": {
"type": "calico-ipam"
},
"policy": {
"type": "k8s",
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
},
"kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__"
}
}
我在这里所做的只是尝试用以下配置替换它:
{
"name": "k8s-pod-network",
"cniVersion": "0.3.1",
"plugins": [{
"type": "calico",
"etcd_endpoints": "__ETCD_ENDPOINTS__",
"etcd_key_file": "__ETCD_KEY_FILE__",
"etcd_cert_file": "__ETCD_CERT_FILE__",
"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
"log_level": "info",
"mtu": 1480,
"ipam": {
"type": "calico-ipam"
},
"policy": {
"type": "k8s",
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
},
"kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__"
}
},
{
"type": "portmap",
"snat": true,
"capabilities": {
"portMappings": true
}
}
]
}
calico-node pod正在成功运行,但是我自己的Pod仍然卡在"待定"初始化期间的状态,事件"错误同步窗格"来自" kubelet NODE_IP"。
我很欣赏这个问题的一些帮助。提前谢谢。
答案 0 :(得分:1)
就内容而言,你看起来是合理的,我认为问题可能是你需要将配置文件的名称从.conf更改为.conflist。有一些PR更改https://github.com/projectcalico/calico/pull/903用于在calico清单中启用hostport,您可以将其与您所做的进行比较。
如果你通过守护进程设置文件名,你应该删除主机上的先前配置文件,因为发布的install-cni容器没有清理以前的配置,我不确定kubelet会使用哪个配置文件。