Red Hatã§OpenShiftã®ã‚µãƒãƒ¼ãƒˆã‚’ã—ã¦ã„ã‚‹id:nekopã§ã™ã€‚OpenShift Advent Calendar 2019ã®2日目ã®ã‚¨ãƒ³ãƒˆãƒªã§ã™ã€‚
OpenShift Service Meshã¯Istioã®è£½å“版ã§ã™ãŒã€é€šå¸¸ã®Istioをセットアップã—ãŸã¨ãã¨å°‘ã—構æˆãŒç•°ãªã‚Šã€Istio CNIã¨ã„ã†ã‚‚ã®ãŒåˆ©ç”¨ã•ã‚Œã¦ã„ã¾ã™ã€‚
Istioã¯ãƒˆãƒ©ãƒ•ã‚£ãƒƒã‚¯ã‚’インターセプトã—ã¦Sidecar proxyã¸æµã™ãŸã‚ã«iptablesã®ãƒ«ãƒ¼ãƒ«ã‚’利用ã—ã¦ã„ã¾ã™ã€‚ã“ã®iptablesã®ãƒ«ãƒ¼ãƒ«ã‚’ã©ã®ã‚ˆã†ã«é©ç”¨ã™ã‚‹ã‹ã€ã¨ã„ã†ã¨ã“ã‚ã§ã™ãŒã€é€šå¸¸ã®ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—ã§ã¯Init containerãŒSidecar proxyã¨å…±ã«ã‚¢ãƒ—リケーションã®Podã¸Injectã•ã‚Œã¦åˆ©ç”¨ã•ã‚Œã¾ã™ã€‚ã“ã®Init containerã¯iptablesを利用ã™ã‚‹ãŸã‚ã€NET_ADMIN capabilityãŒè¨±å¯ã•ã‚Œã¦ã„る特権コンテナ(privileged, è¦ã¯root権é™)ã¨ã—ã¦è¨å®šã•ã‚Œã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ã—ã‹ã—ã€ç‰¹æ¨©ã‚³ãƒ³ãƒ†ãƒŠã‚’許å¯ã—ã¦ã—ã¾ã†ã¨ã€ã‚¢ãƒ—リケーションã®ã™ã横ã«ã‚»ã‚ュリティレベルã®å¼±ã„コンテナãŒé…ç½®ã•ã‚Œã‚‹ã“ã¨ã«ãªã‚Šã¾ã™ã—ã€ç‰¹æ¨©ã‚³ãƒ³ãƒ†ãƒŠèµ·å‹•ãŒè¨±å¯ã•ã‚Œã¦ã„るサービスアカウントをæµç”¨ã—ã¦ä»–ã®æ‚ªæ„ã®ã‚る特権コンテナを起動ã—ã¦ã„ã‚ã„ã‚ã§ãã¦ã—ã¾ã£ãŸã‚Šã™ã‚‹ã®ã§å›žé¿ã—ãŸã„ã¨ã“ã‚ã§ã™ã€‚ãã“ã§åˆ©ç”¨ã•ã‚Œã‚‹ã®ãŒIstio CNIã¨ã„ã†CNIプラグインã§ã™ã€‚Istio CNIã§ã¯ç‰¹æ¨©Init contaienrã§ã¯ãªãCNIã®ä»•çµ„ã¿å†…ã‹ã‚‰iptablesã®ãƒ«ãƒ¼ãƒ«é©ç”¨ã‚’è¡Œã£ã¦ã„ã¾ã™ã€‚
ã“ã‚ŒãŒOpenShift 4.2上ã§ã©ã®ã‚ˆã†ã«æ§‹æˆã•ã‚Œã¦ã„ã‚‹ã‹è¦‹ã¦ã„ããŸã„ã¨æ€ã„ã¾ã™ã€‚ã“ã®ä¾‹ã§ã¯test-istioã¨ã„ã†ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã‚’対象ã«è¦‹ã¦ã„ãã¾ã™ã€‚
OpenShift Service Meshã§ã¯ServiceMeshMemberRollsã¨ã„ã†ãƒªã‚½ãƒ¼ã‚¹ã«Istioを使ã†ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã‚’記述ã™ã‚‹ã¨ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—ãŒå®Ÿè¡Œã•ã‚Œã¾ã™ã€‚
$ oc get -n istio-system servicemeshmemberrolls.maistra.io NAME MEMBERS default [knative-serving test-knative test-istio]
OpenShift 4ã§ã¯multus-cniã¨ã„ã†CNIプラグインを柔軟ã«é¸æŠžã§ãã‚‹CNIメタプラグインãŒæ¨™æº–ã¨ãªã£ã¦ãŠã‚Šã€ä¸Šè¨˜è¨å®šã‚’è¡Œã†ã¨Multusã®NetworkAttachmentDefinitionã¨ã„ã†ãƒªã‚½ãƒ¼ã‚¹ãŒãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã«ä½œæˆã•ã‚Œã€istio-cniãŒæœ‰åŠ¹åŒ–ã•ã‚Œã¾ã™ã€‚NetworkAttachmentDefinitionã®ä¸èº«ã¯åˆ©ç”¨ã™ã‚‹CNIã®åå‰ã ã‘指定ã•ã‚Œã¦ã„ã‚‹ã‚‚ã®ã§ã™ã€‚
$ oc get network-attachment-definitions.k8s.cni.cncf.io --all-namespaces NAMESPACE NAME AGE knative-serving istio-cni 23m test-istio istio-cni 23m test-knative istio-cni 32d $ oc get -n test-istio network-attachment-definitions.k8s.cni.cncf.io istio-cni -o yaml apiVersion: k8s.cni.cncf.io/v1 kind: NetworkAttachmentDefinition metadata: generation: 1 name: istio-cni namespace: test-istio
ã“ã®è¨å®šã¯ã©ã“ã«ç´ã¥ã„ã¦ã„ã‚‹ã‹ã¨ã„ã†ã¨ã€OpenShift Service Meshã«å«ã¾ã‚Œã‚‹DaemonSetãŒå„ノードã®multusè¨å®šãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã«CNIè¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã‚’é…ç½®ã—ã¦ã„ã¦ã€ãã®åå‰ã‚’指定ã—ã¦ã„ã¾ã™ã€‚
$ oc set volumes -n openshift-operators ds/istio-node
daemonsets/istio-node
host path /opt/multus/bin as cni-bin-dir
mounted at /host/opt/cni/bin
host path /etc/cni as etc-cni-dir
mounted at /host/etc/cni/
ã“ã®DaemonSetã«ã‚ˆã£ã¦å„ホストã«ä»¥ä¸‹ã®ãƒ•ã‚¡ã‚¤ãƒ«ç¾¤ãŒé…ç½®ã•ã‚Œã¦ã„ã¾ã™ã€‚
/etc/cni/multus/net.d/istio-cni.conf /etc/cni/multus/net.d/istio-cni.kubeconfig /opt/cni/bin/istio-cni /opt/cni/bin/istio-iptables.sh
実際ã®CNIè¨å®šå†…容ã¯ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚
$ oc debug node/node01
# chroot /host
# cat /etc/cni/multus/net.d/istio-cni.conf
{
"cniVersion": "0.3.0",
"name": "istio-cni",
"type": "istio-cni",
"log_level": "info",
"kubernetes": {
"kubeconfig": "/etc/cni/multus/net.d/istio-cni.kubeconfig",
"cni_bin_dir": "/opt/multus/bin",
"iptables_script": "istio-iptables.sh",
"exclude_namespaces": [ "openshift-operators" ]
}
}
OpenShift Service Meshã§ã¯ã€ã“ã®ã‚ˆã†ã«DaemonSetã§Multusã«istio-cniè¨å®šã‚’é…ç½®ã€Multusã®NetworkAttachmentDefinitionã§æœ‰åŠ¹åŒ–ã™ã‚‹ã¨ã„ã†ä»•çµ„ã¿ã‚’利用ã—ã¦ç‰¹æ¨©ã‚³ãƒ³ãƒ†ãƒŠã‚’利用ã—ãªã„ã€ã‚ˆã‚Šå®‰å…¨ãªIstioã®ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—を実ç¾ã—ã¦ã„ã¾ã™ã€‚
