calicoctl:
calicoctl makes it convenient to manage Calico networking and security policy. You can also run it as a container (the calico/ctl image can be pulled from Docker Hub), but running it in a container has limitations and does not give you the full functionality of the binary command. The calicoctl command line provides many resource management commands that let you create, modify, delete and view the different Calico resources.
Command Reference:
create     Create a resource by filename or stdin.
replace    Replace a resource by filename or stdin.
apply      Apply a resource by filename or stdin. This creates a resource if it does not exist, and replaces a resource if it does exist.
delete     Delete a resource identified by file, stdin or resource type and name.
get        Get a resource identified by file, stdin or resource type and name.
config     Manage system-wide and low-level node configuration options.
ipam       IP address management.
node       Calico node management.
version    Display the version of calicoctl.
calicoctl create: creates a resource from a configuration file, which may be in YAML or JSON format. Resource types: node, bgpPeer, hostEndpoint, workloadEndpoint, ipPool, policy, profile. -f specifies the location of the resource file; -c specifies the calicoctl config file, which defaults to /etc/calico/calicoctl.cfg.
calicoctl replace: replaces an already existing resource from a configuration file; the parameters are the same as for create.
calicoctl apply: creates a resource, or replaces an existing one, from a configuration file; the parameters are the same as for create.
calicoctl delete: deletes resources from a resource file, or by type and identifier.
calicoctl get: displays resources from a file, or by type and identifier. Several output formats are available: ps, wide, yaml, json, ...
calicoctl config: lets the user view or modify the low-level configuration of the Felix and BGP components. calicoctl config set/unset/get
calicoctl ipam release: releases an IP from Calico IP address management. This does not remove the IP from the endpoint; it only cleans up IPs that were released but not cleanly removed.
calicoctl ipam show: shows the IPs that have already been allocated.
calicoctl node run: starts a calico/node container.
calicoctl node run [--ip=<IP>]
                   [--name=<NAME>]
                   [--ip-autodetection-method=<IP_AUTODETECTION_METHOD>]
                   [--ip6-autodetection-method=<IP6_AUTODETECTION_METHOD>]
                   [--log-dir=<LOG_DIR>]
                   [--node-image=<DOCKER_IMAGE_NAME>]
                   [--backend=(bird|gobgp|none)]
                   [--config=<CONFIG>]
                   [--no-default-ippools]
                   [--dryrun]
                   [--init-system]
                   [--disable-docker-networking]
                   [--docker-networking-ifprefix=<IFPREFIX>]
                   [--use-docker-networking-container-labels]
calicoctl node run --ip autodetect --ip-autodetection-method interface=eth0
calicoctl node status: checks the status of the Calico node
calicoctl node diags: collects diagnostic information on the Calico node
calicoctl node checksystem: checks the host for compatibility
Resource Definitions:
apiVersion: v1
kind:
metadata:
  # Identifying information
  name:
  ...
spec:
  # Specification of the resource
  ...
===================================================
BGP Peer
Metadata: scope, node, peerIP
Spec: asNumber
apiVersion: v1
kind: bgpPeer
metadata:
  scope: node
  node: rack1-host1
  peerIP: 192.168.1.1
spec:
  asNumber: 63400
====================================================
Host Endpoint
Metadata: name, node, labels
Spec: interfaceName, expectedIPs, profiles
apiVersion: v1
kind: hostEndpoint
metadata:
  name: eth0
  node: myhost
  labels:
    type: production
spec:
  interfaceName: eth0
  expectedIPs:
  - 192.168.0.1
  - 192.168.0.2
  profiles:
  - profile1
  - profile2
========================================================
IP Pool
Metadata: cidr
Spec: ipip, nat-outgoing, disabled
apiVersion: v1
kind: ipPool
metadata:
  cidr: 10.1.0.0/16
spec:
  ipip:
    enabled: true
    mode: cross-subnet
  nat-outgoing: true
  disabled: false
=====================================================
Node
Metadata: name
Spec: bgp, orchRefs
OrchRef: nodeName, orchestrator
BGP: asNumber, ipv4Address, ipv6Address
=======================================================
Policy
Metadata: name, annotations
Spec: order, selector, types, ingress, egress, doNotTrack, preDNAT
Rule: action, protocol, notProtocol, icmp, notICMP, ipVersion, source, destination
ICMP: type, code
EntityRule: tag, notTag, nets, net, notNets, notNet, selector, notSelector, ports, notPorts
Selector:
Ports: int, start:end
apiVersion: v1
kind: policy
metadata:
  name: allow-tcp-6379
spec:
  selector: role == 'database'
  types:
  - ingress
  - egress
  ingress:
  - action: allow
    protocol: tcp
    source:
      selector: role == 'frontend'
    destination:
      ports:
      - 6379
  egress:
  - action: allow
================================================================
Profile
Metadata: name, labels, tags
Spec: ingress, egress
Rule: action, protocol, notProtocol, icmp, notICMP, ipVersion, source, destination
ICMP: type, code
EntityRule: tag, notTag, nets, net, notNets, notNet, selector, notSelector, ports, notPorts
Selector:
Ports: int, start:end
apiVersion: v1
kind: profile
metadata:
  name: profile1
  labels:
    profile: profile1
spec:
  ingress:
  - action: deny
    source:
      nets:
      - 10.0.20.0/24
  - action: allow
    source:
      selector: profile == 'profile1'
  egress:
  - action: allow
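The Policy and Profile sections above list the fields of a rule (selector, nets, ports, action) but not how Calico combines them into a verdict. The following evaluator is an added example, not code from this page or from the Calico project: it takes the page's allow-tcp-6379 policy and profile1 (re-typed here as Python dicts) and decides whether a constructed flow is allowed at an endpoint. It assumes a subset of the selector syntax (key == 'v', key != 'v', has(key), all(), joined with &&), matches rules on protocol, source selector/nets and destination ports only, and models these semantics: policies whose selector matches the endpoint apply in ascending order and the first matching rule wins; if a policy applies but no rule matches, the traffic is denied; if no policy applies, the endpoint's profiles decide in the same first-match way, with a default deny. The endpoint and flow values (DATABASE, FRONTEND, the IPs) are constructed for the demonstration.

```python
# Added example (not from the calicoctl page or the Calico project): a minimal
# evaluator for the v1 policy/profile rule model.  Assumptions are stated in the
# lead-in above; the resources below are the page's YAML re-typed as dicts.
import ipaddress
import re

# Selector subset: key == 'v' | key != 'v' | has(key) | all(), joined by &&
_TERM = re.compile(
    r"^\s*(?:(\w[\w./-]*)\s*(==|!=)\s*'([^']*)'|has\((\w[\w./-]*)\)|all\(\))\s*$")


def selector_matches(expr, labels):
    """Evaluate a label selector (subset above) against an endpoint's label dict."""
    for term in expr.split("&&"):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        key, op, val, has_key = m.groups()
        if has_key is not None:
            if has_key not in labels:
                return False
        elif key is not None:
            # op is '==' or '!=': mismatch when equality differs from the operator
            if (labels.get(key) == val) != (op == "=="):
                return False
        # all() matches every endpoint, so nothing to check
    return True


def _port_matches(port, spec):
    """A Ports entry is an int or a 'start:end' range (the page's Ports type)."""
    if port is None:
        return False
    if isinstance(spec, str) and ":" in spec:
        lo, hi = spec.split(":")
        return int(lo) <= port <= int(hi)
    return port == int(spec)


def _entity_matches(entity, labels, ip, port):
    """Match the EntityRule fields used here: selector, nets, ports."""
    if not entity:
        return True  # an absent source/destination matches anything
    if "selector" in entity and not selector_matches(entity["selector"], labels):
        return False
    if "nets" in entity and not any(
            ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in entity["nets"]):
        return False
    if "ports" in entity and not any(_port_matches(port, p) for p in entity["ports"]):
        return False
    return True


def _rule_matches(rule, flow):
    if "protocol" in rule and rule["protocol"] != flow["protocol"]:
        return False
    return (_entity_matches(rule.get("source"), flow["src_labels"], flow["src_ip"], None)
            and _entity_matches(rule.get("destination"), flow["dst_labels"],
                                flow["dst_ip"], flow["dst_port"]))


def evaluate(policies, profiles, endpoint, direction, flow):
    """Return 'allow' or 'deny' for traffic in `direction` ('ingress'/'egress') at `endpoint`."""
    applicable = []
    for pol in policies:
        spec = pol["spec"]
        # types defaults to whichever rule lists are present, else ingress
        types = spec.get("types") or [d for d in ("ingress", "egress") if d in spec] or ["ingress"]
        if direction in types and selector_matches(spec["selector"], endpoint["labels"]):
            applicable.append(pol)
    applicable.sort(key=lambda p: p["spec"].get("order", float("inf")))
    if applicable:
        for pol in applicable:
            for rule in pol["spec"].get(direction, []):
                if _rule_matches(rule, flow):
                    return rule["action"]
        return "deny"  # a policy applied but no rule matched: implicit deny
    for name in endpoint["profiles"]:  # no policy selects the endpoint: profiles decide
        for rule in profiles[name]["spec"].get(direction, []):
            if _rule_matches(rule, flow):
                return rule["action"]
    return "deny"


# The page's policy and profile, re-typed as dicts (constructed input).
POLICIES = [{"metadata": {"name": "allow-tcp-6379"},
             "spec": {"selector": "role == 'database'", "types": ["ingress", "egress"],
                      "ingress": [{"action": "allow", "protocol": "tcp",
                                   "source": {"selector": "role == 'frontend'"},
                                   "destination": {"ports": [6379]}}],
                      "egress": [{"action": "allow"}]}}]
PROFILES = {"profile1": {"spec": {
    "ingress": [{"action": "deny", "source": {"nets": ["10.0.20.0/24"]}},
                {"action": "allow", "source": {"selector": "profile == 'profile1'"}}],
    "egress": [{"action": "allow"}]}}}
# Constructed endpoints: a database pod selected by the policy, and a frontend pod
# that no policy selects, so its profile decides.
DATABASE = {"labels": {"role": "database"}, "profiles": ["profile1"]}
FRONTEND = {"labels": {"role": "frontend", "profile": "profile1"}, "profiles": ["profile1"]}


def _flow(protocol, src_labels, src_ip, dst, dst_ip, dst_port):
    return dict(protocol=protocol, src_labels=src_labels, src_ip=src_ip,
                dst_labels=dst["labels"], dst_ip=dst_ip, dst_port=dst_port)


if __name__ == "__main__":
    f = _flow("tcp", {"role": "frontend"}, "192.168.0.5", DATABASE, "192.168.0.9", 6379)
    print("frontend -> database tcp/6379:", evaluate(POLICIES, PROFILES, DATABASE, "ingress", f))
    f = _flow("tcp", {"role": "frontend"}, "192.168.0.5", DATABASE, "192.168.0.9", 22)
    print("frontend -> database tcp/22:", evaluate(POLICIES, PROFILES, DATABASE, "ingress", f))
    f = _flow("tcp", {"profile": "profile1"}, "10.0.20.7", FRONTEND, "192.168.0.5", 80)
    print("10.0.20.7 -> frontend tcp/80:", evaluate(POLICIES, PROFILES, FRONTEND, "ingress", f))
```

The two frontend cases are the ones worth checking when reviewing a rule set: for the database endpoint, port 22 is dropped not by an explicit deny rule but because a policy applies and nothing matches, while for the frontend endpoint the profile's first rule (deny from 10.0.20.0/24) is hit before the later allow, so rule order inside a profile matters as much as the rule content.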
===============================================
Workload Endpoint
Metadata:
apiVersion: v1
kind: workloadEndpoint
metadata:
  name: eth0
  workload: default.frontend-5gs43
  orchestrator: k8s
  node: rack1-host1
  labels:
    app: frontend
    calico/k8s_ns: default
spec:
  interfaceName: cali0ef24ba
  mac: ca:fe:1d:52:bb:e9
  ipNetworks:
  - 192.168.0.0/32
  profiles:
  - profile1