Cilium, the eBPF heavy hitter: deploying Hubble for visual tracing, with a walkthrough

Up front: Hubble YAML files (Cilium 1.7):
https://github.com/cilium/hubble/tree/v0.5/tutorials/deploy-hubble-servicemap
Test YAML file: https://github.com/cilium/cilium/blob/master/examples/kubernetes/connectivity-check/connectivity-check.yaml

Reference: https://cilium.io/blog/2020/05/04/guest-blog-kubernetes-cilium

For Cilium 1.7 and above:

helm template cilium cilium/cilium --version 1.8.1 \
   --namespace kube-system \
   --set global.etcd.enabled=true \
   --set global.etcd.managed=true \
   --set global.hubble.enabled=true \
   --set global.hubble.listenAddress=":4244" \
   --set global.hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}" \
   --set global.hubble.relay.enabled=true \
   --set global.hubble.ui.enabled=true > hubble.yaml
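You can pick out and modify the parts you need directly from the generated YAML file, or install with helm.

How to enable Hubble
The specific changes:

1. Modify the ConfigMap

Edit Cilium's ConfigMap (cm); the change takes effect after a restart.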

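2. Create Hubble
First grant permissions: create the ClusterRole, ServiceAccount (sa) and ClusterRoleBinding.

Create the Service (svc), which exposes the metrics for collection.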

Deploy the UI

Deploy the two Deployments

Done. Open the UI to verify.

dashboard

Once Hubble metrics are enabled, these metrics can be collected into Prometheus for alerting, or displayed in Grafana.
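
As an added example (not from the original post or the Cilium project), here is a Prometheus alerting-rules file built on the `drop` and `flow` Hubble metrics enabled in the helm command above. The group name, alert names, thresholds and durations are assumptions to tune per cluster.

```yaml
# Added example: Prometheus alerting rules over Hubble metrics.
# Assumes Prometheus already scrapes the Hubble metrics endpoint.
# All thresholds and "for" durations below are illustrative assumptions.
groups:
- name: hubble-network-visibility        # hypothetical group name
  rules:
  # Sustained packet drops, broken out by drop reason and protocol so the
  # alert itself says whether policy, routing or something else is dropping.
  - alert: HubbleDropRateHigh
    expr: sum by (reason, protocol) (rate(hubble_drop_total[5m])) > 1
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "Sustained drops: {{ $labels.reason }} ({{ $labels.protocol }})"

  # Share of all observed flows whose verdict is DROPPED. A rising ratio
  # after a policy rollout usually means the policy is too strict, or that
  # a workload is attempting connections it was never allowed to make.
  - alert: HubbleDroppedFlowRatioHigh
    expr: |
      sum(rate(hubble_flows_processed_total{verdict="DROPPED"}[5m]))
        /
      sum(rate(hubble_flows_processed_total[5m])) > 0.05
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "More than 5% of observed flows are being dropped"

  # No flow series at all: Hubble is down, metrics were disabled, or the
  # scrape target disappeared. Either way network visibility is lost.
  - alert: HubbleMetricsMissing
    expr: absent(hubble_flows_processed_total)
    for: 15m
    labels:
      severity: critical
    annotations:
      summary: "Hubble flow metrics are missing; network visibility is lost"
```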

On success, the result is as shown in the figure:

[Figure: result after success]

Breaking down the check

echo a

echo-a

# Automatically generated by Makefile. DO NOT EDIT
apiVersion: v1
kind: Service
metadata:
  name: echo-a
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    name: echo-a
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-a
spec:
  selector:
    matchLabels:
      name: echo-a
  replicas: 1
  template:
    metadata:
      labels:
        name: echo-a
    spec:
      containers:
      - name: echo-container
        image: docker.io/cilium/json-mock:1.0
        imagePullPolicy: IfNotPresent
        readinessProbe:
          exec:
            command: ["curl", "-sS", "--fail", "-o", "/dev/null", "localhost"]

pod-to-a

Checks whether it can curl echo-a.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-to-a
spec:
  selector:
    matchLabels:
      name: pod-to-a
  replicas: 1
  template:
    metadata:
      labels:
        name: pod-to-a
    spec:
      containers:
      - name: pod-to-a-container
        image: docker.io/byrnedo/alpine-curl:0.1.8
        command: ["/bin/ash", "-c", "sleep 1000000000"]
        imagePullPolicy: IfNotPresent
        livenessProbe:
          exec:
            command: ["curl", "-sS", "--fail", "-o", "/dev/null", "echo-a"]

pod-to-a-allowed-cnp

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-to-a-allowed-cnp
spec:
  selector:
    matchLabels:
      name: pod-to-a-allowed-cnp
  replicas: 1
  template:
    metadata:
      labels:
        name: pod-to-a-allowed-cnp
    spec:
      containers:
      - name: pod-to-a-allowed-cnp-container
        image: docker.io/byrnedo/alpine-curl:0.1.8
        command: ["/bin/ash", "-c", "sleep 1000000000"]
        imagePullPolicy: IfNotPresent
        livenessProbe:
          exec:
            command: ["curl", "-sS", "--fail", "-o", "/dev/null", "echo-a"]
        readinessProbe:
          exec:
            command: ["curl", "-sS", "--fail", "-o", "/dev/null", "echo-a"]
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
