静态路由
总结 瞻博网络云原生 Contrail 网络 (CN2) 23.1 版支持群集的静态路由。本文介绍如何为 CN2 群集配置静态路由。
了解静态路由
当网络不需要动态路由协议的复杂性时,您可以使用静态路由。在路由和转发表中作为永久固定装置的路由通常配置为静态路由。
路由由目标前缀和下一跃点转发地址组成。静态路由在路由表中被激活,并在可访问下一跃点地址时插入转发表。与静态路由匹配的流量将被转发到指定的下一跃点地址。
CN2 中的静态路由
CN2 通过以下两个自定义资源 (CR) 实施静态路由:
-
RouteTable:包含用户定义的网络目标前缀以及关联的下一跃点 (nextHop)。IPnextHop地址必须是 VMI 对象的 IP 地址。前缀定义可通过下一跃点访问的目标网络。您可以通过 ARouteTable定义静态路由和下一跃点配对,然后将其与RouteTable和虚拟网络 (VN) 关联。以下是 CR 的示例RouteTable。请注意,此实例中不需要命名空间字段。apiVersion: core.contrail.juniper.net/v3 kind: RouteTable metadata: name: static-rt namespace: static-route spec: routes: route: - nextHop: 10.20.30.2 nextHopType: ip-address prefix: 10.20.30.0/24 communityAttributes: communityAttribute: - accept-own - no-advertise请注意,下一个HopType 字段必须具有值 ip 地址。任何其他值都会导致用户输入错误。社区归属字段允许您在路由上设置 BGP 社区,这些路由通过 BGP 播发。
-
InterfaceRouteTable:将InterfaceRouteTable静态路由配置为虚拟机接口 (VMI) 的下一跃点。一个InterfaceRouteTable包含目标前缀,无需静态配置的下一跃点条目。与使用 a 时一RouteTable样,前缀定义目标网络。RouteTable与 , 您不需要定义nextHopIP 地址,因为当关联 VMIInterfaceRouteTable时,关联的 VMI 充当此前缀的下一跃点。 -
以下是 CR 的示例
InterfaceRouteTable。请注意,此实例中不需要命名空间字段。apiVersion: core.contrail.juniper.net/v3 kind: InterfaceRouteTable metadata: name: static-rt namespace: static-route spec: interfaceRouteTableRoutes: route: - nextHopType: ip-address prefix: 10.20.30.0/24 communityAttributes: communityAttribute: - accept-own请注意,字段
nextHopType必须具有值ip-address。任何其他值都会导致用户输入错误。这些 CR 的范围限定在各自的命名空间,使您能够为静态路由配置所需属性。
为虚拟网络配置静态路由
配置 CR 以 RouteTable 将静态路由应用于虚拟网络 (VN)。VN 在其规格中引用了一个 RouteTable 。因此,当该 RouteTable VN 与该 VN 关联时,将应用静态路由。下面是一个 VN 对象,带有关联的 RouteTable:
apiVersion: core.contrail.juniper.net/v3
kind: VirtualNetwork
metadata:
namespace: static-route
name: vn-route
spec:
v4SubnetReference:
apiVersion: core.contrail.juniper.net/v1
kind: Subnet
namespace: static-route
name: vn-subnet
routeTableReferences:
- apiVersion: core.contrail.juniper.net/v3
kind: RouteTable
namespace: static-route
name: static-rt
为 VMI 配置静态路由
在 VMI 上配置接口路由表注释,以便对 VMI 应用一个 InterfaceRouteTable 。
apiVersion: v3
kind: VirtualMachineInterface
metadata:
name: static-route-pod
namespace: static-route
annotations:
core.juniper.net/interface-route-table: '[{"name": "static-rt", "namespace": "static-route"}]'
spec:
<VMI_SPEC>
status:
interfaceRouteTableReferences:
- apiVersion: core.contrail.juniper.net/v3
kind: InterfaceRouteTable
namespace: static-route
name: static-rt
以下是输出示例 kubectl describe vmi :
Name: forwarder-6dff5888fd-59c9l-da8f57ef
Namespace: static-route
Labels: back-reference.core.juniper.net/28ffe95511d099080e315d0bb633ec5334f9250a40c8c9c61825d185=Tag_t2-kubernetes.io_metadata.name-static-route
back-reference.core.juniper.net/5b136ca6d41e33dfb79a3f066e3db71186ade2514d1de62cf7d3a2b7=Tag_t1-core.juniper.net_clusterName-contrail-k8s-kubemanager-ku
back-reference.core.juniper.net/83323440b6198bd1f37a71f0ad4afde199fffd2742ed93cdeea56d4f=InterfaceRouteTable_static-route_to-zone-1
back-reference.core.juniper.net/84befcc656f5c3b04ece96e4d040cd168c3470825052cd9ef6903755=Tag_t1-core.juniper.net_namespace-static-route
back-reference.core.juniper.net/92b2adff92e4dea99659da131af95ac5623ac10275e0a581fcab8c77=InterfaceRouteTable_static-route_to-right
back-reference.core.juniper.net/9793fa23186c25d750b1a724d088a2cd46bff77cc54f819860847259=VirtualNetwork_static-route_left-vn
back-reference.core.juniper.net/bcaf7cc535f4f34dd8d9e4a425cebeea7c229e4efc8e2f8ba3821bc8=VirtualMachine_contrail-k8s-kubemanager-kubernetes-forwarder-6d
back-reference.core.juniper.net/ec2031060f3699dd2f7dd888d858d0a51de65fc2e5e62100b85df999=RoutingInstance_static-route_left-vn
back-reference.core.juniper.net/f48f4e9c4f6c1dfccc439d752da4c9ee8eb7472a73d7bf5749a050af=Tag_t1-app-forwarder
back-reference.core.juniper.net/f6b670baed4845c6640bb4db030b0d22cb3165a5e3929aad3a91fff6=Tag_t1-pod-template-hash-6dff5888fd
Annotations: core.juniper.net/interface-route-table: [{"Namespace":"static-route","Name":"to-right"},{"Namespace":"static-route","Name":"to-zone-1"}]
index: 1/5
interface: eth1
kube-manager.juniper.net/pod-cluster-name: contrail-k8s-kubemanager-kubernetes
kube-manager.juniper.net/pod-name: forwarder-6dff5888fd-59c9l
kube-manager.juniper.net/pod-namespace: static-route
network: left-vn
vmi-address-family: dualStack
API Version: core.contrail.juniper.net/v3
Kind: VirtualMachineInterface
Metadata:
Creation Timestamp: 2023-05-04T06:05:15Z
Finalizers:
virtualmachineinterface.finalizers.core.juniper.net
Generation: 2
Managed Fields:
API Version: core.contrail.juniper.net/v3
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:finalizers:
.:
v:"virtualmachineinterface.finalizers.core.juniper.net":
f:labels:
f:back-reference.core.juniper.net/ec2031060f3699dd2f7dd888d858d0a51de65fc2e5e62100b85df999:
f:spec:
f:virtualMachineInterfaceMacAddresses:
f:macAddress:
Manager: manager
Operation: Update
Time: 2023-05-04T06:05:15Z
API Version: core.contrail.juniper.net/v3
Fields Type: FieldsV1
fieldsV1:
f:status:
f:interfaceRouteTableReferences:
f:observation:
f:routingInstanceReferences:
f:state:
Manager: manager
Operation: Update
Subresource: status
Time: 2023-05-04T06:05:16Z
API Version: core.contrail.juniper.net/v3
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:core.juniper.net/interface-route-table:
f:index:
f:interface:
f:kube-manager.juniper.net/pod-cluster-name:
f:kube-manager.juniper.net/pod-name:
f:kube-manager.juniper.net/pod-namespace:
f:network:
f:vmi-address-family:
f:ownerReferences:
.:
k:{"uid":"a48fb78d-710b-4d66-9c29-73b77d5db8c6"}:
f:spec:
f:portSecurityEnabled:
f:tagReferences:
f:virtualMachineReferences:
f:virtualNetworkReference:
.:
f:apiVersion:
f:kind:
f:name:
f:namespace:
f:resourceVersion:
f:uid:
Manager: kubemanager
Operation: Update
Time: 2023-05-04T06:05:17Z
Owner References:
API Version: core.contrail.juniper.net/v3
Block Owner Deletion: true
Controller: true
Kind: VirtualMachine
Name: contrail-k8s-kubemanager-kubernetes-forwarder-6dff5888fd-59c9l-65da579d
UID: a48fb78d-710b-4d66-9c29-73b77d5db8c6
Resource Version: 43839
UID: bbe79a87-fda4-4a2d-be5f-52ecad9863e2
Spec:
Allowed Address Pairs:
Fq Name:
default-domain
static-route
forwarder-6dff5888fd-59c9l-da8f57ef
Parent:
Port Security Enabled: true
Properties:
Tag References:
API Version: core.contrail.juniper.net/v3
Fq Name:
t1-core.juniper.net_namespace-static-route
Kind: Tag
Name: t1-core.juniper.net_namespace-static-route
Resource Version: 43153
UID: c6bc3209-03c0-4c42-92fe-a71bcf5d2268
API Version: core.contrail.juniper.net/v3
Fq Name:
t1-core.juniper.net_clusterName-contrail-k8s-kubemanager-kubernetes
Kind: Tag
Name: t1-core.juniper.net_clusterName-contrail-k8s-kubemanager-kubernetes
Resource Version: 5169
UID: 72bf6479-90c2-4c57-97ca-214f0ddeec38
API Version: core.contrail.juniper.net/v3
Fq Name:
t1-app-forwarder
Kind: Tag
Name: t1-app-forwarder
Resource Version: 43297
UID: c31f28bb-efba-4793-bd2f-567fd3ff396d
API Version: core.contrail.juniper.net/v3
Fq Name:
t1-pod-template-hash-6dff5888fd
Kind: Tag
Name: t1-pod-template-hash-6dff5888fd
Resource Version: 43298
UID: 7add9d84-8db2-4ddc-b32a-6f2ba06182ee
API Version: core.contrail.juniper.net/v3
Fq Name:
t2-kubernetes.io_metadata.name-static-route
Kind: Tag
Name: t2-kubernetes.io_metadata.name-static-route
Resource Version: 43178
UID: ed588b5a-bc07-4ab4-b163-016ab16924ee
Virtual Machine Interface Mac Addresses:
Mac Address:
02:bb:e7:9a:87:fd
Virtual Machine References:
API Version: core.contrail.juniper.net/v3
Fq Name:
contrail-k8s-kubemanager-kubernetes-forwarder-6dff5888fd-59c9l-65da579d
Kind: VirtualMachine
Name: contrail-k8s-kubemanager-kubernetes-forwarder-6dff5888fd-59c9l-65da579d
Resource Version: 43434
UID: a48fb78d-710b-4d66-9c29-73b77d5db8c6
Virtual Network Reference:
API Version: core.contrail.juniper.net/v3
Fq Name:
default-domain
static-route
left-vn
Kind: VirtualNetwork
Name: left-vn
Namespace: static-route
Resource Version: 42804
UID: 41ab021d-0b55-4598-bc32-abf954708fd0
Status:
Interface Route Table References:
API Version: core.contrail.juniper.net/v3
Fq Name:
static-route
to-right
Kind: InterfaceRouteTable
Name: to-right
Namespace: static-route
Resource Version: 42473
UID: 912aa23d-fb26-4181-8c42-880ebe9f1a9b
API Version: core.contrail.juniper.net/v3
Fq Name:
static-route
to-zone-1
Kind: InterfaceRouteTable
Name: to-zone-1
Namespace: static-route
Resource Version: 42475
UID: a2cfce5c-cb31-4a24-b432-16bdb8318bd6
Observation:
Routing Instance References:
API Version: core.contrail.juniper.net/v3
Attributes:
Direction: both
Fq Name:
default-domain
static-route
left-vn
left-vn
Kind: RoutingInstance
Name: left-vn
Namespace: static-route
UID: 300cda6a-a7fa-4f79-a815-dc3d7c0a46e7
State: Success
Events: <none>]
记下该 Interface Route Table References 部分。本节显示所列 InterfaceRouteTables VMI 与 VMI 之间的关联。
在 Pod 接口上配置静态路由
您可以使用 Pod 清单的注释部分为 Pod 的默认接口或辅助接口配置静态路由。Pod 协调器处理注释部分,以创建具有关联的 InterfaceRouteTableVMI 对象。协调器在注释部分查找字符串密钥:“core.juniper.net/interface-route-table”。Pod 的 VMI 使用该字符串作为元数据标签,与 。InterfaceRouteTable
以下是为默认接口定义的 Pod 清单 InterfaceRouteTable 的示例:
apiVersion: v1
kind: Pod
metadata:
name: static-route-pod
namespace: static-route
annotations:
core.juniper.net/interface-route-table: '[{"name": "vmi-rt", "namespace": "static-route"}]'
spec:
containers:
- name: praqma
image: <image-repository>:<tag>
imagePullPolicy: Always
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true
记下 securityContext 字段。这些字段是必要的,因为 Pod 必须有权更改其路由表,才能利用配置的路由。
以下是为辅助接口定义的 Pod 清单 InterfaceRouteTable 的示例:
apiVersion: v1
kind: Pod
metadata:
name: static-route-pod
namespace: static-route
annotations:
k8s.v1.cni.cncf.io/networks: |
[
{
"name": "vn-route",
"namespace": "static-route",
"cni-args": {
"core.juniper.net/interface-route-table": "[{\"name\": \"vmi-rt\", \"namespace\": \"static-route\"}]"
}
}
]
spec:
containers:
- name: praqma
image: <image-repository>:<tag>
imagePullPolicy: Always
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true
请注意,主接口 InterfaceRouteTable 的名称是 vmi-rt ,辅助接口的名称是 vn-route。在同一命名空间中定义两 InterfaceRouteTables 个名称不同,会自动为该 Pod 的主接口和辅助接口创建一个 InterfaceRouteTable 。
为具有 NAD 的虚拟网络配置静态路由
您还可以在网络附件定义 (NAD) 对象中指定静态路由属性。协调或应用 NAD 后,将创建 a RouteTable ,由此产生的 VN 对象引用该 RouteTable。以下是定义的静态路由信息 NAD 的示例:
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: vn-route
namespace: static-route
labels:
vn: vn-route
annotations:
juniper.net/networks: '{
"ipamV4Subnet": "108.108.2.0/24"
"routeTableReferences": '[{"name": "vn-rt", "namespace": "static-route"}]'
}'
spec:
config: '{
"cniVersion": "0.3.1",
"name": "vn-route",
"type": "contrail-k8s-cni"
}'
Pod 接口上的多个静态路由
您可以使用 InterfaceRouteTable,将多个静态路由关联到单个 Pod 接口 (VMI)。这意味着该 VMI 对象有多个下一跃点目标,具体取决于 IP 前缀。您可以使用群集服务版本 (CSV) 语法或 JSON 语法注释指定多个 InterfaceRouteTable 参考。
引用时 InterfaceRouteTable 必须采用“命名空间/名称”格式。在以下示例中, static-route 是命名空间和 to-right 和 to-zone-1 ,是 InterfaceRouteTable VMI 的对象或下 left-vn 一跃点目标。
以下示例包含 Deployment 多个 InterfaceRouteTable 参考:
apiVersion: apps/v1
kind: Deployment
metadata:
name: forwarder
namespace: static-route
labels:
app: forwarder
spec:
replicas: 3
selector:
matchLabels:
app: forwarder
template:
metadata:
labels:
app: forwarder
annotations:
k8s.v1.cni.cncf.io/networks: |
[
{
"name": "left-vn",
"namespace": "static-route",
"cni-args": {
"core.juniper.net/interface-route-table": "static-route/to-right,static-route/to-zone-1"
}
},
{
"name": "right-vn",
"namespace": "static-route",
"cni-args": {
"core.juniper.net/interface-route-table": "static-route/to-left"
}
},
{
"name": "zone-1",
"namespace": "static-route",
"cni-args": {
"core.juniper.net/interface-route-table": "static-route/to-left"
}
},
{
"name": "zone-2",
"namespace": "static-route",
"cni-args": {
"core.juniper.net/interface-route-table": "static-route/to-left"
}
}
]
spec:
containers:
- name: praqma
image: <repository>:<tag>
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true
以下示例是一个使用 JSON 语法的多个 InterfaceRouteTable 引用的 Pod 清单:
apiVersion: v1
kind: Pod
metadata:
name: irt-right
namespace: static-route
annotations:
k8s.v1.cni.cncf.io/networks: |
[{
"name": "right-vn",
"namespace": "static-route",
"cni-args": {
"core.juniper.net/interface-route-table": "[{\"namespace\": \"static-route\", "\name\": \"to-left\"}, {\"namespace\": \"static-route\", \"name\": \"to-zone-1\"}]"
}
}]
spec:
containers:
- name: praqma
image: <image-repository>:<tag>
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true
您必须在 JSON 语法中使用向后斜杠。要将 JSON 字符串编码在另一个 JSON 字符串中,需要向后斜杠。
路由表和接口RouteTable 故障排除
数据平面验证
-
在 vRouter 内省中,使用以下步骤验证 VN 的 VRF 是否显示了一行,该行具有 RT 中指定的匹配静态路由前缀:
-
访问 vRouter 内省,https://<vrouter_ip>:8085/Snh_VrfListReq
-
验证 VRF 是否与 VN 关联。
-
导航至 VRF 单播
RouteTable中的 ucindex 列。 -
验证表中是否包含具有正确静态路由前缀的行。
-
- 在内省中,验证 VN 的下一跃点属性是否准确且根据需要。在内省中,前缀的下一跃点列应包含以下内容:
-
下一跃点接口名称必须是有效的分路接口。
-
必须是
label正整数。 -
值
resolved必须为true。 -
值
route-type:必须为InterfaceStaticRoute。
-
配置平面验证
-
验证和对象的状态
RouteTableInterfaceRouteTable。-
检查对象的协调器
InterfaceRouteTable状态。kubectl get interfaceroutetable -n
-
检查对象的协调器
RouteTable状态。kubectl get routetable -n
-
-
RouteTable验证相关 VN 中的参考。InterfaceRouteTable验证关联 VMI 中的参考。-
检查 VMI 协调器的状态。您应该会看到
InterfaceRouteTableVMI 中带有关联的通用唯一标识符 (UUID) Contrail FQ(元信息,如apiversion、kindnamespace、name)名称。kubectl get vmi -n -oyaml | grep -i interfaceRouteTable
kubectl get vn -n -oyaml | grep -i routeTable
-