Tencent Kubernetes Engine
- Release Notes and Announcements
- Release Notes
- Announcements
- Security Vulnerability Fix Description
- Release Notes
- Kubernetes Version Maintenance
- Runtime Version Maintenance Description
- Product Introduction
- Quick Start
- TKE General Cluster Guide
- Purchase a TKE General Cluster
- Permission Management
- Controlling TKE cluster-level permissions
- TKE Kubernetes Object-level Permission Control
- Cluster Management
- Images
- Worker node introduction
- Normal Node Management
- Native Node Management
- Purchasing Native Nodes
- Supernode management
- Purchasing a Super Node
- Registered Node Management
- Memory Compression Instructions
- GPU Share
- qGPU Online/Offline Hybrid Deployment
- Kubernetes Object Management
- Workload
- Configuration
- Auto Scaling
- Service Management
- Ingress Management
- CLB Type Ingress
- API Gateway Type Ingress
- Storage Management
- Use File to Store CFS
- Use Cloud Disk CBS
- Add-On Management
- CBS-CSI Description
- Network Management
- GlobalRouter Mode
- VPC-CNI Mode
- Static IP Address Mode Instructions
- Cilium-Overlay Mode
- OPS Center
- Audit Management
- Event Management
- Monitoring Management
- Log Management
- Using CRD to Configure Log Collection
- Backup Center
- TKE Serverless Cluster Guide
- Purchasing a TKE Serverless Cluster
- TKE Serverless Cluster Management
- Super Node Management
- Kubernetes Object Management
- OPS Center
- Log Collection
- Using a CRD to Configure Log Collection
- Audit Management
- Event Management
- TKE Registered Cluster Guide
- Registered Cluster Management
- Ops Guide
- TKE Insight
- TKE Scheduling
- Job Scheduling
- Native Node Dedicated Scheduler
- Cloud Native Service Guide
- Cloud Service for etcd
- Version Maintenance
- Cluster Troubleshooting
- Practical Tutorial
- Cluster
- Serverless Cluster
- Mastering Deep Learning in Serverless Cluster
- Scheduling
- Security
- Service Deployment
- Proper Use of Node Resources
- Network
- DNS
- Self-Built Nginx Ingress Practice Tutorial
- Logs
- Monitoring
- OPS
- DevOps
- Construction and Deployment of Jenkins Public Network Framework Appications based on TKE
- Auto Scaling
- KEDA
- Containerization
- Microservice
- Cost Management
- Hybrid Cloud
- Fault Handling
- Pod Status Exception and Handling
- Pod exception troubleshooter
- API Documentation
- Making API Requests
- Elastic Cluster APIs
- Resource Reserved Coupon APIs
- Cluster APIs
- Third-party Node APIs
- Network APIs
- Node APIs
- Node Pool APIs
- TKE Edge Cluster APIs
- Cloud Native Monitoring APIs
- Super Node APIs
- TKE API 2022-05-01
- Making API Requests
- Node Pool APIs
- FAQs
- TKE General Cluster
- TKE Serverless Cluster
- About OPS
- Service Agreement
- User Guide(Old)
DocumentationTencent Kubernetes EngineTKE General Cluster Guide Network Management VPC-CNI ModeVPC-CNI Component Description
VPC-CNI Component Description
Last updated: 2024-02-01 10:04:17
VPC-CNI component contains three kubernetes cluster components:
tke-eni-agent, tke-eni-ipamd and tke-eni-ip-scheduler.tke-eni-agent
It is deployed on each node of the cluster in the form of
daemonset. The responsibilities are described below.Copy
tke-route-eni, tke-eni-ipamc and other CNI plugins to the directory of CNI executive file of the node (it is set to /opt/cni/bin by default).Generate CNI configuration file in CNI configuration directory (it is set to
/etc/cni/net.d/ by default).Configure policy-based routing and an ENI for the node.
It acts as the GRPC Server to be responsible for allocating/releasing Pod IPs.
Conduct IP garbage collection periodically, and reclaim IPs for which the Pods does not on the node.
Set expansion resources of ENIs and IPs through [Device Plugins] of kubernetes(https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/).
tke-eni-ipamd
It is deployed on certain nodes or masters of the cluster in the form of
deployment. The responsibilities are described below.Create and manage CRD resources such as nec, vipc, vip and veni.
In non-static IP address mode, create/bind/unbind/delete an ENI and allocate/release an ENI IP based on node requirements and status.
In static IP address mode, create/bind/unbind/delete an ENI and allocate/release an ENI IP based on Pod requirements and status.
Manage the security groups of ENIs of the node.
Create/bind/unbind/delete an EIP based on Pod requirements.
tke-eni-ip-scheduler
It is deployed on certain nodes or masters of the cluster in the form of
deployment only in static IP address mode to act as an extension plugin for scheduling. The responsibilities are described below.If there are multiple subnets, it schedule the Pods with static IP addresses to the nodes of the specified subnet.
In static IP address mode, it judges whether the IPs in the subnets corresponding to the node to which the Pod is scheduled are sufficient.
Component Permission Description
Note:
The Permission Scenarios section only lists the permissions related to the core features of the components, for a complete permission list, please refer to the Permission Definition.
tke-eni-agent Permission
Permission Description
The permission of this component is the minimal dependency required for the current feature to operate.
To modify network-related kernel parameters, such as net.ipv4.ip_forward, net.ipv4.rp_filter, etc., thus the activation of a privileged-level container is required.
Permission Scenarios
Feature | Involved Object | Involved Operation Permission |
In the process of IP allocation, obtaining information related to pods and nodes is required. | pods, namespaces, and nodes | get/list/watch |
Obtaining the network configuration information | configmaps | get/list/watch |
Managing the relevant network extended resources of the nodes, such as tke.cloud.tencent.com/eni-ip, etc. | nodes/status | get/list/watch/patch |
Obtaining IP, Network Interface Card, and other network configuration details through a self-defined object, and collaborating with the eni-ipamd component | networking.tke.cloud.tencent.com groups | get/list/watch/delete/update |
Exposing the working status of components through events and information related to changes in the node network | events | get/list/watch/create/update/patch |
Permission Definition
kind: ClusterRolemetadata:name: tke-eni-agentrules:- apiGroups: [""]resources:- pods- namespaces- nodes- configmapsverbs: ["list", "watch", "get"]- apiGroups: [""]resources:- nodes/statusverbs: ["list", "watch", "get", "patch"]- apiGroups: ["networking.tke.cloud.tencent.com"]resources:- underlayips- nodeeniconfigs- vpcipclaims- vpcips- vpcenisverbs: ["get", "list", "watch", "delete", "update"]- apiGroups: [""]resources:- eventsverbs: ["list", "watch", "get", "update", "patch", "create"]
tke-eni-ipamd Permission
Permission Description
The permission of this component is the minimal dependency required for the current feature to operate.
Permission Scenarios
Feature | Involved Object | Involved Operation Permission |
In the process of IP allocation, obtaining information related to pods and nodes is required. | pods, namespaces, nodes, and nodes/status | get/list/watch |
In the process of allocating IP to the super node's Pod, it is required to update the allocation information to the Pod's annotation. | pods | update/patch |
Under the global routing work pattern, it is required to write the podCIDR assigned to the node on the node's object. Simultaneously, when working in conjunction with the node's auto-scaling, it is required to update the node's conditions and taints. | nodes, and nodes/status | update/patch |
The multi-replica operation feature is based on LeaderElection, which requires read and write permissions for associated configmaps or endpoints, with operational information exposed via events. | configmaps, endpoints, and events | get/list/watch/create/update/patch |
When a Pod with a fixed IP is terminated, it is required to obtain its associated workload information to determine whether the fixed IP needs to be released. | statefulsets and deployments | get/list/watch |
Using custom objects to manage relevant network resources (Elastic Network Interface, IP, Security Group, etc.). | customresourcedefinitions | create/update/get |
| networking.tke.cloud.tencent.com apiGroups | get/list/watch/create/update/patch/delete |
It is required to obtain the native node-related information. | node.tke.cloud.tencent.com apiGroups | get/list/watch |
Registration of node-related capabilities requires collaboration with the Cilium component. | cilium.io apiGroups | get/list/watch/create/update/patch/delete |
Permission Definition
apiVersion: rbac.authorization.k8s.io/v1# kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1kind: ClusterRolemetadata:name: tke-eni-ipamdrules:- apiGroups: [""]resources:- pods- namespaces- nodes- nodes/statusverbs: ["list", "watch", "get", "patch", "update"]- apiGroups: [""]resources:- configmaps- endpoints- eventsverbs: ["get", "list", "watch", "update", "create", "patch"]- apiGroups: ["apps", "extensions"]resources:- statefulsets- deploymentsverbs: ["list", "watch", "get"]- apiGroups: ["apiextensions.k8s.io"]resources:- customresourcedefinitionsverbs: ["create", "update", "get"]- apiGroups: ["networking.tke.cloud.tencent.com"]resources:- staticipconfigs- underlayips- nodeeniconfigs- vpcipclaims- vpcips- eipclaims- vpcenisverbs: ["create", "update", "delete", "get", "list", "watch", "patch"]- apiGroups: ["node.tke.cloud.tencent.com"]resources:- machinesverbs: ["get", "list", "watch"]- apiGroups: [ "cilium.io" ]resources:- ciliumnodes- ciliumnodes/status- ciliumnodes/finalizersverbs: [ "create", "update", "delete", "get", "list", "watch", "patch" ]
tke-eni-ip-scheduler Permission
Permission Description
The permission of this component is the minimal dependency required for the current feature to operate.
The related directory /var/lib/kubelet on the host machine needs to be mounted to the container to accomplish volume mount/unmount, hence the activation of the privileged-level container is required.
Permission Scenarios
Feature | Involved Object | Involved Operation Permission |
An expansion of bindVerb is required, to address the issue of IP allocation conflicts when binding the Pod concurrency. | pods/binding | get/list/watch/create/update/patch |
The multi-replica operation feature is based on LeaderElection, which requires read and write permissions for associated configmaps or endpoints, with operational information exposed via events. | configmaps,endpoints,events | get/list/watch/create/update/patch |
During scheduling expansion, it is required to obtain relevant information about pods and nodes. | pods,namespaces,nodes,nodes/status | get/list/watch |
During scheduling expansion, it is required to interact with the custom object of the component, thus ensuring the complete allocation of IPs and resolving the conflicts of IP allocation. | networking.tke.cloud.tencent.com groups | get/list/watch/update |
Permission Definition
apiVersion: rbac.authorization.k8s.io/v1# kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1kind: ClusterRolemetadata:name: tke-eni-ip-schedulerrules:- apiGroups: [""]resources:- pods/bindingverbs: ["get", "list", "watch", "update", "create", "patch"]- apiGroups: [""]resources:- ["configmaps", "endpoints", "events"]verbs: ["get", "list", "watch", "update", "create", "patch"]- apiGroups: [""]resources:- ["pods", "namespaces", "nodes", "nodes/status"]verbs: ["list", "watch", "get"]- apiGroups: ["networking.tke.cloud.tencent.com"]resources:- ["nodeeniconfigs", "vpcipclaims", "vpcips"]verbs: ["get", "list", "watch", "update"]
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No