tencent cloud

Feedback

VPC-CNI Component Description

Last updated: 2024-02-01 10:04:17
    VPC-CNI component contains three kubernetes cluster components: tke-eni-agent, tke-eni-ipamd and tke-eni-ip-scheduler.

    tke-eni-agent

    It is deployed on each node of the cluster in the form of daemonset. The responsibilities are described below.
    Copy tke-route-eni, tke-eni-ipamc and other CNI plugins to the directory of CNI executive file of the node (it is set to /opt/cni/bin by default).
    Generate CNI configuration file in CNI configuration directory (it is set to /etc/cni/net.d/ by default).
    Configure policy-based routing and an ENI for the node.
    It acts as the GRPC Server to be responsible for allocating/releasing Pod IPs.
    Conduct IP garbage collection periodically, and reclaim IPs for which the Pods does not on the node.
    Set expansion resources of ENIs and IPs through [Device Plugins] of kubernetes(https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/).

    tke-eni-ipamd

    It is deployed on certain nodes or masters of the cluster in the form of deployment. The responsibilities are described below.
    Create and manage CRD resources such as nec, vipc, vip and veni.
    In non-static IP address mode, create/bind/unbind/delete an ENI and allocate/release an ENI IP based on node requirements and status.
    In static IP address mode, create/bind/unbind/delete an ENI and allocate/release an ENI IP based on Pod requirements and status.
    Manage the security groups of ENIs of the node.
    Create/bind/unbind/delete an EIP based on Pod requirements.

    tke-eni-ip-scheduler

    It is deployed on certain nodes or masters of the cluster in the form of deployment only in static IP address mode to act as an extension plugin for scheduling. The responsibilities are described below.
    If there are multiple subnets, it schedule the Pods with static IP addresses to the nodes of the specified subnet.
    In static IP address mode, it judges whether the IPs in the subnets corresponding to the node to which the Pod is scheduled are sufficient.

    Component Permission Description

    Note:
    The Permission Scenarios section only lists the permissions related to the core features of the components, for a complete permission list, please refer to the Permission Definition.

    tke-eni-agent Permission

    Permission Description

    The permission of this component is the minimal dependency required for the current feature to operate.
    To modify network-related kernel parameters, such as net.ipv4.ip_forward, net.ipv4.rp_filter, etc., thus the activation of a privileged-level container is required.

    Permission Scenarios

    Feature
    Involved Object
    Involved Operation Permission
    In the process of IP allocation, obtaining information related to pods and nodes is required.
    pods, namespaces, and nodes
    get/list/watch
    Obtaining the network configuration information
    configmaps
    get/list/watch
    Managing the relevant network extended resources of the nodes, such as tke.cloud.tencent.com/eni-ip, etc.
    nodes/status
    get/list/watch/patch
    Obtaining IP, Network Interface Card, and other network configuration details through a self-defined object, and collaborating with the eni-ipamd component
    networking.tke.cloud.tencent.com groups
    get/list/watch/delete/update
    Exposing the working status of components through events and information related to changes in the node network
    events
    get/list/watch/create/update/patch

    Permission Definition

    kind: ClusterRole
    metadata:
    name: tke-eni-agent
    rules:
    - apiGroups: [""]
    resources:
    - pods
    - namespaces
    - nodes
    - configmaps
    verbs: ["list", "watch", "get"]
    - apiGroups: [""]
    resources:
    - nodes/status
    verbs: ["list", "watch", "get", "patch"]
    - apiGroups: ["networking.tke.cloud.tencent.com"]
    resources:
    - underlayips
    - nodeeniconfigs
    - vpcipclaims
    - vpcips
    - vpcenis
    verbs: ["get", "list", "watch", "delete", "update"]
    - apiGroups: [""]
    resources:
    - events
    verbs: ["list", "watch", "get", "update", "patch", "create"]

    tke-eni-ipamd Permission

    Permission Description

    The permission of this component is the minimal dependency required for the current feature to operate.

    Permission Scenarios

    Feature
    Involved Object
    Involved Operation Permission
    In the process of IP allocation, obtaining information related to pods and nodes is required.
    pods, namespaces, nodes, and nodes/status
    get/list/watch
    In the process of allocating IP to the super node's Pod, it is required to update the allocation information to the Pod's annotation.
    pods
    update/patch
    Under the global routing work pattern, it is required to write the podCIDR assigned to the node on the node's object. Simultaneously, when working in conjunction with the node's auto-scaling, it is required to update the node's conditions and taints.
    nodes, and nodes/status
    update/patch
    The multi-replica operation feature is based on LeaderElection, which requires read and write permissions for associated configmaps or endpoints, with operational information exposed via events.
    configmaps, endpoints, and events
    get/list/watch/create/update/patch
    When a Pod with a fixed IP is terminated, it is required to obtain its associated workload information to determine whether the fixed IP needs to be released.
    statefulsets and deployments
    get/list/watch
    Using custom objects to manage relevant network resources (Elastic Network Interface, IP, Security Group, etc.).
    customresourcedefinitions
    create/update/get
    networking.tke.cloud.tencent.com apiGroups
    get/list/watch/create/update/patch/delete
    It is required to obtain the native node-related information.
    node.tke.cloud.tencent.com apiGroups
    get/list/watch
    Registration of node-related capabilities requires collaboration with the Cilium component.
    cilium.io apiGroups
    get/list/watch/create/update/patch/delete

    Permission Definition

    apiVersion: rbac.authorization.k8s.io/v1
    # kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
    name: tke-eni-ipamd
    rules:
    - apiGroups: [""]
    resources:
    - pods
    - namespaces
    - nodes
    - nodes/status
    verbs: ["list", "watch", "get", "patch", "update"]
    - apiGroups: [""]
    resources:
    - configmaps
    - endpoints
    - events
    verbs: ["get", "list", "watch", "update", "create", "patch"]
    - apiGroups: ["apps", "extensions"]
    resources:
    - statefulsets
    - deployments
    verbs: ["list", "watch", "get"]
    - apiGroups: ["apiextensions.k8s.io"]
    resources:
    - customresourcedefinitions
    verbs: ["create", "update", "get"]
    - apiGroups: ["networking.tke.cloud.tencent.com"]
    resources:
    - staticipconfigs
    - underlayips
    - nodeeniconfigs
    - vpcipclaims
    - vpcips
    - eipclaims
    - vpcenis
    verbs: ["create", "update", "delete", "get", "list", "watch", "patch"]
    - apiGroups: ["node.tke.cloud.tencent.com"]
    resources:
    - machines
    verbs: ["get", "list", "watch"]
    - apiGroups: [ "cilium.io" ]
    resources:
    - ciliumnodes
    - ciliumnodes/status
    - ciliumnodes/finalizers
    verbs: [ "create", "update", "delete", "get", "list", "watch", "patch" ]
    

    tke-eni-ip-scheduler Permission

    Permission Description

    The permission of this component is the minimal dependency required for the current feature to operate.
    The related directory /var/lib/kubelet on the host machine needs to be mounted to the container to accomplish volume mount/unmount, hence the activation of the privileged-level container is required.

    Permission Scenarios

    Feature
    Involved Object
    Involved Operation Permission
    An expansion of bindVerb is required, to address the issue of IP allocation conflicts when binding the Pod concurrency.
    pods/binding
    get/list/watch/create/update/patch
    The multi-replica operation feature is based on LeaderElection, which requires read and write permissions for associated configmaps or endpoints, with operational information exposed via events.
    configmaps,endpoints,events
    get/list/watch/create/update/patch
    During scheduling expansion, it is required to obtain relevant information about pods and nodes.
    pods,namespaces,nodes,nodes/status
    get/list/watch
    During scheduling expansion, it is required to interact with the custom object of the component, thus ensuring the complete allocation of IPs and resolving the conflicts of IP allocation.
    networking.tke.cloud.tencent.com groups
    get/list/watch/update

    Permission Definition

    apiVersion: rbac.authorization.k8s.io/v1
    # kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
    name: tke-eni-ip-scheduler
    rules:
    - apiGroups: [""]
    resources:
    - pods/binding
    verbs: ["get", "list", "watch", "update", "create", "patch"]
    - apiGroups: [""]
    resources:
    - ["configmaps", "endpoints", "events"]
    verbs: ["get", "list", "watch", "update", "create", "patch"]
    - apiGroups: [""]
    resources:
    - ["pods", "namespaces", "nodes", "nodes/status"]
    verbs: ["list", "watch", "get"]
    - apiGroups: ["networking.tke.cloud.tencent.com"]
    resources:
    - ["nodeeniconfigs", "vpcipclaims", "vpcips"]
    verbs: ["get", "list", "watch", "update"]

    

    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support