Three components are involved: tke-eni-agent, tke-eni-ipamd and tke-eni-ip-scheduler.

tke-eni-agent: deployed as a DaemonSet on every node in the cluster. Responsibilities:
- installs CNI plugins such as tke-route-eni and tke-eni-ipamc into the node's CNI binary directory (default /opt/cni/bin);
- generates the CNI configuration file in the node's CNI configuration directory (default /etc/cni/net.d/).

tke-eni-ipamd: deployed as a Deployment on specific nodes or on the master nodes of the cluster.

tke-eni-ip-scheduler: deployed as a Deployment on specific nodes or on the master nodes of the cluster; it is deployed only in fixed-IP mode and acts as a scheduler extender.

tke-eni-agent permissions

Because the agent runs on every node, the ClusterRole below is held by a service account token that exists on every node. The patch grant on nodes/status and the delete/update grants on the networking custom objects are cluster-wide, so they are usable from any node, not only against the node a given agent manages.

| Function | Objects | Verbs |
| --- | --- | --- |
| Reads Pod and Node information while allocating IPs. | pods, namespaces, nodes | get/list/watch |
| Reads the network configuration. | configmaps | get/list/watch |
| Manages the node's network extended resources, such as tke.cloud.tencent.com/eni-ip. | nodes/status | get/list/watch/patch |
| Reads allocated IPs, ENIs and other network configuration through the custom objects, working together with the eni-ipamd component. | networking.tke.cloud.tencent.com apiGroup | get/list/watch/delete/update |
| Exposes the component's working state and node network changes through events. | events | get/list/watch/create/update/patch |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tke-eni-agent
rules:
- apiGroups: [""]
  resources:
  - pods
  - namespaces
  - nodes
  - configmaps
  verbs: ["list", "watch", "get"]
- apiGroups: [""]
  resources:
  - nodes/status
  verbs: ["list", "watch", "get", "patch"]
- apiGroups: ["networking.tke.cloud.tencent.com"]
  resources:
  - underlayips
  - nodeeniconfigs
  - vpcipclaims
  - vpcips
  - vpcenis
  verbs: ["get", "list", "watch", "delete", "update"]
- apiGroups: [""]
  resources:
  - events
  verbs: ["list", "watch", "get", "update", "patch", "create"]
```
tke-eni-ipamd permissions

| Function | Objects | Verbs |
| --- | --- | --- |
| Reads Pod and Node information while allocating IPs. | pods, namespaces, nodes, nodes/status | get/list/watch |
| When allocating IPs to Pods on super nodes, writes the allocation result into the Pod's annotations. | pods | update/patch |
| In global-route mode, writes the podCIDR allocated to a node onto the nodes object; when working with node auto-scaling, also updates node conditions and taints. | nodes, nodes/status | update/patch |
| Multi-replica operation is based on LeaderElection, which needs read/write access to configmaps or endpoints; runtime status is exposed through events. | configmaps, endpoints, events | get/list/watch/create/update/patch |
| When a fixed-IP Pod is destroyed, reads the owning workload to decide whether the fixed IP should be released. | statefulsets, deployments | get/list/watch |
| Uses custom objects to manage the related network resources (ENIs, IPs, security groups and so on). | customresourcedefinitions | create/update/get |
| Reads and writes those custom objects (same function as the row above). | networking.tke.cloud.tencent.com apiGroup | get/list/watch/create/update/patch/delete |
| Reads information about native nodes. | node.tke.cloud.tencent.com apiGroup | get/list/watch |
| Registered-node support works together with the cilium component. | cilium.io apiGroup | get/list/watch/create/update/patch/delete |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
# kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: tke-eni-ipamd
rules:
- apiGroups: [""]
  resources:
  - pods
  - namespaces
  - nodes
  - nodes/status
  verbs: ["list", "watch", "get", "patch", "update"]
- apiGroups: [""]
  resources:
  - configmaps
  - endpoints
  - events
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: ["apps", "extensions"]
  resources:
  - statefulsets
  - deployments
  verbs: ["list", "watch", "get"]
- apiGroups: ["apiextensions.k8s.io"]
  resources:
  - customresourcedefinitions
  verbs: ["create", "update", "get"]
- apiGroups: ["networking.tke.cloud.tencent.com"]
  resources:
  - staticipconfigs
  - underlayips
  - nodeeniconfigs
  - vpcipclaims
  - vpcips
  - eipclaims
  - vpcenis
  verbs: ["create", "update", "delete", "get", "list", "watch", "patch"]
- apiGroups: ["node.tke.cloud.tencent.com"]
  resources:
  - machines
  verbs: ["get", "list", "watch"]
- apiGroups: ["cilium.io"]
  resources:
  - ciliumnodes
  - ciliumnodes/status
  - ciliumnodes/finalizers
  verbs: ["create", "update", "delete", "get", "list", "watch", "patch"]
```
tke-eni-ip-scheduler permissions

| Function | Objects | Verbs |
| --- | --- | --- |
| Extends the bind verb to resolve IP allocation conflicts when Pods are bound concurrently. | pods/binding | get/list/watch/create/update/patch |
| Multi-replica operation is based on LeaderElection, which needs read/write access to configmaps or endpoints; runtime status is exposed through events. | configmaps, endpoints, events | get/list/watch/create/update/patch |
| Extended scheduling needs Pod and Node information. | pods, namespaces, nodes, nodes/status | get/list/watch |
| Extended scheduling interacts with the component's custom objects to complete IP allocation and resolve IP allocation conflicts. | networking.tke.cloud.tencent.com apiGroup | get/list/watch/update |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
# kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: tke-eni-ip-scheduler
rules:
- apiGroups: [""]
  resources:
  - pods/binding
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: [""]
  # resources must be a flat list of strings; a nested list ("- [...]") is rejected by the API server
  resources: ["configmaps", "endpoints", "events"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: [""]
  resources: ["pods", "namespaces", "nodes", "nodes/status"]
  verbs: ["list", "watch", "get"]
- apiGroups: ["networking.tke.cloud.tencent.com"]
  resources: ["nodeeniconfigs", "vpcipclaims", "vpcips"]
  verbs: ["get", "list", "watch", "update"]
```
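The three permission tables above are the justification for the three ClusterRoles; a least-privilege review checks that each manifest grants nothing the table does not explain, and that the write verbs in particular are all accounted for. The script below is an added example of that check, not part of this page or of the TKE components. It takes the rules of the tke-eni-ip-scheduler ClusterRole as transcribed from the manifest above (the shape `kubectl get clusterrole -o json` returns), rebuilds the requirement set from its permission table, and reports any grant the table does not cover; it also answers "can this role do X?" for a single role the way `kubectl auth can-i` would, including RBAC wildcard and subresource matching. The function names and the drifted wildcard rule at the end are assumptions for illustration.

```python
"""Least-privilege check for a VPC-CNI ClusterRole.

Added example, not part of the TKE documentation or of the components
themselves. SCHEDULER_RULES is transcribed from the tke-eni-ip-scheduler
manifest above; SCHEDULER_TABLE is transcribed from its permission table.
"""
from __future__ import annotations
from typing import Iterable

Triple = tuple[str, str, str]  # (apiGroup, resource, verb); "" is the core group

SCHEDULER_RULES = [
    {"apiGroups": [""], "resources": ["pods/binding"],
     "verbs": ["get", "list", "watch", "update", "create", "patch"]},
    {"apiGroups": [""], "resources": ["configmaps", "endpoints", "events"],
     "verbs": ["get", "list", "watch", "update", "create", "patch"]},
    {"apiGroups": [""], "resources": ["pods", "namespaces", "nodes", "nodes/status"],
     "verbs": ["list", "watch", "get"]},
    {"apiGroups": ["networking.tke.cloud.tencent.com"],
     "resources": ["nodeeniconfigs", "vpcipclaims", "vpcips"],
     "verbs": ["get", "list", "watch", "update"]},
]

# Rows of the permission table: (apiGroup, resources, verbs).
SCHEDULER_TABLE = [
    ("", ["pods/binding"], ["get", "list", "watch", "create", "update", "patch"]),
    ("", ["configmaps", "endpoints", "events"],
     ["get", "list", "watch", "create", "update", "patch"]),
    ("", ["pods", "namespaces", "nodes", "nodes/status"], ["get", "list", "watch"]),
    ("networking.tke.cloud.tencent.com",
     ["nodeeniconfigs", "vpcipclaims", "vpcips"], ["get", "list", "watch", "update"]),
]

# Verbs that mutate state; every one of these should have a row in the table.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def expand_rules(rules: Iterable[dict]) -> set[Triple]:
    """Flatten PolicyRules into (apiGroup, resource, verb) triples.
    Wildcards stay as the literal "*" so can_i() can match them."""
    return {(g, r, v)
            for rule in rules
            for g in rule.get("apiGroups", [])
            for r in rule.get("resources", [])
            for v in rule.get("verbs", [])}


def required_from_table(table: Iterable[tuple[str, list[str], list[str]]]) -> set[Triple]:
    """Turn permission-table rows into the same triple form as expand_rules()."""
    return {(g, r, v) for g, rs, vs in table for r in rs for v in vs}


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def can_i(rules: Iterable[dict], group: str, resource: str, verb: str) -> bool:
    """Answer like `kubectl auth can-i` would for this one role.
    RBAC matches group, resource and verb literally or via "*"; a
    subresource such as nodes/status must be named explicitly, so a grant
    on "nodes" does not cover it."""
    return any(_match(g, group) and _match(r, resource) and _match(v, verb)
               for g, r, v in expand_rules(rules))


def excess_grants(rules: Iterable[dict], required: set[Triple]) -> set[Triple]:
    """Grants in the manifest that the documented table does not justify.
    A "*" rule is always reported, since no table row documents a wildcard."""
    return expand_rules(rules) - required


def write_grants(rules: Iterable[dict]) -> set[Triple]:
    """The state-mutating subset of a role: the grants to review first."""
    return {t for t in expand_rules(rules) if t[2] in WRITE_VERBS}


if __name__ == "__main__":
    required = required_from_table(SCHEDULER_TABLE)
    print("bind pods:", can_i(SCHEDULER_RULES, "", "pods/binding", "create"))
    print("delete pods:", can_i(SCHEDULER_RULES, "", "pods", "delete"))
    print("undocumented:", excess_grants(SCHEDULER_RULES, required))
    # Hypothetical drift: someone widened the CRD rule to a wildcard. Caught at once.
    drifted = SCHEDULER_RULES[:-1] + [{"apiGroups": ["networking.tke.cloud.tencent.com"],
                                        "resources": ["*"], "verbs": ["*"]}]
    for grant in sorted(excess_grants(drifted, required)):
        print("undocumented grant:", grant)
```

The same check applies to the tke-eni-agent and tke-eni-ipamd roles by transcribing their rules and table rows in the same shape; for the agent, `write_grants()` is the list worth reading first, since every node holds that token.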