Exploration and Practice of Calico Network Plugin

This article explores the configuration and day-to-day use of the Calico network plugin in Kubernetes clusters, walking through common troubleshooting methods and network optimization strategies.

Overview

Calico is a widely used Container Network Interface (CNI) plugin in the Kubernetes ecosystem, providing high-performance network connectivity and flexible network policy management. Drawing on production experience, this article analyzes Calico's core functions and the key points of its configuration.

Core Functional Architecture

Calico uses a Layer 3 routing model to implement inter-container communication. The main components include:

  • Felix: Daemon running on each node, responsible for route configuration and ACL rules
  • BIRD: Route distribution component, implementing route information exchange between nodes
  • confd: Dynamic configuration generation tool
  • CNI Plugin: Interfaces with the Kubernetes network model

Configuration Management and Practice

IP Address Pool Configuration

Network Architecture Principles

graph TD
    subgraph Kubernetes Cluster
        node1[Node1] -->|BGP Route| node2[Node2]
        node1 -->|VXLAN Tunnel| node3[Node3]
        node2 -->|IPIP Tunnel| node3
    end
    node1 --> pod1[Pod]
    node2 --> pod2[Pod]
    node3 --> pod3[Pod]

[root@k8s-03:~/.kube 20:41 $]k get ippools.crd.projectcalico.org -o yaml
apiVersion: v1
items:
- apiVersion: crd.projectcalico.org/v1
  kind: IPPool
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"crd.projectcalico.org/v1","kind":"IPPool","metadata":{"annotations":{},"generation":1,"name":"default-ipv4-ippool"},"spec":{"allowedUses":["Workload","Tunnel"],"blockSize":26,"cidr":"192.168.0.0/16","ipipMode":"Never","natOutgoing":true,"nodeSelector":"all()","vxlanMode":"Always"}}
      projectcalico.org/metadata: '{"uid":"0891de51-013e-4a44-9cb6-0c142f480567","creationTimestamp":"2023-05-26T07:36:30Z"}'
    creationTimestamp: "2023-05-26T07:36:30Z"
    generation: 3
    name: default-ipv4-ippool
    resourceVersion: "37479"
    uid: de7868c1-ad93-4441-aa22-9198d07822f5
  spec:
    allowedUses:
    - Workload
    - Tunnel
    blockSize: 26
    cidr: 192.168.0.0/16
    ipipMode: Never
    natOutgoing: true
    nodeSelector: all()
    vxlanMode: Always
kind: List
metadata:
  resourceVersion: ""

[root@k8s-03:~/.kube 20:41 $]k edit ippools.crd.projectcalico.org default-ipv4-ippool

Configuration Modification Considerations

  1. After modifying the IPPool, the calico-node component must be restarted for the configuration to take effect
  2. Changing the CIDR may interrupt networking for existing Pods; operate with caution
  3. The choice between VXLAN and IPIP mode must weigh network performance against compatibility

Detailed Configuration Steps

Modifying IPPool Configuration

  1. Get current configuration:
    kubectl get ippools.crd.projectcalico.org -o yaml
    
  2. Edit configuration:
    kubectl edit ippools.crd.projectcalico.org default-ipv4-ippool
    
  3. Description of main parameters:
    • cidr: Pod network CIDR range
    • vxlanMode: Always enables VXLAN
    • ipipMode: Never disables IPIP
    • natOutgoing: true enables outbound NAT
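Before running the kubectl edit step, it helps to check the intended spec against the constraints behind the parameters listed above and the modification considerations in the previous section. The following Python is an added example, not part of the original article or of Calico: it lints an IPPool spec (the sample values are copied from the default-ipv4-ippool output shown earlier), computes how many address blocks the pool yields, and lists the changes between an old and a new spec that the article warns are disruptive.

```python
import ipaddress

# Constructed sample: the spec of the default-ipv4-ippool shown above, as
# kubectl returns it (values copied from the article's output).
CURRENT_SPEC = {
    "allowedUses": ["Workload", "Tunnel"],
    "blockSize": 26,
    "cidr": "192.168.0.0/16",
    "ipipMode": "Never",
    "natOutgoing": True,
    "nodeSelector": "all()",
    "vxlanMode": "Always",
}

def lint_ippool(spec):
    """Return a list of problems in an IPv4 IPPool spec; an empty list means OK."""
    problems = []
    try:
        net = ipaddress.ip_network(spec["cidr"])  # strict: rejects host bits set
    except (KeyError, ValueError) as exc:
        return [f"cidr invalid: {exc}"]
    block = spec.get("blockSize", 26)
    if not 20 <= block <= 32:          # Calico's documented IPv4 blockSize range
        problems.append(f"blockSize {block} outside the IPv4 range 20-32")
    elif block < net.prefixlen:        # a block cannot be larger than the pool
        problems.append(f"blockSize /{block} is larger than the pool /{net.prefixlen}")
    if spec.get("ipipMode", "Never") != "Never" and spec.get("vxlanMode", "Never") != "Never":
        problems.append("ipipMode and vxlanMode cannot both be enabled on one pool")
    return problems

def pool_capacity(spec):
    """(number of blocks, addresses per block) the pool can hand out to nodes."""
    net = ipaddress.ip_network(spec["cidr"])
    return 2 ** (spec["blockSize"] - net.prefixlen), 2 ** (32 - spec["blockSize"])

def disruptive_changes(old, new):
    """Fields whose change the article warns about before you run `kubectl edit`."""
    changes = []
    if old["cidr"] != new["cidr"]:
        old_net, new_net = ipaddress.ip_network(old["cidr"]), ipaddress.ip_network(new["cidr"])
        kind = "widened" if old_net.subnet_of(new_net) else "moved/shrunk: existing Pod IPs fall outside it"
        changes.append(f"cidr {kind}")
    for key in ("ipipMode", "vxlanMode"):
        if old.get(key, "Never") != new.get(key, "Never"):
            changes.append(f"{key} changed: encapsulation change, restart calico-node")
    return changes
```

With the article's pool, pool_capacity reports 1024 blocks of 64 addresses, which is the per-node allocation granularity that the blockSize of 26 implies.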

Common Troubleshooting

Inter-node Communication Failure

flowchart TD
    A[Inter-node network unreachable] --> B{Check Mode}
    B -->|VXLAN| C[Verify UDP 4789 port]
    B -->|IPIP| D[Verify Protocol Number 4]
    C --> E[Firewall Configuration]
    D --> E
    E --> F[Problem Solved]

Configuration Verification Commands

# Check Calico node status
calicoctl node status

# View routing table
ip route show

Performance Optimization Suggestions

  1. Use BGP instead of VXLAN for large-scale clusters
  2. Enable the eBPF data plane to improve performance
  3. Choose the IP address block size (blockSize) appropriately for the cluster

Reference Documentation