Baidu AI Cloud


          Cloud Container Engine

          Description and Planning of CCE Cluster Network

          Proper planning of the cluster network allows it to keep up with the requirements of business growth. This document introduces the functions of the various network addresses in the Baidu AI Cloud VPC environment, as well as how to plan the address ranges.

          Concept of Cluster Network

          The cluster network consists of the node network, the container network and the service network; their concepts are as follows.

          Node Network

          The node network is the IP address range from which hosts (nodes) in the cluster are assigned their IP addresses. When creating a cluster, you select the subnet of the node network. For more information about the node network and subnet, please refer to Private Network VPC Subnet.

          Container Network

          The container network is the segment in which container instances (Pods) are located; it cannot be modified after the cluster is created.

          • A Pod is the smallest management unit in Kubernetes, and corresponds to an independent IP in the Kubernetes network model.
          • The container network is the IP address range from which Pods are assigned their IP addresses. Baidu AI Cloud CCE provides three categories of user-defined segments, 10, 192 and 172, as the container network, and automatically computes the maximum number of nodes the container network allows in the cluster according to the configured maximum number of Pods running on a single node. Limit: because the maximum size of the VPC routing table is 200, and each node's container segment occupies one route, the routing table also caps the number of nodes.

          Service Network

          A Kubernetes Service has no entity in the actual network; the Service network is a purely virtual IP segment.

          • On each node, kube-proxy forwards traffic sent to a Service address to the corresponding back-end Pods through iptables or IPVS.
          • The Service address range must not overlap with the container network or the node network.
          • The Service address is used inside the Kubernetes cluster and cannot be used outside the cluster. Currently, the Service address range is not exposed to users for selection: CCE selects, from 172.[16-31].0.0/16, the first range that doesn't conflict with the container network and the node network as the Service network address.

          Schematic Diagram of CCE Cluster Network

          The architecture diagram of CCE cluster network is as follows, including node network, container network and service network.

          Descriptions of Container Network Conflicts

          CCE checks the container network you configure for address conflicts. If there is a conflict, you can view the details to find the conflicting address or route, and choose to use the recommended container network instead. If the recommended container network is empty, the current VPC has no available container network; in that case it is recommended to create a new VPC in which to create the CCE cluster.

          Click to view details:

          You can view the conflict details of the container network, and select to use the recommended container network.

          The container network conflict check covers the following points:

          1. Check that the container network doesn't conflict with the node network.

          2. Check that the current container network doesn't conflict with the container network of any cluster already created in the VPC where the current cluster is located.

          3. Check that the current container network doesn't conflict with the existing VPC routes of the VPC where the current cluster is located (first check whether the route's source address is 0.0.0.0/0; if so, continue to compare its destination address).
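          The three conflict checks above, together with the Service network selection from 172.[16-31].0.0/16 described earlier, can be expressed as plain CIDR overlap logic. The following is an added illustration, not CCE's own code; the route list and candidate container networks are constructed sample data, and the helper names are hypothetical.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

ANY_SRC = ipaddress.ip_network("0.0.0.0/0")


def container_network_conflicts(container: str, node_subnet: str,
                                other_cluster_containers: Iterable[str],
                                vpc_routes: Iterable[Tuple[str, str]]) -> List[str]:
    """Return a description of every conflict; an empty list means the CIDR is usable.

    vpc_routes is an iterable of (source CIDR, destination CIDR) pairs, which is a
    constructed representation of the VPC routing table (hypothetical format).
    """
    cn = ipaddress.ip_network(container)
    conflicts: List[str] = []
    # Check 1: the container network must not overlap the node subnet.
    node = ipaddress.ip_network(node_subnet)
    if cn.overlaps(node):
        conflicts.append(f"node network {node}")
    # Check 2: it must not overlap the container network of any existing cluster in the VPC.
    for other in other_cluster_containers:
        o = ipaddress.ip_network(other)
        if cn.overlaps(o):
            conflicts.append(f"container network {o} of an existing cluster")
    # Check 3: only routes whose source is 0.0.0.0/0 are considered; compare the destination.
    for src, dst in vpc_routes:
        if ipaddress.ip_network(src) != ANY_SRC:
            continue
        d = ipaddress.ip_network(dst)
        if cn.overlaps(d):
            conflicts.append(f"VPC route to {d}")
    return conflicts


def recommend_container_network(candidates: Iterable[str], node_subnet: str,
                                other_cluster_containers: Iterable[str],
                                vpc_routes: Iterable[Tuple[str, str]]) -> Optional[str]:
    """First candidate that passes all three checks; None mirrors the 'empty recommendation' case."""
    others = list(other_cluster_containers)
    routes = list(vpc_routes)
    for cand in candidates:
        if not container_network_conflicts(cand, node_subnet, others, routes):
            return cand
    return None


def first_free_service_network(node_subnet: str, container: str) -> Optional[str]:
    """Pick the first 172.[16-31].0.0/16 that overlaps neither the node nor the container network."""
    used = [ipaddress.ip_network(node_subnet), ipaddress.ip_network(container)]
    for second_octet in range(16, 32):
        cand = ipaddress.ip_network(f"172.{second_octet}.0.0/16")
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None
```

          With the node subnet and container network both set to 172.16.0.0/16, as in the planning section, the first check reports the conflict; with a 192.168.0.0/16 node subnet, the Service network lands on 172.17.0.0/16 because 172.16.0.0/16 is taken by the container network.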

          Cluster Network Planning

          To ensure network connectivity among containers, CCE adds each node's container network segment to the VPC routing table when a cluster is created. To avoid segment conflicts, the VPC and container network segments should be divided sensibly.

          The VPC node subnet must not conflict with the container network. If the VPC node subnet is 172.16.0.0/16 and the container network is also 172.16.0.0/16, a container network conflict is reported when the cluster is created, and the recommended container network should be used instead.

          Example

          The full process of creating a CCE cluster in a VPC is demonstrated by the complete example below.

          Step 1: Create VPC Network

          1. Log in to the VPC Console.

          2. Click "Create VPC".

          3. Select the VPC CIDR and click "Confirm".

          In this example, the VPC network 192.168.0.0/16 is selected to avoid conflicting with the container network.

          Step 2: Create a Subnet in VPC Network

          1. After the VPC is created, create a subnet under the VPC and select the CIDR of the subnet.

          2. Select the general or NAT-exclusive device type. If public network access is required, refer to CCE Practice of Accessing Public Network.

          Step 3: Create CCE Cluster

          1. Log in to the CCE Cluster Console.

          2. Select "Create a Cluster".

          3. Select the node network and the node subnet just created. If a container network conflict is reported, click to view the details and use the recommended container network.

          Step 4: Verify the Node IP

          After the container cluster is created, verify the node IPs.

          1. Select the just-created cluster in the CCE Cluster Console.

          2. Click "Node List" in the left navigation bar.

          3. Check whether the intranet IP of each node belongs to the node subnet selected when the cluster was created.

          It is as shown in the figure below:

          Step 5: Verify the Routing Table

          1. Log in to the VPC Console.

          2. Select the just-created VPC.

          3. Click "Routing Table" in the left navigation bar. You can see the route entries added for the network segments 172.16.x.0/24; the next hop of each is the ID of the corresponding BCC instance.

          It is as shown in the figure below:

          Step 6: Verify the Pod IP

          Finally, verify whether the IPs assigned to Pods are correct.

          1. Select the just-created cluster in the CCE Cluster Console.

          2. Select the node list, and then use VPC remote login to log in to the cluster.

          3. Enter the user name and password, and execute: kubectl get pods -n kube-system -o wide

          It is as shown in the figure below: the IPs assigned to the containers are 172.16.0.x, which belong to the container network selected when the cluster was created.

          The above verification shows that a cluster has been created in the VPC network.
