Limiting speed for safe driving

Why Pod network bandwidth control is necessary

On a highway with heavy traffic, cars that refuse to slow down cause accidents, so everyone eases off and passes through carefully: only at a reduced speed is it safe to drive.
A cluster on the platform is the same. A single host runs a large number of containers; the containers are the cars, and all of their external network traffic shares the host's uplink as its highway. If one or a few containers suddenly start moving a lot of traffic and no bandwidth limit has been applied to them, they can monopolise the host's network, severely degrade the networking of every other container on that host, and in turn take down other workloads.

Prerequisites

  • OpenShift is running in multitenant network mode
    Edit /etc/origin/master/master-config.yaml and set networkPluginName to redhat/openshift-ovs-multitenant:

    ...
    hostSubnetLength: 9
    networkPluginName: redhat/openshift-ovs-multitenant
    serviceNetworkCIDR: 172.30.0.0/16
    ...

    The bandwidth annotations below are enforced by the openshift-sdn plugin on each node, not by the master, so networkPluginName must be set to the same value in every node's /etc/origin/node/node-config.yaml and the node services restarted. A Pod scheduled to a node that is not running the plugin keeps its annotations but is not shaped, and nothing reports that.

Adding bandwidth-limit annotations to a Pod

kind: Pod
apiVersion: v1
metadata:
  name: nginx
  annotations:
    kubernetes.io/ingress-bandwidth: 1M
    kubernetes.io/egress-bandwidth: 1M
spec:
  containers:
  - image: nginx
    name: nginx

Notes:

  • kubernetes.io/ingress-bandwidth limits traffic into the Pod, i.e. the Pod's downlink (what the Pod downloads, or receives as requests).
  • kubernetes.io/egress-bandwidth limits traffic out of the Pod, i.e. the Pod's uplink (what the Pod uploads, or sends back as responses).
  • The value is a bit rate. This post uses the M suffix throughout: 1M means 1 Mbit/s, roughly 122 KiB/s, so 0.5M is roughly 61 KiB/s.

Adding bandwidth-limit annotations to a DeploymentConfig

kind: DeploymentConfig
apiVersion: v1
metadata:
  labels:
    app: nginx
  name: nginx
  namespace: test
spec:
  replicas: 1
  selector:
    deploymentconfig: nginx
  template:
    metadata:
      annotations:
        kubernetes.io/egress-bandwidth: 0.5M
        kubernetes.io/ingress-bandwidth: 0.5M
      labels:
        app: nginx
        deploymentconfig: nginx
    spec:
      containers:
      - image: nginx
        name: nginx

Notes:

  • The limit is applied per Pod, so for a DeploymentConfig the annotations go in the Pod template (spec.template.metadata.annotations). Placing them in the DeploymentConfig's own metadata has no effect, because no Pod inherits them from there.
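A check worth running before relying on this: any Pod without the annotations is completely unshaped, which is exactly the noisy-neighbour case described at the top, and a mistyped value is not flagged by anything. The audit script below is an added example and is not part of the original post or of OpenShift. It assumes the Pod list has been dumped with the oc jsonpath query in its header comment (a constructed sample of that output is embedded so it runs offline), and it accepts the full set of Kubernetes quantity suffixes (k/M/G/T and Ki/Mi/Gi/Ti) rather than only the M suffix the post uses; that wider set is an assumption about how the annotation is parsed, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): audit Pods for missing,
# invalid or over-generous bandwidth annotations. Input is one Pod per
# line, tab-separated: namespace, name, ingress value, egress value,
# which is what this oc query prints:
#
#   oc get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.metadata.annotations.kubernetes\.io/ingress-bandwidth}{"\t"}{.metadata.annotations.kubernetes\.io/egress-bandwidth}{"\n"}{end}' \
#     | audit_bandwidth 10000000

# Convert a Kubernetes quantity such as 0.5M, 1Mi or 500k to bits/s.
# Decimal suffixes k/M/G/T are powers of 1000, binary suffixes Ki/Mi/Gi/Ti
# are powers of 1024 (assumed suffix set); anything else yields -1.
AWK_BITS='
function bits(q,    n, s, m) {
    if (q !~ /^[0-9]+(\.[0-9]+)?([kMGT]i?)?$/) return -1
    n = q; sub(/[^0-9.]+$/, "", n)
    s = q; sub(/^[0-9.]+/, "", s)
    if (s == "")        m = 1
    else if (s == "k")  m = 1000
    else if (s == "M")  m = 1000000
    else if (s == "G")  m = 1000000000
    else if (s == "T")  m = 1000000000000
    else if (s == "Ki") m = 1024
    else if (s == "Mi") m = 1048576
    else if (s == "Gi") m = 1073741824
    else if (s == "Ti") m = 1099511627776
    else return -1
    return n * m
}
'

# to_bits 0.5M -> 500000 ; to_bits 1X -> -1
to_bits() {
    awk -v q="$1" "$AWK_BITS"'BEGIN { printf "%.0f\n", bits(q) }'
}

# audit_bandwidth MAX_BITS_PER_SEC  < tsv
# Prints one finding per line. A Pod with no annotation is not shaped at
# all; a value above MAX is a per-tenant ceiling violation; a value the
# quantity parser rejects is silently ignored by the cluster.
audit_bandwidth() {
    awk -F '\t' -v max="$1" "$AWK_BITS"'
    function check(dir, val,    b) {
        if (val == "") { print "MISSING  " dir " " $1 "/" $2; return }
        b = bits(val)
        if (b < 0)        print "INVALID  " dir " " $1 "/" $2 " (" val ")"
        else if (b > max) print "EXCEEDS  " dir " " $1 "/" $2 " (" val " > " max " bit/s)"
    }
    NF >= 2 { check("ingress", $3); check("egress", $4) }'
}

# Constructed sample of what the oc query above would print (not real data).
sample_pods() {
    printf 'test\tnginx\t0.5M\t0.5M\n'
    printf 'test\tbatch-worker\t\t\n'
    printf 'prod\tapi-7f9\t1M\t\n'
    printf 'prod\tingest-3\t100M\t100M\n'
    printf 'prod\tbogus\t1X\t1M\n'
}

# Ceiling of 10M per Pod: reports 3 missing, 2 exceeding, 1 invalid.
sample_pods | audit_bandwidth 10000000
```

Run it against a live cluster by replacing sample_pods with the oc query from the header; pipe the findings into your ticketing or admission tooling, since the cluster itself will never raise them.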

Test (uplink and downlink both limited to 0.5M)

Pod downloading from the Internet

[root@demo ~]# oc rsh op-java-sample-13-7bmj7
sh-4.2$ wget https://xxxx.com/xx.zip
--2018-07-10 08:31:26-- https://xxxx.com/xx.zip
Resolving xxxx.com (xxxx.com)... 117.211.167.14
Connecting to xxxx.com (xxxx.com)|117.211.167.14|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: 'xx.zip.2'

14% [ <=> ] 211,857 57.2KB/s

Notes:
The download runs at 57.2 KB/s, which is consistent with the 0.5M ingress limit: 0.5 Mbit/s is 500,000 bit/s = 62,500 B/s, about 61 KiB/s in wget's units (K = 1024), and the remaining few percent is TCP/IP header overhead, which is shaped along with the payload that wget counts.

Accessing the Pod from outside

[root@demo ~]# wget http://10.131.1.32:8080/20180416.db
--2018-07-10 16:50:02-- http://10.131.1.32:8080/20180416.db
Connecting to 10.131.1.32:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10698784 (10M) [application/octet-stream]
Saving to: ‘20180416.db.1’

9% [ <=> ]1,056,888 58.3KB/s eta 4m 10s

Notes:
10.131.1.32 is the Pod's cluster IP. Downloading a file served by the Pod from the host gives 58.3 KB/s, again consistent with the 0.5M (about 61 KiB/s) limit, this time on the Pod's egress.

Access between Pods in the same project

sh-4.2$ wget http://10.131.1.32:8080/20180416.db
--2018-07-10 08:54:50-- http://10.131.1.32:8080/20180416.db
Connecting to 10.131.1.32:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10698784 (10M) [application/octet-stream]
Saving to: '20180416.db'

13% [======================> ] 1,480,482 57.6KB/s eta 47s

Notes:

  • Pod-to-Pod traffic is also governed by the Pod's bandwidth annotations: the limit is applied at the Pod's interface regardless of where the peer is, so staying inside the same project does not bypass it.
  • During testing the rate is high for the first moments and only drops to the configured limit after about 3-5 s. This is the normal behaviour of a token-bucket rate limiter: an idle bucket accumulates burst credit that the start of a transfer spends at full speed before the steady rate takes over. Take measurements after the rate has settled, and do not read the first seconds of a transfer as a limit that failed to apply. If a Pod never settles, confirm on its node with tc and ovs-vsctl that a qdisc or policing rate was actually installed on the Pod's veth.
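To turn the three measurements above into a repeatable check, the script below (an added example, not part of the original post) parses wget's progress lines, discards the first few samples to step over the initial burst just noted, and compares the steady peak with the ceiling derived from the annotation. The ceiling is given in bit/s (500000 for 0.5M), and wget's KB is taken as 1024 bytes. The progress lines it ships with are a constructed sample modelled on the runs above, not a captured log.

```shell
#!/bin/sh
# Added example, not from the original post: check that a measured transfer
# rate stays under the Pod's bandwidth ceiling. The ceiling is passed in
# bit/s (the 0.5M annotation = 500000); wget reports KB/s with K = 1024.

# ceiling_kibps BITS_PER_SEC -> KiB/s, e.g. 500000 -> 61.0
ceiling_kibps() {
    awk -v b="$1" 'BEGIN { printf "%.1f\n", b / 8 / 1024 }'
}

# Pull the rate out of one wget progress line and print it in KiB/s.
# Accepts the B/s, KB/s and MB/s units wget prints; prints nothing for
# lines that carry no rate (headers, "--.-KB/s" before the first sample).
wget_rate_kibps() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ "^[0-9.]+[KM]?B/s$") {
                v = $i; sub("[A-Za-z/]+$", "", v)
                if ($i ~ "MB/s$")       v = v * 1024
                else if ($i !~ "KB/s$") v = v / 1024
                printf "%.1f\n", v
                exit
            }
        }
    }'
}

# check_shaping CEILING_BITS SKIP TOLERANCE_PCT  < progress lines
# Ignores the first SKIP rate samples (the burst a token bucket allows at
# the start of a transfer), then requires the highest remaining sample to
# be no more than TOLERANCE_PCT above the ceiling. Exit 0 = OK, 1 = FAIL.
check_shaping() {
    ceiling=$(ceiling_kibps "$1")
    seen=0
    peak=0
    while IFS= read -r line; do
        rate=$(wget_rate_kibps "$line")
        [ -n "$rate" ] || continue
        seen=$((seen + 1))
        [ "$seen" -gt "$2" ] || continue
        peak=$(awk -v a="$peak" -v b="$rate" 'BEGIN { m = (b > a) ? b : a; printf "%.1f\n", m }')
    done
    awk -v p="$peak" -v c="$ceiling" -v t="$3" 'BEGIN {
        ok = (p <= c * (1 + t / 100))
        printf "%s peak=%.1fKiB/s ceiling=%.1fKiB/s\n", (ok ? "OK" : "FAIL"), p, c
        exit (ok ? 0 : 1)
    }'
}

# Constructed sample (not a captured log) modelled on the runs above: the
# first seconds exceed the limit, then the rate settles under 0.5M.
sample_progress() {
    printf '%s\n' \
        'HTTP request sent, awaiting response... 200 OK' \
        'Length: 10698784 (10M) [application/octet-stream]' \
        ' 3% [ <=> ] 331,776 320KB/s' \
        ' 6% [ <=> ] 663,552 311KB/s' \
        ' 8% [ <=> ] 860,160 185KB/s' \
        ' 9% [ <=> ] 1,056,888 58.3KB/s eta 4m 10s' \
        '10% [ <=> ] 1,116,160 57.9KB/s eta 4m 9s' \
        '11% [ <=> ] 1,175,552 58.1KB/s eta 4m 9s'
}

# Skip the first three samples, allow 10% over the nominal ceiling.
sample_progress | check_shaping 500000 3 10
```

For a real run, capture wget's bar output with each refresh on its own line, e.g. `wget --progress=bar:force URL 2>&1 | tr '\r' '\n' | check_shaping 500000 3 10`, from inside the Pod for the ingress limit and from another host for the egress limit. Run it with SKIP set to 0 on a cold connection and the burst itself becomes visible as a FAIL, which is useful when deciding how much burst a tenant should be allowed at all.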