Calico components
The diagram below shows the required and optional Calico components for an on-premises Kubernetes deployment that uses Calico for both networking and network policy.
Components shown in the diagram: Calico API server, Felix, BIRD, confd, Dikastes, CNI plugin, Datastore plugin, IPAM plugin, kube-controllers, Typha, calicoctl, plugins for cloud orchestrators.
Calico API server
Main task: Lets you manage Calico resources directly using kubectl.
Felix
Main task: Programs routes and ACLs, and anything else required on the host, to provide the connectivity needed by the endpoints on that host. Runs on every machine that hosts endpoints. Runs as an agent daemon. Felix resources.
Depending on the orchestrator environment, Felix is responsible for:
Interface management
Programs information about interfaces into the kernel so that the kernel can correctly handle traffic from each endpoint. In particular, it ensures that the host responds to ARP requests from each workload with the host's MAC address, and it enables IP forwarding on the interfaces it manages. It also monitors the interfaces to ensure that programming is applied at the appropriate time.
Route programming
Programs routes to the endpoints on its host into the Linux kernel FIB (Forwarding Information Base). This ensures that packets destined for those endpoints that arrive at the host are forwarded accordingly.
ACL programming
Programs ACLs into the Linux kernel to ensure that only valid traffic can be sent between endpoints, and that endpoints cannot circumvent Calico's security measures.
Status reporting
Provides network health data. In particular, it reports errors and problems encountered while configuring its host. This data is written to the datastore, where it is visible to other components and to operators of the network.
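The following is an added example, not taken from the original page or from the Calico project's own documentation, of the kind of ACL Felix ends up programming: a cluster-wide default-deny baseline plus one narrow allow, expressed as Calico resources in the projectcalico.org/v3 API and applied with `kubectl apply -f` through the Calico API server described above. The policy names, labels, namespace and the CoreDNS labels are assumptions for illustration.

```yaml
# Added example (not Calico's own manifests). Policy names, labels and the
# 'shop' namespace are assumptions.
#
# Calico evaluates policies in ascending 'order'. The narrow allow below has
# order 100, so it is checked before the order-1000 deny baseline; traffic that
# matches no rule in the last applicable policy is dropped by Felix in the kernel.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-workloads
spec:
  order: 1000
  # Apply to every workload except those in kube-system (assumption: cluster
  # add-ons live there and are covered by their own policies).
  namespaceSelector: projectcalico.org/name != 'kube-system'
  selector: all()
  types:
    - Ingress
    - Egress
  egress:
    # Keep name resolution working; the k8s-app label is the usual CoreDNS
    # label but is an assumption about this cluster.
    - action: Allow
      protocol: UDP
      destination:
        selector: k8s-app == 'kube-dns'
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports: [53]
  # No ingress rules: any ingress not allowed by an earlier policy is denied.
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  order: 100
  selector: app == 'api'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'
      destination:
        ports: [8080]
```

Because the baseline denies egress as well as ingress, a compromised pod cannot reach other workloads or the outside world unless a lower-order policy explicitly allows it; the DNS rule is the one hole deliberately left open, so it is worth scoping it to the DNS pods rather than to the whole kube-system namespace.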
Note: calico/node can run in policy-only mode, where Felix runs without BIRD and confd. This provides policy management without distributing routes between hosts and is used for deployments such as managed cloud providers. You can enable this mode by setting the environment variable CALICO_NETWORKING_BACKEND=none before starting the node.
BIRD
Main task: Gets routes from Felix and distributes them to BGP peers on the network for inter-host routing. Runs on every node that hosts a Felix agent. Open source internet routing daemon. BIRD.
BGP clients are responsible for:
Route distribution
When Felix inserts routes into the Linux kernel FIB, the BGP client distributes them to the other nodes in the deployment. This ensures efficient traffic routing across the deployment.
BGP route reflector configuration
BGP route reflectors are typically used in larger deployments instead of a full mesh of standard BGP clients. A BGP route reflector acts as a central point to which the BGP clients connect. (Standard BGP requires every BGP client to connect to every other BGP client in a mesh topology, which is difficult to maintain at scale because each node needs a session to every other node.)
For redundancy, you can seamlessly deploy multiple BGP route reflectors. BGP route reflectors participate only in the network control plane: no endpoint data passes through them. When a Calico BGP client advertises the routes in its FIB to a route reflector, the route reflector advertises those routes to the other nodes in the deployment.
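As an added example (not from the original page or from Calico's own documentation), the following shows how the route reflector topology above is expressed in Calico resources: the node-to-node mesh is switched off in the BGPConfiguration, and a BGPPeer makes every node peer with the nodes labelled as reflectors. The AS number, the `route-reflector` label, the cluster ID and the secret name are assumptions.

```yaml
# Added example, not Calico's own manifests. AS number, label names,
# cluster ID and secret name are assumptions.
#
# Reflector nodes are marked out of band, for example:
#   kubectl label node rr-1 route-reflector=true
#   kubectl annotate node rr-1 projectcalico.org/RouteReflectorClusterID=244.0.0.1
# Two or more reflectors with the same cluster ID give redundancy.
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  # Turn off the full mesh; without this every node still peers with every other node.
  nodeToNodeMeshEnabled: false
  asNumber: 64512
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: peer-with-route-reflectors
spec:
  # all() includes the reflector nodes themselves, so reflectors also peer
  # with each other and a route learned by one is known to all of them.
  nodeSelector: all()
  peerSelector: route-reflector == 'true'
  # Authenticate the sessions (TCP MD5) so a rogue host on the fabric cannot
  # inject pod routes. Assumes a Secret 'bgp-secrets' with key 'rr-password'
  # exists in the namespace where calico-node runs and that calico-node is
  # allowed to read it.
  password:
    secretKeyRef:
      name: bgp-secrets
      key: rr-password
```

Disabling the mesh before the BGPPeer exists leaves nodes with no peers at all, so apply the BGPPeer and label the reflector nodes first, then flip `nodeToNodeMeshEnabled`.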
confd
Main task: Monitors the Calico datastore for changes to BGP configuration and global defaults such as the AS number, logging levels, and IPAM information. Open source, lightweight configuration management tool.
confd dynamically generates BIRD configuration files based on updates to the data in the datastore. When a configuration file changes, confd triggers BIRD to load the new file. Configuring confd and the confd project.
Dikastes
Main task: Enforces network policy for the Istio service mesh. Runs on the cluster as a sidecar proxy alongside Istio Envoy.
(Optional) Calico enforces network policy for workloads both in the Linux kernel (using iptables, at L3-L4) and at L3-L7 using an Envoy sidecar proxy called Dikastes, with cryptographic authentication of requests. Using multiple enforcement points establishes the identity of the remote endpoint based on multiple criteria. The host's Linux kernel enforcement protects your workloads even if a workload pod is compromised and the Envoy proxy is bypassed. Dikastes and Istio documentation.
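The following is an added example, not from the original page or Calico's documentation, of a policy that uses both enforcement points described above: the L3/L4 part (port and service-account-to-pod mapping) is programmed by Felix in the kernel, while the HTTP method/path match and the check of the caller's Istio-issued identity are performed by Dikastes in the sidecar. Labels, the `checkout` service account, the `shop` namespace and the paths are assumptions.

```yaml
# Added example, not Calico's own manifests. App labels, service account,
# namespace, port and paths are assumptions.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: orders-api
spec:
  selector: app == 'orders'
  types:
    - Ingress
  ingress:
    # Only pods running as the 'checkout' service account in 'shop' may call
    # the API, and only for GET/POST under /v1/orders.
    #
    # Kernel (Felix): resolves the service account to the set of pod IPs that
    # run under it and allows TCP/8080 only from those addresses.
    # Sidecar (Dikastes): checks the caller's mTLS certificate identity
    # against the same service account and applies the HTTP match, so a
    # spoofed source address or a bypassed sidecar on the caller side is
    # still stopped at one of the two layers.
    - action: Allow
      protocol: TCP
      source:
        serviceAccounts:
          names: ["checkout"]
        namespaceSelector: projectcalico.org/name == 'shop'
      destination:
        ports: [8080]
      http:
        methods: ["GET", "POST"]
        paths:
          - prefix: "/v1/orders"
```

The `http` clause only has meaning where Dikastes is in the request path (Istio sidecar injected and Calico application layer policy enabled); on workloads without the sidecar, the L3/L4 part of the rule is the effective floor, which is exactly the fallback the section above describes.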
CNI plugin
Main task: Provides Calico networking for a Kubernetes cluster.
The Calico binary that presents the CNI API to Kubernetes is called the CNI plugin, and it must be installed on every node in the Kubernetes cluster. The Calico CNI plugin lets you use Calico networking with any orchestrator that uses the CNI networking specification. It is configured through the standard CNI configuration mechanism. Calico CNI plugin.
Datastore plugin
Main task: Increases scale by reducing each node's impact on the datastore. It is one of the Calico CNI plugins.
Kubernetes API Datastore (kdd)
The advantages of using the Kubernetes API Datastore (kdd) with Calico are:
Easier to manage as it does not require additional data storage
Control access to Calico resources using Kubernetes RBAC
Generate an audit log of Calico resource changes using the Kubernetes audit log
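As an added example (not from the original page or from Calico's documentation) of the RBAC advantage listed above, the manifests below give one team read access to policy cluster-wide and write access only to namespaced NetworkPolicy in its own namespace, leaving cluster-scoped resources (GlobalNetworkPolicy, IPPool, BGPPeer) to cluster administrators. The `shop` namespace and the `shop-team` group are assumptions.

```yaml
# Added example, not Calico's own manifests. Namespace and group are assumptions.
#
# With the Kubernetes API datastore, Calico resources in the projectcalico.org
# group are served by the Calico API server, so ordinary Kubernetes RBAC and
# the API server audit log apply to them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-policy-reader
rules:
  - apiGroups: ["projectcalico.org"]
    resources:
      - networkpolicies
      - globalnetworkpolicies
      - networksets
      - globalnetworksets
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: calico-policy-editor
  namespace: shop
rules:
  - apiGroups: ["projectcalico.org"]
    resources: ["networkpolicies", "networksets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shop-team-calico-policy
  namespace: shop
subjects:
  - kind: Group
    name: shop-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: calico-policy-editor
  apiGroup: rbac.authorization.k8s.io
```

One caveat: with the Kubernetes API datastore the same objects are also stored as CustomResources in the `crd.projectcalico.org` group, and a client that writes to those directly (for example calicoctl configured against the Kubernetes API rather than the Calico API server) is not subject to the rules above. Grant write access to `crd.projectcalico.org` resources at least as sparingly as to `projectcalico.org` ones.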
etcd
etcd is a consistent, highly available distributed key-value store that provides data storage for the Calico network and for communication between components. etcd is supported for protecting non-cluster hosts only (as of Calico v3.1). For completeness, the advantages of etcd are:
Lets you run Calico on non-Kubernetes platforms
Separation of concerns between Kubernetes and Calico resources, for example allowing you to scale datastores independently
Lets you run a Calico cluster consisting of multiple Kubernetes clusters, for example, bare metal servers with Calico host protection intercommunicating with a Kubernetes cluster; or multiple Kubernetes clusters.
etcd Administrator's Guide
IPAM plugin
Main task: Use Calico's IP pool resource to control how IP addresses are assigned to Pods in the cluster. It is the default plugin used by most Calico installations. It is one of the Calico CNI plugins.
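The following is an added example, not from the original page or from Calico's documentation, of the IP pool resource the IPAM plugin uses: two pools pinned to node zones so that a pod's address reveals where it runs and can be matched by policy or by firewalls upstream of the cluster. The CIDRs, block size and the zone label values are assumptions.

```yaml
# Added example, not Calico's own manifests. CIDRs, block size and zone
# labels are assumptions.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: pods-zone-a
spec:
  cidr: 10.244.0.0/18
  blockSize: 26            # each node claims /26 blocks from this pool
  ipipMode: Never
  vxlanMode: Never         # assumes pod traffic is routed natively (e.g. via BGP)
  natOutgoing: true        # SNAT traffic that leaves this CIDR
  # Only nodes in zone 'a' allocate from this pool; Calico selector syntax
  # accepts the standard Kubernetes zone label key.
  nodeSelector: topology.kubernetes.io/zone == 'a'
---
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: pods-zone-b
spec:
  cidr: 10.244.64.0/18
  blockSize: 26
  ipipMode: Never
  vxlanMode: Never
  natOutgoing: true
  nodeSelector: topology.kubernetes.io/zone == 'b'
```

Changing a pool's `nodeSelector` or `cidr` affects only new allocations; existing pods keep their addresses until they are recreated. Also note that a pod spec can request a specific pool or address through the `cni.projectcalico.org/ipv4pools` and `cni.projectcalico.org/ipAddrs` annotations, so anyone who can create pods can influence which pool they land in; if addresses are used as a trust signal by upstream firewalls, restrict those annotations with an admission policy.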
kube-controllers
Main task: Monitors the Kubernetes API and performs actions based on cluster state. kube-controllers.
The tigera/kube-controllers container includes the following controllers:
policy controller
namespace controller
service account controller
workload endpoint controller
node controller
Typha
Main task: Increases scale by reducing each node's impact on the datastore. Runs as a daemon between the datastore and the Felix instances. Installed by default, but not configured. Typha description and Typha components.
Typha maintains a single datastore connection on behalf of all of its clients, such as Felix and confd. It caches the datastore state and deduplicates events so that they can be fanned out to many listeners. Because one Typha instance can support hundreds of Felix instances, it greatly reduces the load on the datastore. And because Typha can filter out updates that are not relevant to Felix, it also reduces Felix's CPU usage. In large-scale (100+ node) Kubernetes clusters this is essential, because the number of updates generated by the API server scales with the number of nodes.
calicoctl
Main task: Command-line interface for creating, reading, updating, and deleting Calico objects. calicoctl can be used on any host that has network access to the Calico datastore, either as a binary or as a container. It must be installed separately. calicoctl.
Plugins for Cloud Orchestrator
Main task: Translates the orchestrator's APIs for managing networks into the Calico data model and datastore.
For cloud providers, Calico has a separate plugin for each major cloud orchestration platform. This lets Calico bind tightly to the orchestrator, so users can manage the Calico network with their existing orchestration tools. When required, the orchestrator plugin provides feedback from the Calico network to the orchestrator, for example, information about Felix liveness, or marking specific endpoints as failed when network setup fails.
This article: https://architect.pub/calico-component-architecture | ||