Alauda Container Platform
  • 简体中文

    • Kube-OVN Underlay + MetalLB LoadBalancer Service 配置

    目录

    概述前提条件环境要求流量流向配置步骤1. 使用 VLAN 子接口配置 ProviderNetwork2. 配置 Kube-OVN Controller 参数3. 配置 Underlay 子网外部地址功能4. 创建 MetalLB 外部地址池5. 创建示例应用和 LoadBalancer Service6. 验证配置7. 迁移现有 Service

    概述

    此方案解决了 MetalLB L2 模式与 Kube-OVN Underlay 网络的集成问题。它允许用户将 Underlay 子网 IP 用作 MetalLB LoadBalancer Service 的 VIP,并将流量直接转发到后端业务 Pods。

    ⚠️ 关键:LoadBalancer VIP 和后端 Pod IP 必须位于同一个 Underlay 子网中

    ⚠️ 关键:禁止内部 Pods 访问 LoadBalancer Service IP。该 IP 仅用于外部客户端访问。

    前提条件

    环境要求

    • ACP 版本:>= 4.2.2
    • IP 支持:仅支持 IPv4(当前不支持 IPv6)

    流量流向

    流量示意图

    配置步骤

    1. 使用 VLAN 子接口配置 ProviderNetwork

    重要:必须使用 VLAN 子接口。

    配置 Kube-OVN Underlay 网络以自动创建 VLAN 子接口:

    apiVersion: kubeovn.io/v1
kind: ProviderNetwork
metadata:
  name: provider
spec:
  defaultInterface: underlay0.341
  autoCreateVlanSubinterfaces: true  # Automatically creates VLAN sub-interfaces (e.g., underlay0.341) if only parent interface (underlay0) exists

---
apiVersion: kubeovn.io/v1
kind: Vlan
metadata:
  name: ovn-vlan
spec:
  id: 0    # Use 0 because autoCreateVlanSubinterfaces creates the VLAN sub-interface (underlay0.341) which handles VLAN tagging, not Kube-OVN directly
  provider: provider
status:
  subnets:
  - ovn-default

    ⚠️ 警告:当单独修改 ProviderNetworkVlan 资源时,Underlay 网络连通性将被中断。只有在这两个资源都完成配置并保持同步后,网络连通性才会恢复。请在维护窗口期间安排配置变更,以尽量减少服务中断。

    2. 配置 Kube-OVN Controller 参数

    为 LoadBalancer 功能配置 Kube-OVN controller 所需参数:

    使用 Web 控制台:

    1. 导航到 管理员 > Marketplace > 集群插件,然后搜索 ovn,找到 Alauda Container Platform Networking for Kube-OVN
    2. 在插件行中,点击操作菜单(竖向 ⋮),选择 Update 以打开配置对话框
    3. 配置以下设置:
      • Skip CT for Dst LPort IPsNo
      • Enable OVN LB LocalYes

    3. 配置 Underlay 子网外部地址功能

    编辑 Underlay 子网,为 LoadBalancer 使用预留一个 IP 范围:

    重要:外部地址池 IP 必须位于 Underlay 子网内。

    将 Underlay 子网参数修改为 spec.enableExternalLBAddress: true

    apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: underlay-subnet
spec:
  enableExternalLBAddress: true       # Indicates this subnet has IP range for LB service VIP
  excludeIps:
  - 10.180.208.200..10.180.208.220    # Reserve IP range for external address pool

    4. 创建 MetalLB 外部地址池

    # underlay-ippool.yaml
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: acp-underlay-pool
  namespace: metallb-system
spec:
  addresses:
    - 10.180.208.200-10.180.208.220  # Underlay subnet IP range
  avoidBuggyIPs: true
  autoAssign: true
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: acp-underlay-pool
  namespace: metallb-system
spec:
  ipAddressPools:
    - acp-underlay-pool
  interfaces:
    - br-provider  # Optional: Interface for ARP broadcasting; use bridge interface (br-*) instead of physical interface
  nodeSelectors: []

    部署地址池:

    kubectl apply -f underlay-ippool.yaml

    5. 创建示例应用和 LoadBalancer Service

    # application-with-loadbalancer.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend-app
  labels:
    app: backend
spec:
  replicas: 3
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
    spec:
      containers:
        - name: backend
          image: nginx:1.25
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: backend-lb-service
  # To use specific IPPool: add annotation `metallb.io/address-pool: acp-underlay-pool`
  # To use fixed IP: set `spec.loadBalancerIP: 10.180.208.201`
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local  # **IMPORTANT**: Required for preserving source IP and enabling direct Pod routing
  selector:
    app: backend
  ports:
    - port: 80
      targetPort: 80

    部署应用:

    kubectl apply -f application-with-loadbalancer.yaml

    6. 验证配置

    # Check service status
kubectl get svc backend-lb-service -o wide

# Test external access
curl http://10.180.208.200

    7. 迁移现有 Service

    对于使用旧地址池(仅节点子网)的现有 Service,您可以将其迁移到新的 Underlay 地址池:

    # Add annotation to migrate existing service
kubectl annotate service <existing-service-name> metallb.io/address-pool=acp-underlay-pool --overwrite

# Verify the service has been assigned a new IP from the Underlay pool
kubectl get svc <existing-service-name> -o wide

    对于新 Service,直接添加注解:

    apiVersion: v1
kind: Service
metadata:
  name: backend-lb-service
  annotations:
    metallb.io/address-pool: acp-underlay-pool  # Use the Underlay address pool
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  selector:
    app: backend
  ports:
    - port: 80
      targetPort: 80
    # Check service status
kubectl get svc backend-lb-service -o wide

# Test external access
curl http://10.180.208.200