Overview

When all hosts in a cluster are on the same Layer 2, calico cni can make all Pod networks interoperate by just routing. However, a pure Layer 2 environment is not always possible in many scenarios, so when hosts interoperate with each other at only Layer 3, the calico IPIP (full name IP in IP) mode can be used.

IP in IP is an IP tunneling protocol whose core technology is that the sender encapsulates an IP packet into another IP packet and sends it to the receiver, who then parses out the internal IP packet from the outer IP packet for processing. It is commonly used in technologies such as VPN to bridge two intranet environments.

calico IPIP traffic analysis

In the previous article, we briefly talked about how calico is able to pass through Pod networks on different hosts via routing. In fact, there is a prerequisite for this solution, which is that different hosts need to interoperate with each other at Layer 2. When the network environment can not meet, you can use the route + IPIP way to open the network.

Here is a simple experiment to verify the scheme.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

# node.sh
ip netns add n1
ip link add veth1 type veth peer name veth2
ip link set veth2 netns n1
ip netns exec n1 ip link set veth2 up
ip netns exec n1 ip route add 169.254.1.1 dev veth2 scope link
ip netns exec n1 ip route add default via 169.254.1.1
ip netns exec n1 ip addr add 172.19.1.10/24 dev veth2
ip link set veth1 up
ip route add 172.19.1.10 dev veth1 # 这个路由必须有
ip netns exec n1 ip route del 172.19.1.0/24 dev veth2 proto kernel scope link src 172.19.1.10
echo 1 > /proc/sys/net/ipv4/conf/veth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

The above script is used to create a virtual Pod that can be executed on a different host, remember to change the IP address to ensure that the two Pods have different IPs.

After that, create an IP tunnel on the host. This is also executed on both hosts.

1
2
3

ip tunnel add mode ipip
ip link set tunl0 up
ip route add 172.19.1.0/24 via 192.168.105.135 dev tunl0 proto bird onlink

Here, when creating the IP tunnel, the address of the opposite end of the tunnel is not specified, because in a real cluster, a 1-to-1 tunnel is not used in a scenario. Instead, a route is used to tell the address of the other end of the tunnel. At this point, you can ping through to the IP of the other end in netns n1.

The flowchart is as follows.

flowchart