|
| 1 | +--- |
| 2 | +min-kubernetes-server-version: v1.33 |
| 3 | +title: 重新配置 Kubernetes 默认的 Service CIDR |
| 4 | +content_type: task |
| 5 | +--- |
| 6 | +<!-- |
| 7 | +reviewers: |
| 8 | +- thockin |
| 9 | +- dwinship |
| 10 | +min-kubernetes-server-version: v1.33 |
| 11 | +title: Kubernetes Default Service CIDR Reconfiguration |
| 12 | +content_type: task |
| 13 | +--> |
| 14 | + |
| 15 | +<!-- overview --> |
| 16 | +{{< feature-state feature_gate_name="MultiCIDRServiceAllocator" >}} |
| 17 | + |
| 18 | +<!-- |
| 19 | +This document shares how to reconfigure the default Service IP range(s) assigned |
| 20 | +to a cluster. |
| 21 | +--> |
| 22 | +本文介绍如何重新配置集群中分配的默认 Service IP 范围。 |
| 23 | + |
| 24 | +## {{% heading "prerequisites" %}} |
| 25 | + |
| 26 | +{{< include "task-tutorial-prereqs.md" >}} |
| 27 | + |
| 28 | +{{< version-check >}} |
| 29 | + |
| 30 | +<!-- steps --> |
| 31 | + |
| 32 | +<!-- |
| 33 | +## Kubernetes Default Service CIDR Reconfiguration |
| 34 | +
|
| 35 | +This document explains how to manage the Service IP address range within a |
| 36 | +Kubernetes cluster, which also influences the cluster's supported IP families |
| 37 | +for Services. |
| 38 | +--> |
| 39 | +## 重新配置 Kubernetes 默认 Service CIDR {#kubernetes-default-service-cidr-reconfiguration} |
| 40 | + |
| 41 | +本文解释了如何管理 Kubernetes 集群中的 Service IP 地址范围,这也会影响集群针对不同 Service 所支持的 IP 协议族。 |
| 42 | + |
| 43 | +<!-- |
| 44 | +The IP families available for Service ClusterIPs are determined by the |
| 45 | +`--service-cluster-ip-range` flag to kube-apiserver. For a better understanding of Service IP address allocation, refer to the |
| 46 | +[Services IP address allocation tracking](https://kubernetes.io/docs/reference/networking/virtual-ips/#ip-address-objects) documentation. |
| 47 | +--> |
| 48 | +可用于 Service ClusterIP 的 IP 协议族由传递给 kube-apiserver 的 `--service-cluster-ip-range` |
| 49 | +参数决定。要更好地了解 Service IP 地址分配,请参考 |
| 50 | +[Service IP 地址分配追踪](/zh-cn/docs/reference/networking/virtual-ips/#ip-address-objects)文档。 |
| 51 | + |
| 52 | +<!-- |
| 53 | +Since Kubernetes 1.33, the Service IP families configured for the cluster are |
| 54 | +reflected by the `ServiceCIDR` object named `kubernetes`. The `kubernetes` `ServiceCIDR` |
| 55 | +object is created by the first kube-apiserver instance that starts, based on its |
| 56 | +configured `--service-cluster-ip-range` flag. To ensure consistent cluster behavior, all kube-apiserver instances must be configured with the same `--service-cluster-ip-range` values, which must match the default kubernetes ServiceCIDR object. |
| 57 | +--> |
| 58 | +自 Kubernetes 1.33 起,为集群所配置的 Service IP 协议族会通过名为 `kubernetes` 的 `ServiceCIDR` 对象反映。 |
| 59 | +这个 `kubernetes` `ServiceCIDR` 对象由依据其配置的 `--service-cluster-ip-range` |
| 60 | +参数所启动的第一个 kube-apiserver 实例创建。为了确保集群行为一致,所有 kube-apiserver 实例必须使用相同的 |
| 61 | +`--service-cluster-ip-range` 配置,其取值需与默认的 kubernetes ServiceCIDR 对象保持一致。 |
| 62 | + |
| 63 | +<!-- |
| 64 | +### Kubernetes Service CIDR Reconfiguration Categories |
| 65 | +
|
| 66 | +We can categorize Service CIDR reconfiguration into the following scenarios: |
| 67 | +--> |
| 68 | +### Kubernetes Service CIDR 重新配置类别 {#kubernetes-service-cidr-reconfiguration-categories} |
| 69 | + |
| 70 | +我们可以将 Service CIDR 的重新配置分为以下几种情形: |
| 71 | + |
| 72 | +<!-- |
| 73 | +* **Extending the existing Service CIDRs:** This can be done dynamically by |
| 74 | + adding new ServiceCIDR objects without the need of reconfiguration of the |
| 75 | + kube-apiserver. Please refer to the dedicated documentation on |
| 76 | + [Extending Service IP |
| 77 | + Ranges](https://kubernetes.io/docs/tasks/network/extend-service-ip-ranges/). |
| 78 | +--> |
| 79 | +* **扩展现有的 Service CIDR:** |
| 80 | + 这可以通过添加新的 ServiceCIDR 对象动态完成,无需重新配置 kube-apiserver。 |
| 81 | + 请参考[扩展 Service IP 范围](/zh-cn/docs/tasks/network/extend-service-ip-ranges/)的专门文档。 |
| 82 | + |
| 83 | +<!-- |
| 84 | +* **Single-to-dual-stack conversion preserving the primary service CIDR:** This |
| 85 | + involves introducing a secondary IP family (IPv6 to an IPv4-only cluster, or |
| 86 | + IPv4 to an IPv6-only cluster) while keeping the original IP family as |
| 87 | + primary. This requires an update to the kube-apiserver configuration and a |
| 88 | + corresponding modification of various cluster components that need to handle |
| 89 | + this additional IP family. These components include, but are not limited to, |
| 90 | + kube-proxy, the CNI or network plugin, service mesh implementations, and DNS |
| 91 | + services. |
| 92 | +--> |
| 93 | +* **保留主 Service CIDR 的单栈到双栈转换:** |
| 94 | + 这意味着引入次要 IP 协议族(IPv6 到仅 IPv4 集群,或 IPv4 到仅 IPv6 集群), |
| 95 | + 同时保留原 IP 协议族作为主协议族。 |
| 96 | + 这需要更新 kube-apiserver 配置,并相应修改需要处理这个附加 IP 协议族的各个集群组件。 |
| 97 | + 这些组件包括但不限于 kube-proxy、CNI 或网络插件、服务网格实现和 DNS 服务。 |
| 98 | + |
| 99 | +<!-- |
| 100 | +* **Dual-to-single conversion preserving the primary service CIDR:** This |
| 101 | + involves removing the secondary IP family from a dual-stack cluster, |
| 102 | + reverting to a single IP family while retaining the original primary IP |
| 103 | + family. In addition to the reconfiguration of the components to match the |
| 104 | + new IP family, you might need to address Services that were explicitly |
| 105 | + configured to use the removed IP family. |
| 106 | +--> |
| 107 | +* **保留主 Service CIDR 的双栈到单栈转换:** |
| 108 | + 这意味着从双栈集群中移除次要 IP 协议族,恢复为单一 IP 协议族,同时保留原主 IP 协议族。 |
| 109 | + 除了重新配置这些组件以匹配新的 IP 协议族外,你还可能需要处理那些显式使用被移除 IP 协议族的 Service。 |
| 110 | + |
| 111 | +<!-- |
| 112 | +* **Anything that results in changing the primary service CIDR:** Completely |
| 113 | + replacing the default ServiceCIDR is a complex operation. If the new |
| 114 | + ServiceCIDR does not overlap with the existing one, [it will require |
| 115 | + renumbering all existing Services and changing the `kubernetes.default` |
| 116 | + service](#Illustrative Reconfiguration Steps). The case where the primary IP |
| 117 | + family also changes is even more complicated, and may require to change |
| 118 | + multiple cluster components (kubelet, network plugins, etc.) to match the new |
| 119 | + primary IP family. |
| 120 | +--> |
| 121 | +* **变更主 Service CIDR 的任何情形:** |
| 122 | + 完全替换默认 ServiceCIDR 是一项复杂的操作。如果新旧 ServiceCIDR 不重叠, |
| 123 | + [则需要重新编号所有现有 Service 并更改 `kubernetes.default` Service](#illustrative-reconfiguration-steps)。 |
| 124 | + 如果主 IP 协议族也发生变化,则更为复杂,可能需要修改多个集群组件(如 kubelet、网络插件等)以匹配新的主 IP 协议族。 |
| 125 | + |
| 126 | +<!-- |
| 127 | +### Manual Operations for Replacing the Default Service CIDR |
| 128 | +
|
| 129 | +Reconfiguring the default Service CIDR necessitates manual steps performed by |
| 130 | +the cluster operator, administrator, or the software managing the cluster |
| 131 | +lifecycle. These typically include: |
| 132 | +--> |
| 133 | +### 替换默认 Service CIDR 的手动操作 {#manual-operations-for-replacing-the-default-service-cidr} |
| 134 | + |
| 135 | +重新配置默认 Service CIDR 需要集群运维人员、管理员或管理集群生命周期的软件执行一系列手动步骤。 |
| 136 | +这些通常包括: |
| 137 | + |
| 138 | +<!-- |
| 139 | +1. **Updating** the kube-apiserver configuration: Modify the |
| 140 | + `--service-cluster-ip-range` flag with the new IP range(s). |
| 141 | +--> |
| 142 | +1. **更新** kube-apiserver 配置: |
| 143 | + 使用新的 IP 范围修改 `--service-cluster-ip-range` 参数。 |
| 144 | +<!-- |
| 145 | +2. **Reconfiguring** the network components: This is a critical step and the |
| 146 | + specific procedure depends on the different networking components in use. It |
| 147 | + might involve updating configuration files, restarting agent pods, or |
| 148 | + updating the components to manage the new Service CIDR(s) and the desired IP |
| 149 | + family configuration for Pods. Typical components can be the implementation |
| 150 | + of Kubernetes Services, such as kube-proxy, and the configured networking |
| 151 | + plugin, and potentially other networking components like service mesh |
| 152 | + controllers and DNS servers, to ensure they can correctly handle traffic and |
| 153 | + perform service discovery with the new IP family configuration. |
| 154 | +--> |
| 155 | +2. **重新配置**网络组件:这一步至关重要,具体步骤取决于正在使用的联网组件。 |
| 156 | + 这可能包括更新配置文件、重启代理 Pod,或更新组件以处理新的 Service CIDR 和期望的 Pod IP 协议族配置。 |
| 157 | + 典型组件可以是 Kubernetes Service(例如 kube-proxy)的实现、 |
| 158 | + 所配置的网络插件以及服务网格控制器和 DNS 服务器等潜在的其他联网组件, |
| 159 | + 以确保它们能够正确处理流量并使用新的 IP 协议族配置来执行服务发现。 |
| 160 | +<!-- |
| 161 | +3. **Managing existing Services:** Services with IPs from the old CIDR need to |
| 162 | + be addressed if they are not within the new configured ranges. Options |
| 163 | + include recreation (leading to downtime and new IP assignments) or |
| 164 | + potentially more complex reconfiguration strategies. |
| 165 | +4. **Recreating internal Kubernetes services:** The `kubernetes.default` |
| 166 | + service must be deleted and recreated to obtain an IP address from the new |
| 167 | + Service CIDR if the primary IP family is changed or replaced by a different |
| 168 | + network. |
| 169 | +--> |
| 170 | +3. **管理现有 Service:** |
| 171 | + 如果某些 Service 所使用的 IP 不在新配置的范围内,则需处理这些服务。 |
| 172 | + 你可以选择重新创建(会造成停机并重新分配 IP),或者采取更复杂的重新配置策略。 |
| 173 | +4. **重新创建 Kubernetes 内部服务:** |
| 174 | + 如果主 IP 协议族发生变化,或者被替换为另一个不同的网络, |
| 175 | + 则必须删除并重新创建 `kubernetes.default` Service,以便从新的 Service CIDR 获取 IP 地址。 |
| 176 | + |
| 177 | +<!-- |
| 178 | +### Illustrative Reconfiguration Steps |
| 179 | +
|
| 180 | +The following steps describe a controlled reconfiguration focusing on the |
| 181 | +completely replacement of the default Service CIDR and the recreation of the |
| 182 | +`kubernetes.default` Service: |
| 183 | +--> |
| 184 | +### 示例重新配置步骤 {#illustrative-reconfiguration-steps} |
| 185 | + |
| 186 | +以下步骤描述了受控的重新配置过程,重点是完全替换默认 Service CIDR 并重新创建 `kubernetes.default` Service: |
| 187 | + |
| 188 | +<!-- |
| 189 | +1. Start the kube-apiserver with the initial `--service-cluster-ip-range`. |
| 190 | +2. Create initial Services that obtain IPs from this range. |
| 191 | +3. Introduce a new Service CIDR as a temporary target for reconfiguration. |
| 192 | +4. Mark the `kubernetes` default Service CIDR for deletion (it will remain |
| 193 | + pending due to existing IPs and finalizers). This prevents new allocations |
| 194 | + from the old range. |
| 195 | +--> |
| 196 | +1. 使用初始的 `--service-cluster-ip-range` 启动 kube-apiserver。 |
| 197 | +2. 创建初始 Service,使其从该范围获取 IP。 |
| 198 | +3. 引入新的 Service CIDR,作为重新配置的临时目标。 |
| 199 | +4. 将默认的 `kubernetes` Service CIDR 标记为删除(由于存在 IP 和 Finalizer,会处于 Pending 状态)。 |
| 200 | + 这将阻止从旧的范围分配新的 IP。 |
| 201 | +<!-- |
| 202 | +5. Recreate existing Services. They should now be allocated IPs from the new, |
| 203 | + temporary Service CIDR. |
| 204 | +6. Restart the kube-apiserver with the new Service CIDR(s) configured and shut |
| 205 | + down the old instance. |
| 206 | +7. Delete the `kubernetes.default` service. The new kube-apiserver will |
| 207 | + recreate it within the new Service CIDR. |
| 208 | +--> |
| 209 | +5. 重新创建现有 Service。这些 Service 应从新的临时 Service CIDR 分配 IP。 |
| 210 | +6. 使用配置的新 Service CIDR 重新启动 kube-apiserver,并关闭旧实例。 |
| 211 | +7. 删除 `kubernetes.default` Service。新的 kube-apiserver 将在新的 |
| 212 | + Service CIDR 范围内重新创建此 Service。 |
| 213 | + |
| 214 | +## {{% heading "whatsnext" %}} |
| 215 | + |
| 216 | +<!-- |
| 217 | +* **Kubernetes Networking Concepts:** |
| 218 | + [https://kubernetes.io/docs/concepts/cluster-administration/networking/](https://kubernetes.io/docs/concepts/cluster-administration/networking/) |
| 219 | +* **Kubernetes Dual-Stack Services:** |
| 220 | + [https://kubernetes.io/docs/concepts/services-networking/dual-stack/](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) |
| 221 | +* **Extending Kubernetes Service IP Ranges:** |
| 222 | + [https://kubernetes.io/docs/tasks/network/extend-service-ip-ranges/](https://kubernetes.io/docs/tasks/network/extend-service-ip-ranges/) |
| 223 | +--> |
| 224 | +* [Kubernetes 联网概念](/zh-cn/docs/concepts/cluster-administration/networking/) |
| 225 | +* [Kubernetes 双栈服务](/zh-cn/docs/concepts/services-networking/dual-stack/) |
| 226 | +* [扩展 Kubernetes Service IP 范围](/zh-cn/docs/tasks/network/extend-service-ip-ranges/) |
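Review bot: On new-file line 157 the parenthetical is attached to the wrong noun: `Kubernetes Service(例如 kube-proxy)的实现` reads as if kube-proxy were an example of a Service, while the English source in the comment above it says "the implementation of Kubernetes Services, such as kube-proxy". Suggest `Kubernetes Service 的实现(例如 kube-proxy)`. Three smaller fidelity points in the same file: line 94 `IPv6 到仅 IPv4 集群` loses the sense of adding a family to a single-stack cluster (suggest `为仅 IPv4 的集群引入 IPv6,或为仅 IPv6 的集群引入 IPv4`); lines 58-60 make "based on its configured `--service-cluster-ip-range` flag" describe how the kube-apiserver was started rather than how the `kubernetes` ServiceCIDR object is created; and line 199 renders "remain pending" as `Pending 状态`, which reads like a status phase, whereas the source only says the deletion stays pending because of existing IPs and finalizers.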