添加vip支持aap功能介绍 (#135)

zhaocongqi · web-flow · commit ada3dabde707 · 2023-11-08T15:42:26.000+08:00
* 添加vip支持aap功能介绍

Signed-off-by: zcq98 &lt;zhaocongqi_yewu@cmss.chinamobile.com&gt;

* add vip support aap english doc

Signed-off-by: zcq98 &lt;zhaocongqi_yewu@cmss.chinamobile.com&gt;

* aap support multiple interface

Signed-off-by: zcq98 &lt;zhaocongqi_yewu@cmss.chinamobile.com&gt;

* fix lint issues

Signed-off-by: zcq98 &lt;zhaocongqi_yewu@cmss.chinamobile.com&gt;

---------

Signed-off-by: zcq98 &lt;zhaocongqi_yewu@cmss.chinamobile.com&gt;
Co-authored-by: zcq98 &lt;zhaocongqi_yewu@cmss.chinamobile.com&gt;
diff --git a/docs/advance/vip.en.md b/docs/advance/vip.en.md
@@ -5,6 +5,10 @@ In some scenarios we want to dynamically reserve part of the IP but not assign i
 - Kubernetes nested Kubernetes scenarios where the upper Kubernetes uses the Underlay network take up the available addresses of the underlying Subnet.
 - LB or other network infrastructure requires the use of an IP within a Subnet.
 
+In addition, VIP can also reserve IP for Allowed-Address-Pairs to support scenarios where a single network card is configured with multiple IPs, e.g:
+
+- Keepalived can help achieve fast failover and flexible load balancing architecture by configuring additional IP address pairs.
+
 ## Create Random Address VIP
 
 If you just want to set aside a number of IPs and have no requirement for the IP addresses themselves, you can use the following yaml to create them:
@@ -59,8 +63,126 @@ static-vip01   10.16.0.121           00:00:00:F0:DB:26                         o
 
 It can be seen that the VIP has been assigned the expected IP address.
 
+## Pod uses VIP to bind IP
+
+> This feature is supported starting from v1.12.
+
+You can use annotation to assign a VIP to a Pod:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: static-ip
+  annotations:
+    ovn.kubernetes.io/vip: vip-dynamic-01 # Specify vip
+  namespace: default
+spec:
+  containers:
+    - name: static-ip
+      image: docker.io/library/nginx:alpine
+```
+
 ## StatefulSet & Kubevirt VM keep VIP
 
 Specify for `StatefulSet` and `VM` resources, these Pods their owned will reuse the VIP when these Pods recreating.
 
 VM keep VIP must be enable the `keep-vm-ip` param in `kube-ovn-controller`. Refer [Kubevirt VM Fixed Address Settings](../guide/setup-options.en.md#kubevirt-vm)
+
+## Create VIP to support AAP
+
+```yaml
+apiVersion: kubeovn.io/v1
+kind: Vip
+metadata:
+  name: vip-aap
+spec:
+  subnet: ovn-default
+  namespace: default
+  selector:
+    - "app: aap1"
+```
+
+VIP also supports the allocation of fixed addresses and random addresses, and the allocation method is as described above.
+
+- `namespace`: In the AAP scenario, VIP needs to explicitly specify the namespace. VIP only allows resources in the same namespace to enable the AAP function.
+- `selector`: In the AAP scenario, the node selector used to select the Pod attached to the vip has the same format as the NodeSelector in Kubernetes.
+
+Query the Port corresponding to the VIP after creation:
+
+```yaml
+# kubectl ko nbctl show ovn-default
+switch e32e1d3b-c539-45f4-ab19-be4e33a061f6 (ovn-default)
+    port aap-vip
+        type: virtual
+```
+
+## Pod uses VIP to enable AAP
+
+You can use annotation to specify a VIP to enable the AAP function, and labels need to meet the conditions of the node selector in the VIP.
+
+Pod supports specifying multiple VIPs, with a configuration format of: ovn.kubernetes.io/aaps: vip-aap,vip-aap2,vip-aap3
+
+The AAP function supports [multiple interfaces] (./multi-nic.en.md). If the Pod is configured with multiple interfaces, AAP will configure the corresponding Port in the same subnet of the Pod and the VIP.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: busybox
+  annotations:
+    ovn.kubernetes.io/aaps: vip-aap
+  labels:
+    app: aap1
+spec:
+  containers:
+    - name: busybox
+      image: busybox
+      command: ["sleep", "3600"]
+      securityContext: 
+        capabilities:
+          add:
+            - NET_ADMIN
+```
+
+Query the configuration corresponding to the AAP after creation:
+
+```bash
+# kubectl ko nbctl list logical_switch_port aap-vip
+_uuid               : cd930750-0533-4f06-a6c0-217ddac73272
+addresses           : []
+dhcpv4_options      : []
+dhcpv6_options      : []
+dynamic_addresses   : []
+enabled             : []
+external_ids        : {ls=ovn-default, vendor=kube-ovn}
+ha_chassis_group    : []
+mirror_rules        : []
+name                : aap-vip
+options             : {virtual-ip="10.16.0.100", virtual-parents="busybox.default"}
+parent_name         : []
+port_security       : []
+tag                 : []
+tag_request         : []
+type                : virtual
+up                  : false
+```
+
+Virtual ip is configured as an IP reserved for VIP, while virtual parents are configured as the port corresponding to the pod that enables AAP function.
+
+Query the configuration corresponding to the Pod after creation:
+
+```bash
+# kubectl exec -it busybox -- ip addr add 10.16.0.100/16 dev eth0
+# kubectl exec -it busybox01 -- ip addr show eth0
+35: eth0@if36: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1400 qdisc noqueue 
+    link/ether 00:00:00:e2:ab:0c brd ff:ff:ff:ff:ff:ff
+    inet 10.16.0.7/16 brd 10.16.255.255 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet 10.16.0.100/16 scope global secondary eth0
+       valid_lft forever preferred_lft forever
+    inet6 fe80::200:ff:fee2:ab0c/64 scope link 
+       valid_lft forever preferred_lft forever
+```
+
+In addition to the IP automatically assigned during Pod creation, the VIP IP has also been successfully bound, and other Pods within the current subnet can communicate with these two IPs.
diff --git a/docs/advance/vip.md b/docs/advance/vip.md
@@ -5,6 +5,10 @@
 - Kubernetes 嵌套 Kubernetes 的场景中上层 Kubernetes 使用 Underlay 网络会占用底层 Subnet 可用地址。
 - LB 或其他网络基础设施需要使用一个 Subnet 内的 IP，但不会单独起 Pod。
 
+此外，VIP 还可以为 Allowed-Address-Pairs 预留 IP 用来支持单个网卡配置多个 IP 的场景，例如：
+
+- Keepalived 通过配置额外的 IP 地址对，可以帮助实现快速故障切换和灵活的负载均衡架构
+
 ## 创建随机地址 VIP
 
 如果只是为了预留若干 IP 而对 IP 地址本身没有要求可以使用下面的 yaml 进行创建：
@@ -84,3 +88,101 @@ spec:
 针对 `StatefulSet` 和 `VM` 的特殊性，在他们的 Pod 销毁再拉起起后会重新使用之前设置的 VIP。
 
 VM 保留 VIP 需要确保 `kube-ovn-controller` 的 `keep-vm-ip` 参数为 `true`。请参考 [Kubevirt VM 固定地址开启设置](../guide/setup-options.md#kubevirt-vm)
+
+## 创建 VIP 支持 AAP
+
+```yaml
+apiVersion: kubeovn.io/v1
+kind: Vip
+metadata:
+  name: vip-aap
+spec:
+  subnet: ovn-default
+  namespace: default
+  selector:
+    - "app: aap1"
+```
+
+VIP 同样支持固定地址和随机地址的分配，分配方式如上文所述。
+
+- `namespace`: AAP 场景下，VIP 需显式地指定命名空间，VIP 仅允许相同命名空间的资源开启 AAP 功能。
+- `selector`: AAP 场景下，用于选择 VIP 所附属的 Pod 的节点选择器，格式和 Kubernetes 中的 NodeSelector 格式相同。
+
+创建成功后查询该 VIP 对应的 Port：
+
+```bash
+# kubectl ko nbctl show ovn-default
+switch e32e1d3b-c539-45f4-ab19-be4e33a061f6 (ovn-default)
+    port aap-vip
+        type: virtual
+```
+
+## Pod 使用 VIP 开启 AAP
+
+可以使用 annotation 指定 VIP 开启 AAP 功能，labels 需要满足 VIP 中节点选择器的条件。
+
+Pod 支持指定多个 VIP，配置格式为：ovn.kubernetes.io/aaps: vip-aap,vip-aap2,vip-aap3
+
+AAP 功能支持[多网卡场景](./multi-nic.md)，若 Pod 配置了多网卡，AAP 会对 Pod 中和 VIP 同一 subnet 的对应 Port 进行配置
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: busybox
+  annotations:
+    ovn.kubernetes.io/aaps: vip-aap
+  labels:
+    app: aap1
+spec:
+  containers:
+    - name: busybox
+      image: busybox
+      command: ["sleep", "3600"]
+      securityContext: 
+        capabilities:
+          add:
+            - NET_ADMIN
+```
+
+创建成功后查询该 AAP 对应的配置：
+
+```bash
+# kubectl ko nbctl list logical_switch_port aap-vip
+_uuid               : cd930750-0533-4f06-a6c0-217ddac73272
+addresses           : []
+dhcpv4_options      : []
+dhcpv6_options      : []
+dynamic_addresses   : []
+enabled             : []
+external_ids        : {ls=ovn-default, vendor=kube-ovn}
+ha_chassis_group    : []
+mirror_rules        : []
+name                : aap-vip
+options             : {virtual-ip="10.16.0.100", virtual-parents="busybox.default"}
+parent_name         : []
+port_security       : []
+tag                 : []
+tag_request         : []
+type                : virtual
+up                  : false
+```
+
+virtual-ip 被配置为 VIP 预留的 IP，virtual-parents 配置为开启 AAP 功能的 Pod 对应的 Port。
+
+创建成功后查询该 Pod 对应的配置：
+
+```bash
+# kubectl exec -it busybox -- ip addr add 10.16.0.100/16 dev eth0
+# kubectl exec -it busybox01 -- ip addr show eth0
+35: eth0@if36: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1400 qdisc noqueue 
+    link/ether 00:00:00:e2:ab:0c brd ff:ff:ff:ff:ff:ff
+    inet 10.16.0.7/16 brd 10.16.255.255 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet 10.16.0.100/16 scope global secondary eth0
+       valid_lft forever preferred_lft forever
+    inet6 fe80::200:ff:fee2:ab0c/64 scope link 
+       valid_lft forever preferred_lft forever
+```
+
+除 Pod 创建时自动分配的 IP，VIP 的 IP 也被成功绑定，并且当前 subnet 内的其它 Pod 能和这两个 IP 进行通信。
