K3s Network Optimization and Ingress Configuration
This article covers network optimization strategies for K3s clusters, Traefik Ingress deployment and configuration, and CoreDNS performance tuning.
Overview
In a Kubernetes cluster, network performance and DNS resolution efficiency directly affect application response time and stability. This article describes how to optimize the network components of a K3s environment: configuring the IPVS proxy mode, deploying Traefik Ingress, and tuning CoreDNS.
IPVS proxy mode configuration
Why use IPVS
Compared with the default iptables mode, IPVS has the following advantages:
- Better load-balancing performance
- A richer set of scheduling algorithms (rr, wrr, lc, wlc, and so on)
- Better scalability, suited to large clusters
Enabling IPVS mode
Enable it with a parameter when installing K3s:
```sh
# Server node: pass this on the k3s server command line (agents accept the same flag)
--kube-proxy-arg=proxy-mode=ipvs
# Verify that IPVS is in use (requires the ipvsadm package on the node)
ipvsadm -L -n
ipvsadm -L -n --stats
```
IPVS module dependencies
Make sure the required kernel modules are loaded:
```sh
# Create the module-loading script (a shell script, run manually below)
cat > /etc/modules-load.d/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
EOF
chmod 755 /etc/modules-load.d/ipvs.modules
bash /etc/modules-load.d/ipvs.modules
# Confirm the modules are loaded
lsmod | grep -e ip_vs -e nf_conntrack
```
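As an added check (not from the original post): systemd-modules-load only reads `*.conf` files under /etc/modules-load.d containing one bare module name per line, so the script above has to be re-run by hand after every boot. The script below writes the list in that format and reports which required modules an `lsmod` listing is missing; the conf path and the sample `lsmod` output are assumptions I constructed.

```shell
#!/bin/sh
# Added example: persist the IPVS modules in the format systemd-modules-load
# expects (one module name per line in a *.conf file) and report which of
# them are not yet loaded. The ipvs.modules shell script above is not read at boot.
set -eu

IPVS_MODULES="ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack"

# write_modules_conf [FILE]: write the boot-time module list; prints the line count.
# The default path is an assumption (any *.conf name under modules-load.d works).
write_modules_conf() {
  conf=${1:-/etc/modules-load.d/ipvs.conf}
  : > "$conf"
  for m in $IPVS_MODULES; do
    printf '%s\n' "$m" >> "$conf"
  done
  wc -l < "$conf" | tr -d ' '
}

# missing_modules LSMOD_OUTPUT: print required modules absent from lsmod-style text
missing_modules() {
  lsmod_out=$1
  for m in $IPVS_MODULES; do
    # lsmod prints the module name in the first column; -x avoids ip_vs matching ip_vs_rr
    if ! printf '%s\n' "$lsmod_out" | awk '{print $1}' | grep -qx "$m"; then
      printf '%s\n' "$m"
    fi
  done
}

# Constructed lsmod output for a node where only ip_vs and nf_conntrack are loaded
SAMPLE_LSMOD='Module                  Size  Used by
ip_vs                 196608  0
nf_conntrack          180224  1 ip_vs
overlay               151552  0'

# Run with "run" as the first argument on a real node: persist, load, then verify
if [ "${1:-}" = "run" ]; then
  write_modules_conf
  for m in $IPVS_MODULES; do modprobe -- "$m"; done
  missing_modules "$(lsmod)"
fi
```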
Traefik Ingress deployment
Disabling the default Traefik
K3s installs Traefik by default. To use a custom configuration, first disable it at install time:
```sh
# Method 1: install parameter
--disable traefik
# Method 2: configuration file (v1.30.3+)
mkdir -p /etc/rancher/k3s
cat > /etc/rancher/k3s/config.yaml <<EOF
disable:
  - traefik
  - servicelb
EOF
```
Installing Traefik v3 with Helm
```sh
# Add the repository
helm repo add traefik https://traefik.github.io/charts
helm repo update
# Pull the chart
helm pull traefik/traefik --version 28.2.0
# Unpack and configure
tar -xf traefik-28.2.0.tgz
cd traefik
```
Production configuration
```yaml
# prod-traefik-v3.yaml
nodeSelector:
  traefik-lb: "true"
tolerations:
  - key: dedicated
    operator: Equal
    value: ingress-only
    effect: NoSchedule
deployment:
  enabled: true
  kind: Deployment
  replicas: 2
additionalArguments:
  - "--log.level=INFO"
  # Disables certificate verification toward backends: Traefik will accept any
  # certificate an upstream presents. Acceptable only for trusted in-cluster backends.
  - "--serversTransport.insecureSkipVerify=true"
  # Off by default in Traefik: lets an Ingress/IngressRoute target an ExternalName
  # Service, i.e. send traffic to hosts outside the cluster.
  - "--providers.kubernetesingress.allowexternalnameservices"
  - "--providers.kubernetescrd.allowexternalnameservices"
ingressClass:
  enabled: true
  isDefaultClass: true
providers:
  kubernetesIngress:
    enabled: true
    allowExternalNameServices: true
    # Lets an Ingress reference Services in other namespaces; weakens namespace isolation
    allowCrossNamespace: true
    publishedService:
      enabled: true
ports:
  traefik:
    port: 9000
    expose:
      default: false   # dashboard/API entrypoint stays cluster-internal
    exposedPort: 9000
    protocol: TCP
  web:
    port: 8000
    expose:
      default: true
    exposedPort: 80
    protocol: TCP
  websecure:
    port: 8443
    expose:
      default: true
    exposedPort: 443
    protocol: TCP
    tls:
      enabled: true
    http3:
      enabled: true
rbac:
  enabled: true
logs:
  access:
    enabled: true
```
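The values file above turns on several options that trade isolation for convenience. As an added example (my own script, not part of the Traefik chart or the original post), the following check flags them in a values file so the trade-off is reviewed deliberately; the constructed excerpt in SAMPLE_VALUES mirrors the settings above.

```shell
#!/bin/sh
# Added example: flag settings in a Traefik Helm values file that weaken security.
# One finding per output line; count_findings returns the number of findings.
set -eu

audit_traefik_values() {
  f=$1
  # Backend certificate verification disabled: any upstream certificate is accepted.
  grep -q 'insecureSkipVerify=true' "$f" \
    && echo "backend TLS verification disabled (serversTransport.insecureSkipVerify)"
  # ExternalName Services let an Ingress route to hosts outside the cluster (off by default).
  grep -Eq 'allowexternalnameservices|allowExternalNameServices: *true' "$f" \
    && echo "ExternalName Services allowed"
  # Cross-namespace references weaken isolation between tenants.
  grep -q 'allowCrossNamespace: *true' "$f" \
    && echo "cross-namespace Service references allowed"
  # Dashboard/API entrypoint published through the Service (ports.traefik.expose.default: true).
  awk '/^  traefik:/{in_t=1;next} /^  [a-z]/{in_t=0} in_t && /default: *true/{found=1} END{exit !found}' "$f" \
    && echo "dashboard entrypoint 9000 exposed"
  return 0
}

count_findings() { audit_traefik_values "$1" | wc -l | tr -d ' '; }

# Constructed excerpt of the production values file above
SAMPLE_VALUES='additionalArguments:
  - "--serversTransport.insecureSkipVerify=true"
  - "--providers.kubernetesingress.allowexternalnameservices"
providers:
  kubernetesIngress:
    allowExternalNameServices: true
    allowCrossNamespace: true
ports:
  traefik:
    port: 9000
    expose:
      default: false
  web:
    expose:
      default: true'

# Usage on a real file: audit_traefik_values prod-traefik-v3.yaml
```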
Installing Traefik
```sh
# Create the namespace
kubectl create ns traefik
# Label the gateway nodes (matched by the nodeSelector in the values file)
# The tolerations only matter if these nodes also carry the dedicated=ingress-only:NoSchedule taint
kubectl label node k8s-server-01 traefik-lb=true
kubectl label node k8s-server-02 traefik-lb=true
# Install
helm install -n kube-system -f prod-traefik-v3.yaml traefik ./
# Upgrade
helm upgrade -n kube-system -f prod-traefik-v3.yaml traefik ./
```
Ingress configuration examples
HTTP route
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: default
spec:
  ingressClassName: traefik
  rules:
    - host: nginx.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-service
                port:
                  number: 80
```
HTTPS route (TLS configuration)
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  namespace: default
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - app.example.com
      secretName: app-tls-secret   # must exist in the same namespace as the Ingress
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 80
```
Creating the TLS certificate Secret
```sh
# Create the Secret from the certificate and key files
kubectl create secret tls app-tls-secret \
  --cert=app.example.com.crt \
  --key=app.example.com.key \
  -n default
```
TCP route configuration
Configuring a TCP entryPoint
Add the following to the Traefik values.yaml:
```yaml
ports:
  mysql:
    port: 9200
    expose:
      default: true
    exposedPort: 9200
    protocol: TCP
```
TCP IngressRoute
```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mysql-route
  namespace: default
spec:
  entryPoints:
    - mysql
  routes:
    # Plain TCP carries no SNI, so HostSNI(`*`) is required; it matches every
    # connection arriving on this entrypoint.
    - match: HostSNI(`*`)
      services:
        - name: mysql-service
          port: 3306
```
CoreDNS performance optimization
Enabling the autopath plugin
The autopath plugin reduces the number of DNS queries a pod has to issue and so speeds up resolution:
```sh
# Edit the CoreDNS configuration
kubectl -n kube-system edit configmap coredns
```
Change it to the following:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods verified   # change insecure to verified (autopath needs it to map the source IP to a namespace)
            fallthrough in-addr.arpa ip6.arpa
        }
        autopath @kubernetes   # add this line
        prometheus :9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }
```
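To see what autopath saves, the added example below (not from the original post) emulates a pod resolver with ndots:5 and the default cluster search list for the `default` namespace: a short external name such as github.com is tried against each search domain before the literal name, and each attempt is a separate round trip (doubled in practice for A and AAAA). With `pods verified`, CoreDNS can map the querying pod's source IP to its namespace and answer the very first, namespace-suffixed query itself, which is what `autopath @kubernetes` does.

```shell
#!/bin/sh
# Added example: emulate the client-side search-list expansion that autopath
# short-circuits on the server. NDOTS and SEARCH are the defaults a pod in the
# "default" namespace gets in /etc/resolv.conf.
set -eu

NDOTS=5
SEARCH="default.svc.cluster.local svc.cluster.local cluster.local"

# expand_search NAME: print the absolute names the resolver will try, in order
expand_search() {
  name=$1
  case $name in
    *.) printf '%s\n' "$name"; return 0 ;;   # trailing dot: absolute name, single query
  esac
  dots=$(printf '%s' "$name" | tr -cd '.' | wc -c | tr -d ' ')
  if [ "$dots" -ge "$NDOTS" ]; then
    # enough dots: try the literal name first, the search list only on failure
    printf '%s.\n' "$name"
    for d in $SEARCH; do printf '%s.%s.\n' "$name" "$d"; done
  else
    # fewer dots than ndots: walk the search list first, literal name last
    for d in $SEARCH; do printf '%s.%s.\n' "$name" "$d"; done
    printf '%s.\n' "$name"
  fi
}

# query_count NAME: worst-case number of lookups (per record type) without autopath
query_count() { expand_search "$1" | wc -l | tr -d ' '; }

# Usage: expand_search github.com   (4 candidates; autopath answers on the first)
```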
Increasing the CoreDNS replica count
```sh
# Edit the packaged manifest (K3s re-extracts its packaged manifests on startup,
# so confirm the change survives a k3s service restart)
vim /var/lib/rancher/k3s/server/manifests/coredns.yaml
# Change the replica count
spec:
  replicas: 3   # adjust to the number of nodes
```
Configuring CoreDNS autoscaling
```yaml
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: coredns
  namespace: kube-system
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: coredns
  minReplicas: 3
  maxReplicas: 6
  targetCPUUtilizationPercentage: 50
```
Custom DNS resolution
```yaml
# K3s's default Corefile imports the *.server keys of this ConfigMap as extra server blocks
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-custom
  namespace: kube-system
data:
  custom.server: |
    custom.domain {
        hosts {
            10.10.10.31 service1.custom.domain
            10.10.10.32 service2.custom.domain
            fallthrough
        }
    }
```
After applying it, restart CoreDNS:
```sh
kubectl -n kube-system rollout restart deployment coredns
```
Network tuning parameters
Kernel parameter optimization
```sh
# Create the network tuning configuration
cat > /etc/sysctl.d/network-tuning.conf <<EOF
# TCP connection tuning
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 10
# TCP buffers
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# Connection queues
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_syn_backlog = 8096
# TIME_WAIT tuning (once the bucket cap is hit, TIME_WAIT sockets are dropped immediately
# and the kernel logs a warning; tcp_tw_reuse only affects outgoing connections)
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_tw_reuse = 1
EOF
sysctl --system
```
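Written values only help if the kernel actually applied them (a hardened or container-optimised image may reject some keys). As an added example, not from the original post, this script compares a file in the format above with the running values under /proc/sys; SYSROOT is an assumed variable so the check can be pointed at a test tree, and the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example: report drift between a sysctl.d file and the running kernel values.
# Reads /proc/sys directly so it does not depend on the sysctl binary.
set -eu

SYSROOT=${SYSROOT:-/proc/sys}   # assumption: overridable root for testing

# sysctl_drift FILE: print "key: want=<desired> have=<running>" for each mismatch,
# ignoring comment and blank lines; keys absent from the kernel are reported as missing
sysctl_drift() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
    key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
    want=$(printf '%s' "$line" | cut -d= -f2- | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
    path="$SYSROOT/$(printf '%s' "$key" | tr . /)"
    if [ ! -r "$path" ]; then
      printf '%s: want=%s have=<missing>\n' "$key" "$want"
      continue
    fi
    # multi-value keys such as tcp_rmem are tab-separated in /proc; normalise whitespace
    have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//')
    [ "$want" = "$have" ] || printf '%s: want=%s have=%s\n' "$key" "$want" "$have"
  done
}

# count_drift FILE: number of keys that differ from (or are missing in) the running kernel
count_drift() { sysctl_drift "$1" | wc -l | tr -d ' '; }

# Usage on a node: sysctl_drift /etc/sysctl.d/network-tuning.conf
```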
Troubleshooting
DNS debugging
```sh
# Create a test Pod
cat > dnsutils.yaml <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: dnsutils
spec:
  containers:
    - name: dnsutils
      image: registry.k8s.io/e2e-test-images/jessie-dnsutils:1.3
      command: ["sleep", "infinity"]
EOF
kubectl apply -f dnsutils.yaml
# Test DNS resolution
kubectl exec -it dnsutils -- nslookup kubernetes.default
# View the CoreDNS logs
kubectl logs -n kube-system -l k8s-app=kube-dns
```
Traefik debugging
```sh
# View the Traefik logs
kubectl logs -n kube-system -l app.kubernetes.io/name=traefik
# Open the Traefik dashboard through a port-forward (the entrypoint is not exposed by the Service)
kubectl -n kube-system port-forward $(kubectl -n kube-system get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
```
Summary
This article covered the network optimization methods for a K3s cluster:
- IPVS mode: better load-balancing performance and scalability
- Traefik Ingress: a feature-rich Ingress controller supporting HTTP/HTTPS/TCP routing
- CoreDNS tuning: autopath and autoscaling to improve DNS resolution performance
- Network tuning: kernel parameters to improve TCP connection performance
With sensible network configuration and tuning, the throughput and stability of a K3s cluster can be improved significantly.