If your data center uses a Border Gateway Protocol (BGP) network in a hybrid cloud environment, you can use only the BGP Peer mode. In this case, the switches and routers that are used in the data center must support BGP. Calico is a networking solution that supports overlay networks and BGP networks. This topic describes how to use Calico to configure container networks for Kubernetes clusters that are deployed in data centers.
Prerequisites
A Kubernetes cluster is created in your data center. The Calico plug-in is installed in the cluster. For more information, see Install Calico.
Your data center is connected to Cloud Enterprise Network (CEN). For more information, see Use CEN and Enterprise Edition transit routers to enable intra-region communication between on-premises and cloud networks.
Background Information
The following figure shows how a data center is connected to Alibaba Cloud.
Procedure
Install the calicoctl command-line tool. For more information, see Install calicoctl.
Create the BGPConfiguration and BGPPeer resource objects that configure BGP for the cluster, based on the following template. These objects configure BGP peering, not a Calico network policy.
Set the asNumber and peerIP parameters based on your data center. In the BGPConfiguration, asNumber is the AS number that the cluster nodes use; in the BGPPeer, peerIP and asNumber identify the router in the data center. The template uses the same AS number on both sides, which makes the session iBGP. Because nodeToNodeMeshEnabled is set to false, the nodes do not peer with each other, so each node learns the pod routes of the other nodes only from the peer; the router must therefore re-advertise the routes it learns from the nodes (for iBGP, it must act as a route reflector), otherwise cross-node pod traffic does not work.

kubectl apply -f - << EOF
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: false
  asNumber: 64513
EOF

kubectl apply -f - << EOF
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: my-global-peer
spec:
  peerIP: 192.168.0.1
  asNumber: 64513
EOF

The manifests use the projectcalico.org/v3 API. kubectl can apply them only if the Calico API server is installed in the cluster; otherwise run calicoctl apply -f - with the same input.
Use one of the following methods to verify that the BGP session is established and that the routes are propagated.
Use calicoctl to check that the BGP session with the peer is established. In the IPv4 BGP status table, STATE must be up and INFO must be Established. If the session stays in another state, check that the router has a BGP neighbor entry for the node, that the AS numbers on both sides are consistent (the router's neighbor entry uses the cluster AS number and the BGPPeer uses the router's AS number), and that TCP port 179 is not blocked between the node and the peer.

[root@master ~]# ./calicoctl node status
Calico process is running.

IPv4 BGP status
+--------------+-----------+-------+----------+-------------+
| PEER ADDRESS | PEER TYPE | STATE | SINCE    | INFO        |
+--------------+-----------+-------+----------+-------------+
| 192.168.0.1  | global    | up    | 03:38:03 | Established |
+--------------+-----------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.
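The following script is an added example and is not part of the original page or of Calico or ACK. It ties the two preceding steps together for a rollout script: it validates the AS numbers and peer IP before rendering the BGPConfiguration and BGPPeer manifests from the template above, and it parses calicoctl node status output so a deployment can fail automatically when the peer is not Established. The AS numbers and the peer IP are assumptions (your data center's values go there), and the two status outputs embedded in the script are constructed samples, not captured from a real cluster.

```shell
#!/bin/sh
# Added example (not from the original page or from Calico/ACK): helpers for the
# BGP peering steps above. Assumptions: the AS numbers and the peer IP are the
# ones your data center actually uses; the two 'calicoctl node status' outputs
# below are constructed samples, not captured from a real cluster.

# True if $1 is a 16-bit or 32-bit AS number (1..4294967295).
valid_asn() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 4294967295 ]
}

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the BGPConfiguration and BGPPeer manifests for the cluster AS number
# ($1), the router's AS number ($2) and the router's IP ($3). Returns 1 on bad
# input so a typo never reaches the cluster. Feed the output to
# 'calicoctl apply -f -' (or 'kubectl apply -f -' if the Calico API server is
# installed).
bgp_manifests() {
  valid_asn "$1" && valid_asn "$2" && valid_ipv4 "$3" || return 1
  cat <<EOF
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: false
  asNumber: $1
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: my-global-peer
spec:
  peerIP: $3
  asNumber: $2
EOF
}

# Read 'calicoctl node status' output on stdin, print "ADDRESS STATE INFO"
# for each peer row, and return 1 unless at least one peer exists and every
# peer reports Established. Suitable as a post-apply check in a rollout script.
check_bgp_peers() {
  awk -F'|' '
    /^\|/ && $2 !~ /PEER ADDRESS/ {
      gsub(/ /, "", $2); gsub(/ /, "", $4); gsub(/ /, "", $6)
      print $2, $4, $6
      peers++
      if ($6 != "Established") bad++
    }
    END { exit (peers == 0 || bad > 0) ? 1 : 0 }'
}

# Constructed sample: the healthy output shown on this page.
SAMPLE_UP='Calico process is running.

IPv4 BGP status
+--------------+-----------+-------+----------+-------------+
| PEER ADDRESS | PEER TYPE | STATE | SINCE    | INFO        |
+--------------+-----------+-------+----------+-------------+
| 192.168.0.1  | global    | up    | 03:38:03 | Established |
+--------------+-----------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.'

# Constructed sample: the router never answered (typical when TCP 179 is
# filtered or the neighbor is not configured on the router side).
SAMPLE_DOWN='Calico process is running.

IPv4 BGP status
+--------------+-----------+-------+----------+-------------+
| PEER ADDRESS | PEER TYPE | STATE | SINCE    | INFO        |
+--------------+-----------+-------+----------+-------------+
| 192.168.0.1  | global    | start | 03:38:03 | Connect     |
+--------------+-----------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.'

# Stand-alone demo. In a real rollout replace the sample with:
#   calicoctl node status | check_bgp_peers
if bgp_manifests 64513 64513 192.168.0.1 >/dev/null; then
  echo "manifests: ok"
fi
for s in "$SAMPLE_UP" "$SAMPLE_DOWN"; do
  if printf '%s\n' "$s" | check_bgp_peers; then
    echo "peering: healthy"
  else
    echo "peering: NOT established"
  fi
done
```

The manifest function refuses to emit anything on malformed input because an accepted but wrong AS number or peer IP silently leaves the cluster without a working session; the status check returns non-zero on any non-Established peer so a pipeline stops before the next step assumes the routes are in place.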
Check whether a new route entry is added to the custom route table of the virtual private cloud (VPC) that is attached to the CEN instance.
Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
On the Route Tables page, click the name of the route table to go to the details page.
Click Route Entry List. Then, click Cloud Enterprise Network to verify that a new route entry is added to the route table.