docs: add gvisor service proxy mode arch

2025-12-24 11:51:13 +08:00 · 2025-01-24 10:52:18 +00:00
parent ebfb7168d2
commit e0e45cf84e
4 changed files with 24 additions and 320 deletions
--- a/README.md
+++ b/README.md
@@ -42,9 +42,8 @@ With KubeVPN, empower yourself to develop applications entirely on your local PC
 1. [QuickStart](./README.md#quickstart)
 2. [Functions](./README.md#functions)
-3. [FAQ](./README.md#faq)
+3. [Architecture](./README.md#architecture)
-4. [Architecture](./README.md#architecture)
+4. [Contributions](./README.md#Contributions)
 5. [Contributions](./README.md#Contributions)
 ## QuickStart
@@ -710,165 +709,9 @@ support OSI model layers 3 and above, protocols like `ICMP`, `TCP`, and `UDP`...
 - Linux
 - Windows
 ## FAQ
 ### 1, What should I do if the dependent image cannot be pulled, or the inner environment cannot access docker.io?
 Answer: here are two solutions to solve this problem
 - Solution 1: In the network that can access docker.io, transfer the image in the command `kubevpn version` to your own
  private image registry, and then add option `--image` to special image when starting the command.
  Example:
 ``` shell
 ➜  ~ kubevpn version
 KubeVPN: CLI
    Version: v2.0.0
    Daemon: v2.0.0
    Image: docker.io/naison/kubevpn:v2.0.0
    Branch: feature/daemon
    Git commit: 7c3a87e14e05c238d8fb23548f95fa1dd6e96936
    Built time: 2023-09-30 22:01:51
    Built OS/Arch: darwin/arm64
    Built Go version: go1.20.5
 ```
 Image is `docker.io/naison/kubevpn:v2.0.0`, transfer this image to private docker registry
 ```text
 docker pull docker.io/naison/kubevpn:v2.0.0
 docker tag docker.io/naison/kubevpn:v2.0.0 [docker registry]/[namespace]/[repo]:[tag]
 docker push [docker registry]/[namespace]/[repo]:[tag]
 ```
 Then you can use this image, as follows:
 ```text
 ➜  ~ kubevpn connect --image [docker registry]/[namespace]/[repo]:[tag]
 Starting connect
 Getting network CIDR from cluster info...
 Getting network CIDR from CNI...
 Getting network CIDR from services...
 ...
 ```
 - Solution 2: Use options `--transfer-image`, enable this flags will transfer image from default image to `--image`
  special address automatically。
  Example
 ```shell
 ➜  ~ kubevpn connect --transfer-image --image nocalhost-team-docker.pkg.coding.net/nocalhost/public/kubevpn:v2.0.0
 v2.0.0: Pulling from naison/kubevpn
 Digest: sha256:450446850891eb71925c54a2fab5edb903d71103b485d6a4a16212d25091b5f4
 Status: Image is up to date for naison/kubevpn:v2.0.0
 The push refers to repository [nocalhost-team-docker.pkg.coding.net/nocalhost/public/kubevpn]
 ecc065754c15: Preparing
 f2b6c07cb397: Pushed
 448eaa16d666: Pushed
 f5507edfc283: Pushed
 3b6ea9aa4889: Pushed
 ecc065754c15: Pushed
 feda785382bb: Pushed
 v2.0.0: digest: sha256:85d29ebb53af7d95b9137f8e743d49cbc16eff1cdb9983128ab6e46e0c25892c size: 2000
 Starting connect
 Got network CIDR from cache
 Use exist traffic manager
 Forwarding port...
 Connected tunnel
 Adding route...
 Configured DNS service
 +----------------------------------------------------------+
 | Now you can access resources in the kubernetes cluster ! |
 +----------------------------------------------------------+
 ➜  ~
 ```
 ### 2, When use `kubevpn dev`, but got error code 137, how to resolve?
 ```text
 Configured DNS service
 tar: Removing leading `/' from member names
 tar: Removing leading `/' from hard link targets
 /var/folders/30/cmv9c_5j3mq_kthx63sb1t5c0000gn/T/7375606548554947868:/var/run/secrets/kubernetes.io/serviceaccount
 Created container: server_vke-system_kubevpn_0db84
 Wait container server_vke-system_kubevpn_0db84 to be running...
 Container server_vke-system_kubevpn_0db84 is running on port 8888/tcp: 6789/tcp:6789 now
 $ Status: , Code: 137
 Performing cleanup operations
 Clearing DNS settings
 ```
 This is because of your docker-desktop required resource is less than pod running request resource, it OOM killed, so
 you can add more resource in your docker-desktop setting `Preferences --> Resources --> Memory`
 ### 3, Using WSL( Windows Sub Linux ) Docker, when use mode `kubevpn dev`, can not connect to cluster network, how to solve this problem?
 Answer:
 this is because WSL'Docker using Windows's Network, so if even start a container in WSL, this container will not use WSL
 network, but use Windows network
 Solution:
 - 1): install docker in WSL, not use Windows Docker-desktop
 - 2): use command `kubevpn connect` on Windows, and then startup `kubevpn dev` in WSL
 - 3): startup a container using command `kubevpn connect` on Windows, and then
  startup `kubevpn dev --network container:$CONTAINER_ID` in WSL
 ### 4，After use command `kubevpn dev` enter develop mode，but can't assess kubernetes api-server，occur error `172.17.0.1:443 connect refusued`，how to solve this problem?
 Answer:
 Maybe k8s network subnet is conflict with docker subnet
 Solution:
 - Use option `--connect-mode container` to startup command `kubevpn dev`
 - Modify `~/.docker/daemon.json`, add not conflict subnet, eg: `"bip": "172.15.0.1/24"`.
 ```shell
 ➜  ~ cat ~/.docker/daemon.json
 {
  "builder": {
    "gc": {
      "defaultKeepStorage": "20GB",
      "enabled": true
    }
  },
  "experimental": false,
  "features": {
    "buildkit": true
  },
  "insecure-registries": [
  ],
 }
 ```
 add subnet not conflict, eg: 172.15.0.1/24
 ```shell
 ➜  ~ cat ~/.docker/daemon.json
 {
  "builder": {
    "gc": {
      "defaultKeepStorage": "20GB",
      "enabled": true
    }
  },
  "experimental": false,
  "features": {
    "buildkit": true
  },
  "insecure-registries": [
  ],
  "bip": "172.15.0.1/24"
 }
 ```
 restart docker and retry
 ## Architecture
 ![arch.svg](docs/en/images/proxy-arch.svg)
 Architecture can be found [here](/docs/en/Architecture.md)
 and [website](https://www.kubevpn.cn/docs/architecture/connect).
--- a/README_ZH.md
+++ b/README_ZH.md
@@ -37,9 +37,8 @@ Docker
 1. [快速开始](./README_ZH.md#快速开始)
 2. [功能](./README_ZH.md#功能)
-3. [问答](./README_ZH.md#问答)
+3. [架构](./README_ZH.md#架构)
-4. [架构](./README_ZH.md#架构)
+4. [贡献代码](./README_ZH.md#贡献代码)
 5. [贡献代码](./README_ZH.md#贡献代码)
 ## 快速开始
@@ -628,161 +627,9 @@ d0b3dab8912a   naison/kubevpn:v2.0.0           "/bin/bash"              5 minute
 - Linux
 - Windows
 ## 问答
 ### 1，依赖的镜像拉不下来，或者内网环境无法访问 docker.io 怎么办？
 答：有两种方法可以解决
 - 第一种，在可以访问 docker.io 的网络中，将命令 `kubevpn version` 中的 image 镜像，
  转存到自己的私有镜像仓库，然后启动命令的时候，加上 `--image 新镜像` 即可。
  例如:
 ``` shell
 ➜  ~ kubevpn version
 KubeVPN: CLI
    Version: v2.0.0
    Daemon: v2.0.0
    Image: docker.io/naison/kubevpn:v2.0.0
    Branch: feature/daemon
    Git commit: 7c3a87e14e05c238d8fb23548f95fa1dd6e96936
    Built time: 2023-09-30 22:01:51
    Built OS/Arch: darwin/arm64
    Built Go version: go1.20.5
 ```
 镜像是 `docker.io/naison/kubevpn:v2.0.0`，将此镜像转存到自己的镜像仓库。
 ```text
 docker pull docker.io/naison/kubevpn:v2.0.0
 docker tag docker.io/naison/kubevpn:v2.0.0 [镜像仓库地址]/[命名空间]/[镜像仓库]:[镜像版本号]
 docker push [镜像仓库地址]/[命名空间]/[镜像仓库]:[镜像版本号]
 ```
 然后就可以使用这个镜像了，如下：
 ```text
 ➜  ~ kubevpn connect --image [docker registry]/[namespace]/[repo]:[tag]
 Starting connect
 Getting network CIDR from cluster info...
 Getting network CIDR from CNI...
 Getting network CIDR from services...
 ...
 ...
 ```
 - 第二种，使用选项 `--transfer-image`, 这个选项将会自动转存镜像到选项 `--image` 指定的地址。
  例如：
 ```shell
 ➜  ~ kubevpn connect --transfer-image --image nocalhost-team-docker.pkg.coding.net/nocalhost/public/kubevpn:v2.0.0
 v2.0.0: Pulling from naison/kubevpn
 Digest: sha256:450446850891eb71925c54a2fab5edb903d71103b485d6a4a16212d25091b5f4
 Status: Image is up to date for naison/kubevpn:v2.0.0
 The push refers to repository [nocalhost-team-docker.pkg.coding.net/nocalhost/public/kubevpn]
 ecc065754c15: Preparing
 f2b6c07cb397: Pushed
 448eaa16d666: Pushed
 f5507edfc283: Pushed
 3b6ea9aa4889: Pushed
 ecc065754c15: Pushed
 feda785382bb: Pushed
 v2.0.0: digest: sha256:85d29ebb53af7d95b9137f8e743d49cbc16eff1cdb9983128ab6e46e0c25892c size: 2000
 Starting connect
 Got network CIDR from cache
 Use exist traffic manager
 Forwarding port...
 Connected tunnel
 Adding route...
 Configured DNS service
 +----------------------------------------------------------+
 | Now you can access resources in the kubernetes cluster ! |
 +----------------------------------------------------------+
 ➜  ~
 ```
 ### 2，在使用 `kubevpn dev` 进入开发模式的时候,有出现报错 137, 改怎么解决 ?
 ```text
 Configured DNS service
 tar: Removing leading `/' from member names
 tar: Removing leading `/' from hard link targets
 /var/folders/30/cmv9c_5j3mq_kthx63sb1t5c0000gn/T/7375606548554947868:/var/run/secrets/kubernetes.io/serviceaccount
 Created container: server_vke-system_kubevpn_0db84
 Wait container server_vke-system_kubevpn_0db84 to be running...
 Container server_vke-system_kubevpn_0db84 is running on port 8888/tcp: 6789/tcp:6789 now
 $ Status: , Code: 137
 Performing cleanup operations
 Clearing DNS settings
 ```
 这是因为你的 `Docker-desktop` 声明的资源, 小于 container 容器启动时所需要的资源, 因此被 OOM 杀掉了,
 你可以增加 `Docker-desktop` 对于 resources
 的设置, 目录是：`Preferences --> Resources --> Memory`
 ### 3，使用 WSL( Windows Sub Linux ) Docker, 用命令 `kubevpn dev` 进入开发模式的时候, 在 terminal 中无法提示链接集群网络, 这是为什么, 如何解决?
 答案: 这是因为 WSL 的 Docker 使用的是 主机 Windows 的网络, 所以即便在 WSL 中启动 container, 这个 container 不会使用 WSL
 的网络，而是使用 Windows 的网络。
 解决方案:
 - 1): 在 WSL 中安装 Docker, 不要使用 Windows 版本的 Docker-desktop
 - 2): 在主机 Windows 使用命令 `kubevpn connect`, 然后在 WSL 中使用 `kubevpn dev` 进入开发模式
 - 3): 在主机 Windows 上启动一个 container，在 container 中使用命令 `kubevpn connect`, 然后在 WSL
  中使用 `kubevpn dev --network container:$CONTAINER_ID`
 ### 4，在使用 `kubevpn dev` 进入开发模式后，无法访问容器网络，出现错误 `172.17.0.1:443 connect refusued`，该如何解决？
 答案：大概率是因为 k8s 容器网络和 docker 网络网段冲突了。
 解决方案：
 - 使用参数 `--connect-mode container` 在容器中链接，也可以解决此问题
 - 可以修改文件 `~/.docker/daemon.json` 增加不冲突的网络，例如 `"bip": "172.15.0.1/24"`.
 ```shell
 ➜  ~ cat ~/.docker/daemon.json
 {
  "builder": {
    "gc": {
      "defaultKeepStorage": "20GB",
      "enabled": true
    }
  },
  "experimental": false,
  "features": {
    "buildkit": true
  },
  "insecure-registries": [
  ],
 }
 ```
 增加不冲突的网段
 ```shell
 ➜  ~ cat ~/.docker/daemon.json
 {
  "builder": {
    "gc": {
      "defaultKeepStorage": "20GB",
      "enabled": true
    }
  },
  "experimental": false,
  "features": {
    "buildkit": true
  },
  "insecure-registries": [
  ],
  "bip": "172.15.0.1/24"
 }
 ```
 重启 docker，重新操作即可
 ## 架构
 ![arch.svg](docs/en/images/proxy-arch.svg)
 架构信息可以从[这里](/docs/en/Architecture.md) 和 [网站](https://www.kubevpn.cn/docs/architecture/connect) 找到.
 ## 贡献代码
--- a/docs/en/Architecture.md
+++ b/docs/en/Architecture.md
@@ -1,10 +1,15 @@
 ## Architecture
 ### Connect mode
-create a tunnel with port-forward, add route to virtual interface, like tun0, forward traffic though tunnel to remote traffic manager.  
+
 create a tunnel with port-forward, add route to virtual interface, like tun0, forward traffic though tunnel to remote
 traffic manager.  
 ![connect-mode](/docs/en/images/connect-mode.drawio.svg)
 ### Reverse mode
-base on connect mode, inject a container to controller, use iptables to block all inbound traffic and forward to local though tunnel.
+
 base on connect mode, inject a container to controller, use iptables to block all inbound traffic and forward to local
 though tunnel.
 ```text
 ┌──────────┐    ┌─────────┌──────────┐    ┌──────────┐
@@ -20,7 +25,10 @@ base on connect mode, inject a container to controller, use iptables to block al
 ```
 ### Mesh mode
-base on reverse mode, using envoy as proxy, if headers have special key-value pair, it will route to local machine, if not, use origin service.
+
 base on reverse mode, using envoy as proxy, if headers have special key-value pair, it will route to local machine, if
 not, use origin service.
 ```text
 ┌──────────┐    ┌─────────┌────────────┐     ┌──────────┐
 │ ServiceA ├───►│ sidecar ├─► ServiceB │─►┌─►│ ServiceC │
@@ -32,4 +40,6 @@ base on reverse mode, using envoy as proxy, if headers have special key-value pa
                 ┌───┘──────┐             │
                 │ ServiceB'├─────────────┘
                 └──────────┘
-```
+```
 ![arch.svg](/docs/en/images/proxy-arch.svg)
--- a/docs/en/images/proxy-arch.svg
+++ b/docs/en/images/proxy-arch.svg