SlideShare a Scribd company logo

Kubernetes networking-made-easy-with-open-v switch

InfraEngineer
InfraEngineer

오리뎅이님 추천자료 #2 https://www.facebook.com/groups/InfraEngineer/

Technology
1 of 84
Download to read offline
Kubernetes Networking Made Easy with Open vSwitch and OpenFlow Péter Megyesi Co-founder @ LeanNet ltd.
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Who Am I? PhD in Telecommunications @ Budapest University of Technology § Measurement and monitoring in Software Defined Networks § Participating in 5G-PPP EU projects § Graduated in the EIT Digital Doctoral School Co-founder & CTO @ LeanNet Ltd. § Evangelist of open networking solutions § Currently focusing on SDN in cloud native environments megyesi@leannet.eu twitter.com/M3gy0 linkedin.com/in/M3gy0
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu What is Open vSwitch? The de facto production quality, multilayer virtual switch § Originally developed by Nicira (the inventors of SDN and OpenFlow) § Now it’s developed under the Linux Foundation § Designed to be programmable by OVSDB and OpenFlow § Compatible with standard management interfaces (NetFlow, sFlow, IPFIX, RSPAN, LACP) § The basis of VMware NSX-T, OpenStack and many other public clouds… § Able to run in user-space mode via DPDK, thus can provide speed up to ~80 Gbps Server NIC VM 1 VM 2 Open vSwitchSDN controller OVSDB OpenFlow
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu What is Kubernetes? The de facto production quality, container-orchestration framework § Originally developed by Google (Borg project) § Now maintained by the Cloud Native Compute Foundation § Automating deployment, scaling, and management of containerized applications
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Basic Kubernetes Terminology Kubernetes Master § Controller of a Kubernetes cluster Kubernetes Node (Worker / Minion) § Hosts (server or VM) that run Kubernetes applications Container § Unit of packaging Pod § Unit of deployment Labels and Selectors § Key-Value pairs for identification Replication Set § Ensures availability and scalability Services § Collection of pods exposed as an endpoint Node Port § Expose services internally Load Balancer § The way for external access
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Docker Model Docker Host eth0 Root namespace Container 1 docker0 172.17.0.1/24 vethxx vethxy
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Docker Model Docker Host eth0 Root namespace Container 1 docker0 172.17.0.1/24 vethxx eth0 172.17.0.2
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Docker Model Docker Host eth0 Root namespace Container 1 Container 2 docker0 172.17.0.1/24 vethxx eth0 vethyy eth0 172.17.0.2 172.16.0.3
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Docker Model Docker Host 1 Docker Host 2 Docker Host 3 Container 172.17.0.2 Container 172.17.0.3 Container 172.17.0.2 Container 172.17.0.2 NAT NAT NAT NAT NAT
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Docker Host Ports 172.17.0.2 172.17.0.3 172.17.0.280 5001 9898 17472 26432 SNAT SNAT This is unfeasible in a very large cluster! Host 1: 10.0.0.10 Host 2: 10.0.0.20
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Networking in Kubernetes Pod-to-Pod communication § Each Pod in a Kubernetes cluster is assigned an IP in a flat shared networking namespace § All PODs can communicate with all other PODs without NAT § The IP that a PODs sees itself as is the same IP that others see it as Pod-to-Service communication § Requests to the Service IPs are intercepted by a Kube-proxy process running on all hosts § Kube-proxy is then responsible for routing to the correct POD External-to-Internal communication § All nodes can communicate with all PODs (and vice-versa) without NAT § Node ports are can be assigned to a service on every Kuberentes host § Public IPs can be implemented by configuring external Load Balancers which target all nodes in the cluster § Once traffic arrives at a node, it is routed to the correct Service backends by Kube-proxy
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Container Network Interface
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Kubernetes Node eth0 Root namespace br0 10.244.1.1 CNI in Kubernetes Script / binary placed on every host § Kubelet calls it with the right environmental variables and STDIN parameters Example for configuration - /etc/cni/net.d/01-dunlin.conf
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Kubernetes Node eth0 Root namespace br0 10.244.1.1 CNI in Kubernetes Script / binary placed on every host § Kubelet calls it with the right environmental variables and STDIN parameters Example environment variables § CNI_command: add or delete § CNI_netns: /proc/<PID>/ns/net § CNI_ifname: eth0 § CNI_path: /opt/bin/cni § CNI_containerid § K8S_pod_name § K8S_pod_namespace
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu CNI With Open vSwitch Create virtual ethernet port pair § ip link add veth0 type veth peer name veth1 Kubernetes Node eth0 Root namespace Container NS br0 10.244.1.1 veth0 veth1
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu CNI With Open vSwitch Create virtual ethernet port pair § ip link add veth0 type veth peer name veth1 Add interface to OVS bridge § ovs-vsctl add-port br0 veth0 Kubernetes Node eth0 Root namespace Container NS br0 10.244.1.1 veth0 veth1
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu CNI With Open vSwitch Create virtual ethernet port pair § ip link add veth0 type veth peer name veth1 Add interface to OVS bridge § ovs-vsctl add-port br0 veth0 Add the other interface to namespace § ip set link veth1 netns $CNI_netns Kubernetes Node eth0 Root namespace Container NS br0 10.244.1.1 veth0 veth1
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu CNI With Open vSwitch Create virtual ethernet port pair § ip link add veth0 type veth peer name veth1 Add interface to OVS bridge § ovs-vsctl add-port br0 veth0 Add the other interface to namespace § ip set link veth1 netns $CNI_netns Rename and setup interface § ip netns exec $CNI_netns § ip link set dev veth1 name eth0 § ip link set dev eth0 address 10.244.1.2 § ip link set dev eth0 mtu 1450 § ip route add default via 10.244.1.1 Kubernetes Node eth0 Root namespace Container NS br0 10.244.1.1 veth0 eth0
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu CNI With Open vSwitch Create virtual ethernet port pair § ip link add veth0 type veth peer name veth1 Add interface to OVS bridge § ovs-vsctl add-port br0 veth0 Add the other interface to namespace § ip set link veth1 netns $CNI_netns Rename and setup interface § ip netns exec $CNI_netns § ip link set dev veth1 name eth0 § ip link set dev eth0 address 10.244.1.2 § ip link set dev eth0 mtu 1450 § ip route add default via 10.244.1.1 Kubernetes Node eth0 Root namespace Container NS br0 10.244.1.1 veth0 eth0
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Kubernetes Model – The IP per POD Model Kubernetes Node 1 10.244.1.0/24 Kubernetes Node 2 10.244.2.0/24 Kubernetes Node 3 10.244.3.0/24 POD 10.244.1.2 POD 10.244.1.3 POD 10.244.2.2 POD 10.244.3.2 br0 ? Host 1: 10.0.0.10 Host 2: 10.0.0.20 Host 3: 10.0.0.30
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Cluster Networking in Kubernetes
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Same Node Kubernetes Node eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: pod2 L3 src: pod1 L3 dst: pod2
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Same Node Kubernetes Node eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: pod2 L3 src: pod1 L3 dst: pod2 Linux Bridge § MAC learning Open vSwitch § MAC learning: action=normal § L2 rule: dl_dst=pod2,action=output:2 § L3 rule: ip,nw_dst=pod2, action=output:2
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Same Node Kubernetes Node eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: pod2 L3 src: pod1 L3 dst: pod2 Linux Bridge § MAC learning Open vSwitch § MAC learning: action=normal § L2 rule: dl_dst=pod2,action=output:2 § L3 rule: ip,nw_dst=pod2, action=output:2
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Using an overlay network • An overlay network obscures the underlying network architecture from the pod network through traffic encapsulation (for example VxLAN, GRE) • Encapsulation reduces performance, though exactly how much depends on your solution Where to go from here??
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric Without an overlay network • Configure the underlying network fabric (switches, routers, etc.) to be aware of pod IP addresses • This does not require the encapsulation provided by an overlay, and so can achieve better performance L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Where to go from here??
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Kubernetes Cluster Networking Plugins Public clouds which supports Kuberentes program this into the fabric § E.g. in Google Container Engine: “everything to 10.1.1.0/24, send to this VM” In other cases we need to use an external plugin § Flannel § Calico § Canal § Romana § Weave § Cisco Contiv § Huawei CNI-Genie § Nuage Networks VCS (by Nokia) § Open Virtual Network
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Calico defines BGP agents and advertises the POD subnets to the fabric It uses IP-IP encapsulation
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Flannel and Weave creates VxLAN tunnels between nodes using a kernel implementation
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Set-up VxLAN ports to every other node § ovs-vsctl add-port br0 vxlan4 -- set interface vxlan4 type=vxlan option:remote_ip={node4_ip} Add rule for their subnet § ip,nw_dst={node4_subnet}, action=output:vxlan4
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Set-up VxLAN one port § ovs-vsctl add-port br0 vxlan0 – set interface vxlan0 type=vxlan option:key=flow option:remote_ip=flow Add rule including tunnel destenation § ip,nw_dest= {node4_subnet},actions= set_field:{node4_ip}->tun_dst,output:vxlan0
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: node1 br0 L2 dst: node4 br0 L3 src: pod1 L3 dst: pod4 Set-up VxLAN one port § ovs-vsctl add-port br0 vxlan0 – set interface vxlan0 type=vxlan option:key=flow option:remote_ip=flow Add rule including tunnel destenation § ip,nw_dest= {node4_subnet},actions= set_field:{node4_ip}->tun_dst,output:vxlan0
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: br0 (node4) L2 dst: pod4 L3 src: pod1 L3 dst: pod4 Set-up VxLAN one port § ovs-vsctl add-port br0 vxlan0 – set interface vxlan0 type=vxlan option:key=flow option:remote_ip=flow Add rule including tunnel destenation § ip,nw_dest= {node4_subnet},actions= set_field:{node4_ip}->tun_dst,output:vxlan0
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu For This, You Will Need a Control Plane Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric Control Plane SoftwareKubernetes API State information Rule installation via OpenFlow and OVSDB
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Pod to Service Communication in Kubernetes
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Services in Kubernetes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Definition: § Service is an abstraction to define a logical set of Pods bound by a policy by to access them § Defined by labels and selectors § Supports TCP and UDP § Interfaces with Kube-Proxy to manipulate IPtables § Service can be exposed internally by cluster/service IP Remember: PODs are Mortal!!!
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Services in Kubernetes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 This will be the IP of the service This will be the port of the service This is the POD port This will be the DNS name of the service Selector for PODs
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: br0 L3 src: pod1 L3 dst: svc1
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: br0 L3 src: pod1 L3 dst: svc1
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: br0 L3 src: pod1 L3 dst: svc1 IPtables
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 IPtables L3 src: pod1 L3 dst: svc1 L3 dst: pod88 DNAT, conntrack Remember: § Every node should reach every POD in the cluster § ip route add {global_pod_cidr} via br0 e.g. 10.244.0.0/16
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Example for IPtables Ruleset
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 IPtables L3 src: pod1 L3 dst: pod88 via tunnel network
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 IPtables L3 src: pod88 L3 dst: pod1 via tunnel network
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 IPtables L3 src: pod88 L3 dst: pod1 via tunnel network https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L3 src: pod88 L3 src: svc1 L3 dst: pod1 un-DNAT IPtables https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L3 src: svc1 L3 dst: pod1 IPtables https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 IPtables https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/ L3 src: svc1 L3 dst: pod1 Unfortunately, you can’t do the same with OVS
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Handling Service Communication with OVS: Option 1 Use ct* flow rules: § It uses the same conntrack kernel module as IPtables § You can specify similar NAT rules than you would in IPtables § For load balancing between POD backend, you can use group rules * ct rules are actually not OpenFlow compatible table=0,ip,nw_src={pod_cidr},nw_dst={service_cidr},ct_state=-trk,action=ct(table=2) table=0,ip,nw_src={pod_cidr},nw_dst={pod_cidr},ct_state=-trk,action=ct(table=4) table=2,ip,nw_dst={svc1_ip},tp_dst={svc1_port},ct_state=+trk+new,action=group:1 table=2,ip,nw_dst={svc2_ip},tp_dst={svc2_port},ct_state=+trk+new,action=group:2 table=2,ct_state=+trk-new,action=table:4 table=4 contains the original switching / routing rules group_id=1,type=select, bucket=ct(commit,nat(dst={pod1_ip}:{pod_port}),table=4, bucket=ct(commit,nat(dst={pod2_ip}:{pod_port}),table=4, bucket=ct(commit,nat(dst={pod3_ip}:{pod_port}),table=4
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Handling Service Communication with OVS: Option 2 Use stateless NAT rules: § If we see a Service IP we switch the destination IP to a POD backend § But at the same time we modify the source IP to a shifted domain (e.g. 10.244.x.y à 172.24.x.y) § This way we don’t use any kernel specific rules which allows the integration into user-space (e.g. DPDK) * NXM stands for Nicira eXtended Match rules which are also not OpenFlow compatible table=0,ip,nw_src={pod_cidr},nw_dst={service_cidr},action=table:2 table=0,ip,nw_src={pod_cidr},nw_dst={shifted_pod_cidr},action=table:3 table=0,ip,nw_src={pod_cidr},nw_dst={pod_cidr},action=table:4 table=2,ip,nw_dst={svc1_ip},tp_dst={svc1_port},actions=load:44056->NXM_OF_IP_SRC[16..31],group:1 table=3,ip,nw_src={pod1_ip},tp_src={pod_port},actions=mod_nw_src:{svc1_ip},mod_tp_src:{svc1_port} ,load:2804->NXM_OF_IP_DST[16..31],resubmit:4 table=4 contains the original switching / routing rules group_id=1,type=select, bucket=mod_nw_dst:{pod1_ip},mod_tp_dst:{pod_port},resubmit=4, bucket=mod_nw_dst:{pod2_ip},mod_tp_dst:{pod_port},resubmit=4, bucket=mod_nw_dst:{pod3_ip},mod_tp_dst:{pod_port},resubmit=4
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Finally, it’s demo time J
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Performance Comparison: Google Cloud
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Performance Comparison: Amazon Cloud
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Performance Comparison: Packet
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Kubernetes Networking with Open vSwitch Pure OVS solution § CNI binary attaching PODs to and OVS bridge § POD-to-POD and POD-to-Service communication with OpenFlow rules § Enhanced monitoring using Prometheus and OVS-exporter § Speed and latency is comparable with leading plugins (Flannel, Calico, Weave) § DPDK integration possibility § 100% open source: https://github.com/dunlinplugin dunlin.io
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Backup Slides
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu IPtables Latency by Google
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Pod to External Communication in Kubernetes
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a packet: pod-to-external Kubernetes Node eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 src: pod1 dst: 8.8.8.8 IPtables
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a packet: pod-to-external Kubernetes Node eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 dst: 8.8.8.8 POD IP address is private § Needs NAT to communicate with external
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a packet: pod-to-external Kubernetes Node eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 src: NodeIP dst: 8.8.8.8 MASQUERADE POD IP address is private § Needs NAT to communicate with external Node IPs are usually also private
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a packet: pod-to-external Kubernetes Node eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables POD IP address is private § Needs NAT to communicate with external Node IPs are usually also private § Needs second NAT by the fabric Network Fabric src: NodeIP src: PublicIP dst: 8.8.8.8 MASQUERADE
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a packet: pod-to-external Kubernetes Node eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables POD IP address is private § Needs NAT to communicate with external Node IPs are usually also private § Needs second NAT by the fabric Network Fabric src: PublicIP dst: 8.8.8.8
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Hairpin Problem Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 dst: svc1 dst: pod1 DNAT, conntrack
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Hairpin Problem Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 dst: pod1
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Hairpin Problem Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 dst: pod1 The reply for this packet would not leave this POD at all! Only SNAT at the in IPtables can solve this problem
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Hairpin Problem Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 src: cbr0 dst: svc1 dst: pod1 DNAT, conntrack
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External to Internal Communication in Kubernetes
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 pod 12 cbr0 vethxx eth0 vethyy eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns pod 21 pod 22 cbr0 vethzz eth0 vethvv eth0 Serveices can be exposed to the outside by § Node port § Load Balancer Example: frontend § pod 11 § pod 31 § pod 32 IPtables IPtables IPtables
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 Serveices can be exposed to the outside by § Node port § Load Balancer Example: frontend § pod 11 § pod 31 § pod 32 IPtables IPtables IPtables
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Node port § One port on every node gets rerouted to a certain service § Typically port number > 30000 § ∀NodeIP:30001 à 10.9.8.15:8080 § Node IPs are usually not public!
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Node port § One port on every node gets rerouted to a certain service § Typically port number > 30000 § ∀NodeIP:30001 à 10.9.8.15:8080 § Node IPs are usually not public! src: xxx:yyy dst: Node2:30001 Translates to one of the pod IP randomly 1/3 1/3 1/3
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Node port § One port on every node gets rerouted to a certain service § Typically port number > 30000 § ∀NodeIP:30001 à 10.9.8.15:8080 § Node IPs are usually not public! src: xxx:yyy dst: Node2:30001 src: Node2:xxxx dst: pod11:8080 1/3
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Node port § One port on every node gets rerouted to a certain service § Typically port number > 30000 § ∀NodeIP:30001 à 10.9.8.15:8080 § Node IPs are usually not public! src: xxx:yyy dst: Node3:30001 Translates to one of the pod IP randomly 1/3 1/3 1/3
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Node port § One port on every node gets rerouted to a certain service § Typically port number > 30000 § ∀NodeIP:30001 à 10.9.8.15:8080 § Node IPs are usually not public! src: xxx:yyy dst: Node3:30001 src: Node3:xxxx dst: pod11:8080 1/3
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer src: xxx:yyy dst: 95.67.12.3 Packet arrives to Load Balancer’s public IP
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer src: xxx:yyy dst: 95.67.12.3 dst: Node Port Packet has to be forwarded to one of the nodes
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer src: xxx:yyy dst: 95.67.12.3 dst: Node Port If the LB is smart it will only forward to nodes with pod
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer src: xxx:yyy dst: 95.67.12.3 dst: Node1 If IPtables is smart it won’t reroute to other node
Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer src: xxx:yyy dst: 95.67.12.3 Even then load balance might not be perfect! 50% 50% 50% 25% 25%

Recommended

Packet walks in_kubernetes-v4
Packet walks in_kubernetes-v4Packet walks in_kubernetes-v4
Packet walks in_kubernetes-v4
InfraEngineer
 
OpenStack 2012 fall summit observation - Quantum/SDN
OpenStack 2012 fall summit observation - Quantum/SDNOpenStack 2012 fall summit observation - Quantum/SDN
OpenStack 2012 fall summit observation - Quantum/SDN
Te-Yen Liu
 
Docker networking Tutorial 101
Docker networking Tutorial 101Docker networking Tutorial 101
Docker networking Tutorial 101
LorisPack Project
 
Docker networking tutorial 102
Docker networking tutorial 102Docker networking tutorial 102
Docker networking tutorial 102
LorisPack Project
 
Web scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelWeb scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannel
purpleocean
 
Docker network Present in VietNam DockerDay 2015
Docker network Present in VietNam DockerDay 2015Docker network Present in VietNam DockerDay 2015
Docker network Present in VietNam DockerDay 2015
Van Phuc
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes
Zhichao Liang
 
Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan Drivers
Brent Salisbury
 

Recommended

Packet walks in_kubernetes-v4
Packet walks in_kubernetes-v4Packet walks in_kubernetes-v4
Packet walks in_kubernetes-v4
InfraEngineer
 
OpenStack 2012 fall summit observation - Quantum/SDN
OpenStack 2012 fall summit observation - Quantum/SDNOpenStack 2012 fall summit observation - Quantum/SDN
OpenStack 2012 fall summit observation - Quantum/SDN
Te-Yen Liu
 
Docker networking Tutorial 101
Docker networking Tutorial 101Docker networking Tutorial 101
Docker networking Tutorial 101
LorisPack Project
 
Docker networking tutorial 102
Docker networking tutorial 102Docker networking tutorial 102
Docker networking tutorial 102
LorisPack Project
 
Web scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelWeb scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannel
purpleocean
 
Docker network Present in VietNam DockerDay 2015
Docker network Present in VietNam DockerDay 2015Docker network Present in VietNam DockerDay 2015
Docker network Present in VietNam DockerDay 2015
Van Phuc
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes
Zhichao Liang
 
Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan Drivers
Brent Salisbury
 
IPTABLES Introduction
IPTABLES IntroductionIPTABLES Introduction
IPTABLES Introduction
HungWei Chiu
 
Understanding docker networking
Understanding docker networkingUnderstanding docker networking
Understanding docker networking
Lorenzo Fontana
 
Networking in Docker Containers
Networking in Docker ContainersNetworking in Docker Containers
Networking in Docker Containers
Attila Kanto
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch
YongKi Kim
 
Docker networking basics & coupling with Software Defined Networks
Docker networking basics & coupling with Software Defined NetworksDocker networking basics & coupling with Software Defined Networks
Docker networking basics & coupling with Software Defined Networks
Adrien Blind
 
Docker network
Docker networkDocker network
Docker network
Mohammadreza Amini
 
How Networking works with Data Science
How Networking works with Data Science How Networking works with Data Science
How Networking works with Data Science
HungWei Chiu
 
Deep dive in Docker Overlay Networks
Deep dive in Docker Overlay NetworksDeep dive in Docker Overlay Networks
Deep dive in Docker Overlay Networks
Laurent Bernaille
 
Virtualized network with openvswitch
Virtualized network with openvswitchVirtualized network with openvswitch
Virtualized network with openvswitch
Sim Janghoon
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
Juraj Hantak
 
Docker-OVS
Docker-OVSDocker-OVS
Docker-OVS
snrism
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking Overview
Sreenivas Makam
 
4. Kubernetes - Application centric infrastructure kubernetes, contiv
4. Kubernetes - Application centric infrastructure kubernetes, contiv4. Kubernetes - Application centric infrastructure kubernetes, contiv
4. Kubernetes - Application centric infrastructure kubernetes, contiv
Juraj Hantak
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitch
Te-Yen Liu
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
어형 이
 
Application-Based Routing
Application-Based RoutingApplication-Based Routing
Application-Based Routing
HungWei Chiu
 
Packet Walk(s) In Kubernetes
Packet Walk(s) In KubernetesPacket Walk(s) In Kubernetes
Packet Walk(s) In Kubernetes
Don Jayakody
 
Docker 1.12 networking deep dive
Docker 1.12 networking deep diveDocker 1.12 networking deep dive
Docker 1.12 networking deep dive
Madhu Venugopal
 
DevOps Guide to Container Networking
DevOps Guide to Container NetworkingDevOps Guide to Container Networking
DevOps Guide to Container Networking
Dirk Wallerstorfer
 
Docker Networking
Docker NetworkingDocker Networking
Docker Networking
Weaveworks
 
How to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratchHow to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratch
All Things Open
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetes
Paul Czarkowski
 

More Related Content

What's hot

Virtualized network with openvswitch
Virtualized network with openvswitchVirtualized network with openvswitch
Virtualized network with openvswitch
Sim Janghoon
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
Juraj Hantak
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
어형 이
 

What's hot (20)

IPTABLES Introduction
IPTABLES IntroductionIPTABLES Introduction
IPTABLES Introduction
 
Understanding docker networking
Understanding docker networkingUnderstanding docker networking
Understanding docker networking
 
Networking in Docker Containers
Networking in Docker ContainersNetworking in Docker Containers
Networking in Docker Containers
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch
 
Docker networking basics & coupling with Software Defined Networks
Docker networking basics & coupling with Software Defined NetworksDocker networking basics & coupling with Software Defined Networks
Docker networking basics & coupling with Software Defined Networks
 
Docker network
Docker networkDocker network
Docker network
 
How Networking works with Data Science
How Networking works with Data Science How Networking works with Data Science
How Networking works with Data Science
 
Deep dive in Docker Overlay Networks
Deep dive in Docker Overlay NetworksDeep dive in Docker Overlay Networks
Deep dive in Docker Overlay Networks
 
Virtualized network with openvswitch
Virtualized network with openvswitchVirtualized network with openvswitch
Virtualized network with openvswitch
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
 
Docker-OVS
Docker-OVSDocker-OVS
Docker-OVS
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking Overview
 
4. Kubernetes - Application centric infrastructure kubernetes, contiv
4. Kubernetes - Application centric infrastructure kubernetes, contiv4. Kubernetes - Application centric infrastructure kubernetes, contiv
4. Kubernetes - Application centric infrastructure kubernetes, contiv
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitch
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
 
Application-Based Routing
Application-Based RoutingApplication-Based Routing
Application-Based Routing
 
Packet Walk(s) In Kubernetes
Packet Walk(s) In KubernetesPacket Walk(s) In Kubernetes
Packet Walk(s) In Kubernetes
 
Docker 1.12 networking deep dive
Docker 1.12 networking deep diveDocker 1.12 networking deep dive
Docker 1.12 networking deep dive
 
DevOps Guide to Container Networking
DevOps Guide to Container NetworkingDevOps Guide to Container Networking
DevOps Guide to Container Networking
 
Docker Networking
Docker NetworkingDocker Networking
Docker Networking
 

Similar to Kubernetes networking-made-easy-with-open-v switch

How to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratchHow to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratch
All Things Open
 
Scaling Docker with Kubernetes
Scaling Docker with KubernetesScaling Docker with Kubernetes
Scaling Docker with Kubernetes
Carlos Sanchez
 
Meetup docker using software defined networks
Meetup docker using software defined networksMeetup docker using software defined networks
Meetup docker using software defined networks
OCTO Technology
 
DevNetCreate - ACI and Kubernetes Integration
DevNetCreate - ACI and Kubernetes IntegrationDevNetCreate - ACI and Kubernetes Integration
DevNetCreate - ACI and Kubernetes Integration
Hank Preston
 

Similar to Kubernetes networking-made-easy-with-open-v switch (20)

How to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratchHow to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratch
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetes
 
Scaling Docker with Kubernetes
Scaling Docker with KubernetesScaling Docker with Kubernetes
Scaling Docker with Kubernetes
 
Chris Swan at Container.Camp: Docker networking
Chris Swan at Container.Camp: Docker networkingChris Swan at Container.Camp: Docker networking
Chris Swan at Container.Camp: Docker networking
 
Octo talk : docker multi-host networking
Octo talk : docker multi-host networking Octo talk : docker multi-host networking
Octo talk : docker multi-host networking
 
Kubernetes networks
Kubernetes networksKubernetes networks
Kubernetes networks
 
"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016
 
Open stackaustinmeetupsept21
Open stackaustinmeetupsept21Open stackaustinmeetupsept21
Open stackaustinmeetupsept21
 
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
 
Network plugins for kubernetes
Network plugins for kubernetesNetwork plugins for kubernetes
Network plugins for kubernetes
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basics
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
 
Single Host Docker Networking
Single Host Docker NetworkingSingle Host Docker Networking
Single Host Docker Networking
 
DockerDay2015: Docker Networking
DockerDay2015: Docker NetworkingDockerDay2015: Docker Networking
DockerDay2015: Docker Networking
 
Openstack openswitch basics
Openstack openswitch basicsOpenstack openswitch basics
Openstack openswitch basics
 
Meetup docker using software defined networks
Meetup docker using software defined networksMeetup docker using software defined networks
Meetup docker using software defined networks
 
DevNetCreate - ACI and Kubernetes Integration
DevNetCreate - ACI and Kubernetes IntegrationDevNetCreate - ACI and Kubernetes Integration
DevNetCreate - ACI and Kubernetes Integration
 
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
OpenStack Israel Meetup - Project Kuryr: Bringing Container Networking to Neu...
OpenStack Israel Meetup - Project Kuryr: Bringing Container Networking to Neu...OpenStack Israel Meetup - Project Kuryr: Bringing Container Networking to Neu...
OpenStack Israel Meetup - Project Kuryr: Bringing Container Networking to Neu...
 

More from InfraEngineer

More from InfraEngineer (18)

Linux Kernel 101 for Beginner
Linux Kernel 101 for BeginnerLinux Kernel 101 for Beginner
Linux Kernel 101 for Beginner
 
삐약삐약 네트워크 엔지니어 이야기
삐약삐약 네트워크 엔지니어 이야기삐약삐약 네트워크 엔지니어 이야기
삐약삐약 네트워크 엔지니어 이야기
 
시니어가 들려주는 "내가 알고 있는 걸 당신도 알게 된다면"
시니어가 들려주는 "내가 알고 있는 걸 당신도 알게 된다면"시니어가 들려주는 "내가 알고 있는 걸 당신도 알게 된다면"
시니어가 들려주는 "내가 알고 있는 걸 당신도 알게 된다면"
 
주니어의 쿠버네티스 생태계에서 살아남기
주니어의 쿠버네티스 생태계에서 살아남기주니어의 쿠버네티스 생태계에서 살아남기
주니어의 쿠버네티스 생태계에서 살아남기
 
클라우드 엔지니어 취업 고군 분투기
클라우드 엔지니어 취업 고군 분투기클라우드 엔지니어 취업 고군 분투기
클라우드 엔지니어 취업 고군 분투기
 
CKA(Kubernetes 자격증) 잘 준비하는 법_
CKA(Kubernetes 자격증) 잘 준비하는 법_CKA(Kubernetes 자격증) 잘 준비하는 법_
CKA(Kubernetes 자격증) 잘 준비하는 법_
 
HTTP2도 잘 모르는데 벌써 HTTP3 (v2)
HTTP2도 잘 모르는데 벌써 HTTP3 (v2)HTTP2도 잘 모르는데 벌써 HTTP3 (v2)
HTTP2도 잘 모르는데 벌써 HTTP3 (v2)
 
[MeetUp][3rd] 아무도 이야기하지 않는 클라우드 3사 솔직 비교
[MeetUp][3rd] 아무도 이야기하지 않는 클라우드 3사 솔직 비교[MeetUp][3rd] 아무도 이야기하지 않는 클라우드 3사 솔직 비교
[MeetUp][3rd] 아무도 이야기하지 않는 클라우드 3사 솔직 비교
 
[MeetUp][3rd] Prometheus 와 함께하는 모니터링 및 시각화
[MeetUp][3rd] Prometheus 와 함께하는 모니터링 및 시각화[MeetUp][3rd] Prometheus 와 함께하는 모니터링 및 시각화
[MeetUp][3rd] Prometheus 와 함께하는 모니터링 및 시각화
 
F5 container ingress_service_in_kuernetes_with_calico_cni_by_duck_in_korea
F5 container ingress_service_in_kuernetes_with_calico_cni_by_duck_in_koreaF5 container ingress_service_in_kuernetes_with_calico_cni_by_duck_in_korea
F5 container ingress_service_in_kuernetes_with_calico_cni_by_duck_in_korea
 
Calico routing modes_trans_by_duck_in_korean
Calico routing modes_trans_by_duck_in_koreanCalico routing modes_trans_by_duck_in_korean
Calico routing modes_trans_by_duck_in_korean
 
[MeetUp][2nd] 오리뎅이의_쿠버네티스_네트워킹_v1.2
[MeetUp][2nd] 오리뎅이의_쿠버네티스_네트워킹_v1.2[MeetUp][2nd] 오리뎅이의_쿠버네티스_네트워킹_v1.2
[MeetUp][2nd] 오리뎅이의_쿠버네티스_네트워킹_v1.2
 
[MeetUp][2nd] 컭on턺
[MeetUp][2nd] 컭on턺[MeetUp][2nd] 컭on턺
[MeetUp][2nd] 컭on턺
 
[MeetUp][2nd] 알아두면 쓸모있는 테라폼
[MeetUp][2nd] 알아두면 쓸모있는 테라폼[MeetUp][2nd] 알아두면 쓸모있는 테라폼
[MeetUp][2nd] 알아두면 쓸모있는 테라폼
 
IT 인프라 엔지니어에게 길을 묻다
IT 인프라 엔지니어에게 길을 묻다IT 인프라 엔지니어에게 길을 묻다
IT 인프라 엔지니어에게 길을 묻다
 
[MeetUp][1st] 오리뎅이의_쿠버네티스_네트워킹
[MeetUp][1st] 오리뎅이의_쿠버네티스_네트워킹[MeetUp][1st] 오리뎅이의_쿠버네티스_네트워킹
[MeetUp][1st] 오리뎅이의_쿠버네티스_네트워킹
 
[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화
[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화
[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화
 
[MeetUp][1st] 자동화를 왜 해야하나요
[MeetUp][1st] 자동화를 왜 해야하나요[MeetUp][1st] 자동화를 왜 해야하나요
[MeetUp][1st] 자동화를 왜 해야하나요
 

Recently uploaded

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Recently uploaded (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 

Kubernetes networking-made-easy-with-open-v switch

  • 1.
  • 2. Kubernetes Networking Made Easy with Open vSwitch and OpenFlow Péter Megyesi Co-founder @ LeanNet ltd.
  • 3. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Who Am I? PhD in Telecommunications @ Budapest University of Technology § Measurement and monitoring in Software Defined Networks § Participating in 5G-PPP EU projects § Graduated in the EIT Digital Doctoral School Co-founder & CTO @ LeanNet Ltd. § Evangelist of open networking solutions § Currently focusing on SDN in cloud native environments megyesi@leannet.eu twitter.com/M3gy0 linkedin.com/in/M3gy0
  • 4. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu What is Open vSwitch? The de facto production quality, multilayer virtual switch § Originally developed by Nicira (the inventors of SDN and OpenFlow) § Now it’s developed under the Linux Foundation § Designed to be programmable by OVSDB and OpenFlow § Compatible with standard management interfaces (NetFlow, sFlow, IPFIX, RSPAN, LACP) § The basis of VMware NSX-T, OpenStack and many other public clouds… § Able to run in user-space mode via DPDK, thus can provide speed up to ~80 Gbps Server NIC VM 1 VM 2 Open vSwitchSDN controller OVSDB OpenFlow
  • 5. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu What is Kubernetes? The de facto production quality, container-orchestration framework § Originally developed by Google (Borg project) § Now maintained by the Cloud Native Compute Foundation § Automating deployment, scaling, and management of containerized applications
  • 6. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Basic Kubernetes Terminology Kubernetes Master § Controller of a Kubernetes cluster Kubernetes Node (Worker / Minion) § Hosts (server or VM) that run Kubernetes applications Container § Unit of packaging Pod § Unit of deployment Labels and Selectors § Key-Value pairs for identification Replication Set § Ensures availability and scalability Services § Collection of pods exposed as an endpoint Node Port § Expose services internally Load Balancer § The way for external access
  • 7. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Docker Model Docker Host eth0 Root namespace Container 1 docker0 172.17.0.1/24 vethxx vethxy
  • 8. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Docker Model Docker Host eth0 Root namespace Container 1 docker0 172.17.0.1/24 vethxx eth0 172.17.0.2
  • 9. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Docker Model Docker Host eth0 Root namespace Container 1 Container 2 docker0 172.17.0.1/24 vethxx eth0 vethyy eth0 172.17.0.2 172.16.0.3
  • 10. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Docker Model Docker Host 1 Docker Host 2 Docker Host 3 Container 172.17.0.2 Container 172.17.0.3 Container 172.17.0.2 Container 172.17.0.2 NAT NAT NAT NAT NAT
  • 11. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Docker Host Ports 172.17.0.2 172.17.0.3 172.17.0.280 5001 9898 17472 26432 SNAT SNAT This is unfeasible in a very large cluster! Host 1: 10.0.0.10 Host 2: 10.0.0.20
  • 12. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Networking in Kubernetes Pod-to-Pod communication § Each Pod in a Kubernetes cluster is assigned an IP in a flat shared networking namespace § All PODs can communicate with all other PODs without NAT § The IP that a PODs sees itself as is the same IP that others see it as Pod-to-Service communication § Requests to the Service IPs are intercepted by a Kube-proxy process running on all hosts § Kube-proxy is then responsible for routing to the correct POD External-to-Internal communication § All nodes can communicate with all PODs (and vice-versa) without NAT § Node ports are can be assigned to a service on every Kuberentes host § Public IPs can be implemented by configuring external Load Balancers which target all nodes in the cluster § Once traffic arrives at a node, it is routed to the correct Service backends by Kube-proxy
  • 13. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Container Network Interface
  • 14. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Kubernetes Node eth0 Root namespace br0 10.244.1.1 CNI in Kubernetes Script / binary placed on every host § Kubelet calls it with the right environmental variables and STDIN parameters Example for configuration - /etc/cni/net.d/01-dunlin.conf
  • 15. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Kubernetes Node eth0 Root namespace br0 10.244.1.1 CNI in Kubernetes Script / binary placed on every host § Kubelet calls it with the right environmental variables and STDIN parameters Example environment variables § CNI_command: add or delete § CNI_netns: /proc/<PID>/ns/net § CNI_ifname: eth0 § CNI_path: /opt/bin/cni § CNI_containerid § K8S_pod_name § K8S_pod_namespace
  • 16. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu CNI With Open vSwitch Create virtual ethernet port pair § ip link add veth0 type veth peer name veth1 Kubernetes Node eth0 Root namespace Container NS br0 10.244.1.1 veth0 veth1
  • 17. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu CNI With Open vSwitch Create virtual ethernet port pair § ip link add veth0 type veth peer name veth1 Add interface to OVS bridge § ovs-vsctl add-port br0 veth0 Kubernetes Node eth0 Root namespace Container NS br0 10.244.1.1 veth0 veth1
  • 18. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu CNI With Open vSwitch Create virtual ethernet port pair § ip link add veth0 type veth peer name veth1 Add interface to OVS bridge § ovs-vsctl add-port br0 veth0 Add the other interface to namespace § ip set link veth1 netns $CNI_netns Kubernetes Node eth0 Root namespace Container NS br0 10.244.1.1 veth0 veth1
  • 19. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu CNI With Open vSwitch Create virtual ethernet port pair § ip link add veth0 type veth peer name veth1 Add interface to OVS bridge § ovs-vsctl add-port br0 veth0 Add the other interface to namespace § ip set link veth1 netns $CNI_netns Rename and setup interface § ip netns exec $CNI_netns § ip link set dev veth1 name eth0 § ip link set dev eth0 address 10.244.1.2 § ip link set dev eth0 mtu 1450 § ip route add default via 10.244.1.1 Kubernetes Node eth0 Root namespace Container NS br0 10.244.1.1 veth0 eth0
  • 20. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu CNI With Open vSwitch Create virtual ethernet port pair § ip link add veth0 type veth peer name veth1 Add interface to OVS bridge § ovs-vsctl add-port br0 veth0 Add the other interface to namespace § ip set link veth1 netns $CNI_netns Rename and setup interface § ip netns exec $CNI_netns § ip link set dev veth1 name eth0 § ip link set dev eth0 address 10.244.1.2 § ip link set dev eth0 mtu 1450 § ip route add default via 10.244.1.1 Kubernetes Node eth0 Root namespace Container NS br0 10.244.1.1 veth0 eth0
  • 21. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Kubernetes Model – The IP per POD Model Kubernetes Node 1 10.244.1.0/24 Kubernetes Node 2 10.244.2.0/24 Kubernetes Node 3 10.244.3.0/24 POD 10.244.1.2 POD 10.244.1.3 POD 10.244.2.2 POD 10.244.3.2 br0 ? Host 1: 10.0.0.10 Host 2: 10.0.0.20 Host 3: 10.0.0.30
  • 22. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Cluster Networking in Kubernetes
  • 23. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Same Node Kubernetes Node eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: pod2 L3 src: pod1 L3 dst: pod2
  • 24. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Same Node Kubernetes Node eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: pod2 L3 src: pod1 L3 dst: pod2 Linux Bridge § MAC learning Open vSwitch § MAC learning: action=normal § L2 rule: dl_dst=pod2,action=output:2 § L3 rule: ip,nw_dst=pod2, action=output:2
  • 25. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Same Node Kubernetes Node eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: pod2 L3 src: pod1 L3 dst: pod2 Linux Bridge § MAC learning Open vSwitch § MAC learning: action=normal § L2 rule: dl_dst=pod2,action=output:2 § L3 rule: ip,nw_dst=pod2, action=output:2
  • 26. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric
  • 27. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4
  • 28. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Using an overlay network • An overlay network obscures the underlying network architecture from the pod network through traffic encapsulation (for example VxLAN, GRE) • Encapsulation reduces performance, though exactly how much depends on your solution Where to go from here??
  • 29. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric Without an overlay network • Configure the underlying network fabric (switches, routers, etc.) to be aware of pod IP addresses • This does not require the encapsulation provided by an overlay, and so can achieve better performance L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Where to go from here??
  • 30. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Kubernetes Cluster Networking Plugins Public clouds which supports Kuberentes program this into the fabric § E.g. in Google Container Engine: “everything to 10.1.1.0/24, send to this VM” In other cases we need to use an external plugin § Flannel § Calico § Canal § Romana § Weave § Cisco Contiv § Huawei CNI-Genie § Nuage Networks VCS (by Nokia) § Open Virtual Network
  • 31. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Calico defines BGP agents and advertises the POD subnets to the fabric It uses IP-IP encapsulation
  • 32. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Flannel and Weave creates VxLAN tunnels between nodes using a kernel implementation
  • 33. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Set-up VxLAN ports to every other node § ovs-vsctl add-port br0 vxlan4 -- set interface vxlan4 type=vxlan option:remote_ip={node4_ip} Add rule for their subnet § ip,nw_dst={node4_subnet}, action=output:vxlan4
  • 34. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: pod1 L2 dst: br0 (gw) L3 src: pod1 L3 dst: pod4 Set-up VxLAN one port § ovs-vsctl add-port br0 vxlan0 – set interface vxlan0 type=vxlan option:key=flow option:remote_ip=flow Add rule including tunnel destenation § ip,nw_dest= {node4_subnet},actions= set_field:{node4_ip}->tun_dst,output:vxlan0
  • 35. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: node1 br0 L2 dst: node4 br0 L3 src: pod1 L3 dst: pod4 Set-up VxLAN one port § ovs-vsctl add-port br0 vxlan0 – set interface vxlan0 type=vxlan option:key=flow option:remote_ip=flow Add rule including tunnel destenation § ip,nw_dest= {node4_subnet},actions= set_field:{node4_ip}->tun_dst,output:vxlan0
  • 36. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-POD, Between Nodes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric L2 src: br0 (node4) L2 dst: pod4 L3 src: pod1 L3 dst: pod4 Set-up VxLAN one port § ovs-vsctl add-port br0 vxlan0 – set interface vxlan0 type=vxlan option:key=flow option:remote_ip=flow Add rule including tunnel destenation § ip,nw_dest= {node4_subnet},actions= set_field:{node4_ip}->tun_dst,output:vxlan0
  • 37. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu For This, You Will Need a Control Plane Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Kubernetes Node 4 eth0 Root namespace pod 3 pod 4 br0 vethzz eth0 vethvv eth0 Network Fabric Control Plane SoftwareKubernetes API State information Rule installation via OpenFlow and OVSDB
  • 38. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Pod to Service Communication in Kubernetes
  • 39. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Services in Kubernetes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 Definition: § Service is an abstraction to define a logical set of Pods bound by a policy by to access them § Defined by labels and selectors § Supports TCP and UDP § Interfaces with Kube-Proxy to manipulate IPtables § Service can be exposed internally by cluster/service IP Remember: PODs are Mortal!!!
  • 40. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Services in Kubernetes Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 This will be the IP of the service This will be the port of the service This is the POD port This will be the DNS name of the service Selector for PODs
  • 41. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: br0 L3 src: pod1 L3 dst: svc1
  • 42. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: br0 L3 src: pod1 L3 dst: svc1
  • 43. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L2 src: pod1 L2 dst: br0 L3 src: pod1 L3 dst: svc1 IPtables
  • 44. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 IPtables L3 src: pod1 L3 dst: svc1 L3 dst: pod88 DNAT, conntrack Remember: § Every node should reach every POD in the cluster § ip route add {global_pod_cidr} via br0 e.g. 10.244.0.0/16
  • 45. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Example for IPtables Ruleset
  • 46. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 IPtables L3 src: pod1 L3 dst: pod88 via tunnel network
  • 47. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 IPtables L3 src: pod88 L3 dst: pod1 via tunnel network
  • 48. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 IPtables L3 src: pod88 L3 dst: pod1 via tunnel network https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/
  • 49. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L3 src: pod88 L3 src: svc1 L3 dst: pod1 un-DNAT IPtables https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/
  • 50. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 L3 src: svc1 L3 dst: pod1 IPtables https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/
  • 51. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a Packet: POD-to-Service Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 br0 vethxx eth0 vethyy eth0 IPtables https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/ L3 src: svc1 L3 dst: pod1 Unfortunately, you can’t do the same with OVS
  • 52. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Handling Service Communication with OVS: Option 1 Use ct* flow rules: § It uses the same conntrack kernel module as IPtables § You can specify similar NAT rules than you would in IPtables § For load balancing between POD backend, you can use group rules * ct rules are actually not OpenFlow compatible table=0,ip,nw_src={pod_cidr},nw_dst={service_cidr},ct_state=-trk,action=ct(table=2) table=0,ip,nw_src={pod_cidr},nw_dst={pod_cidr},ct_state=-trk,action=ct(table=4) table=2,ip,nw_dst={svc1_ip},tp_dst={svc1_port},ct_state=+trk+new,action=group:1 table=2,ip,nw_dst={svc2_ip},tp_dst={svc2_port},ct_state=+trk+new,action=group:2 table=2,ct_state=+trk-new,action=table:4 table=4 contains the original switching / routing rules group_id=1,type=select, bucket=ct(commit,nat(dst={pod1_ip}:{pod_port}),table=4, bucket=ct(commit,nat(dst={pod2_ip}:{pod_port}),table=4, bucket=ct(commit,nat(dst={pod3_ip}:{pod_port}),table=4
  • 53. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Handling Service Communication with OVS: Option 2 Use stateless NAT rules: § If we see a Service IP we switch the destination IP to a POD backend § But at the same time we modify the source IP to a shifted domain (e.g. 10.244.x.y à 172.24.x.y) § This way we don’t use any kernel specific rules which allows the integration into user-space (e.g. DPDK) * NXM stands for Nicira eXtended Match rules which are also not OpenFlow compatible table=0,ip,nw_src={pod_cidr},nw_dst={service_cidr},action=table:2 table=0,ip,nw_src={pod_cidr},nw_dst={shifted_pod_cidr},action=table:3 table=0,ip,nw_src={pod_cidr},nw_dst={pod_cidr},action=table:4 table=2,ip,nw_dst={svc1_ip},tp_dst={svc1_port},actions=load:44056->NXM_OF_IP_SRC[16..31],group:1 table=3,ip,nw_src={pod1_ip},tp_src={pod_port},actions=mod_nw_src:{svc1_ip},mod_tp_src:{svc1_port} ,load:2804->NXM_OF_IP_DST[16..31],resubmit:4 table=4 contains the original switching / routing rules group_id=1,type=select, bucket=mod_nw_dst:{pod1_ip},mod_tp_dst:{pod_port},resubmit=4, bucket=mod_nw_dst:{pod2_ip},mod_tp_dst:{pod_port},resubmit=4, bucket=mod_nw_dst:{pod3_ip},mod_tp_dst:{pod_port},resubmit=4
  • 54. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Finally, it’s demo time J
  • 55. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Performance Comparison: Google Cloud
  • 56. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Performance Comparison: Amazon Cloud
  • 57. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Performance Comparison: Packet
  • 58. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Kubernetes Networking with Open vSwitch Pure OVS solution § CNI binary attaching PODs to and OVS bridge § POD-to-POD and POD-to-Service communication with OpenFlow rules § Enhanced monitoring using Prometheus and OVS-exporter § Speed and latency is comparable with leading plugins (Flannel, Calico, Weave) § DPDK integration possibility § 100% open source: https://github.com/dunlinplugin dunlin.io
  • 59. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Backup Slides
  • 60. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu IPtables Latency by Google
  • 61. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Pod to External Communication in Kubernetes
  • 62. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a packet: pod-to-external Kubernetes Node eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 src: pod1 dst: 8.8.8.8 IPtables
  • 63. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a packet: pod-to-external Kubernetes Node eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 dst: 8.8.8.8 POD IP address is private § Needs NAT to communicate with external
  • 64. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a packet: pod-to-external Kubernetes Node eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 src: NodeIP dst: 8.8.8.8 MASQUERADE POD IP address is private § Needs NAT to communicate with external Node IPs are usually also private
  • 65. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a packet: pod-to-external Kubernetes Node eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables POD IP address is private § Needs NAT to communicate with external Node IPs are usually also private § Needs second NAT by the fabric Network Fabric src: NodeIP src: PublicIP dst: 8.8.8.8 MASQUERADE
  • 66. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu Life of a packet: pod-to-external Kubernetes Node eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables POD IP address is private § Needs NAT to communicate with external Node IPs are usually also private § Needs second NAT by the fabric Network Fabric src: PublicIP dst: 8.8.8.8
  • 67. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Hairpin Problem Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 dst: svc1 dst: pod1 DNAT, conntrack
  • 68. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Hairpin Problem Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 dst: pod1
  • 69. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Hairpin Problem Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 dst: pod1 The reply for this packet would not leave this POD at all! Only SNAT at the in IPtables can solve this problem
  • 70. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu The Hairpin Problem Kubernetes Node 1 eth0 Root namespace pod 1 pod 2 cbr0 vethxx eth0 vethyy eth0 IPtables src: pod1 src: cbr0 dst: svc1 dst: pod1 DNAT, conntrack
  • 71. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External to Internal Communication in Kubernetes
  • 72. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 pod 12 cbr0 vethxx eth0 vethyy eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns pod 21 pod 22 cbr0 vethzz eth0 vethvv eth0 Serveices can be exposed to the outside by § Node port § Load Balancer Example: frontend § pod 11 § pod 31 § pod 32 IPtables IPtables IPtables
  • 73. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 Serveices can be exposed to the outside by § Node port § Load Balancer Example: frontend § pod 11 § pod 31 § pod 32 IPtables IPtables IPtables
  • 74. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Node port § One port on every node gets rerouted to a certain service § Typically port number > 30000 § ∀NodeIP:30001 à 10.9.8.15:8080 § Node IPs are usually not public!
  • 75. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Node port § One port on every node gets rerouted to a certain service § Typically port number > 30000 § ∀NodeIP:30001 à 10.9.8.15:8080 § Node IPs are usually not public! src: xxx:yyy dst: Node2:30001 Translates to one of the pod IP randomly 1/3 1/3 1/3
  • 76. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Node port § One port on every node gets rerouted to a certain service § Typically port number > 30000 § ∀NodeIP:30001 à 10.9.8.15:8080 § Node IPs are usually not public! src: xxx:yyy dst: Node2:30001 src: Node2:xxxx dst: pod11:8080 1/3
  • 77. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Node port § One port on every node gets rerouted to a certain service § Typically port number > 30000 § ∀NodeIP:30001 à 10.9.8.15:8080 § Node IPs are usually not public! src: xxx:yyy dst: Node3:30001 Translates to one of the pod IP randomly 1/3 1/3 1/3
  • 78. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Node port § One port on every node gets rerouted to a certain service § Typically port number > 30000 § ∀NodeIP:30001 à 10.9.8.15:8080 § Node IPs are usually not public! src: xxx:yyy dst: Node3:30001 src: Node3:xxxx dst: pod11:8080 1/3
  • 79. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer
  • 80. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer src: xxx:yyy dst: 95.67.12.3 Packet arrives to Load Balancer’s public IP
  • 81. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer src: xxx:yyy dst: 95.67.12.3 dst: Node Port Packet has to be forwarded to one of the nodes
  • 82. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer src: xxx:yyy dst: 95.67.12.3 dst: Node Port If the LB is smart it will only forward to nodes with pod
  • 83. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer src: xxx:yyy dst: 95.67.12.3 dst: Node1 If IPtables is smart it won’t reroute to other node
  • 84. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu External-to-Internal Traffic Kubernetes Node 1 eth0 Root ns pod 11 cbr0 vethxx eth0 Kubernetes Node 3 eth0 Root ns pod 31 pod 32 cbr0 vethoo eth0 vethpp eth0 Network Fabric Kubernetes Node 2 eth0 Root ns cbr0 IPtables IPtables IPtables Load Balancer § One public IP that maps to a certain service § Fabric has to manage it! § GCE § AWS § OpenStack Load Balancer src: xxx:yyy dst: 95.67.12.3 Even then load balance might not be perfect! 50% 50% 50% 25% 25%