34. The NSX-T Platform
Single platform for Networking, Security & Monitoring for Containers & VMs
Diagram: workload platforms (PKS, PAS/PCF, OpenShift, VMs, Kubernetes) over one shared Networking, Security, Monitoring layer.
34
35. Address all K8s Networking Functions
Load Balancing, IPAM, Routing, Firewalling
Complete automation and dynamic provisioning of Network Objects required for K8s and Workloads
Support for different topology choices for Pod and Node Networks (NAT/No-NAT)
Network Security Policies for Kubernetes Clusters, Namespaces and Individual Services
Full Network traceability/visibility using NSX-T in-built operational tools for Kubernetes
How does PKS with NSX-T add value over open-source solutions?
35
36. NSX-T: operational tools and automation
36
Traceflow, Port-Connection, Topology View
Back-Up & Restore
Selective Tech Support Logs
Monitoring & Stats
REST API support
Dynamic libraries available in multiple languages (Java, Python, Terraform)
Upstream OpenStack Support and Partner Ecosystem
Getting started wizards
Dashboards
IPFIX, Port Mirroring, Port Connection
Granular RBAC
Upgrade Coordinator
vRealize Log Insight / Splunk plugins
Columns: Automation, Operations, Troubleshooting
39. PRINCIPAL IDENTITY
39
Diagram: K8s Cluster and NSX-T Provisioning
• PKS management plane, behind its own T1 router: Ops-Manager, BOSH, PKS Control Plane, Harbor.
• Infrastructure: NSX-T Edge Cluster, NSX-T Controllers, NSX-T Manager, vCenter, physical L2/L3 switches, Internet.
• K8s Cluster Management Nodes: K8s cluster 1, K8s cluster 2 … K8s cluster n, each behind a T1 router, plus a T1 for the NSX-T LB.
• API Server VIP https://api.cluster.pks.customer.com fronting Master VM#1, VM#2, VM#3.
• Command: pks create-cluster my-cluster --plan small --num-nodes 3
• Cluster layout: three Master 'VM's (etcd, API srv, sched, ctrlr mgr) and Worker 'VM's running NSX NCP, dashboard, Kube DNS and an NA per node.
40. Cluster Provisioning Workflow
41
Diagram: numbered provisioning components: 1 PKS API; 2 NSX-T Proxy Broker, which writes a named_cloud_config; 3 manifest; 4 Ops Manager OD-Broker with cloud_config; 5 Service Adapter; 6 vSphere CPI; 7 BOSH, deploying the CFCR release and the pks-nsx-t release.
Step 2 (NSX-T Proxy Broker):
• pre-deployment provisioning
o allocate cluster subnet
o create named_cloud_config
o create Node Network
o create SNAT rule, if required, from k8s nodes to external
• post-destroy decommissioning
o delete SNAT rule, if required
o release Virtual IP for API Server
o delete Node Network
o delete named_cloud_config
o remove Principal Identity
o run clean-up script for NSX-T cluster resources
Triggering command: pks create-cluster my-cluster --plan small --num-nodes 3
41. Cluster Provisioning Workflow (cont.)
42
Diagram (continued):
7 BOSH deploys the CFCR release and the pks-nsx-t release through the vSphere CPI; components deployed:
o NCP
o NSX-CNI
o OpenvSwitch
o NSX scripts
8 Three Master 'VM's and the Worker 'VM's are created
9 VMs tagged with BOSH ID
10 BOSH Job on Master Node to perform cluster-level provisioning
o create Principal Identity
o create Load Balancer for the new Cluster
o reserve Virtual IP for API Server
42. PKS and NSX-T integration: Key Components
NSX Container Plugin (NCP)
43
Diagram: the NSX Container Plugin consists of NCM Infra, a K8s / OS Adapter, a CloudFoundry Adapter, room for more adapters, and an NSX Manager API Client that talks to the NSX Manager. Example K8s topology alongside: a K8s master (etcd, API-Server, Scheduler) and namespaces NS: foo and NS: bar.
• NCP is a software component provided by VMware, running on a K8s Node.
• NCP is built in a modular way, so that individual adapters can be added for different CaaS and PaaS systems.
• NCP 'listens' to Kubernetes/CF to create the required NSX-T constructs.
• CNI Integration is used.
43. PKS + NSX-T: built-in Load Balancing
Kubernetes Ingress and Svc Type LB support
Diagram (Ingress, L7): the NSX Container Plugin (NCM Infra, K8s / OS Adapter, CloudFoundry Adapter, Libnetwork Adapter, More…, NSX Manager API Client to NSX Manager) watches the K8s master (etcd, API-Server, Scheduler) and programs an NSX-T LB Service: Virtual Server 10.114.209.209 receives HTTP and/or HTTPS traffic, Rule 1 sends /foo/ to Server Pool 1 and Rule 2 sends /bar/ to Server Pool 2.
Diagram (Svc Type LB, L4): the same NCP programs an LB Service whose Virtual Server 10.114.209.212 receives TCP and/or UDP traffic and forwards it to a single Server Pool.
Built-in support for Ingress (L7) and Svc Type LB (L4) with the NSX-T integration. Most other K8s networking choices don't support Svc Type LB (L4), and you need an additional technology like NGINX for Ingress (L7).
44
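The L7/L4 split described above, as an added example that is not part of the original slides or of NCP: a small Python model in which each Ingress path rule becomes its own rule and server pool on an HTTP virtual server, while a Service of type LoadBalancer becomes a TCP/UDP virtual server with a single pool. The object shapes, pod endpoints and the dispatch function are constructed for illustration; only the two virtual-server IPs come from the slide.

```python
"""Illustrative model of how Kubernetes Ingress (L7) and Service type
LoadBalancer (L4) objects map onto load-balancer virtual servers, rules and
server pools.  Added example, not NCP or NSX-T code: object shapes, pod
endpoints and service names below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (namespace, service) -> pod endpoints; constructed sample values
ENDPOINTS: Dict[Tuple[str, str], List[str]] = {
    ("default", "foo"): ["172.16.1.10:8080", "172.16.1.11:8080"],
    ("default", "bar"): ["172.16.2.20:8080"],
    ("default", "db"): ["172.16.3.30:5432"],
}


@dataclass
class Pool:
    name: str
    members: List[str]


@dataclass
class VirtualServer:
    ip: str
    port: int
    layer: int                      # 7: HTTP path routing, 4: TCP/UDP forwarding
    protocol: str
    rules: List[Tuple[str, Pool]] = field(default_factory=list)  # L7 only
    default_pool: Optional[Pool] = None                           # L4 target


def pool_for(namespace: str, service: str) -> Pool:
    return Pool(f"{namespace}-{service}", ENDPOINTS.get((namespace, service), []))


def vs_from_ingress(ingress: dict, vip: str) -> VirtualServer:
    """Each Ingress path becomes one L7 rule pointing at its own pool.
    Rules are ordered longest prefix first so /foo/v2/ wins over /foo/."""
    ns = ingress["metadata"]["namespace"]
    vs = VirtualServer(ip=vip, port=80, layer=7, protocol="HTTP")
    for rule in ingress["spec"]["rules"]:
        for p in rule["http"]["paths"]:
            svc = p["backend"]["service"]["name"]
            vs.rules.append((p["path"], pool_for(ns, svc)))
    vs.rules.sort(key=lambda r: len(r[0]), reverse=True)
    return vs


def vs_from_service(service: dict, vip: str) -> List[VirtualServer]:
    """A Service of type LoadBalancer becomes one L4 virtual server per port:
    no request inspection, every connection goes to the single pool."""
    if service["spec"].get("type") != "LoadBalancer":
        return []
    ns, name = service["metadata"]["namespace"], service["metadata"]["name"]
    pool = pool_for(ns, name)
    return [VirtualServer(ip=vip, port=port["port"], layer=4,
                          protocol=port.get("protocol", "TCP"), default_pool=pool)
            for port in service["spec"]["ports"]]


def route_l7(vs: VirtualServer, path: str) -> Optional[str]:
    """Pick the pool for an HTTP request path; None means no rule matched."""
    for prefix, pool in vs.rules:
        if path.startswith(prefix):
            return pool.name
    return vs.default_pool.name if vs.default_pool else None


# Constructed manifests in the networking.k8s.io/v1 shape (assumed format).
INGRESS = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/foo/", "backend": {"service": {"name": "foo"}}},
        {"path": "/bar/", "backend": {"service": {"name": "bar"}}},
    ]}}]},
}
DB_SERVICE = {
    "metadata": {"name": "db", "namespace": "default"},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 5432, "protocol": "TCP"}]},
}

if __name__ == "__main__":
    l7 = vs_from_ingress(INGRESS, "10.114.209.209")
    print(route_l7(l7, "/foo/index.html"))   # default-foo
    print(route_l7(l7, "/healthz"))          # None: no rule and no default pool
    for l4 in vs_from_service(DB_SERVICE, "10.114.209.212"):
        print(l4.protocol, l4.port, l4.default_pool.name)
```

The point the model makes visible: an L7 virtual server needs per-path rules and one pool per backend, so a request that matches no rule has nowhere to go unless a default pool is configured, whereas the L4 virtual server never looks inside the connection and always has exactly one target.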
44. PKS + NSX-T: Namespaces
admin@k8s-master:~$ kubectl create namespace foo
namespace "foo" created
admin@k8s-master:~$ kubectl create namespace bar
namespace "bar" created
admin@k8s-master:~$ kubectl run nginx-foo --image=nginx -n foo
deployment "nginx-foo" created
admin@k8s-master:~$ kubectl run nginx-bar --image=nginx -n bar
deployment "nginx-bar" created
Diagram: NSX / K8s topology with Namespace: foo and Namespace: bar; subnets 10.24.0.0/24, 10.24.1.0/24 and 10.24.2.0/24; NAT boundaries between them; K8s Masters and K8s nodes.
45
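The subnet-per-namespace topology above and the "allocate cluster subnet" / "delete Node Network" steps of the provisioning workflow both rest on one IPAM operation: carving fixed-size subnets out of a container IP block and giving them back on tear-down. The following Python allocator is an added example, not NCP or PKS code; the block 10.24.0.0/16, the /24 prefix and the owner names are constructed assumptions chosen to reproduce the three subnets shown in the slide.

```python
"""Per-namespace (or per-cluster) subnet allocation from an IP block, the
IPAM step behind the 10.24.0.0/24, 10.24.1.0/24, 10.24.2.0/24 subnets in
the namespace topology.  Added example, not NCP or PKS code; block size,
prefix length and owner names are constructed assumptions."""
import ipaddress
from typing import Dict, List, Optional


class SubnetExhausted(Exception):
    """Raised when the IP block has no free subnet of the requested size."""


class SubnetAllocator:
    def __init__(self, block: str, prefix: int) -> None:
        self.block = ipaddress.ip_network(block)
        self.prefix = prefix
        if prefix < self.block.prefixlen:
            raise ValueError("prefix must be at least as long as the block's")
        # Every candidate subnet in address order; the lowest free one is handed out.
        self._free: List[ipaddress.IPv4Network] = list(self.block.subnets(new_prefix=prefix))
        self._used: Dict[str, ipaddress.IPv4Network] = {}

    def allocate(self, owner: str) -> str:
        """Idempotent: an owner that already holds a subnet gets the same one back,
        so a retried provisioning step does not leak a second subnet."""
        if owner in self._used:
            return str(self._used[owner])
        if not self._free:
            raise SubnetExhausted(f"{self.block} has no free /{self.prefix}")
        net = self._free.pop(0)
        self._used[owner] = net
        return str(net)

    def release(self, owner: str) -> None:
        """Return the owner's subnet to the pool (the post-destroy step); keep the
        free list sorted so the next allocation reuses the lowest address."""
        net = self._used.pop(owner, None)
        if net is not None:
            self._free.append(net)
            self._free.sort()

    def owner_of(self, ip: str) -> Optional[str]:
        """Map a pod or node IP back to the owner of its subnet, which is what a
        log reviewer needs when only the address appears in a flow record."""
        addr = ipaddress.ip_address(ip)
        for owner, net in self._used.items():
            if addr in net:
                return owner
        return None

    def check_no_overlap(self) -> bool:
        """Invariant: no two allocated subnets overlap."""
        nets = list(self._used.values())
        return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    ipam = SubnetAllocator("10.24.0.0/16", 24)
    for owner in ("nodes", "foo", "bar"):          # constructed owners
        print(owner, ipam.allocate(owner))           # 10.24.0.0/24, 10.24.1.0/24, 10.24.2.0/24
    print(ipam.owner_of("10.24.2.17"))               # bar
    ipam.release("foo")
    print(ipam.allocate("baz"))                      # 10.24.1.0/24, reused after release
```

Two behaviours matter operationally: allocation is idempotent per owner, so a retried broker step cannot consume a second subnet, and exhaustion is an explicit error rather than a silent overlap, which `check_no_overlap` lets an operator verify after the fact.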