Docker Enterprise is changing the application landscape, but you still need container A to talk to container B in a reliable and portable way. In this workshop you will learn key Docker Enterprise networking concepts and container networking best practices, and get your hands dirty with use cases and examples across both Swarm and Kubernetes. Join us to learn more.
Slides for the OpenStack Newton Summit in Austin that cover the changes done during the Mitaka cycle and the direction we will take for Neutron. Swarm and Kubernetes integrations explained
Tech Talk by Gal Sagie: Kuryr - Connecting containers networking to OpenStack...nvirters
These are slides from the Tech Talk at http://www.meetup.com/openvswitch/events/226518209/
Synopsis
Kuryr is a new project under Neutron's big tent that makes Neutron networking available to Docker containers by means of a Docker plugin.
In this session Gal will introduce Kuryr and show how it provides networking for containers in plain Docker environments and in mixed Docker/OpenStack environments. He will also present Kuryr's roadmap and its integration with the networking models of other orchestration engines such as Kubernetes and Docker.
About Gal Sagie
Gal Sagie is an open source software architect at Huawei European Research Centre, focusing on OpenStack networking and container networking. He works on various projects in the community, such as Dragonflow, OVN, Kuryr and multisite/hybrid clouds in OpenStack, and blogs about anything SDN/NFV/OpenStack related at http://galsagie.github.io
Deep Dive in Docker Overlay Networks - Laurent Bernaille, Architect, D2SI - Docker, Inc.
The Docker network overlay driver relies on several technologies: network namespaces, VXLAN, Netlink and a distributed key-value store. This talk will present each of these mechanisms one by one along with their userland tools and show hands-on how they interact together when setting up an overlay to connect containers. The talk will continue with a demo showing how to build your own simple overlay using these technologies.
The Havana release of OpenStack, which came out in October 2013, contains several significant changes and new features in the networking component. OpenStack Networking has changed its name from 'quantum' to 'neutron'. It lays the foundation for supporting heterogeneous network components with the introduction of the ML2 (modular layer 2) plugin. The first implementations of FireWall as a Service (FWaaS) and VPN as a Service (VPNaaS) are now included. These features were demonstrated by Cisco developers at the OpenStack meetup in Boston in October 2013.
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I... - Cloud Native Day Tel Aviv
The Kuryr project offers an interesting approach to networking cloud native workloads, by enabling container orchestration engines to consume network services from OpenStack Neutron. With pod-in-VM support, Kuryr-Kubernetes enables a whole slew of new hybrid workloads, such as bare metal or in-VM pods accessing services that run on VMs, multiple COEs (e.g. Docker Swarm to Kubernetes), and more. Unified networking simplifies deployment and configuration and provides a single pane of glass for management and troubleshooting.
Let's dive into Kuryr-Kubernetes and learn how different open source technologies can complement each other to enable a number of complicated deployment scenarios.
Puppet is an IT automation tool. I was a speaker for this presentation at a Meetup and it was well received. Sharing it with open source folks who want to collaborate, learn and win.
Tectonic Summit 2016: Networking for Kubernetes - CoreOS
Sreekanth Pothanis, Cloud Engineering, eBay shares a networking Kubernetes tale from the trenches.
Networking is the hardest component in anyone's infrastructure; everything depends on it, especially in web-scale infrastructure with tens of thousands of servers. eBay is investing heavily in Kubernetes, and networking is again one of the areas we have the most difficulty with.
During the course of this talk we will go through various approaches we tried to make container networking conform to Kubernetes networking principles, while ensuring that it adapts to the existing networking models our infrastructure supports.
We would also cover how we have automated the process of setting up networking for Kubernetes clusters and how it offers seamless integration with non-Kubernetes workloads.
12/12/16
Gaetano Borgione's presentation from the 2017 Open Networking Summit.
Networking is vital for cloud-native apps where distributed computing and development models require speed, simplicity, and scale for massive number of ephemeral containers. Two of the most prevalent container networking models are CNI and CNM for developers using Docker, Mesos, or Kubernetes. This session will present an overview of distributed development, how CNI and CNM models work, and how container frameworks use these models for networking. Gaetano will also discuss the additional functions users need to consider in the control plane and data plane to achieve operational scale and efficiency.
** Kubernetes Certification Training: https://www.edureka.co/kubernetes-cer... **
This Edureka tutorial on "Kubernetes Networking" will give you an introduction to popular DevOps tool - Kubernetes, and will deep dive into Kubernetes Networking concepts. The following topics are covered in this training session:
1. What is Kubernetes?
2. Kubernetes Cluster
3. Pods, Services & Ingress Networks
4. Case Study of Wealth Wizards
5. Hands-On
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
Software Defined Networking is seeing a lot of momentum these days. With server virtualization solving the virtual machine problem, and large scale object storage solving the distributed storage challenge, SDN is seen as key in virtual networking.
In this talk we don't try to define SDN but rather dive straight into what in our opinion is the core enabler of SDN: the virtual switch OVS.
OVS can help manage VLANs for guest network isolation, and it can re-route any traffic at L2-L4 by keeping forwarding tables controlled by a remote controller (OpenFlow controller). We show these few OVS capabilities and highlight how they are used in CloudStack and Xen.
Xen Summit presentation of CloudStack and Software Defined Networks. Open vSwitch is the default bridge in Xen and is supported in XenServer and Xen Cloud Platform.
2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration - James Denton
Presentation titled 'Migrating production workloads from OVS to LinuxBridge'. Presented at the Fall 2014 OpenStack summit in Paris, this slide deck introduced the possibility of migrating live workloads from Open vSwitch to LinuxBridge with minimal downtime.
Secure Your Containers: What Network Admins Should Know When Moving Into Prod... - Cynthia Thomas
This session offers techniques for securing Docker containers and hosts using open source network virtualization technologies to implement microsegmentation. Come learn real tips and tricks that you can apply to keep your production environment secure.
OpenStack Israel Meetup - Project Kuryr: Bringing Container Networking to Neu... - Cloud Native Day Tel Aviv
Kuryr is a new project, started by Gal Sagie, that makes Neutron networking available to the container networking used in Docker, Kubernetes and others.
Kuryr aims at bridging the gap between container orchestration engines and their networking models and the OpenStack networking abstraction, exposing Neutron's flexibility, features and advanced services to container networking.
Kubernetes has two simple but powerful network concepts: every Pod is connected to the same network, and Services let you talk to a Pod by name. Bryan will take you through how these concepts are implemented - Pod Networks via the Container Network Interface (CNI), Service Discovery via kube-dns and Service virtual IPs, then on to how Services are exposed to the rest of the world.
The Collabnix Slack channel accommodates around 1300+ members and conducted its first online webinar. One of the Dockerlabs contributors, "Balasundaram Natarajan", talked about Demystifying Docker & Kubernetes Networking.
"One network to rule them all" - OpenStack Summit Austin 2016 - Phil Estes
Presentation at IBM Client Day by Kyle Mestery and Phil Estes, OpenStack Summit 2016 - Austin, Texas on April 26, 2016. "Open, Scalable and Integrated Networking for Containers and VMs" covering Project Kuryr, Docker's libnetwork, and Neutron & OVS and OVN network stacks
An in-depth look into Docker Networking. We will cover all the networking features natively available in Docker and take you through hands-on exercises designed to help you learn the skills you need to deploy and maintain Docker containers in your existing network environment.
Led by Docker Networking Pros:
Madhu Venugopal
Jana Radhakrishnan
Kubernetes has a very complex network architecture. It is the networking that enables Kubernetes to redefine the latest container technology.
1. Docker containers networks
2. Containers communication in a Pod
3. Pods communication cross different nodes
4. Pod to Service communication
Orchestrating Microservices with Kubernetes - Weaveworks
- Kubernetes Concepts
- Hands on: Using kubeadm to stand up a Kubernetes cluster
- Hands on: Using kubectl to make changes to running Kubernetes cluster
How to Install and Use Kubernetes by Weaveworks - Weaveworks
Kubernetes is exploding with over 10,000 people in the Kubernetes Slack channel and hundreds joining every day. Why is it so popular with software developers and DevOps folks? This talk covers:
• The benefits of using containers and microservices
• An overview of Kubernetes concepts including Pods, Replica Sets, Deployments, Services and Selectors, and how they all fit together
• How to install your own Kubernetes cluster onto any machine running Linux
• How to deploy the microservices sample app, the Sock Shop, to a Kubernetes cluster
For more information read our blog: https://www.weave.works/blog/k8s-future-simplified-kubernetes-installation/
Interested in future Weave Events? Please join our Meetup group: https://www.meetup.com/Weave-User-Group/
Overview of Docker 1.11 features(Covers Docker release summary till 1.11, runc/containerd, dns load balancing ipv6 service discovery, labels, macvlan/ipvlan)
This talk is a gentle introduction to the core concepts required to successfully deploy your first few apps to Kubernetes, followed by an overview of the Kubernetes architecture to enable you to understand how to deploy a cluster yourself. The tool kubeadm is then used to easily set up Kubernetes clusters on any computers running Linux. We'll then try out the theory we learned by deploying some Pods, Deployments and Services to our new cluster and observing their behaviour.
Docker Networking in OpenStack: What you need to know now - PLUMgrid
Learn how you bring secure, scalable, available and open software defined networking to Docker containers managed by OpenStack. This session will cover how Docker virtual networks function, how to plumb them into the virtual network fabric and reliably assign information such as IP addresses, virtual interfaces and more. In addition, this session will also cover how to securely wrap Docker containers using security policies and encryption.
Docker Orchestration: Welcome to the Jungle! Devoxx & Docker Meetup Tour Nov ... - Patrick Chanezon
In two years, Docker hit the sweet spot for devs and ops, with tools for building, shipping, and running distributed apps architected as a set of collaborating microservices packaged as Linux containers. One area of the Docker ecosystem that saw a lot of innovation in the past year is container orchestration systems. This session compares and contrasts various Docker orchestration systems (Swarm, Machine, and Compose), the batteries included with Docker itself, Mesos, Kubernetes, CoreOS/Fleet, Deis, Cloud Foundry, and Tutum. It includes a demo of how to deploy a Java 8 app with MongoDB on several of these systems. The goal of the session is to give you a framework to help evaluate how these systems can meet your particular requirements.
Demo code at https://github.com/chanezon/docker-tips/blob/master/orchestration-networking/README.md
How to build a Kubernetes networking solution from scratch - All Things Open
Presented by: Antonin Bas & Jianjun Shen, VMware
Presented at All Things Open 2020
Abstract: For the non-initiated, Kubernetes (K8s) networking can be a bit like dark magic. Many clusters have requirements beyond what the default network plugin, kubenet, can provide and require the use of a third-party Container Network Interface (CNI) plugin. But what exactly is the role of these plugins, how do they differ from each other and how does the choice of one affect your cluster?
In this talk, Antonin and Jianjun will describe how a group of developers was able to build a CNI plugin - an open source project called Antrea - from scratch and bring it to production in a matter of months. This velocity was achieved by leveraging existing open-source technologies extensively: Open vSwitch, a well-established programmable virtual switch for the data plane, and the K8s libraries for the control plane. Antonin and Jianjun will explain the responsibilities of a CNI plugin in the context of K8s and will walk the audience through the steps required to create one. They will show how Antrea integrates with the rest of the cloud-native ecosystem (e.g. dashboards such as Octant and Prometheus) to provide insight into the network and ensure that K8s networking is not just dark magic anymore.
Lessons learned and challenges faced while running Kubernetes at Scale - Sidhartha Mani
Kubernetes lessons learned from running it at scale in production.
From my talk at Scale 15x in Pasadena CA https://www.socallinuxexpo.org/scale/15x/presentations/orchestrating-orchestrators-challenges-faced-and-lessons-learned-managing
Practical Design Patterns in Docker Networking - Docker, Inc.
Migrating an application to Docker creates an opportunity to utilize new networking topologies and features, which can provide new functionality to an existing application. This talk will provide an overview of Docker networking with a focus on the architectural choices when migrating applications. Taking sample applications we will look at the existing networking topology and cover the options available to create a simple migration and provide additional functionality.
7. Docker Swarm Networking Goals
• Make multi-host networking simple
• Make networks first class citizens in a Docker environment
• Make applications more portable
• Make networks secure and scalable
• Create a pluggable network stack
• Support multiple OS platforms
8. Docker Swarm Networking Design Philosophy
• Put Users First: Developers and Operations
• Plugin API Design: Batteries included but removable
10. What is Docker Bridge Networking
Single-host networking!
• Simple to configure and troubleshoot
• Useful for basic test and dev
[Diagram: one Docker host with a bridge and three containers attached to it]
11. What is Docker Bridge Networking
• The bridge driver creates a bridge (virtual switch) on a single Docker host
• Containers get plumbed into this bridge
• All containers on this bridge can communicate
• The bridge is a private network restricted to a single Docker host
[Diagram: one Docker host with a bridge and three containers attached to it]
12. What is Docker Bridge Networking
[Diagram: Docker host 1 with one bridge (CntnrA, CntnrB), Docker host 2 with one bridge (CntnrC, CntnrD), Docker host 3 with two bridges, Bridge 1 and Bridge 2 (CntnrE, CntnrF)]
Containers on different bridge networks cannot communicate
13. Bridge networking in a bit more detail
• The bridge created by the bridge driver for the pre-built bridge network is called docker0
• Each container is connected to a bridge network via a veth pair
• Provides single-host networking
• External access requires port mapping
[Diagram: Docker host with eth0, a bridge, and three containers each attached to the bridge by a veth pair]
14. What is Service Discovery?
• The ability to discover services within a Swarm
• Every service registers its name with the Swarm
• Every task registers its name with the Swarm
• Service discovery uses the DNS resolver embedded inside each container and the DNS server inside each Docker Engine
• Clients can look up service names
15. Bridge networking and port mapping
[Diagram: Docker host 1 at 172.14.3.55 on the L2/L3 physical network, with a bridge and Cntnr1 at 10.0.0.8]
$ docker run -p 8080:80 ...
Host port :8080, container port :80
16. Bridge Networking Summary
• Creates a private internal network (single-host)
• External access is via port mappings on a host interface
• There is a default bridge network called bridge
• Can create user-defined bridge networks
[Diagram: Docker host with eth0, bridge “docker0”, and three containers each attached to the bridge by a veth pair]
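The `-p` flag on the previous slides decides which of the host's interfaces a container port is reachable from, and that is where most accidental exposure happens. As an added example that is not part of the deck, the following Python parses Docker `-p`/`--publish` specs and flags every mapping that is bound on all host interfaces. It handles a subset of Docker's grammar (optional address, host port or port range, container port or range, optional protocol suffix); the sample flags at the bottom are constructed. A published port with no address is bound on 0.0.0.0, and Docker programs the mapping into its own iptables chains (the DOCKER chain in the nat and filter tables), so host INPUT-chain rules such as those managed by ufw do not gate it.

```python
"""Parse Docker `-p` / `--publish` specs and flag ones bound on every host interface.

Added example, not code from the deck. Grammar handled (a subset of Docker's):
    [[host_ip:][host_port[-host_port]]:]container_port[-container_port][/tcp|udp|sctp]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALL_INTERFACES = {"0.0.0.0", "::"}   # what Docker binds when no address is given


@dataclass(frozen=True)
class PortMapping:
    host_ip: str                 # "0.0.0.0" when the spec gives no address
    host_port: Optional[int]     # None: Docker picks an ephemeral host port
    container_port: int
    proto: str


def _ports(text: str) -> List[Optional[int]]:
    """'80' -> [80]; '8000-8002' -> [8000, 8001, 8002]; '' -> [None] (ephemeral)."""
    if text == "":
        return [None]
    lo, _, hi = text.partition("-")
    lo_n, hi_n = int(lo), int(hi or lo)
    if not 0 < lo_n <= hi_n <= 65535:
        raise ValueError(f"bad port or range: {text!r}")
    return list(range(lo_n, hi_n + 1))


def parse_publish(spec: str) -> List[PortMapping]:
    """Expand one -p argument into its individual host -> container mappings."""
    body, _, proto = spec.partition("/")
    proto = proto or "tcp"
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol in {spec!r}")
    # Split from the right so an IPv4 or bracketed IPv6 address on the left survives.
    parts = body.rsplit(":", 2)
    host_ip = "0.0.0.0"
    if len(parts) == 1:            # "80": ephemeral host port, all interfaces
        host_text, cont_text = "", parts[0]
    elif len(parts) == 2:          # "8080:80"
        host_text, cont_text = parts
    else:                          # "127.0.0.1:8080:80" or "[::1]::6379"
        host_ip, host_text, cont_text = parts
        host_ip = host_ip.strip("[]")
        ipaddress.ip_address(host_ip)   # raises ValueError on anything that is not an address
    host_ports, cont_ports = _ports(host_text), _ports(cont_text)
    if host_ports == [None]:
        host_ports = [None] * len(cont_ports)
    if len(host_ports) != len(cont_ports):
        raise ValueError(f"host/container range lengths differ in {spec!r}")
    return [PortMapping(host_ip, h, c, proto) for h, c in zip(host_ports, cont_ports)]


def audit_publish(specs: List[str]) -> List[str]:
    """One warning per mapping that every network the host sits on can reach."""
    warnings = []
    for spec in specs:
        for m in parse_publish(spec):
            if m.host_ip in ALL_INTERFACES:
                shown = "<ephemeral>" if m.host_port is None else m.host_port
                warnings.append(f"{spec}: {m.host_ip}:{shown}/{m.proto} -> container "
                                f"port {m.container_port} is bound on all interfaces")
    return warnings


if __name__ == "__main__":
    # Constructed sample flags, as they might appear on a `docker run` line.
    for line in audit_publish(["8080:80", "127.0.0.1:5432:5432", "53/udp", "[::1]::6379"]):
        print(line)
```

For anything that should only be reached through a local reverse proxy, give the mapping an explicit address (`-p 127.0.0.1:8080:80`); the audit above treats that as safe and only reports the 0.0.0.0 and :: bindings.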
17. What is Docker Overlay Networking?
The overlay driver enables simple and secure multi-host networking
[Diagram: Docker host 1 (CntnrA, CntnrB), Docker host 2 (CntnrC, CntnrD) and Docker host 3 (CntnrE, CntnrF), all attached to one overlay network]
All containers on the overlay network can communicate!
18. Building an Overlay Network (High level)
[Diagram: Docker host 1 (underlay address 172.31.1.5) and Docker host 2 (underlay address 192.168.1.25) joined by the overlay 10.0.0.0/24, with containers at 10.0.0.3 and 10.0.0.4]
19. Docker Overlay Networks and VXLAN
• The overlay driver uses VXLAN technology to build the network
• A VXLAN tunnel is created through the underlay network(s)
• At each end of the tunnel is a VXLAN tunnel end point (VTEP)
• The VTEP performs encapsulation and de-encapsulation
• The VTEP exists on the Docker host, outside the containers (the overlay driver keeps the VXLAN interface in a network namespace of its own on the host)
[Diagram: Docker host 1 (172.31.1.5) and Docker host 2 (192.168.1.25), a VTEP on each, joined by a VXLAN tunnel over the Layer 3 transport (underlay networks)]
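What the VTEP actually puts on the underlay, as an added example (not code from the deck or from libnetwork): the 8-byte VXLAN header is prepended to the complete inner Ethernet frame and carried in UDP, which for Docker's VTEPs means UDP port 4789. The VNI 4097, the MAC addresses, the container IPs and the payload below are constructed for the demo, and the IPv4 header builder is the minimum needed to produce a parseable inner frame. `peek_inner` shows why the slide's "secure" deserves a qualifier: unless the network was created with `docker network create --driver overlay --opt encrypted ...`, which wraps the VXLAN traffic in IPsec, anyone who can capture packets on the underlay reads the inner addresses and payload in plaintext.

```python
"""VXLAN framing as seen on the underlay between two Docker overlay VTEPs (added example).

Not code from the deck or from libnetwork. A VXLAN packet is UDP (Docker uses port
4789) carrying an 8-byte header and the complete inner Ethernet frame (RFC 7348).
The VNI, MAC and IP addresses used below are constructed for the demo.
"""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08          # "VNI valid" flag; the only bit VXLAN requires to be set


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame


def vxlan_decap(udp_payload: bytes):
    """Return (vni, inner_frame); reject anything without the I flag set."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", udp_payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, udp_payload[8:]


def _ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_inner_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                      payload: bytes) -> bytes:
    """Ethernet II + minimal IPv4 header (protocol 17, DF set, TTL 64) + opaque payload."""
    ether = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return ether + ip + payload


def peek_inner(inner_frame: bytes) -> dict:
    """What a passive observer on the underlay learns from an unencrypted overlay packet."""
    dst, src, ethertype = inner_frame[:6], inner_frame[6:12], inner_frame[12:14]
    seen = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":")}
    if ethertype == b"\x08\x00":
        ihl = (inner_frame[14] & 0x0F) * 4
        ip = inner_frame[14:14 + ihl]
        if _ipv4_checksum(ip) != 0:
            raise ValueError("bad inner IPv4 header checksum")
        seen["src_ip"] = str(ipaddress.ip_address(ip[12:16]))
        seen["dst_ip"] = str(ipaddress.ip_address(ip[16:20]))
        seen["payload"] = inner_frame[14 + ihl:]
    return seen


def demo():
    """Host 172.31.1.5 sends a frame from 10.0.0.3 to 10.0.0.4, which lives on host 192.168.1.25."""
    frame = build_inner_frame("02:42:0a:00:00:03", "02:42:0a:00:00:04",
                              "10.0.0.3", "10.0.0.4", b"GET /health")
    on_the_wire = vxlan_encap(4097, frame)       # UDP payload sent to 192.168.1.25:4789
    vni, recovered = vxlan_decap(on_the_wire)    # what the far VTEP (or a sniffer) does
    return vni, peek_inner(recovered)


if __name__ == "__main__":
    vni, seen = demo()
    print(f"VNI {vni}: {seen['src_ip']} -> {seen['dst_ip']} payload={seen['payload']!r}")
```

The VNI is the only thing separating one overlay network's traffic from another's on the wire, and nothing in the header authenticates the sender, so the underlay ports the VTEPs use (UDP 4789 for the data plane) should be reachable only from the other Swarm nodes, and the encrypted option should be on for any overlay that crosses a network you do not control.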
20. Service Discovery in a bit more detail
[Diagram: the “mynet” network (overlay, MACVLAN or user-defined bridge) spanning Docker host 1 (task1.myservice, task2.myservice) and Docker host 2 (task3.myservice)]
Swarm DNS (service discovery):
myservice        10.0.1.18
task1.myservice  10.0.1.19
task2.myservice  10.0.1.20
task3.myservice  10.0.1.21
21. Service Discovery in a bit more detail
(Diagram: each container has a DNS resolver at 127.0.0.11, which forwards to the Engine DNS server on its Docker host. Docker host 1 runs task1.myservice and task2.myservice on “mynet” and task1.yourservice on the separate “yournet” network; Docker host 2 runs task3.myservice. Swarm DNS (service discovery) holds:)
myservice          10.0.1.18
task1.myservice    10.0.1.19
task2.myservice    10.0.1.20
task3.myservice    10.0.1.21
yourservice        192.168.56.50
task1.yourservice  192.168.56.51
22. Service Virtual IP Load Balancing
• Every service gets a VIP when it’s created
− This stays with the service for its entire life
• Lookups against the VIP get load-balanced across all healthy tasks in the service
• Behind the scenes it uses Linux kernel IPVS to perform transport layer load balancing
• docker inspect <service> (shows the service VIP)
NAME             HEALTHY  IP
myservice                 10.0.1.18   (service VIP)
task1.myservice  Y        10.0.1.19   (load balance group)
task2.myservice  Y        10.0.1.20
task3.myservice  Y        10.0.1.21
task4.myservice  Y        10.0.1.22
task5.myservice  Y        10.0.1.23
23. What is a Routing Mesh?
• Native load balancing of requests coming from an external source
• Services get published on a single port across the entire Swarm
• A special overlay network called “Ingress” is used to forward the requests to a task in the service
• Traffic is internally load balanced as per normal service VIP load balancing
• Incoming traffic to the published port can be handled by all Swarm nodes
24. Routing Mesh Example
1. Three Docker hosts
2. New service with 2 tasks
3. Connected to the mynet overlay network
4. Service published on port 8080 swarm-wide
5. External LB sends request to Docker host 3 on port 8080
6. Routing mesh forwards the request to a healthy task using the ingress network
(Diagram: Docker host 1 runs task1.myservice and Docker host 2 runs task2.myservice on the “mynet” overlay network; Docker host 3 runs no task. All three hosts run IPVS, listen on 8080 and share the Ingress network; the external LB sends its request to Docker host 3 on 8080.)
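The two slides above make a point that matters for an exposure inventory: a service's VIP is visible in docker inspect, and a port published swarm-wide is open on every node, including host 3 which runs no task. The following added example (not code from the slides or from Docker) reads the JSON that docker service inspect emits and lists each service's VIPs and its swarm-wide published ports. The field names used (Endpoint.VirtualIPs[].Addr and Endpoint.Ports[] with PublishedPort, TargetPort, Protocol and PublishMode) are those of docker service inspect output; the sample document itself is constructed and reuses the slide's myservice VIP 10.0.1.18.

```python
"""Audit swarm services for their VIPs and swarm-wide published ports.

Added example, not code from the slides or from Docker. SAMPLE_INSPECT is constructed in
the shape of `docker service inspect` output; a real run pipes that command's output into
audit_services() / swarm_wide_ports().
"""
import json
import sys

SAMPLE_INSPECT = json.dumps([
    {
        "ID": "constructed-service-id-1",
        "Spec": {"Name": "myservice"},
        "Endpoint": {
            "Spec": {"Mode": "vip"},
            "Ports": [
                {"Protocol": "tcp", "TargetPort": 80, "PublishedPort": 8080, "PublishMode": "ingress"}
            ],
            "VirtualIPs": [
                {"NetworkID": "constructed-ingress-net", "Addr": "10.255.0.5/16"},
                {"NetworkID": "constructed-mynet", "Addr": "10.0.1.18/24"},
            ],
        },
    },
    {
        "ID": "constructed-service-id-2",
        "Spec": {"Name": "yourservice"},
        "Endpoint": {
            "Spec": {"Mode": "vip"},
            "Ports": [
                {"Protocol": "tcp", "TargetPort": 9100, "PublishedPort": 9100, "PublishMode": "host"}
            ],
            "VirtualIPs": [{"NetworkID": "constructed-yournet", "Addr": "192.168.56.50/24"}],
        },
    },
])


def audit_services(inspect_json: str):
    """One record per service: name, VIPs (one per attached network) and every published port,
    marking ports in 'ingress' mode, which the routing mesh opens on every swarm node."""
    report = []
    for svc in json.loads(inspect_json):
        endpoint = svc.get("Endpoint", {})
        vips = [v["Addr"].split("/")[0] for v in endpoint.get("VirtualIPs", [])]
        ports = []
        for p in endpoint.get("Ports", []):
            ports.append({
                "published": p["PublishedPort"],
                "target": p["TargetPort"],
                "proto": p.get("Protocol", "tcp"),
                "swarm_wide": p.get("PublishMode", "ingress") == "ingress",
            })
        report.append({"name": svc["Spec"]["Name"], "vips": vips, "ports": ports})
    return report


def swarm_wide_ports(inspect_json: str):
    """Sorted (published_port, proto, service) tuples reachable on the published port of every node."""
    out = []
    for svc in audit_services(inspect_json):
        for p in svc["ports"]:
            if p["swarm_wide"]:
                out.append((p["published"], p["proto"], svc["name"]))
    return sorted(out)


if __name__ == "__main__":
    # Usage: docker service inspect $(docker service ls -q) | python3 this_file.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for port, proto, name in swarm_wide_ports(data):
        print(f"{port}/{proto} is open on every swarm node for service {name}")
```

Ports published in "host" mode (yourservice above) are only open on nodes that run a task, so only the "ingress" entries need to be reflected in node-level firewall rules and external exposure inventories.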
28. Overview
• Kubernetes Networking Concepts
• Calico CNI Model and Calico CNI Plug-in
• Services, Service Discovery, Ingress, Network Policies
• Docker Enterprise Networking Architecture with Calico
• Network Deployment Models
29. Kubernetes Networking Concepts
• All containers communicate with all other containers without NAT (Network Address Translation)
• All nodes can communicate with all containers and vice-versa without NAT
• The IP that the container uses is the same IP that others see it as
30. Container Network Interface (CNI)
(Diagram: Kubernetes invokes the CNI plugin; using the CNI plugin library and IPAM, the plugin creates a veth into the pod's network namespace and attaches it to the network.)
31. Calico Networking Plugin
Project Calico is an open source container networking provider and network policy engine and implements the CNI interface:
• IP address management
• container (pod) networking — Linux kernel L3 routing
• inter-node — IP routing
Calico provides a highly scalable networking and network policy solution for connecting Kubernetes pods based on the same IP networking principles as the internet. Calico can be deployed without encapsulation or overlays to provide high-performance, high-scale data center networking. Calico also provides fine-grained, intent-based network security policy for Kubernetes pods via its distributed firewall.
32. Secure Networking with Project Calico: Built-in But Swappable
FEATURE / CAPABILITY
• Pre-integrated with Project Calico:
− Highly scalable distributed networking model integrates well with various infrastructure platforms (inc. cloud and on-prem)
− Integration with Kubernetes Network Policies
• “Batteries included, but swappable”: CNI plug-in is swappable for other solutions
KEY BENEFITS
• Get a highly scalable networking solution out-of-the-box with the option to swap with your preferred solution
• Define networking policies once and apply them consistently across different infrastructure platforms
(Diagram: a NetworkPolicy named default-deny applied to ingress.)
33. Services
• Services enable you to expose a single address backed by multiple pods
• kube-proxy runs on each node, and performs basic load balancing between the pods
34. Service Discovery
• Service IPs are advertised to other pods via DNS
• Kubernetes includes an internal DNS server, kubedns
• Kubernetes creates a DNS record for:
− every Service (including the DNS server itself): my-svc.my-namespace.svc.cluster.local
− Pods (where configured): pod-ip-address.my-namespace.pod.cluster.local
35. Ingress
(Diagram: an Ingress routes foo.mydomain.com, mydomain.com/bar and other traffic to three Services, each backed by several Pods.)
• Kubernetes Ingress API allows you to configure provisioning of a dedicated load balancer
• Allows use of more advanced LB algorithms than kube-proxy
• Ingress controller runs as a pod, specific to each LB
− may itself be a software load balancer (e.g. NGINX)
− or configuration gateway for external LB appliance
38. Kubernetes Network Policy
● Specifies how groups of pods are allowed to communicate with each other and other network endpoints using:
○ Pod label selector
○ Namespace label selector
○ Protocol + Ports
● Pods selected by a NetworkPolicy:
○ Are isolated by default
○ Are allowed incoming traffic if that traffic matches a NetworkPolicy ingress rule.
● Requires a controller to implement the API - Calico does this in Docker Enterprise:
https://kubernetes.io/docs/concepts/services-networking/network-policies/
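The isolation semantics on this slide (and the default-deny ingress policy pictured on slide 32) are easy to misread, so here is an added example, not code from the slides, Kubernetes or Calico, that evaluates them for a proposed connection: a pod selected by any NetworkPolicy is isolated for ingress and accepts traffic only if some policy selecting it has an ingress rule whose peers (pod selector, namespace selector) and ports match, while a pod selected by no policy accepts everything. The model covers matchLabels selectors and the podSelector/namespaceSelector peer forms; ipBlock peers, matchExpressions and egress rules are left out. The namespaces, pods and policies are constructed samples.

```python
"""Evaluate Kubernetes NetworkPolicy ingress rules for a proposed pod-to-pod connection.

Added example, not code from the slides, Kubernetes or Calico. It models matchLabels
selectors and podSelector/namespaceSelector peers only; ipBlock, matchExpressions and
egress are not modelled. NS_LABELS, the pods and POLICIES are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Peer:
    """One entry of an ingress rule's `from` list; None means that selector is absent."""
    pod_selector: Optional[Dict[str, str]] = None
    namespace_selector: Optional[Dict[str, str]] = None


@dataclass(frozen=True)
class IngressRule:
    peers: Tuple[Peer, ...] = ()              # empty `from`: any source
    ports: Tuple[Tuple[str, int], ...] = ()   # empty `ports`: any port; else (protocol, port)


@dataclass(frozen=True)
class NetworkPolicy:
    namespace: str
    pod_selector: Dict[str, str]              # {} selects every pod in the namespace
    ingress: Tuple[IngressRule, ...] = ()     # no rules: selected pods accept nothing (default-deny)


def matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_allows(peer: Peer, src: Pod, policy_ns: str, ns_labels: Dict[str, Dict[str, str]]) -> bool:
    """podSelector alone: sources in the policy's own namespace. namespaceSelector alone: any pod
    in a matching namespace. Both present: the source must satisfy both (AND)."""
    if peer.pod_selector is None and peer.namespace_selector is None:
        return False  # an empty peer is treated here as matching nothing
    if peer.namespace_selector is None:
        ns_ok = src.namespace == policy_ns
    else:
        ns_ok = matches(peer.namespace_selector, ns_labels.get(src.namespace, {}))
    pod_ok = peer.pod_selector is None or matches(peer.pod_selector, src.labels)
    return ns_ok and pod_ok


def rule_allows(rule: IngressRule, src: Pod, port: int, proto: str, policy_ns: str,
                ns_labels: Dict[str, Dict[str, str]]) -> bool:
    """A rule matches when both its port list and its peer list match (each empty list means 'any')."""
    port_ok = not rule.ports or (proto, port) in rule.ports
    peer_ok = not rule.peers or any(peer_allows(p, src, policy_ns, ns_labels) for p in rule.peers)
    return port_ok and peer_ok


def ingress_allowed(policies, ns_labels, src: Pod, dst: Pod, port: int, proto: str = "TCP") -> bool:
    """Decide whether src may open a connection to dst on (proto, port)."""
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and matches(p.pod_selector, dst.labels)]
    if not selecting:
        return True   # destination is not isolated: no policy selects it
    # Isolated: allowed only if some selecting policy has a matching ingress rule.
    return any(rule_allows(r, src, port, proto, p.namespace, ns_labels)
               for p in selecting for r in p.ingress)


# Constructed sample cluster: default-deny ingress in "prod" plus one rule letting web reach db.
NS_LABELS = {"prod": {"env": "prod"}, "dev": {"env": "dev"}}
WEB = Pod("web-0", "prod", {"app": "web"})
DB = Pod("db-0", "prod", {"app": "db"})
DEV_TOOL = Pod("tool-0", "dev", {"app": "web"})
POLICIES = (
    NetworkPolicy("prod", {}),                      # default-deny: isolates every prod pod
    NetworkPolicy("prod", {"app": "db"}, (
        IngressRule(peers=(Peer(pod_selector={"app": "web"}),), ports=(("TCP", 5432),)),
    )),
)
```

Run through the sample, web-0 reaches db-0 on 5432 but not on 22, tool-0 in the dev namespace is refused despite carrying the same app=web label (a podSelector-only peer is scoped to the policy's namespace), nothing reaches web-0 because only the default-deny policy selects it, and tool-0 accepts anything because no policy exists in dev. Whether these rules are enforced at all depends on the controller the slide mentions; without one the objects are accepted by the API server and silently ignored.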
40. Calico Architecture
● Distributed control plane, calico/node on each host
● Shared state in etcd key/value store
● Overlay (IP-IP) or unencapsulated (flat networking) — IP-IP default in Enterprise
● BGP for route distribution (optionally peer with infrastructure)
● Network policy enforced on container and host interfaces
42. Calico Deployment Models: Overlay Data Plane with Full Mesh Control Plane (Default)
(Diagram: four UCP Workers running pods, connected by IPIP tunnels, with a full BGP peering mesh between them.)
This is the default mode for Kubernetes networking in UCP. It is the most portable and hands-off deployment model.
Each Calico router is peered via BGP with every other Calico router. This can have scaling limitations at greater than 100 nodes within a single cluster (depending on node resourcing).
The overlay encapsulates pod traffic using the IPIP tunnel, using separate subnets for the overlay traffic and the underlay host-to-host traffic.
Example:
Pod Network - 192.168.10.0/16
Host Network - 192.168.20.0/16
43. Calico Deployment Models: Overlay Data Plane with Route Reflector Control Plane
(Diagram: six UCP Workers running pods, connected by IPIP tunnels; each peers over BGP only with a pair of Calico Route Reflectors.)
Fewer overall BGP peers makes this deployment model more performant and scalable by centralizing the BGP peer connections on a pair of redundant Route Reflectors.
Requires a redeployment of Calico with RRs. The RRs must be placed on dedicated nodes with no other workloads. The RRs are highly available by default.
44. Kubernetes Network Encryption
Use Case
● Apply default encryption without intervention or awareness from users
● Protect internal application traffic on untrusted or shared infrastructure by default
Usage
● Optional feature in UCP
● Deploy encryption daemonset to encrypt all host-to-host traffic between all pods within the Kubernetes cluster
● Key management and rotation managed centrally by add-on encryption module
● IPSec encryption
(Diagram: two hosts, each running a pod with an app, connected over Kubernetes networking.)
45. Kubernetes Network Encryption
(Diagram: each UCP Worker runs an app pod and a Secure Overlay Agent DaemonSet (DS); the UCP Manager runs the Secure Overlay Manager pod.)
Architecture
● Secure Overlay Manager manages and rotates keys within the cluster
● Secure Overlay Agent manages the encryption tunnels between hosts in the cluster. Does not sit in the traffic path.
● Traffic is encrypted by the in-kernel IPSec capabilities of Linux
46. Review
● Container Networking — Simple, IP-based. Overlay optional. Calico is shipped out of the box with Docker Enterprise
● Services — Cluster-internal load balancing. Implemented by kube-proxy
● Service Discovery — KubeDNS
● Ingress — Routing of external traffic into cluster (e.g. with NGINX)
● Network Policy — Traffic isolation within cluster. Implemented by Calico in Docker Enterprise