SlideShare a Scribd company logo

Kubernetes Networking 101 kubecon EU 2022

S
ssuser1490e8

Introduction to Kubernetes networking

Technology
1 of 38
Download to read offline
Presenter and Dutch Uncles • @RandyAbernethy • Managing Partner at RX-M • CNCF Ambassador • Cloud Native Uncles • Chris • “kubectl said what?” at 16:00 today!! • Iliyan • Valentin • Tutorial Lab Doc: • https://github.com/ RX-M/kubecon-eu-2022/ net101.md @rxmllc Linkedin.com/company/rx-m-llc https://www.youtube.com/channel/UCyFZuVfrRposGJ86mkWcF_Q
• Concepts and Projects Explored: 1. Container Networking • CNI and Cilium 2. Kubernetes Services • Kubernetes 3. Kubernetes DNS • CoreDNS 4. Outside Access • Emissary, Envoy and MetalLB 5. Service Mesh • Linkerd
Container Networking • There’s no such thing as a Container • There are just processes running on Linux • However, we can isolate a process using Linux namespaces • A network namespace gives a process and its children a virtual ip stack • Network namespaces include private copies of: • Interfaces • loopback • eth0 • Routes • IP Tables • And so on Host if Container if
Pod Pod Architecture • Running a container under Docker places that container in its own private network namespace by default • Kubernetes collects sets of containers together in Pods • Pods are atomic in Kubernetes: • Scheduled as a unit • Scaled as a unit • Terminated as a unit • All the containers in a Pod share the same network namespace Host if Container if Container
Pod Networking • Components of distributed applications need to communicate • When we deploy services in pods, the pods need a network • We don’t really care if the pods are on the same machine or different machines, we just care that they can talk Pod Container Container Pod Container if Container if
CNI • Kubernetes relies on three key plugins for core functionality: • CRI – Container runtime interface • CNI – Container networking interface • CSI – Container storage interface • CNI is a specification that allows systems like Kubernetes to integrate with software defined networking (SDN) solutions • CNI plugins provide: • Pod network wiring • Pod IP addresses • Network policy implementation • Potentially much more
Cilium • Cilium is an incubating CNCF project • CNI compliant • Provides Pod Networking features with the help of Linux eBPF
Cilium CNI • CNI plugins are responsible for configuring a pod’s network • Interfaces, ip addresses, routes and so on • Configuration external to the pod necessary to support intrapod networking Pod Container Container Pod Container if Container if Host if Host if Cilium Cilium eBPF eBPF
Lab Step 1 – Pod Networking ssh to your lab system Install a Kubernetes cluster Install the Cilium CNI plugin Explore the Pod network
ClusterIP
Cluster IP Implementation • kube-proxy • User mode • IPTables • IPVS • CNI Plugin • User mode • eBPF • Other approaches and combinations
Independent Address Spaces • A Kubernetes solution requires several non overlapping address spaces • HostIP (node) Range – managed by IT or your Cloud • ClusterIP Range – configured when installing K8s • PodIP Range – configured when installing your CNI plugin
IPv4 and IPv6 Support • The CNI controls Pod addressing (can be IPv4/6/dual/etc) • Kubernetes Controls ClusterIP addressing: • IPv4-only GA in K8s v1.0 • Only IPv4 Services • IPv6-only GA in K8s v1.18 • If enabled, only IPv6 Services • Either IPv4/IPv6 in K8s 1.20 • Either IPv4 or IPv6 services in the same cluster • Dual-stack IPv4/IPv6 GA in K8s 1.23 [two ranges must be supplied] • Services ipFamilyPolicy can be set to: • SingleStack – uses the first configured service cluster IP range • PreferDualStack – allows you to optionally define a single ClusterIP • RequireDualStack – requires you to define IPv4 & 6 if you define ClusterIP
Specifying a Service • Services are a resource Kind • In the Core group at maturity v1 • Like all resources they require a name in the metadata • Services have: • Ports to forward • EndPoints to forward to • Selectors identify pods to generate endpoints from
Endpoints • Selectors automatically generate EndPoints for services • EndPoints can be created manually as well
Types of Services • Headless (special case of ClusterIP) • Supports name resolution but not forwarding • ClusterIP • For load balanced intra-cluster service communications • NodePort • For external service access via a universal port • LoadBalancer • Uses a plugin to enable an external load balancer • ExternalName • Aliases this service to the specified externalName
Lab Step 2 - Services Create a Deployment Create a ClusterIP Service Figure out how it works
DNS in Kubernetes • Pod Container Filesystem hacks: • /etc/resolv.conf • /etc/hostname • /etc/hosts • CoreDNS • Deployment (ReplicaSet, 2 Pods) • AutoScaler in some distros • Service • 10.96.0.10
Service Name Resolution • myservice.mynamespace.svc.cluster.local • myservice – the service name • mynamespace – the namespace • svc – the directory for services • cluster.local – the cluster suffix set when installing the cluster • Realistic example: • web.production.svc.k8s54.rx-m.com • Resolves to ClusterIP
Headless Services • Used for StatefulSets where loadbalancing does not make sense • You need to talk to who you need to talk to, pods are not replicas • Services with no ClusterIP are Headless • Resolving the Service name produces the list of endpoints for all pods in the service • You can also resolve a specific pod by ordinal • redis-0.redis.datans.svc.cluster.local • redis-1.redis.datans.svc.cluster.local • redis-2.redis.datans.svc.cluster.local • …
Overriding Kubelet DNS config • Default resolv.conf settings can be overridden in Pod specs • Nameservers • Searches • Options
Lab Step 3 - DNS Work with DNS Create a Headless Service Use Headless DNS
Outside Access • How can we reach services inside the cluster from outside the cluster? • HostPort – Pod feature that forwards a port from the host • NodePort – Service type that adds a NodePort forwarded on every node • LoadBalancer – Service type, calls a plugin to create an external load balancer • Ingress – Kubernetes framework for HTTP/HTTPS proxying • Gateway – Like ingress but more sophisticated • Almost all schemes for inbound cluster access depend on either host ports or node ports
HostPort • Pods can define host ports • Maps a port on the worker node interface to the container interface port • Useful for cluster admins • Typically in combination with DaemonSets • Not good for applications • Deployments create pods that are scheduled, how do we know the port will be open on a given machine? • You have to know where the pod lands to reach it
NodePort • Similar to host port in that it maps a port on the host • Unlike a host port, the service is assigned a unique high number port from an admin defined range • The NodePort is forwarded on every node in the cluster to the service • NodePort services also have all of the features of a ClusterIP service
LoadBalancer • LoadBalancer services provision an external load balancer through a cluster plugin • Cloud Solutions • AWS Elastic Load Balancer • Azure Load Balancer • GCP Network Load Balancer • On Prem Solutions • MetalLB • Netris • KubeVIP • Avi (VMware) • F5 • Citrix ADC • LoadBalancer services also have all of the features of a NodePort service
Ingress • A Kubernetes framework • Kubernetes defines the Ingress resource type • HTTP/HTTPS only • An ingress controller must be installed to implement Ingress resource functionality
Gateway • Not a Kubernetes thing • Often an Ingress Controller on steroids • Common features: • Advanced Security and Auth features • Sophisticated routing and load balancing • Support for other protocols • gRPC • SCTP • UDP • TCP • Apache Thrift • Protocol translation and upgrade • Uses CRDs for config
Lab Step 4 NodePort Services Ingress Gateways
Service Mesh Functionality • A Service Mesh can implement cross cutting concerns that are desired by all of your service • mTLS • Communications Metrics • Communications Policy • Traces • Fault Injection/Chaos support • Advanced Traffic Management • A Service Mesh can also simplify cross cluster communications
Types of Service Mesh • Proxy Based • Implemented using the ambassador pattern • Most common and most tested • eBPF Based • Bleeding edge • Promises performance benefits but includes some downsides • Library Based • Implemented in the app process by a library • e.g. gRPC • New, fast but requires all apps to use “the library”
@RandyAbernethy rx-m.com

Recommended

99cloud Docker Training module 2
99cloud Docker Training module 299cloud Docker Training module 2
99cloud Docker Training module 2Liang Bo
 
CNCF Projects Overview
CNCF Projects OverviewCNCF Projects Overview
CNCF Projects OverviewNeependra Khare
 
ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...
ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...
ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...Frank Lyaruu
 
Docker Online Meetup #22: Docker Networking
Docker Online Meetup #22: Docker NetworkingDocker Online Meetup #22: Docker Networking
Docker Online Meetup #22: Docker NetworkingDocker, Inc.
 
RedisConf18 - Redis Enterprise on Cloud Native Platforms
RedisConf18 - Redis Enterprise on Cloud Native Platforms RedisConf18 - Redis Enterprise on Cloud Native Platforms
RedisConf18 - Redis Enterprise on Cloud Native Platforms Redis Labs
 
Why Kubernetes as a container orchestrator is a right choice for running spar...
Why Kubernetes as a container orchestrator is a right choice for running spar...Why Kubernetes as a container orchestrator is a right choice for running spar...
Why Kubernetes as a container orchestrator is a right choice for running spar...DataWorks Summit
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101Huy Vo
 
KuberNETes - meetup
KuberNETes - meetupKuberNETes - meetup
KuberNETes - meetupNathan Ness
 

Recommended

99cloud Docker Training module 2
99cloud Docker Training module 299cloud Docker Training module 2
99cloud Docker Training module 2Liang Bo
 
CNCF Projects Overview
CNCF Projects OverviewCNCF Projects Overview
CNCF Projects OverviewNeependra Khare
 
ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...
ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...
ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...Frank Lyaruu
 
Docker Online Meetup #22: Docker Networking
Docker Online Meetup #22: Docker NetworkingDocker Online Meetup #22: Docker Networking
Docker Online Meetup #22: Docker NetworkingDocker, Inc.
 
RedisConf18 - Redis Enterprise on Cloud Native Platforms
RedisConf18 - Redis Enterprise on Cloud Native Platforms RedisConf18 - Redis Enterprise on Cloud Native Platforms
RedisConf18 - Redis Enterprise on Cloud Native Platforms Redis Labs
 
Why Kubernetes as a container orchestrator is a right choice for running spar...
Why Kubernetes as a container orchestrator is a right choice for running spar...Why Kubernetes as a container orchestrator is a right choice for running spar...
Why Kubernetes as a container orchestrator is a right choice for running spar...DataWorks Summit
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101Huy Vo
 
KuberNETes - meetup
KuberNETes - meetupKuberNETes - meetup
KuberNETes - meetupNathan Ness
 
OpenStack and Windows
OpenStack and WindowsOpenStack and Windows
OpenStack and WindowsAlessandro Pilotti
 
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...Cynthia Thomas
 
Containers, Serverless and Functions in a nutshell
Containers, Serverless and Functions in a nutshellContainers, Serverless and Functions in a nutshell
Containers, Serverless and Functions in a nutshellEugene Fedorenko
 
Open stackaustinmeetupsept21
Open stackaustinmeetupsept21Open stackaustinmeetupsept21
Open stackaustinmeetupsept21Brent Doncaster
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetesrajdeep
 
The Application Server Platform of the Future - Container & Cloud Native and ...
The Application Server Platform of the Future - Container & Cloud Native and ...The Application Server Platform of the Future - Container & Cloud Native and ...
The Application Server Platform of the Future - Container & Cloud Native and ...Lucas Jellema
 
Container orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesContainer orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesRajesh Kolla
 
Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...
Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...
Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...Tony Erwin
 
DevNexus 2015: Kubernetes & Container Engine
DevNexus 2015: Kubernetes & Container EngineDevNexus 2015: Kubernetes & Container Engine
DevNexus 2015: Kubernetes & Container EngineKit Merker
 
Service Discovery: From Classic to VPC
Service Discovery: From Classic to VPCService Discovery: From Classic to VPC
Service Discovery: From Classic to VPCMark Corwin
 
Quick introduction to Kubernetes
Quick introduction to KubernetesQuick introduction to Kubernetes
Quick introduction to KubernetesEduardo Garcia Moyano
 
Developing Java based microservices ready for the world of containers
Developing Java based microservices ready for the world of containersDeveloping Java based microservices ready for the world of containers
Developing Java based microservices ready for the world of containersClaus Ibsen
 
Migrating Enterprise Microservices From Cloud Foundry to Kubernetes
Migrating Enterprise Microservices From Cloud Foundry to KubernetesMigrating Enterprise Microservices From Cloud Foundry to Kubernetes
Migrating Enterprise Microservices From Cloud Foundry to KubernetesTony Erwin
 
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018Mandi Walls
 
Kubernetes as Orchestrator for A10 Lightning Controller
Kubernetes as Orchestrator for A10 Lightning ControllerKubernetes as Orchestrator for A10 Lightning Controller
Kubernetes as Orchestrator for A10 Lightning ControllerAkshay Mathur
 
Kubernetes meetup - 2018-05-23
Kubernetes meetup - 2018-05-23Kubernetes meetup - 2018-05-23
Kubernetes meetup - 2018-05-23Ruben Ernst
 
Kubernetes Internals
Kubernetes InternalsKubernetes Internals
Kubernetes InternalsShimi Bandiel
 
Kubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsKubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsJim Bugwadia
 
Learned from KIND
Learned from KIND Learned from KIND
Learned from KIND HungWei Chiu
 
DockerCon SF 2015: Networking Breakout
DockerCon SF 2015: Networking BreakoutDockerCon SF 2015: Networking Breakout
DockerCon SF 2015: Networking BreakoutDocker, Inc.
 
Red Hat OpenShift -- Innovation without limitation.pdf
Red Hat OpenShift -- Innovation without limitation.pdfRed Hat OpenShift -- Innovation without limitation.pdf
Red Hat OpenShift -- Innovation without limitation.pdfssuser1490e8
 
Portworx 201 Customer Deck.pptx
Portworx 201 Customer Deck.pptxPortworx 201 Customer Deck.pptx
Portworx 201 Customer Deck.pptxssuser1490e8
 

More Related Content

Similar to Kubernetes Networking 101 kubecon EU 2022

Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...Cynthia Thomas
 
Containers, Serverless and Functions in a nutshell
Containers, Serverless and Functions in a nutshellContainers, Serverless and Functions in a nutshell
Containers, Serverless and Functions in a nutshellEugene Fedorenko
 
Open stackaustinmeetupsept21
Open stackaustinmeetupsept21Open stackaustinmeetupsept21
Open stackaustinmeetupsept21Brent Doncaster
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetesrajdeep
 
The Application Server Platform of the Future - Container & Cloud Native and ...
The Application Server Platform of the Future - Container & Cloud Native and ...The Application Server Platform of the Future - Container & Cloud Native and ...
The Application Server Platform of the Future - Container & Cloud Native and ...Lucas Jellema
 
Container orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesContainer orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesRajesh Kolla
 
Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...
Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...
Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...Tony Erwin
 
DevNexus 2015: Kubernetes & Container Engine
DevNexus 2015: Kubernetes & Container EngineDevNexus 2015: Kubernetes & Container Engine
DevNexus 2015: Kubernetes & Container EngineKit Merker
 
Service Discovery: From Classic to VPC
Service Discovery: From Classic to VPCService Discovery: From Classic to VPC
Service Discovery: From Classic to VPCMark Corwin
 
Developing Java based microservices ready for the world of containers
Developing Java based microservices ready for the world of containersDeveloping Java based microservices ready for the world of containers
Developing Java based microservices ready for the world of containersClaus Ibsen
 
Migrating Enterprise Microservices From Cloud Foundry to Kubernetes
Migrating Enterprise Microservices From Cloud Foundry to KubernetesMigrating Enterprise Microservices From Cloud Foundry to Kubernetes
Migrating Enterprise Microservices From Cloud Foundry to KubernetesTony Erwin
 
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018Mandi Walls
 
Kubernetes as Orchestrator for A10 Lightning Controller
Kubernetes as Orchestrator for A10 Lightning ControllerKubernetes as Orchestrator for A10 Lightning Controller
Kubernetes as Orchestrator for A10 Lightning ControllerAkshay Mathur
 
Kubernetes meetup - 2018-05-23
Kubernetes meetup - 2018-05-23Kubernetes meetup - 2018-05-23
Kubernetes meetup - 2018-05-23Ruben Ernst
 
Kubernetes Internals
Kubernetes InternalsKubernetes Internals
Kubernetes InternalsShimi Bandiel
 
Kubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsKubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsJim Bugwadia
 
Learned from KIND
Learned from KIND Learned from KIND
Learned from KIND HungWei Chiu
 
DockerCon SF 2015: Networking Breakout
DockerCon SF 2015: Networking BreakoutDockerCon SF 2015: Networking Breakout
DockerCon SF 2015: Networking BreakoutDocker, Inc.
 

Similar to Kubernetes Networking 101 kubecon EU 2022 (20)

OpenStack and Windows
OpenStack and WindowsOpenStack and Windows
OpenStack and Windows
 
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
 
Containers, Serverless and Functions in a nutshell
Containers, Serverless and Functions in a nutshellContainers, Serverless and Functions in a nutshell
Containers, Serverless and Functions in a nutshell
 
Open stackaustinmeetupsept21
Open stackaustinmeetupsept21Open stackaustinmeetupsept21
Open stackaustinmeetupsept21
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetes
 
The Application Server Platform of the Future - Container & Cloud Native and ...
The Application Server Platform of the Future - Container & Cloud Native and ...The Application Server Platform of the Future - Container & Cloud Native and ...
The Application Server Platform of the Future - Container & Cloud Native and ...
 
Container orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesContainer orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes services
 
Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...
Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...
Migration of an Enterprise UI Microservice System from Cloud Foundry to Kuber...
 
DevNexus 2015: Kubernetes & Container Engine
DevNexus 2015: Kubernetes & Container EngineDevNexus 2015: Kubernetes & Container Engine
DevNexus 2015: Kubernetes & Container Engine
 
Service Discovery: From Classic to VPC
Service Discovery: From Classic to VPCService Discovery: From Classic to VPC
Service Discovery: From Classic to VPC
 
Quick introduction to Kubernetes
Quick introduction to KubernetesQuick introduction to Kubernetes
Quick introduction to Kubernetes
 
Developing Java based microservices ready for the world of containers
Developing Java based microservices ready for the world of containersDeveloping Java based microservices ready for the world of containers
Developing Java based microservices ready for the world of containers
 
Migrating Enterprise Microservices From Cloud Foundry to Kubernetes
Migrating Enterprise Microservices From Cloud Foundry to KubernetesMigrating Enterprise Microservices From Cloud Foundry to Kubernetes
Migrating Enterprise Microservices From Cloud Foundry to Kubernetes
 
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
 
Kubernetes as Orchestrator for A10 Lightning Controller
Kubernetes as Orchestrator for A10 Lightning ControllerKubernetes as Orchestrator for A10 Lightning Controller
Kubernetes as Orchestrator for A10 Lightning Controller
 
Kubernetes meetup - 2018-05-23
Kubernetes meetup - 2018-05-23Kubernetes meetup - 2018-05-23
Kubernetes meetup - 2018-05-23
 
Kubernetes Internals
Kubernetes InternalsKubernetes Internals
Kubernetes Internals
 
Kubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsKubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOps
 
Learned from KIND
Learned from KIND Learned from KIND
Learned from KIND
 
DockerCon SF 2015: Networking Breakout
DockerCon SF 2015: Networking BreakoutDockerCon SF 2015: Networking Breakout
DockerCon SF 2015: Networking Breakout
 

More from ssuser1490e8

Red Hat OpenShift -- Innovation without limitation.pdf
Red Hat OpenShift -- Innovation without limitation.pdfRed Hat OpenShift -- Innovation without limitation.pdf
Red Hat OpenShift -- Innovation without limitation.pdfssuser1490e8
 
Portworx 201 Customer Deck.pptx
Portworx 201 Customer Deck.pptxPortworx 201 Customer Deck.pptx
Portworx 201 Customer Deck.pptxssuser1490e8
 
Portworx Data Services 101 Deck.pdf
Portworx Data Services 101 Deck.pdfPortworx Data Services 101 Deck.pdf
Portworx Data Services 101 Deck.pdfssuser1490e8
 
continuous-lifecycle-london-2018-event-keynote-97418556.pdf
continuous-lifecycle-london-2018-event-keynote-97418556.pdfcontinuous-lifecycle-london-2018-event-keynote-97418556.pdf
continuous-lifecycle-london-2018-event-keynote-97418556.pdfssuser1490e8
 
Death_of_DevOps.pdf
Death_of_DevOps.pdfDeath_of_DevOps.pdf
Death_of_DevOps.pdfssuser1490e8
 
OpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfOpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfssuser1490e8
 

More from ssuser1490e8 (6)

Red Hat OpenShift -- Innovation without limitation.pdf
Red Hat OpenShift -- Innovation without limitation.pdfRed Hat OpenShift -- Innovation without limitation.pdf
Red Hat OpenShift -- Innovation without limitation.pdf
 
Portworx 201 Customer Deck.pptx
Portworx 201 Customer Deck.pptxPortworx 201 Customer Deck.pptx
Portworx 201 Customer Deck.pptx
 
Portworx Data Services 101 Deck.pdf
Portworx Data Services 101 Deck.pdfPortworx Data Services 101 Deck.pdf
Portworx Data Services 101 Deck.pdf
 
continuous-lifecycle-london-2018-event-keynote-97418556.pdf
continuous-lifecycle-london-2018-event-keynote-97418556.pdfcontinuous-lifecycle-london-2018-event-keynote-97418556.pdf
continuous-lifecycle-london-2018-event-keynote-97418556.pdf
 
Death_of_DevOps.pdf
Death_of_DevOps.pdfDeath_of_DevOps.pdf
Death_of_DevOps.pdf
 
OpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfOpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdf
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 

Kubernetes Networking 101 kubecon EU 2022

  • 1.
  • 2. Presenter and Dutch Uncles • @RandyAbernethy • Managing Partner at RX-M • CNCF Ambassador • Cloud Native Uncles • Chris • “kubectl said what?” at 16:00 today!! • Iliyan • Valentin • Tutorial Lab Doc: • https://github.com/ RX-M/kubecon-eu-2022/ net101.md @rxmllc Linkedin.com/company/rx-m-llc https://www.youtube.com/channel/UCyFZuVfrRposGJ86mkWcF_Q
  • 3. • Concepts and Projects Explored: 1. Container Networking • CNI and Cilium 2. Kubernetes Services • Kubernetes 3. Kubernetes DNS • CoreDNS 4. Outside Access • Emissary, Envoy and MetalLB 5. Service Mesh • Linkerd
  • 4.
  • 5. Container Networking • There’s no such thing as a Container • There are just processes running on Linux • However, we can isolate a process using Linux namespaces • A network namespace gives a process and its children a virtual ip stack • Network namespaces include private copies of: • Interfaces • loopback • eth0 • Routes • IP Tables • And so on Host if Container if
  • 6. Pod Pod Architecture • Running a container under Docker places that container in its own private network namespace by default • Kubernetes collects sets of containers together in Pods • Pods are atomic in Kubernetes: • Scheduled as a unit • Scaled as a unit • Terminated as a unit • All the containers in a Pod share the same network namespace Host if Container if Container
  • 7. Pod Networking • Components of distributed applications need to communicate • When we deploy services in pods, the pods need a network • We don’t really care if the pods are on the same machine or different machines, we just care that they can talk Pod Container Container Pod Container if Container if
  • 8. CNI • Kubernetes relies on three key plugins for core functionality: • CRI – Container runtime interface • CNI – Container networking interface • CSI – Container storage interface • CNI is a specification that allows systems like Kubernetes to integrate with software defined networking (SDN) solutions • CNI plugins provide: • Pod network wiring • Pod IP addresses • Network policy implementation • Potentially much more
  • 9. Cilium • Cilium is an incubating CNCF project • CNI compliant • Provides Pod Networking features with the help of Linux eBPF
  • 10. Cilium CNI • CNI plugins are responsible for configuring a pod’s network • Interfaces, ip addresses, routes and so on • Configuration external to the pod necessary to support intrapod networking Pod Container Container Pod Container if Container if Host if Host if Cilium Cilium eBPF eBPF
  • 11. Lab Step 1 – Pod Networking ssh to your lab system Install a Kubernetes cluster Install the Cilium CNI plugin Explore the Pod network
  • 12.
  • 14. Cluster IP Implementation • kube-proxy • User mode • IPTables • IPVS • CNI Plugin • User mode • eBPF • Other approaches and combinations
  • 15. Independent Address Spaces • A Kubernetes solution requires several non overlapping address spaces • HostIP (node) Range – managed by IT or your Cloud • ClusterIP Range – configured when installing K8s • PodIP Range – configured when installing your CNI plugin
  • 16. IPv4 and IPv6 Support • The CNI controls Pod addressing (can be IPv4/6/dual/etc) • Kubernetes Controls ClusterIP addressing: • IPv4-only GA in K8s v1.0 • Only IPv4 Services • IPv6-only GA in K8s v1.18 • If enabled, only IPv6 Services • Either IPv4/IPv6 in K8s 1.20 • Either IPv4 or IPv6 services in the same cluster • Dual-stack IPv4/IPv6 GA in K8s 1.23 [two ranges must be supplied] • Services ipFamilyPolicy can be set to: • SingleStack – uses the first configured service cluster IP range • PreferDualStack – allows you to optionally define a single ClusterIP • RequireDualStack – requires you to define IPv4 & 6 if you define ClusterIP
  • 17. Specifying a Service • Services are a resource Kind • In the Core group at maturity v1 • Like all resources they require a name in the metadata • Services have: • Ports to forward • EndPoints to forward to • Selectors identify pods to generate endpoints from
  • 18. Endpoints • Selectors automatically generate EndPoints for services • EndPoints can be created manually as well
  • 19. Types of Services • Headless (special case of ClusterIP) • Supports name resolution but not forwarding • ClusterIP • For load balanced intra-cluster service communications • NodePort • For external service access via a universal port • LoadBalancer • Uses a plugin to enable an external load balancer • ExternalName • Aliases this service to the specified externalName
  • 20. Lab Step 2 - Services Create a Deployment Create a ClusterIP Service Figure out how it works
  • 21.
  • 22. DNS in Kubernetes • Pod Container Filesystem hacks: • /etc/resolv.conf • /etc/hostname • /etc/hosts • CoreDNS • Deployment (ReplicaSet, 2 Pods) • AutoScaler in some distros • Service • 10.96.0.10
  • 23. Service Name Resolution • myservice.mynamespace.svc.cluster.local • myservice – the service name • mynamespace – the namespace • svc – the directory for services • cluster.local – the cluster suffix set when installing the cluster • Realistic example: • web.production.svc.k8s54.rx-m.com • Resolves to ClusterIP
  • 24. Headless Services • Used for StatefulSets where loadbalancing does not make sense • You need to talk to who you need to talk to, pods are not replicas • Services with no ClusterIP are Headless • Resolving the Service name produces the list of endpoints for all pods in the service • You can also resolve a specific pod by ordinal • redis-0.redis.datans.svc.cluster.local • redis-1.redis.datans.svc.cluster.local • redis-2.redis.datans.svc.cluster.local • …
  • 25. Overriding Kubelet DNS config • Default resolv.conf settings can be overridden in Pod specs • Nameservers • Searches • Options
  • 26. Lab Step 3 - DNS Work with DNS Create a Headless Service Use Headless DNS
  • 27.
  • 28. Outside Access • How can we reach services inside the cluster from outside the cluster? • HostPort – Pod feature that forwards a port from the host • NodePort – Service type that adds a NodePort forwarded on every node • LoadBalancer – Service type, calls a plugin to create an external load balancer • Ingress – Kubernetes framework for HTTP/HTTPS proxying • Gateway – Like ingress but more sophisticated • Almost all schemes for inbound cluster access depend on either host ports or node ports
  • 29. HostPort • Pods can define host ports • Maps a port on the worker node interface to the container interface port • Useful for cluster admins • Typically in combination with DaemonSets • Not good for applications • Deployments create pods that are scheduled, how do we know the port will be open on a given machine? • You have to know where the pod lands to reach it
  • 30. NodePort • Similar to host port in that it maps a port on the host • Unlike a host port, the service is assigned a unique high number port from an admin defined range • The NodePort is forwarded on every node in the cluster to the service • NodePort services also have all of the features of a ClusterIP service
  • 31. LoadBalancer • LoadBalancer services provision an external load balancer through a cluster plugin • Cloud Solutions • AWS Elastic Load Balancer • Azure Load Balancer • GCP Network Load Balancer • On Prem Solutions • MetalLB • Netris • KubeVIP • Avi (VMware) • F5 • Citrix ADC • LoadBalancer services also have all of the features of a NodePort service
  • 32. Ingress • A Kubernetes framework • Kubernetes defines the Ingress resource type • HTTP/HTTPS only • An ingress controller must be installed to implement Ingress resource functionality
  • 33. Gateway • Not a Kubernetes thing • Often an Ingress Controller on steroids • Common features: • Advanced Security and Auth features • Sophisticated routing and load balancing • Support for other protocols • gRPC • SCTP • UDP • TCP • Apache Thrift • Protocol translation and upgrade • Uses CRDs for config
  • 34. Lab Step 4 NodePort Services Ingress Gateways
  • 35.
  • 36. Service Mesh Functionality • A Service Mesh can implement cross cutting concerns that are desired by all of your service • mTLS • Communications Metrics • Communications Policy • Traces • Fault Injection/Chaos support • Advanced Traffic Management • A Service Mesh can also simplify cross cluster communications
  • 37. Types of Service Mesh • Proxy Based • Implemented using the ambassador pattern • Most common and most tested • eBPF Based • Bleeding edge • Promises performance benefits but includes some downsides • Library Based • Implemented in the app process by a library • e.g. gRPC • New, fast but requires all apps to use “the library”