This document discusses Kubernetes networking using Open vSwitch and OpenFlow. It provides an overview of Open vSwitch and Kubernetes, explains how containers are networked using Docker and Kubernetes, and how the Container Network Interface (CNI) can be used with Open vSwitch to provide networking. It then covers the networking models and lifecycles of packets between pods on the same node and different nodes.
Introduction to Docker Networking options. We give in-depth description of the different options with single host examples. See our other presentations for multi-host, IPv6, and CoreOS Flannel descriptions.
This is a follow-up to our Docker networking tutorial. This slide deck describes the options for deploying Docker containers in a multi-host cluster environment. We introduce the LorisPack toolkit for connecting and isolating pods of containers deployed across multiple hosts.
Web scale infrastructures with kubernetes and flannel - purpleocean
The ability to respond to user requests within fractions of a second, regardless of their number, is a decisive factor for the success of web services. According to Amazon, 100 milliseconds of response latency are enough to generate an economic loss of about 1% of revenue [1]. Moreover, according to Google AdWords statistics, 2015 marked the official point at which mobile interactions overtook desktop ones [2], with a consequent reduction in the average duration of web browsing sessions.
In such a scenario, rationalizing the use of hardware resources and the ability to scale with the number of users are decisive factors for business success.
In this talk we will recount our experience migrating enterprise-class Magento e-commerce solutions from an architecture based on traditional VMs to a software-defined one based on Kubernetes, Flannel and Docker. We will then discuss the real difficulties we encountered in porting production solutions to containers, and show how, at the end of this long journey, our efforts were concretely rewarded by the increased resilience, reliability and automation of the final solution.
In support of the discussion, we will show the results of the benchmarks we conducted to evaluate the scalability of the new architecture, presenting evidence of the real capabilities of Kubernetes as a tool for orchestrating services delivered in Docker containers.
We will conclude the talk by presenting our project for the geographic distribution of Kubernetes master nodes using SD-WAN networks to guarantee the performance and service continuity of the solution.
Docker Networking with New Ipvlan and Macvlan Drivers - Brent Salisbury
Docker Networking presentation at ONS2016.
Docker Macvlan and Ipvlan Networking Drivers Experimental Readme:
github.com/docker/docker/blob/master/experimental/vlan-networks.md
Kernel requirements: Ipvlan mode needs v4.2+, Macvlan mode needs v3.19.
If using VirtualBox to test with, use NAT mode interfaces unless you have multiple MAC addresses working in your setup. Use the 172.x.x.x subnet and gateway used by the VBox NAT network. VMware Fusion works out of the box.
Here is a screenshot of a VirtualBox NAT interface:
https://www.dropbox.com/s/w1rf61n18y7q4f1/Screenshot%202016-03-20%2001.55.13.png?dl=0
In this slide, we discuss the concept of IPTABLES/EBTABLES and then show how they work in a simple docker environment.
In order to track the packet flow in the communication between those containers, we use the LOG module in IPTABLES/EBTABLES to record the information.
This slide deck is created to help understand Open vSwitch more easily.
So I tried to make it practical. If you just follow this scenario, then you will get some knowledge about OVS.
In this document, I mainly use only two commands, "ip" and "ovs-vsctl", to show you the ability of these commands.
Docker networking basics & coupling with Software Defined Networks - Adrien Blind
This presentation recaps Docker networking, exposes the basic paradigms of Software Defined Networking, and then proposes a mixed implementation that takes advantage of a coupled use of these two technologies. The implementation model proposed could be a good starting point to create multi-tenant PaaS platforms.
As a bonus, OpenStack Neutron internal design is presented.
You can also have a look on our previous presentation related to enterprise patterns for Docker:
http://fr.slideshare.net/ArnaudMAZIN/docker-meetup-paris-enterprise-docker
How Networking works with Data Science - HungWei Chiu
Introduces the basic concepts of networking models, including the OSI model and the TCP/IP model.
Also introduces basic ideas and functions in networking, such as routing, classification, security, etc.
The Docker network overlay driver relies on several technologies: network namespaces, VXLAN, Netlink and a distributed key-value store. This talk will present each of these mechanisms one by one along with their userland tools and show hands-on how they interact together when setting up an overlay to connect containers.
The talk will continue with a demo showing how to build your own simple overlay using these technologies.
This talk shows how to implement Application-Based Routing on a common Linux distribution. We use nDPI to perform the DPI function to categorize the packet first, use the Linux kernel's built-in mark to pass the information from user space to kernel space, and then the policy routing system uses that mark to route the packet to a different destination or interface.
When it comes to networking inside Kubernetes, selecting the correct networking solution may be one of the most important decisions you may face. This is especially true if you are trying to run a Kubernetes cluster in production.
Therefore it's beneficial to have a good understanding of different CNI options out there and most importantly how these networking options are different from each other.
This presentation goes over packet-by-packet-level details of how the network plumbing happens with different CNI plugins, including Flannel, Calico & Cilium.
Programmable network connectivity and network overlay technologies like Docker libnetwork, Weave Net, and Calico are essential tools for DevOps engineers using orchestration tools to manage and deploy Docker containers in production. Because network troubleshooting and optimization falls within the jurisdiction of DevOps, it’s vital that DevOps engineers understand exactly how network overlays work. Participants will learn the fundamentals of container networking, see practical examples of common network overlays, and receive guidance on effectively using and tuning network overlays.
How to build a Kubernetes networking solution from scratch - All Things Open
Presented by: Antonin Bas & Jianjun Shen, VMware
Presented at All Things Open 2020
Abstract: For the non-initiated, Kubernetes (K8s) networking can be a bit like dark magic. Many clusters have requirements beyond what the default network plugin, kubenet, can provide and require the use of a third-party Container Network Interface (CNI) plugin. But what exactly is the role of these plugins, how do they differ from each other and how does the choice of one affect your cluster?
In this talk, Antonin and Jianjun will describe how a group of developers was able to build a CNI plugin - an open source project called Antrea - from scratch and bring it to production in a matter of months. This velocity was achieved by leveraging existing open-source technologies extensively: Open vSwitch, a well-established programmable virtual switch for the data plane, and the K8s libraries for the control plane. Antonin and Jianjun will explain the responsibilities of a CNI plugin in the context of K8s and will walk the audience through the steps required to create one. They will show how Antrea integrates with the rest of the cloud-native ecosystem (e.g. dashboards such as Octant and Prometheus) to provide insight into the network and ensure that K8s networking is not just dark magic anymore.
XP Days Ukraine 2015 Talk http://xpdays.com.ua/programs/scaling-docker-with-kubernetes/
Kubernetes is an open source project to manage a cluster of Linux containers as a single system, managing and running Docker containers across multiple Docker hosts, offering co-location of containers, service discovery and replication control. It was started by Google and now it is supported by Microsoft, RedHat, IBM and Docker Inc amongst others.
Once you are using Docker containers, the next question is how to scale and start containers across multiple Docker hosts, balancing the containers across them. Kubernetes also adds a higher-level API to define how containers are logically grouped, allowing you to define pools of containers, load balancing and affinity.
Chris Swan's presentation on Docker Networking from Container.Camp in London 12 September 2014
A look at how stock Docker does networking, and how containers can be connected together. Introduction to libchan and pipework projects, and a look at container internetworking using Open vSwitch and kernel VXLAN. Docker can also be used as a place to run layer 4-7 network application services like SSL termination, proxying, load balancing, content caching and intrusion detection.
Kubernetes has a very complex network architecture. It is the networking that enables Kubernetes to redefine the latest container technology.
1. Docker containers networks
2. Containers communication in a Pod
3. Pods communication cross different nodes
4. Pod to Service communication
"One network to rule them all" - OpenStack Summit Austin 2016 - Phil Estes
Presentation at IBM Client Day by Kyle Mestery and Phil Estes, OpenStack Summit 2016 - Austin, Texas on April 26, 2016. "Open, Scalable and Integrated Networking for Containers and VMs" covering Project Kuryr, Docker's libnetwork, and Neutron & OVS and OVN network stacks
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ... - Guillaume Morini
Docker Enterprise is changing the application landscape but you still need container A to talk to B in a reliable and portable way. In this workshop you will learn key Docker Enterprise networking concepts, container networking best practices, get your hands dirty by going over use-cases and examples across both Swarm and Kubernetes. Join us to learn more.
** Kubernetes Certification Training: https://www.edureka.co/kubernetes-cer... **
This Edureka tutorial on "Kubernetes Networking" will give you an introduction to popular DevOps tool - Kubernetes, and will deep dive into Kubernetes Networking concepts. The following topics are covered in this training session:
1. What is Kubernetes?
2. Kubernetes Cluster
3. Pods, Services & Ingress Networks
4. Case Study of Wealth Wizards
5. Hands-On
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
DevNetCreate - ACI and Kubernetes Integration - Hank Preston
These are slides from my hands on lab workshop at DevNet Create 2019 in April. https://developer.cisco.com/devnetcreate/2019/agenda
Description:
Enterprises all over are embracing Kubernetes as the foundation for their cloud native, micro service applications. As they are, network security is becoming a top of mind question. The ACI CNI Plugin for Kubernetes brings the power of Application Centric Infrastructure (granular segmentation, robust operational visibility, and unsurpassed network performance) to the Docker container driven infrastructure of Kubernetes. In this session, you'll have a chance to see all of this in action through a guided exploration of your very own Kubernetes cluster integrated with an ACI fabric. You'll start by diving into how a typical application looks after being deployed to Kubernetes within the ACI fabric. See each individual container and pod show up within the ACI operational dashboards. Look at how the load balancing and traffic routing is handled within the network by ACI, just like any other application environment. Then begin to enhance the policies applied to the application by segmenting applications by name spaces for better isolation between running applications. But we won't stop there, before you're done you'll build contracts to explicitly control the flow of traffic between the tiers of your application to ensure business and security policies are applied to containerized applications running within Kubernetes with the same contracts and filters you're using for traditional workloads.
OpenStack Israel Meetup - Project Kuryr: Bringing Container Networking to Neu... - Cloud Native Day Tel Aviv
Kuryr is a new project, started by Gal Sagie, that makes Neutron networking available to the container networking used in Docker, Kubernetes and others.
Kuryr aims at bridging the gap between container orchestration engines and models and the OpenStack networking abstraction, and at exposing Neutron's flexibility, features and advanced services to container networking.
Similar to Kubernetes networking made easy with Open vSwitch (20)
박강민 (pr0gr4m) / Linux Kernel Contributor - <Linux Kernel 101 for Beginners>
"This session is prepared for those who are interested in the Linux kernel but do not know how to study it.
It introduces how beginners can start studying the Linux kernel."
Video: https://youtu.be/96T6OCEqZNk
Host: https://www.facebook.com/groups/InfraEngineer
조준희 / Cisco - <A Fledgling Network Engineer's Story>
"The story of how a college student with no particular dream, who only studied for his major, became a network engineer,
and what I, as a junior, think a network engineer is."
Video: https://youtu.be/D259i3pBYLA
Host: https://www.facebook.com/groups/InfraEngineer
이성민 / Netflix - [Special Talk] <A Senior's Story: "If You Could Know What I Know">
"Every engineer grows through failure, and so did I.
Today I would like to share the things I wish I had known when I was a junior."
Video: https://youtu.be/MXl_t1vjkyU
Host: https://www.facebook.com/groups/InfraEngineer
Version with GIF pack included:
https://docs.google.com/presentation/d/1BTwGPUG6KGwc3xoW1_vU7CmloHXW-ardytNWomPdSy4/edit?usp=sharing
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: The Art of Triggers and Actions in FME - Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf - Peter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Metaverse and AI: how can decision-makers harness the Metaverse for their... - Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
3. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
Who Am I?
PhD in Telecommunications @ Budapest University of Technology
§ Measurement and monitoring in Software Defined Networks
§ Participating in 5G-PPP EU projects
§ Graduated in the EIT Digital Doctoral School
Co-founder & CTO @ LeanNet Ltd.
§ Evangelist of open networking solutions
§ Currently focusing on SDN in cloud native environments
megyesi@leannet.eu
twitter.com/M3gy0
linkedin.com/in/M3gy0
4. What is Open vSwitch?
The de facto production quality, multilayer virtual switch
§ Originally developed by Nicira (the inventors of SDN and OpenFlow)
§ Now it’s developed under the Linux Foundation
§ Designed to be programmable by OVSDB and OpenFlow
§ Compatible with standard management interfaces (NetFlow, sFlow, IPFIX, RSPAN, LACP)
§ The basis of VMware NSX-T, OpenStack and many other public clouds…
§ Able to run in user-space mode via DPDK, thus can provide speed up to ~80 Gbps
[Figure: a server whose NIC and VMs (VM 1, VM 2) attach to Open vSwitch; an SDN controller programs the switch over OVSDB and OpenFlow]
5. What is Kubernetes?
The de facto production quality, container-orchestration framework
§ Originally developed by Google (Borg project)
§ Now maintained by the Cloud Native Computing Foundation
§ Automating deployment, scaling, and management of containerized applications
6. Basic Kubernetes Terminology
Kubernetes Master
§ Controller of a Kubernetes cluster
Kubernetes Node (Worker / Minion)
§ Hosts (server or VM) that run Kubernetes applications
Container
§ Unit of packaging
Pod
§ Unit of deployment
Labels and Selectors
§ Key-Value pairs for identification
Replication Set
§ Ensures availability and scalability
Services
§ Collection of pods exposed as an endpoint
Node Port
§ Expose services internally
Load Balancer
§ The way for external access
7-9. The Docker Model
[Figure, built up over three slides: a Docker host with eth0 in the root namespace and the docker0 bridge at 172.17.0.1/24; Container 1 is attached through the veth pair vethxx/vethxy, the inner end renamed eth0 and addressed 172.17.0.2; Container 2 is attached the same way through vethyy and gets 172.17.0.3 (the slide's 172.16.0.3 is a typo, the bridge subnet is 172.17.0.0/24)]
10. The Docker Model
[Figure: Docker Host 1, Docker Host 2 and Docker Host 3 each run containers addressed from the same 172.17.0.0/24 range (172.17.0.2 appears on every host, 172.17.0.3 on the first as well); because the addresses overlap, every path out of a host passes through a NAT]
11. Docker Host Ports
[Figure: Host 1 (10.0.0.10) and Host 2 (10.0.0.20) run containers at 172.17.0.2 and 172.17.0.3; each container's port 80 is published on a distinct host port (5001, 9898, 17472, 26432) through SNAT, one mapping per container]
This is unfeasible in a very large cluster!
12. Networking in Kubernetes
Pod-to-Pod communication
§ Each Pod in a Kubernetes cluster is assigned an IP in a flat shared networking namespace
§ All PODs can communicate with all other PODs without NAT
§ The IP that a POD sees itself as is the same IP that others see it as
Pod-to-Service communication
§ Requests to the Service IPs are intercepted by a Kube-proxy process running on all hosts
§ Kube-proxy is then responsible for routing to the correct POD
External-to-Internal communication
§ All nodes can communicate with all PODs (and vice-versa) without NAT
§ Node ports can be assigned to a service on every Kubernetes host
§ Public IPs can be implemented by configuring external Load Balancers which target all nodes in the cluster
§ Once traffic arrives at a node, it is routed to the correct Service backends by Kube-proxy
13. The Container Network Interface
14-15. CNI in Kubernetes
[Figure: a Kubernetes node with eth0 in the root namespace and the bridge br0 at 10.244.1.1]
Script / binary placed on every host
§ Kubelet calls it with the right environment variables and STDIN parameters (the network configuration, as JSON, arrives on STDIN)
Example for configuration
- /etc/cni/net.d/01-dunlin.conf
Example environment variables (names as defined by the CNI specification)
§ CNI_COMMAND: ADD or DEL
§ CNI_NETNS: /proc/<PID>/ns/net
§ CNI_IFNAME: eth0
§ CNI_PATH: /opt/bin/cni
§ CNI_CONTAINERID
§ K8S_POD_NAME and K8S_POD_NAMESPACE (kubelet passes these inside CNI_ARGS)
16-20. CNI With Open vSwitch
[Figure, built up over five slides: a Kubernetes node with eth0 and br0 (10.244.1.1) in the root namespace and a container network namespace; the veth pair veth0/veth1 is created in the root namespace, veth0 is attached to br0, veth1 is moved into the container namespace and renamed eth0]
Create virtual ethernet port pair
§ ip link add veth0 type veth peer name veth1
Add interface to OVS bridge
§ ovs-vsctl add-port br0 veth0
Add the other interface to namespace
§ ip link set veth1 netns $CNI_NETNS
Rename and set up the interface, running each command inside the container namespace
§ nsenter --net=$CNI_NETNS <command> (the slides use ip netns exec, which takes a namespace name; CNI_NETNS is a path, so it would first have to be registered under /var/run/netns)
§ ip link set dev veth1 name eth0
§ ip addr add 10.244.1.2/24 dev eth0 (the slides write ip link set dev eth0 address 10.244.1.2, which would set the MAC address rather than the IP)
§ ip link set dev eth0 mtu 1450
§ ip link set dev eth0 up (the default route cannot be added while the link is down)
§ ip route add default via 10.244.1.1
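The five steps above as one plugin script, added here as an example and not the dunlin plugin's own code. It assumes the bridge is br0, that the pod address, gateway and MTU arrive in the hypothetical environment variables POD_IP, GATEWAY and MTU (a real plugin takes them from the network configuration and IPAM on stdin), and that iproute2, nsenter and ovs-vsctl are installed. With DRY_RUN=1 it prints the commands instead of executing them, so the sequence can be reviewed without root.

```shell
#!/bin/sh
# Added example: a minimal CNI plugin that attaches a pod to an OVS bridge,
# following the steps from the slides. Not the dunlin plugin's own code.
# Hypothetical inputs: POD_IP (address/prefix), GATEWAY and MTU come from the
# environment; real plugins read them from the JSON config and IPAM on stdin.
BRIDGE="${BRIDGE:-br0}"

# Execute a command, or only print it when DRY_RUN=1 (review without root).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Host-side veth name derived from the container ID; the kernel limits
# interface names to 15 characters, so keep a short, stable prefix.
host_ifname() {
  printf 'veth%s' "$(printf '%s' "$1" | cut -c1-8)"
}

# Run a command inside the pod's network namespace. CNI_NETNS is a path
# (e.g. /proc/<pid>/ns/net), which nsenter accepts directly; "ip netns exec"
# would need a name registered under /var/run/netns.
in_ns() {
  run nsenter --net="$CNI_NETNS" "$@"
}

# CNI ADD: $1 = pod address with prefix, $2 = gateway, $3 = MTU
cni_add() {
  host=$(host_ifname "$CNI_CONTAINERID")
  peer="${host}c"
  run ip link add "$host" type veth peer name "$peer"   # 1. veth pair
  run ovs-vsctl add-port "$BRIDGE" "$host"              # 2. host end on br0
  run ip link set "$host" up
  run ip link set "$peer" netns "$CNI_NETNS"            # 3. pod end into the netns
  in_ns ip link set dev "$peer" name "$CNI_IFNAME"      # 4. rename to eth0
  in_ns ip link set dev "$CNI_IFNAME" mtu "$3"          #    MTU leaves room for VXLAN
  in_ns ip addr add "$1" dev "$CNI_IFNAME"              #    IP address (not MAC)
  in_ns ip link set dev "$CNI_IFNAME" up
  in_ns ip route add default via "$2"                   # 5. default route via br0
}

# CNI DEL: detach from OVS and delete the pair (deleting one end removes both).
cni_del() {
  host=$(host_ifname "$CNI_CONTAINERID")
  run ovs-vsctl --if-exists del-port "$BRIDGE" "$host"
  run ip link del "$host"
}

# The JSON result kubelet expects on stdout after a successful ADD.
cni_result() {
  printf '{"cniVersion":"0.3.1","interfaces":[{"name":"%s","sandbox":"%s"}],"ips":[{"version":"4","address":"%s","gateway":"%s","interface":0}]}\n' \
    "$CNI_IFNAME" "$CNI_NETNS" "$1" "$2"
}

# Dispatch only when invoked by kubelet (CNI_COMMAND set); harmless when sourced.
case "${CNI_COMMAND:-}" in
  ADD) cni_add "$POD_IP" "$GATEWAY" "${MTU:-1450}" && cni_result "$POD_IP" "$GATEWAY" ;;
  DEL) cni_del ;;
  VERSION) echo '{"cniVersion":"0.3.1","supportedVersions":["0.3.0","0.3.1"]}' ;;
  *) : ;;
esac
```

Placed at /opt/bin/cni/dunlin (the CNI_PATH from the slides) and named in /etc/cni/net.d/01-dunlin.conf, kubelet would invoke it once per pod sandbox with CNI_COMMAND=ADD and again with DEL; the DEL path is deliberately idempotent (--if-exists) because kubelet may retry it.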
21. The Kubernetes Model – The IP per POD Model
[Figure: Kubernetes Node 1 (10.244.1.0/24, Host 1: 10.0.0.10) with PODs 10.244.1.2 and 10.244.1.3, Kubernetes Node 2 (10.244.2.0/24, Host 2: 10.0.0.20) with POD 10.244.2.2, Kubernetes Node 3 (10.244.3.0/24, Host 3: 10.0.0.30) with POD 10.244.3.2; each node has a br0, and how the bridges of different nodes are connected is marked with a question mark]
22. Cluster Networking in Kubernetes
23-25. Life of a Packet: POD-to-POD, Same Node
[Figure: a Kubernetes node with eth0 in the root namespace; pod 1 and pod 2 attach to br0 through vethxx and vethyy, each pod's inner end named eth0]
Packet from pod 1 to pod 2
§ L2 src: pod1, L2 dst: pod2
§ L3 src: pod1, L3 dst: pod2
Linux Bridge
§ MAC learning
Open vSwitch
§ MAC learning: action=normal
§ L2 rule: dl_dst=pod2,action=output:2
§ L3 rule: ip,nw_dst=pod2,action=output:2
26-29. Life of a Packet: POD-to-POD, Between Nodes
[Figure: Kubernetes Node 1 hosts pod 1 and pod 2 (vethxx, vethyy on br0), Kubernetes Node 4 hosts pod 3 and pod 4 (vethzz, vethvv on br0); the nodes' eth0 interfaces are joined by the network fabric]
Packet from pod 1 to pod 4, as it leaves pod 1
§ L2 src: pod1, L2 dst: br0 (gw)
§ L3 src: pod1, L3 dst: pod4
Where to go from here?
Using an overlay network
• An overlay network obscures the underlying network architecture from the pod network through traffic encapsulation (for example VxLAN, GRE)
• Encapsulation reduces performance, though exactly how much depends on your solution
Without an overlay network
• Configure the underlying network fabric (switches, routers, etc.) to be aware of pod IP addresses
• This does not require the encapsulation provided by an overlay, and so can achieve better performance
30. Kubernetes Cluster Networking Plugins
Public clouds which support Kubernetes program this into the fabric
§ E.g. in Google Container Engine: “everything to 10.1.1.0/24, send to this VM”
In other cases we need to use an external plugin
§ Flannel
§ Calico
§ Canal
§ Romana
§ Weave
§ Cisco Contiv
§ Huawei CNI-Genie
§ Nuage Networks VCS (by Nokia)
§ Open Virtual Network
31-32. Life of a Packet: POD-to-POD, Between Nodes
[Figure: the same two-node topology (Node 1 with pod 1 and pod 2, Node 4 with pod 3 and pod 4, joined by the network fabric); the packet from pod 1 to pod 4 carries L2 src: pod1, L2 dst: br0 (gw), L3 src: pod1, L3 dst: pod4]
Calico defines BGP agents and advertises the POD subnets to the fabric; it uses IP-IP encapsulation
Flannel and Weave create VxLAN tunnels between nodes using a kernel implementation
33-36. Life of a Packet: POD-to-POD, Between Nodes
[Figure: the same two-node topology; the packet headers below are shown at three points along the path]
Option A: set up VxLAN ports to every other node
§ ovs-vsctl add-port br0 vxlan4 -- set interface vxlan4 type=vxlan option:remote_ip={node4_ip}
Add rule for their subnet
§ ip,nw_dst={node4_subnet},action=output:vxlan4
Option B: set up one VxLAN port, with the tunnel endpoint taken from each flow
§ ovs-vsctl add-port br0 vxlan0 -- set interface vxlan0 type=vxlan option:key=flow option:remote_ip=flow
Add rule including the tunnel destination
§ ip,nw_dst={node4_subnet},actions=set_field:{node4_ip}->tun_dst,output:vxlan0
Packet headers along the path
§ Leaving pod 1: L2 src: pod1, L2 dst: br0 (gw), L3 src: pod1, L3 dst: pod4
§ Inside the tunnel between the nodes: L2 src: node1 br0, L2 dst: node4 br0, L3 src: pod1, L3 dst: pod4
§ Delivered on node 4: L2 src: br0 (node4), L2 dst: pod4, L3 src: pod1, L3 dst: pod4
37. For This, You Will Need a Control Plane
[Figure: the two-node topology from the previous slides; a Control Plane Software component reads state information from the Kubernetes API and installs rules into each node's Open vSwitch via OpenFlow and OVSDB]
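What such a control plane would install on one node, as an added example rather than the dunlin control plane's own code. The node list (names, node IPs, pod subnets) is constructed inline; the commands and flow syntax (options:key=flow, set_field:...->tun_dst, output:<port name>, actions=normal) are standard ovs-vsctl and ovs-ofctl, and the veth port name passed to pod_flow is a constructed value. The functions only print the commands so they can be checked offline; piping node_config's output into sh on the node would apply them.

```shell
#!/bin/sh
# Added example (not the dunlin control plane's own code): what a control plane
# would push to one node for the single-port, flow-based VXLAN design.
# Constructed topology, one node per line: "name nodeIP podSubnet".
NODES='node1 10.0.0.10 10.244.1.0/24
node2 10.0.0.20 10.244.2.0/24
node4 10.0.0.40 10.244.4.0/24'
BRIDGE="${BRIDGE:-br0}"

# One VXLAN port serves every peer: the remote endpoint (remote_ip=flow) and
# the VNI (key=flow) are supplied by each flow instead of one port per node.
vxlan_port_cmd() {
  echo "ovs-vsctl --may-exist add-port $BRIDGE vxlan0 -- set interface vxlan0 type=vxlan options:key=flow options:remote_ip=flow"
}

# Same-node delivery (the L3 rule from the same-node slides): match the pod
# address, output to its port. $1 = pod IP, $2 = OVS port name of the host-side veth.
pod_flow() {
  echo "ovs-ofctl add-flow $BRIDGE \"table=0,priority=200,ip,nw_dst=$1,actions=output:$2\""
}

# Cross-node delivery for node $1: every other node's pod subnet is steered
# into the tunnel with that node's IP written to tun_dst; anything else falls
# through to MAC learning (normal) at the lowest priority.
node_flows() {
  me="$1"
  printf '%s\n' "$NODES" | while read -r name ip subnet; do
    [ -n "$name" ] || continue
    [ "$name" != "$me" ] || continue
    echo "ovs-ofctl add-flow $BRIDGE \"table=0,priority=100,ip,nw_dst=$subnet,actions=set_field:$ip->tun_dst,output:vxlan0\""
  done
  echo "ovs-ofctl add-flow $BRIDGE \"table=0,priority=0,actions=normal\""
}

# The node itself must also reach every pod (the ip route from the
# POD-to-Service slides): send the whole pod CIDR over the bridge.
host_route_cmd() {
  echo "ip route add $1 dev $BRIDGE"
}

# Everything one node needs, in order; pipe into sh on the node to apply.
node_config() {
  vxlan_port_cmd
  host_route_cmd 10.244.0.0/16
  node_flows "$1"
}
```

Because node_flows is derived from the node table, adding or removing a node is a matter of regenerating and re-pushing the flows for every other node, which is exactly the state change the control plane watches for on the Kubernetes API.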
38. Pod to Service Communication in Kubernetes
39. Services in Kubernetes
[Figure: Kubernetes Node 1 with pod 1 and pod 2 on br0]
Definition:
§ Service is an abstraction to define a logical set of Pods and a policy by which to access them
§ Defined by labels and selectors
§ Supports TCP and UDP
§ Interfaces with Kube-Proxy to manipulate IPtables
§ Service can be exposed internally by cluster/service IP
Remember:
PODs are Mortal!!!
40. Services in Kubernetes
[Figure: an example Service manifest, annotated: the field that becomes the IP of the service, the port of the service, the POD port, the DNS name of the service, and the selector for PODs]
41-51. Life of a Packet: POD-to-Service
[Figure: Kubernetes Node 1 with pod 1 and pod 2 on br0 and IPtables in the root namespace; the packet headers below are shown stage by stage]
Request
§ Leaving pod 1: L2 src: pod1, L2 dst: br0, L3 src: pod1, L3 dst: svc1
§ IPtables (DNAT, conntrack): L3 dst becomes pod88
§ Forwarded via the tunnel network: L3 src: pod1, L3 dst: pod88
Remember:
§ Every node should reach every POD in the cluster
§ ip route add {global_pod_cidr} dev br0, e.g. 10.244.0.0/16 (the slide writes "via br0"; via expects a gateway address, an interface is given with dev)
Example for IPtables Ruleset
[Figure: a kube-proxy IPtables ruleset from a kubeadm cluster]
https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/
Reply
§ Back via the tunnel network: L3 src: pod88, L3 dst: pod1
§ IPtables (un-DNAT): L3 src becomes svc1
§ Delivered to pod 1: L3 src: svc1, L3 dst: pod1
Unfortunately, you can’t do the same with OVS
52. Handling Service Communication with OVS: Option 1
Use ct* flow rules:
§ It uses the same conntrack kernel module as IPtables
§ You can specify similar NAT rules as you would in IPtables
§ For load balancing between POD backends, you can use group rules
* ct rules are actually not OpenFlow compatible
table=0,ip,nw_src={pod_cidr},nw_dst={service_cidr},ct_state=-trk,actions=ct(table=2)
table=0,ip,nw_src={pod_cidr},nw_dst={pod_cidr},ct_state=-trk,actions=ct(table=4)
table=2,ip,nw_dst={svc1_ip},tp_dst={svc1_port},ct_state=+trk+new,actions=group:1
table=2,ip,nw_dst={svc2_ip},tp_dst={svc2_port},ct_state=+trk+new,actions=group:2
table=2,ct_state=+trk-new,actions=resubmit(,4)
table=4 contains the original switching / routing rules
group_id=1,type=select,bucket=ct(commit,nat(dst={pod1_ip}:{pod_port}),table=4),bucket=ct(commit,nat(dst={pod2_ip}:{pod_port}),table=4),bucket=ct(commit,nat(dst={pod3_ip}:{pod_port}),table=4)
Note: ct(table=4) without the nat flag does not reverse the translation for the backend's replies; the pod-to-pod entry needs ct(nat,table=4) for the reply to leave with the service address as source.
53. Handling Service Communication with OVS: Option 2
Use stateless NAT rules:
§ If we see a Service IP we switch the destination IP to a POD backend
§ But at the same time we modify the source IP to a shifted domain (e.g. 10.244.x.y -> 172.24.x.y)
§ This way we don’t use any kernel specific rules which allows the integration into user-space (e.g. DPDK)
* NXM stands for Nicira eXtended Match rules which are also not OpenFlow compatible
table=0,ip,nw_src={pod_cidr},nw_dst={service_cidr},actions=resubmit(,2)
table=0,ip,nw_src={pod_cidr},nw_dst={shifted_pod_cidr},actions=resubmit(,3)
table=0,ip,nw_src={pod_cidr},nw_dst={pod_cidr},actions=resubmit(,4)
table=2,ip,nw_dst={svc1_ip},tp_dst={svc1_port},actions=load:44056->NXM_OF_IP_SRC[16..31],group:1
table=3,ip,nw_src={pod1_ip},tp_src={pod_port},actions=mod_nw_src:{svc1_ip},mod_tp_src:{svc1_port},load:2804->NXM_OF_IP_DST[16..31],resubmit(,4)
table=4 contains the original switching / routing rules
group_id=1,type=select,bucket=mod_nw_dst:{pod1_ip},mod_tp_dst:{pod_port},resubmit(,4),bucket=mod_nw_dst:{pod2_ip},mod_tp_dst:{pod_port},resubmit(,4),bucket=mod_nw_dst:{pod3_ip},mod_tp_dst:{pod_port},resubmit(,4)
(load: writes the upper 16 bits of the address: 44056 = 0xAC18 is the 172.24 prefix, 2804 = 0x0AF4 is the 10.244 prefix)
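Option 2 worked out for a concrete service, as an added example and not the dunlin plugin's code: the pod CIDR, shifted range, service CIDR, service address and backend addresses below are constructed, while the flow and group syntax is OVS's own. The load: values are computed from the prefixes rather than typed in, and the group is emitted before the flow that references it, since ovs-ofctl rejects a flow pointing at a group that does not exist yet.

```shell
#!/bin/sh
# Added example (not the dunlin plugin's own code): emit the stateless NAT
# flows of "Option 2" for one Service with several POD backends.
# Constructed values: pod CIDR 10.244.0.0/16, shifted copy 172.24.0.0/16,
# service CIDR 10.96.0.0/12, OVS bridge br0.
BRIDGE="${BRIDGE:-br0}"
POD_CIDR="10.244.0.0/16"
SHIFTED_CIDR="172.24.0.0/16"
SERVICE_CIDR="10.96.0.0/12"

# load:N->NXM_OF_IP_SRC[16..31] overwrites the upper 16 bits of an address,
# i.e. its "A.B" prefix as the integer A*256+B: 172.24 -> 44056, 10.244 -> 2804.
prefix16_value() {
  a=${1%%.*}
  b=${1#*.}
  echo $(( a * 256 + b ))
}

# "A.B" prefix of a /16 CIDR such as 172.24.0.0/16.
cidr_prefix16() {
  echo "$1" | cut -d. -f1,2
}

# Table 0 classifiers: service traffic to table 2, replies addressed to the
# shifted range to table 3, plain pod-to-pod traffic to the switching rules.
classifier_flows() {
  echo "table=0,priority=100,ip,nw_src=$POD_CIDR,nw_dst=$SERVICE_CIDR,actions=resubmit(,2)"
  echo "table=0,priority=100,ip,nw_src=$POD_CIDR,nw_dst=$SHIFTED_CIDR,actions=resubmit(,3)"
  echo "table=0,priority=50,ip,nw_src=$POD_CIDR,nw_dst=$POD_CIDR,actions=resubmit(,4)"
}

# Per-service rules: $1 service IP, $2 service port, $3 group id, $4 pod port,
# remaining arguments = backend pod IPs. tp_dst/tp_src need a transport
# protocol in the match, so these flows say tcp where the slides write ip.
service_flows() {
  svc_ip=$1; svc_port=$2; gid=$3; pod_port=$4
  shift 4
  shifted=$(prefix16_value "$(cidr_prefix16 "$SHIFTED_CIDR")")
  orig=$(prefix16_value "$(cidr_prefix16 "$POD_CIDR")")
  buckets=""
  for pod in "$@"; do
    buckets="$buckets,bucket=mod_nw_dst:$pod,mod_tp_dst:$pod_port,resubmit(,4)"
  done
  # Group first: OVS selects a bucket by hashing the packet's header fields,
  # so one TCP connection stays on one backend without any conntrack state.
  echo "group_id=$gid,type=select$buckets"
  # Forward: pod -> service. Shift the client's source into 172.24.x.y so the
  # backend's reply lands in table 3, then let the select group pick a backend.
  echo "table=2,priority=100,tcp,nw_dst=$svc_ip,tp_dst=$svc_port,actions=load:$shifted->NXM_OF_IP_SRC[16..31],group:$gid"
  # Reverse: backend -> shifted client. Put the service address back as the
  # source, un-shift the destination to 10.244.x.y, then switch in table 4.
  for pod in "$@"; do
    echo "table=3,priority=100,tcp,nw_src=$pod,tp_src=$pod_port,actions=mod_nw_src:$svc_ip,mod_tp_src:$svc_port,load:$orig->NXM_OF_IP_DST[16..31],resubmit(,4)"
  done
}

# Wrap rule lines in ovs-ofctl commands; groups need OpenFlow 1.1 or later.
to_commands() {
  while read -r line; do
    case "$line" in
      group_id=*) echo "ovs-ofctl -O OpenFlow13 add-group $BRIDGE '$line'" ;;
      *)          echo "ovs-ofctl -O OpenFlow13 add-flow $BRIDGE '$line'" ;;
    esac
  done
}
```

Run as `{ classifier_flows; service_flows 10.96.0.10 80 1 8080 10.244.1.2 10.244.2.2 10.244.4.3; } | to_commands` the output is the full rule set for one service; the shifted 172.24.0.0/16 range must not be routable anywhere else in the cluster, since every reply to a service client is addressed into it until table 3 rewrites it back.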
54. Finally, it’s demo time :)
55. Performance Comparison: Google Cloud
56. Performance Comparison: Amazon Cloud
57. Performance Comparison: Packet
58. Kubernetes Networking with Open vSwitch
Pure OVS solution
§ CNI binary attaching PODs to an OVS bridge
§ POD-to-POD and POD-to-Service communication with OpenFlow rules
§ Enhanced monitoring using Prometheus and OVS-exporter
§ Speed and latency are comparable with leading plugins (Flannel, Calico, Weave)
§ DPDK integration possibility
§ 100% open source: https://github.com/dunlinplugin
dunlin.io
59. Backup Slides
60. IPtables Latency by Google
61. Pod to External Communication in Kubernetes
62-66. Life of a packet: pod-to-external
[Figure: a Kubernetes node with pod 1 and pod 2 on cbr0 (vethxx, vethyy), IPtables in the root namespace, eth0 towards the network fabric; the packet headers below are shown stage by stage]
Packet from pod 1 to 8.8.8.8
§ Leaving pod 1: src: pod1, dst: 8.8.8.8
§ IPtables (MASQUERADE): src becomes NodeIP
§ Network fabric (second NAT): src becomes PublicIP, dst: 8.8.8.8
POD IP address is private
§ Needs NAT to communicate with external
Node IPs are usually also private
§ Needs second NAT by the fabric
67-70. The Hairpin Problem
[Figure: Kubernetes Node 1 with pod 1 and pod 2 on cbr0 and IPtables in the root namespace]
§ pod 1 sends to a service: src: pod1, dst: svc1
§ IPtables (DNAT, conntrack) picks pod 1 itself as the backend: src: pod1, dst: pod1
The reply for this packet would not leave this POD at all!
Only SNAT in IPtables can solve this problem
§ With SNAT: src: pod1 becomes src: cbr0 while dst: svc1 becomes dst: pod1 (DNAT, conntrack)
71. External to Internal Communication in Kubernetes
72. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
Kubernetes Node 1
eth0 Root
ns
pod 11 pod 12
cbr0
vethxx
eth0
vethyy
eth0
Kubernetes Node 3
eth0 Root
ns
pod 31 pod 32
cbr0
vethoo
eth0
vethpp
eth0
Network
Fabric
Kubernetes Node 2
eth0 Root
ns
pod 21 pod 22
cbr0
vethzz
eth0
vethvv
eth0
Serveices can be exposed to the outside by
§ Node port
§ Load Balancer
Example: frontend
§ pod 11
§ pod 31
§ pod 32
IPtables IPtables IPtables
73. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
Kubernetes Node 1
eth0 Root
ns
pod 11
cbr0
vethxx
eth0
Kubernetes Node 3
eth0 Root
ns
pod 31 pod 32
cbr0
vethoo
eth0
vethpp
eth0
Network
Fabric
Kubernetes Node 2
eth0 Root
ns
cbr0
Serveices can be exposed to the outside by
§ Node port
§ Load Balancer
Example: frontend
§ pod 11
§ pod 31
§ pod 32
IPtables IPtables IPtables
74. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
Kubernetes Node 1
eth0 Root
ns
pod 11
cbr0
vethxx
eth0
Kubernetes Node 3
eth0 Root
ns
pod 31 pod 32
cbr0
vethoo
eth0
vethpp
eth0
Network
Fabric
Kubernetes Node 2
eth0 Root
ns
cbr0
IPtables IPtables IPtables
Node port
§ One port on every node gets rerouted to a certain service
§ Typically port number > 30000
§ ∀NodeIP:30001 à 10.9.8.15:8080
§ Node IPs are usually not public!
75. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
Kubernetes Node 1
eth0 Root
ns
pod 11
cbr0
vethxx
eth0
Kubernetes Node 3
eth0 Root
ns
pod 31 pod 32
cbr0
vethoo
eth0
vethpp
eth0
Network
Fabric
Kubernetes Node 2
eth0 Root
ns
cbr0
IPtables IPtables IPtables
Node port
§ One port on every node gets rerouted to a certain service
§ Typically port number > 30000
§ ∀NodeIP:30001 à 10.9.8.15:8080
§ Node IPs are usually not public!
src: xxx:yyy
dst:
Node2:30001
Translates to one
of the pod IP
randomly
1/3
1/3
1/3
76. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
Kubernetes Node 1
eth0 Root
ns
pod 11
cbr0
vethxx
eth0
Kubernetes Node 3
eth0 Root
ns
pod 31 pod 32
cbr0
vethoo
eth0
vethpp
eth0
Network
Fabric
Kubernetes Node 2
eth0 Root
ns
cbr0
IPtables IPtables IPtables
Node port
§ One port on every node gets rerouted to a certain service
§ Typically port number > 30000
§ ∀NodeIP:30001 à 10.9.8.15:8080
§ Node IPs are usually not public!
src: xxx:yyy
dst:
Node2:30001
src: Node2:xxxx
dst: pod11:8080
1/3
77. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
[Figure: three-node cluster: Node 1 (pod 11 on cbr0 via vethxx), Node 3 (pods 31 and 32 via vethoo/vethpp), Node 2 (no pods); each node has eth0 in the root namespace, a cbr0 bridge and iptables, and the nodes are joined by the network fabric]
Node port
§ One port on every node gets rerouted to a certain service
§ Typically port number > 30000
§ ∀ NodeIP:30001 → 10.9.8.15:8080
§ Node IPs are usually not public!
Packet annotation: src xxx:yyy, dst Node3:30001. The destination is translated to one of the pod IPs at random: 1/3 pod 11, 1/3 pod 31, 1/3 pod 32.
78. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
[Figure: three-node cluster: Node 1 (pod 11 on cbr0 via vethxx), Node 3 (pods 31 and 32 via vethoo/vethpp), Node 2 (no pods); each node has eth0 in the root namespace, a cbr0 bridge and iptables, and the nodes are joined by the network fabric]
Node port
§ One port on every node gets rerouted to a certain service
§ Typically port number > 30000
§ ∀ NodeIP:30001 → 10.9.8.15:8080
§ Node IPs are usually not public!
Packet annotation: src xxx:yyy, dst Node3:30001 is rewritten to src Node3:xxxx, dst pod11:8080 (the 1/3 case in which pod 11 was chosen).
79. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
[Figure: three-node cluster: Node 1 (pod 11 on cbr0 via vethxx), Node 3 (pods 31 and 32 via vethoo/vethpp), Node 2 (no pods); each node has eth0 in the root namespace, a cbr0 bridge and iptables, and the nodes are joined by the network fabric]
Load Balancer
§ One public IP that maps to a certain service
§ Fabric has to manage it!
§ GCE
§ AWS
§ OpenStack
[Figure: a Load Balancer placed in front of the network fabric]
80. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
[Figure: three-node cluster: Node 1 (pod 11 on cbr0 via vethxx), Node 3 (pods 31 and 32 via vethoo/vethpp), Node 2 (no pods); each node has eth0 in the root namespace, a cbr0 bridge and iptables, and the nodes are joined by the network fabric]
Load Balancer
§ One public IP that maps to a certain service
§ Fabric has to manage it!
§ GCE
§ AWS
§ OpenStack
[Figure: a Load Balancer placed in front of the network fabric]
Packet annotation: src xxx:yyy, dst 95.67.12.3. The packet arrives at the Load Balancer's public IP.
81. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
[Figure: three-node cluster: Node 1 (pod 11 on cbr0 via vethxx), Node 3 (pods 31 and 32 via vethoo/vethpp), Node 2 (no pods); each node has eth0 in the root namespace, a cbr0 bridge and iptables, and the nodes are joined by the network fabric]
Load Balancer
§ One public IP that maps to a certain service
§ Fabric has to manage it!
§ GCE
§ AWS
§ OpenStack
[Figure: a Load Balancer placed in front of the network fabric]
Packet annotation: src xxx:yyy, dst 95.67.12.3, then dst rewritten to a Node Port. The packet has to be forwarded to one of the nodes.
82. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
[Figure: three-node cluster: Node 1 (pod 11 on cbr0 via vethxx), Node 3 (pods 31 and 32 via vethoo/vethpp), Node 2 (no pods); each node has eth0 in the root namespace, a cbr0 bridge and iptables, and the nodes are joined by the network fabric]
Load Balancer
§ One public IP that maps to a certain service
§ Fabric has to manage it!
§ GCE
§ AWS
§ OpenStack
[Figure: a Load Balancer placed in front of the network fabric]
Packet annotation: src xxx:yyy, dst 95.67.12.3, then dst rewritten to a Node Port. If the LB is smart, it will only forward to nodes that host a pod of the service.
83. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
[Figure: three-node cluster: Node 1 (pod 11 on cbr0 via vethxx), Node 3 (pods 31 and 32 via vethoo/vethpp), Node 2 (no pods); each node has eth0 in the root namespace, a cbr0 bridge and iptables, and the nodes are joined by the network fabric]
Load Balancer
§ One public IP that maps to a certain service
§ Fabric has to manage it!
§ GCE
§ AWS
§ OpenStack
[Figure: a Load Balancer placed in front of the network fabric]
Packet annotation: src xxx:yyy, dst 95.67.12.3, then dst rewritten to Node1. If iptables is smart, it won't reroute the packet to another node.
84. Péter Megyesi: Kubernetes Networking Made Easy with Open vSwitch and OpenFlow www.leannet.eu
External-to-Internal Traffic
[Figure: three-node cluster: Node 1 (pod 11 on cbr0 via vethxx), Node 3 (pods 31 and 32 via vethoo/vethpp), Node 2 (no pods); each node has eth0 in the root namespace, a cbr0 bridge and iptables, and the nodes are joined by the network fabric]
Load Balancer
§ One public IP that maps to a certain service
§ Fabric has to manage it!
§ GCE
§ AWS
§ OpenStack
[Figure: a Load Balancer placed in front of the network fabric]
Packet annotation: src xxx:yyy, dst 95.67.12.3. Even then, load balancing might not be perfect: the LB splits traffic 50% / 50% between the two nodes that host pods, which ends up as 50% / 25% / 25% across the three pods.
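The following is an added example, not from the slides, that models the NodePort path shown above in Python: the iptables `statistic --mode random` probability cascade that kube-proxy installs so each of the three pods is picked with probability 1/3, the DNAT plus masquerade that turns `dst Node2:30001` into `src Node2:xxxx dst pod11:8080`, and the 50% / 25% / 25% split of the last slide when the load balancer only targets nodes that host a pod and iptables only forwards locally (what Kubernetes calls `externalTrafficPolicy: Local`). Pod and node names are the slides' illustrative ones and the cluster layout is constructed; `xxxx` stands in for the ephemeral source port.

```python
import random
from collections import Counter

# Constructed cluster from the slides: pod 11 on Node 1, pods 31/32 on Node 3.
PODS_ON_NODE = {"Node1": ["pod11"], "Node2": [], "Node3": ["pod31", "pod32"]}
SERVICE_PODS = [p for pods in PODS_ON_NODE.values() for p in pods]
TARGET_PORT = 8080  # the pods' port behind NodeIP:30001 / 10.9.8.15:8080

def cascade_probabilities(n):
    """Per-rule probabilities of an iptables 'statistic --mode random' cascade.
    Rule i fires with probability 1/(n-i), so every one of the n endpoints is
    chosen with overall probability 1/n (n=3 gives 1/3, 1/2, 1).
    """
    return [1.0 / (n - i) for i in range(n)]

def pick_endpoint(endpoints, rng):
    """Walk the cascade the way netfilter evaluates the rules, top to bottom."""
    for ep, p in zip(endpoints, cascade_probabilities(len(endpoints))):
        if rng.random() < p:
            return ep
    raise AssertionError("unreachable: the last rule has probability 1.0")

def nodeport_dnat(node, endpoints, rng=None):
    """DNAT NodeIP:30001 -> podIP:8080 and masquerade the source to the node.
    Returns the rewritten (src, dst), the slides' 'src: Node2:xxxx dst: pod11:8080'.
    """
    pod = pick_endpoint(endpoints, rng or random.Random())
    return f"{node}:xxxx", f"{pod}:{TARGET_PORT}"

def distribution(policy, trials, seed=0):
    """Share of traffic each pod receives under an external traffic policy.
    'cluster': the LB may hit any node and each node DNATs to any service pod.
    'local':   the LB only targets nodes hosting a pod and each node only DNATs
               to its own pods, which yields the slides' 50% / 25% / 25% split.
    """
    rng = random.Random(seed)
    hits = Counter()
    nodes = [n for n, pods in PODS_ON_NODE.items() if pods or policy == "cluster"]
    for _ in range(trials):
        node = rng.choice(nodes)  # the LB spreads evenly over eligible nodes
        endpoints = SERVICE_PODS if policy == "cluster" else PODS_ON_NODE[node]
        _, dst = nodeport_dnat(node, endpoints, rng)
        hits[dst.split(":")[0]] += 1
    return {pod: hits[pod] / trials for pod in SERVICE_PODS}
```

Running `distribution("cluster", 30000)` gives roughly a third per pod, while `distribution("local", 30000)` reproduces the uneven split, which is the trade-off to weigh when the local policy is chosen to keep the client source IP instead of masquerading it.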