Slide 1: Life of a Packet
KubeCon Europe 2017
Michael Rubin <mrubin@google.com>, TL/TLM in GKE/Kubernetes, github.com/matchstick
Google Cloud Platform
Slide 2: Kubernetes is about clusters
- Because of that, networking is pretty important
- Most of Kubernetes centers on network concepts
- Our job is to make sure your applications can communicate:
  - With each other
  - With the world outside your cluster
  - Only where you want
Slide 3: The IP-per-pod model
Slide 4: The IP-per-pod model
- Every pod has a real IP address
- This is different from the out-of-the-box model Docker offers
  - No machine-private IPs
  - No port-mapping
- Pod IPs are accessible from other pods, regardless of which VM they are on
- Linux network namespaces (aka netns) and virtual interfaces
Slides 5-11: Network namespaces (diagram, built up over seven slides)
- A Node has a root netns; each pod gets its own netns (pod1 netns, pod2 netns)
- Each pod netns is connected to the root netns by a veth pair (vethxx for pod1, vethyy for pod2)
- The root-netns ends of the veth pairs are attached to the bridge cbr0
Slides 12-16: Life of a packet: pod-to-pod, same node (diagram, built up over five slides)
- src: pod1, dst: pod2
- Path: ctr1 in pod1 netns -> vethxx -> cbr0 in the root netns -> vethyy -> ctr2 in pod2 netns
Slide 17: Flat network space
- Pods must be reachable across Nodes, too
- Kubernetes doesn't care HOW, but this is a requirement
  - L2, L3, or overlay
- Assign a CIDR (IP block) to each Node
- GCP: Teach the network how to route packets
Slides 18-26: Life of a packet: pod-to-pod, across nodes (diagram, built up over nine slides)
- src: pod1 (on Node1), dst: pod4 (on Node2)
- Path: ctr1 in pod1 -> vethxx -> cbr0 in Node1's root netns -> out onto the network, which routes to Node2 by its pod CIDR -> Node2's root netns -> cbr0 -> vethyy -> ctr4 in pod4
Slide 27: Overlays
Slide 28: Overlay networks
- Why?
  - Can't get enough IP space
  - Network can't handle extra routes
  - Want management features
- Encapsulate packet-in-packet
- Traverse the native network between Nodes
Slide 29: Overlay networks
- Why Not?
  - Latency overhead in some cloud providers
  - Complexity overhead
  - Often not required
- Use it when you know you need it
Slides 30-35: Overlay example: Flannel (vxlan) (diagram, built up over six slides)
- VXLAN interface acts like any other vnic
- Each Node's root netns has a flannel0 device next to cbr0; pods attach to cbr0 via veth pairs as before
- src: pod1 (Node1), dst: pod4 (Node2): the packet goes vethxx -> cbr0 -> flannel0 in Node1's root netns
Slide 36: Overlay example: Flannel
- Encapsulates the packet
- Flannel device implementation:
  - Simple VXLAN, developed by CoreOS for containers and Kubernetes
  - Uses Linux native VXLAN devices
  - A userspace agent for address resolution
  - Data path is in-kernel (fast)
- Before flannel0: [src: pod1 | dst: pod4 | Payload]
- After flannel0:  [MAC | src: node1 | dst: node2 | UDP | src: pod1 | dst: pod4 | Payload]
Slides 37-44: Overlay example: Flannel (diagram, built up over eight slides)
- On Node1, flannel0 encapsulates the pod packet (src: pod1, dst: pod4) inside a Node packet (src: node1, dst: node2)
- The encapsulated packet leaves Node1's root netns, crosses the native network and arrives in Node2's root netns
- On Node2, flannel0 decapsulates it back to src: pod1, dst: pod4, and cbr0 -> vethxx delivers it to pod4
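The two things the overlay slides (17 and 30-44) describe, as an added example that is not code from the talk or from Flannel: resolve which Node owns the destination pod IP from the per-Node CIDR table, then wrap the pod-to-pod packet in a Node-to-Node UDP/VXLAN packet and unwrap it on the far side. The Node CIDRs, Node IPs and VNI are constructed values, and the inner "packet" is simplified to src IP, dst IP and payload.

```python
import ipaddress
import struct

# Constructed values: each Node owns one pod CIDR (slide 17) and has one Node IP.
NODE_CIDRS = {
    "node1": ("10.244.1.0/24", "192.168.0.11"),
    "node2": ("10.244.2.0/24", "192.168.0.12"),
}
VXLAN_PORT = 8472           # UDP port Linux VXLAN devices listen on by default
VNI = 1                     # constructed VXLAN Network Identifier
VXLAN_FLAG_VNI_VALID = 0x08 # the only flag bit defined in the VXLAN header

def node_for_pod(pod_ip):
    """Address resolution: which Node owns this pod IP? Returns (name, node_ip) or None."""
    addr = ipaddress.ip_address(pod_ip)
    for name, (cidr, node_ip) in NODE_CIDRS.items():
        if addr in ipaddress.ip_network(cidr):
            return name, node_ip
    return None

def pod_packet(src_pod, dst_pod, payload):
    """Simplified inner packet: 4-byte src IP, 4-byte dst IP, payload."""
    return ipaddress.ip_address(src_pod).packed + ipaddress.ip_address(dst_pod).packed + payload

def encapsulate(local_node, inner):
    """flannel0 on the sending Node: look up the owner of the inner dst, then prepend the
    outer src/dst Node IPs, the UDP dst port and the 8-byte VXLAN header.
    Returns None when the destination pod is on this Node (cbr0 delivers it, no overlay)."""
    dst_pod = str(ipaddress.ip_address(inner[4:8]))
    owner = node_for_pod(dst_pod)
    if owner is None:
        raise ValueError(f"{dst_pod} is not in any Node's pod CIDR")
    dst_node, dst_node_ip = owner
    if dst_node == local_node:
        return None
    src_node_ip = NODE_CIDRS[local_node][1]
    outer_ips = ipaddress.ip_address(src_node_ip).packed + ipaddress.ip_address(dst_node_ip).packed
    udp_dport = struct.pack("!H", VXLAN_PORT)
    # VXLAN header: flags byte, 3 reserved bytes, 24-bit VNI, 1 reserved byte
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, VNI << 8)
    return outer_ips + udp_dport + vxlan + inner

def decapsulate(local_node, packet):
    """flannel0 on the receiving Node: check the outer headers, strip them and hand the
    inner pod-to-pod packet to cbr0. Returns (src_pod, dst_pod, payload)."""
    outer_dst = str(ipaddress.ip_address(packet[4:8]))
    if outer_dst != NODE_CIDRS[local_node][1]:
        raise ValueError("outer dst is not this Node")
    (dport,) = struct.unpack("!H", packet[8:10])
    flags, vni_field = struct.unpack("!B3xI", packet[10:18])
    if dport != VXLAN_PORT or not (flags & VXLAN_FLAG_VNI_VALID) or (vni_field >> 8) != VNI:
        raise ValueError("not a VXLAN packet for this overlay")
    inner = packet[18:]
    src_pod = str(ipaddress.ip_address(inner[0:4]))
    dst_pod = str(ipaddress.ip_address(inner[4:8]))
    # The inner dst must sit in the local pod CIDR, otherwise cbr0 cannot deliver it.
    if node_for_pod(dst_pod) != (local_node, NODE_CIDRS[local_node][1]):
        raise ValueError("inner dst is not a local pod")
    return src_pod, dst_pod, inner[8:]
```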
Slide 45: Dealing with change
- A real cluster changes over time:
  - Rolling updates
  - Scale-up and scale-down events
  - Pods crash or hang
  - Nodes reboot
- The pod addresses you need to reach can change without warning
- You need something more durable than a pod IP
Slide 46: Services
Slide 47: The service abstraction
- A service is a group of endpoints (usually pods)
- Services provide a stable VIP
  - VIP automatically routes to backend pods
  - Implementations can vary
  - We will examine the default implementation
- The set of pods behind a service can change
  - Clients only need the VIP, which doesn't change
Slides 48-49: Service
- What you submit is simple
- Other fields will be defaulted or assigned
- The selector field chooses which pods to balance across

  kind: Service
  apiVersion: v1
  metadata:
    name: store-be
  spec:
    selector:
      app: store
      role: be
    ports:
    - name: http
      port: 80
Slides 50-51: Service
- What you get back has more information
- Automatically creates a distributed load balancer
- The default is to allocate an in-cluster IP

  kind: Service
  apiVersion: v1
  metadata:
    name: store-be
    namespace: default
    creationTimestamp: T19:16:56Z
    resourceVersion: "7"
    selfLink: /api/v1/namespaces/default/services/store-be
    uid: 196d bf-11e a800fe3
  spec:
    type: ClusterIP
    selector:
      app: store
      role: be
    clusterIP:
    ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    sessionAffinity: None
Slides 52-53: Endpoints (diagram)
- selector: app: store, role: be
- The cluster's pods carry various labels: app: store role: be (several), app: store role: fe, app: db role: be (several)
- Only pods whose labels match both app: store and role: be are selected; app: store role: fe and app: db role: be are not
Slides 54-55: Endpoints
- When you create a service, a controller wakes up
- Holds the IPs of the pod backends

  kind: Endpoints
  apiVersion: v1
  metadata:
    name: store-be
    namespace: default
  subsets:
  - addresses:
    - ip:
    - ip:
    - ip:
    ports:
    - name: http
      port: 80
      protocol: TCP
Slides 56-60: Life of a packet: pod-to-service (diagram, built up over five slides)
- src: pod1, dst: svc1
- Path: ctr1 in pod1 netns -> vethxx -> cbr0 in the root netns -> iptables
- iptables rewrites dst: svc1 to dst: pod99 (DNAT) and conntrack records the translation
Slide 61: Conntrack
- Linux kernel connection-tracking
- Remembers address translations
  - Based on the 5-tuple
- Does a lot more, but not very relevant here
- Reversed on the return path

  { protocol = TCP, src_ip = pod1, src_port = 1234, dst_ip = svc1, dst_port = 80 }
    => { protocol = TCP, src_ip = pod1, src_port = 1234, dst_ip = pod99, dst_port = 80 }
Slides 62-66: Life of a packet: pod-to-service (diagram, built up over five slides)
- Forward: src: pod1, dst: pod99 leaves the root netns after the DNAT
- Reply: src: pod99, dst: pod1 comes back through iptables, where conntrack un-DNATs the source to src: svc1
- ctr1 in pod1 receives src: svc1, dst: pod1 via cbr0 -> vethxx; it never sees pod99
Slide 67: A bit more on iptables
- The iptables rules look scary, but are actually simple:

  if dest.ip == svc1.ip && dest.port == svc1.port {
      pick one of the backends at random
      rewrite destination IP
  }

- Configured by kube-proxy - a pod running on each Node
  - Not actually a proxy
  - Not in the data path
- Kube-proxy is a controller - it watches the API for services
Slide 68: DNS
- Even easier: services are added to an in-cluster DNS server
- You would never hardcode an IP, but you might hardcode a hostname and port
- Serves A and SRV records
- DNS itself runs as pods and a service
Slides 69-70: DNS Service
- Requests a particular cluster IP
- Pods are auto-scaled with the cluster size
- Service VIP is stable

  kind: Service
  apiVersion: v1
  metadata:
    name: kube-dns
    namespace: kube-system
  spec:
    clusterIP:
    selector:
      k8s-app: kube-dns
    ports:
    - name: dns
      port: 53
      protocol: UDP
    - name: dns-tcp
      port: 53
      protocol: TCP
Slide 71: Simple and powerful
- Can use any port you want, no conflicts
- Can request a particular clusterIP
- Can remap ports
Slide 72: That's all there is to it
- Services are an abstraction - the API is a VIP
- No running process or intercepting the data-path
- All a client needs to do is hit the service IP:port
Slide 73: Sending external traffic
- Services are within a cluster
- What happens if you want your pod to reach google.com?
Slide 74: Egress
Slide 75: Leaving the GCP project
- Nodes get private IPs (in /8)
- Nodes can have public IPs, too
- GCP: Public IPs are provided by 1-to-1 NAT
Slides 76-82: Life of a packet: Node-to-internet (diagram, built up over seven slides)
- The Node's root netns sends src: internal-ip to an external destination
- At the cluster edge the 1:1 NAT rewrites the source to src: external-ip
- The reply arrives with dst: external-ip; the 1:1 NAT rewrites it to dst: internal-ip and it reaches the Node
Slides 83-87: Life of a packet: pod-to-internet (diagram, built up over five slides)
- pod1 sends src: pod1 to an external destination; it goes vethxx -> cbr0 -> out of the Node's root netns
- At the 1:1 NAT the packet is dropped!
Slide 88: What went wrong?
- The 1:1 NAT only understands Node IPs
  - Anything else gets dropped
  - Pod IPs != Node IPs
- When in doubt, add some more iptables
  - MASQUERADE, aka SNAT
  - Applies to any packet with a destination *outside* of /8
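The two iptables rules the talk describes, service DNAT with conntrack reversal (slides 60-67) and the egress MASQUERADE that keeps the provider's 1:1 NAT from dropping pod traffic (slides 75-88), as one added example; it is not code from the talk or from kube-proxy. The cluster /8, the Node's internal and external IPs, the service VIP and the backend IPs are constructed values, and a packet is modelled as its 5-tuple.

```python
import ipaddress
import random

# Constructed values for this example (not from the talk):
CLUSTER_RANGE = ipaddress.ip_network("10.0.0.0/8")  # the talk's "/8" of private addresses
NODE_INTERNAL_IP = "10.128.0.5"                       # this Node's private IP
NODE_EXTERNAL_IP = "198.51.100.9"                     # public IP the cloud maps 1:1 to the Node
SERVICES = {                                          # service VIP:port -> backend pod IPs
    ("10.0.0.10", 80): ["10.244.1.4", "10.244.2.9", "10.244.3.2"],
}

# A packet is its 5-tuple: (protocol, src_ip, src_port, dst_ip, dst_port)

def reverse(pkt):
    """The 5-tuple that a reply to pkt carries."""
    proto, src, sport, dst, dport = pkt
    return (proto, dst, dport, src, sport)

class NodeNat:
    """Minimal model of conntrack plus the two iptables rules from the talk."""

    def __init__(self, rng=None):
        self.rng = rng or random.Random()
        self.forward = {}  # original outgoing 5-tuple -> translated 5-tuple
        self.back = {}     # 5-tuple of the expected reply -> 5-tuple the sender expects

    def outbound(self, pkt):
        """Packet leaving a pod through the root netns."""
        if pkt in self.forward:            # known connection: conntrack reuses the mapping
            return self.forward[pkt]
        proto, src, sport, dst, dport = pkt
        # Rule 1 (slide 67): dst is a service VIP:port -> DNAT to one backend, chosen at random
        if (dst, dport) in SERVICES:
            dst = self.rng.choice(SERVICES[(dst, dport)])
        # Rule 2 (slide 88): destination outside the /8 -> MASQUERADE, i.e. SNAT to the Node IP.
        # Real MASQUERADE also re-allocates the source port on a collision; this model keeps it.
        if ipaddress.ip_address(dst) not in CLUSTER_RANGE:
            src = NODE_INTERNAL_IP
        translated = (proto, src, sport, dst, dport)
        self.forward[pkt] = translated
        self.back[reverse(translated)] = reverse(pkt)   # remembered for the return path
        return translated

    def inbound(self, pkt):
        """Reply arriving in the root netns: undo whatever was done on the way out."""
        return self.back.get(pkt, pkt)

def cloud_one_to_one_nat(pkt):
    """The provider's 1:1 NAT on the way out (slides 76-88): it only knows the Node's IP.
    Returns the rewritten packet, or None when the packet is dropped."""
    proto, src, sport, dst, dport = pkt
    if src != NODE_INTERNAL_IP:
        return None
    return (proto, NODE_EXTERNAL_IP, sport, dst, dport)

def cloud_one_to_one_nat_reply(pkt):
    """The 1:1 NAT on the way back: dst external-ip becomes dst internal-ip."""
    proto, src, sport, dst, dport = pkt
    if dst != NODE_EXTERNAL_IP:
        return None
    return (proto, src, sport, NODE_INTERNAL_IP, dport)
```

Without the MASQUERADE step, `cloud_one_to_one_nat` returns None for a packet whose source is still the pod IP, which is the "dropped!" of slide 87.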
Slides 89-98: Life of a packet: pod-to-internet, with MASQUERADE (diagram, built up over ten slides)
- pod1 sends src: pod1; iptables in the root netns MASQUERADEs it to src: internal-ip
- The 1:1 NAT now recognises the Node IP and rewrites it to src: external-ip
- The reply comes back dst: external-ip -> 1:1 NAT -> dst: internal-ip -> iptables un-SNATs to dst: pod1 -> cbr0 -> vethxx -> pod1
Slide 99: Receiving external traffic
- Kubernetes builds on two:
  - Network Load Balancer (L4)
  - HTTP/S Load balancer (L7)
- These map to Kubernetes APIs:
  - Service type=LoadBalancer
  - Ingress
Slide 100: L4: Service + LoadBalancer
Slide 101: Service
- Change the type of your service
- Implemented by the cloud provider controller

  kind: Service
  apiVersion: v1
  metadata:
    name: store-be
  spec:
    type: LoadBalancer
    selector:
      app: store
      role: be
    ports:
    - name: https
      port: 443
Slide 102: Service
- The LB info is populated when ready

  kind: Service
  apiVersion: v1
  metadata:
    name: store-be
    #...
  spec:
    type: LoadBalancer
    selector:
      app: store
      role: be
    clusterIP:
    ports:
    #...
    sessionAffinity: None
  status:
    loadBalancer:
      ingress:
      - ip:
Slides 103-110: Life of a packet: external-to-service (diagram, built up over eight slides)
- Cluster of Node1, Node2, Node3 running pod1, pod2, pod3; a Net LB sits in front of the cluster
- Client sends src: client, dst: LB
- The Net LB chooses a Node (VM1 = Node1 in the diagram) and forwards the packet to it
Slide 111: Balancing to Nodes
- Most LB only knows about Nodes
- Nodes do not map 1:1 with pods
Slides 112-114: The imbalance problem (diagram, built up over three slides)
- Assume the LB only hits Nodes with backend pods on them
- The LB only knows about Nodes, so it splits traffic 50% / 50% between the two Nodes that have pods
- A Node holding one pod gives that pod all of its 50%; a Node holding two pods gives each 25% (pod1: 50%, pod2: 25%, pod3: 25%)
Slide 115: Balancing to Nodes
- Most cloud LB only knows about Nodes
- Nodes do not map 1:1 with pods
- How do we avoid imbalance?
  - iptables, of course
Slides 116-136: Life of a packet: external-to-service (diagram, built up over 21 slides)
- src: client, dst: LB arrives at the chosen Node; iptables there chooses a pod from the whole cluster and NATs dst: LB to dst: pod2 (which may live on another Node)
- First attempt, rewriting only the destination: pod2 replies src: pod2, dst: client, and that reply is INVALID
- Fix: NAT both addresses on the way in, src: client -> src: Node1 and dst: LB -> dst: pod2
- pod2 now replies src: pod2, dst: Node1; iptables on Node1 reverses both translations to src: LB, dst: client, and the reply goes back through the Net LB to the client
Slide 137: Explain the complexity
- To avoid imbalance, we re-balance inside Kubernetes
- A backend is chosen randomly from all pods
- Good: Well balanced, in practice
- Bad:
  - Can cause an extra network hop
  - Hides the client IP from the user's backend
- Users wanted to make the trade-off themselves
Slide 138: OnlyLocal
- Specify an external-traffic policy
- iptables will always choose a pod on the same node
- Preserves client IP
- Risks imbalance

  kind: Service
  apiVersion: v1
  metadata:
    name: store-be
    annotations:
      service.beta.kubernetes.io/external-traffic: OnlyLocal
  spec:
    type: LoadBalancer
    selector:
      app: store
      role: be
    ports:
    - name: https
      port: 443
Slide 139: Opt-in to the imbalance problem
- In practice Kubernetes spreads pods across nodes
  - If pods >> nodes: OK
  - If nodes >> pods: OK
  - If pods ~= nodes: risk
- Diagram: the Net LB sends 50% to each of two Nodes; with OnlyLocal, iptables on each Node stays local, so pod1 gets 50% while pod2 and pod3 get 25% each
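The per-pod traffic shares from slides 112-114 and 139, carried through for both policies as an added example (not code from the talk): the Node-level split the LB makes, then either cluster-wide random re-balancing (slide 137) or OnlyLocal (slide 138). The pod placement is constructed to match the diagram, and the example generalises to any placement so the "pods ~= nodes" risk can be checked for a real layout.

```python
from fractions import Fraction

# Constructed placement matching the diagram on slides 113-114 and 139:
# pod1 alone on Node1, pod2 and pod3 together on Node2, nothing on Node3.
PLACEMENT = {"Node1": ["pod1"], "Node2": ["pod2", "pod3"], "Node3": []}

def pod_shares(placement, policy):
    """Fraction of client traffic that reaches each pod.

    placement: {node: [pod, ...]}. The LB only knows about Nodes and sends an equal share
    to each Node that has backend pods (slide 112's assumption; with OnlyLocal the
    health-check on slide 140 makes it true).
    policy: "cluster"   - iptables picks a backend at random from all pods (slide 137)
            "OnlyLocal" - iptables picks a pod on the same Node only (slide 138)
    """
    nodes_with_pods = [n for n, pods in placement.items() if pods]
    all_pods = [p for pods in placement.values() for p in pods]
    if not nodes_with_pods:
        raise ValueError("no backends: the service has nothing to send traffic to")
    per_node = Fraction(1, len(nodes_with_pods))
    shares = {p: Fraction(0) for p in all_pods}
    for node in nodes_with_pods:
        if policy == "OnlyLocal":
            candidates = placement[node]
        elif policy == "cluster":
            candidates = all_pods
        else:
            raise ValueError(f"unknown policy {policy!r}")
        for pod in candidates:
            shares[pod] += per_node / len(candidates)
    return shares

def skew(shares):
    """Busiest pod's share divided by the quietest pod's share; 1 means perfectly balanced."""
    return max(shares.values()) / min(shares.values())

def extra_hop_probability(placement):
    """With policy "cluster", the chance that a request is re-balanced to a pod on a
    different Node from the one the LB picked (the extra network hop on slide 137)."""
    nodes_with_pods = [n for n, pods in placement.items() if pods]
    total = sum(len(pods) for pods in placement.values())
    per_node = Fraction(1, len(nodes_with_pods))
    return sum(per_node * Fraction(total - len(placement[n]), total) for n in nodes_with_pods)
```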
Slides 140-151: Life of a packet: external-to-service, with OnlyLocal (diagram, built up over twelve slides)
- A Node with no backend pods is not considered: its health-check fails
- Client sends src: client, dst: LB; the Net LB chooses a Node that passed the health-check (VM1)
- iptables on that Node chooses a local pod and DNATs dst: LB to dst: pod2
- pod2 replies src: pod2, dst: client; iptables un-DNATs the source to src: LB and the reply returns through the Net LB to the client
Slide 152: Network Policy
Slide 153: Network Policy
- A common pattern for applications is to organize into micro-services or tiers
- Example: The classic three-tier app
  - app: store role: fe
  - app: store role: be
  - app: store role: db
- Users want to lock down the network: allow some tiers to communicate with others, but not a free-for-all
Slide 154: Network Policy
- Networks can disallow communication between tiers that are not allowed
  - An FE should never reach around to the DB
  - An FE should never talk to another FE
- Labels are dynamic so these rules must be so also
- Diagram: fe -> be -> db, with the fe -> db and fe -> fe links marked X
Slide 155: Namespaces
- Private scope for creating and managing objects (Pods, Services, NetworkPolicies...)
- Namespaced objects are always namespaced
- If you don't specify a namespace in YAML, use the kubectl command-line or the current context

  kubectl -n my-namespace create -f file.yaml
Slide 156: Network Policy
- When first created, the namespace allows all pods to reach each other
- Remember we said all pods can reach each other
- Diagram: fe, be and db pods, all able to reach each other
Slide 157: Network Policy
- Describe the allowed links
- Example:
  - Pods labelled role: be can receive traffic from role: fe
  - Pods labelled role: db can receive traffic from role: be
Slide 158: Network Policy
- Install policies
- Per-namespace API
- Specify:
  - Pods subject to this policy
  - Pods allowed to connect to the subjects
  - Port(s) allowed

  apiVersion: extensions/v1beta1
  kind: NetworkPolicy
  metadata:
    name: store-net-policy
  spec:
    podSelector:
      matchLabels:
        role: db
    ingress:
    - from:
      - podSelector:
          matchLabels:
            role: be
      ports:
      - protocol: TCP
        port: 6379
Slide 159: Network Policy
- Switch the network isolation mode to DefaultDeny
- Absent policies, no network traffic can flow
- Diagram: every link between fe, be and db is marked X
Slide 160: Network Policy

  kind: Namespace
  apiVersion: v1
  metadata:
    name: store-namespace
    annotations:
      net.beta.kubernetes.io/network-policy: |
        { "ingress": { "isolation": "DefaultDeny" } }
Slide 161: Network Policy
- Connections allowed by NetworkPolicies are OK
- Ordering is very important for these steps
- Diagram: fe -> be and be -> db allowed; the other links marked X
Slide 162: Network Policy
- There may be multiple NetworkPolicies in a Namespace
  - Purely additive
  - There is no way to specify deny in NetworkPolicy
- Implemented at L3/L4, no L7 support
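The isolation rules from slides 156-162 as an evaluator, an added example that is not code from the talk or from any policy implementation: with no isolation annotation everything is allowed; under DefaultDeny a connection is allowed only if some policy selects the destination pod and one of its ingress rules matches the source pod and port; policies are purely additive. The db policy and the namespace annotation are the talk's own objects; the second policy (be accepting from fe on port 80) is constructed to match slide 157, and only matchLabels selectors and podSelector peers are modelled.

```python
import json

ISOLATION_ANNOTATION = "net.beta.kubernetes.io/network-policy"

# The store namespace with the DefaultDeny annotation from slide 160, and the same
# namespace without it (slide 156), as Python dicts.
STORE_NAMESPACE = {
    "metadata": {
        "name": "store-namespace",
        "annotations": {ISOLATION_ANNOTATION: '{ "ingress": { "isolation": "DefaultDeny" } }'},
    }
}
OPEN_NAMESPACE = {"metadata": {"name": "store-namespace", "annotations": {}}}

STORE_POLICIES = [
    {"metadata": {"name": "store-net-policy"},      # slide 158
     "spec": {"podSelector": {"matchLabels": {"role": "db"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "be"}}}],
                           "ports": [{"protocol": "TCP", "port": 6379}]}]}},
    {"metadata": {"name": "store-be-policy"},       # constructed for slide 157, not on the slides
     "spec": {"podSelector": {"matchLabels": {"role": "be"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "fe"}}}],
                           "ports": [{"protocol": "TCP", "port": 80}]}]}},
]

def selects(selector, labels):
    """matchLabels semantics: every selector key must be present with the same value.
    An empty selector matches every pod. (matchExpressions are not modelled.)"""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def default_deny(namespace):
    """Is the namespace switched to DefaultDeny ingress isolation (slide 159)?"""
    raw = namespace["metadata"].get("annotations", {}).get(ISOLATION_ANNOTATION)
    if raw is None:
        return False
    return json.loads(raw).get("ingress", {}).get("isolation") == "DefaultDeny"

def ingress_allowed(namespace, policies, src_labels, dst_labels, protocol, port):
    """Can a pod labelled src_labels open protocol/port to a pod labelled dst_labels in
    the same namespace? The first matching rule allows; nothing can deny (slide 162)."""
    if not default_deny(namespace):
        return True                              # slide 156: no isolation, all pods reach each other
    for policy in policies:
        spec = policy["spec"]
        if not selects(spec.get("podSelector", {}), dst_labels):
            continue                             # this policy is not about the destination pod
        for rule in spec.get("ingress", []):
            peers = rule.get("from") or []       # empty or missing "from": any source
            ports = rule.get("ports")            # missing "ports": any port
            peer_ok = not peers or any(selects(p.get("podSelector", {}), src_labels) for p in peers)
            port_ok = ports is None or any(
                p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)
            if peer_ok and port_ok:
                return True
    return False                                 # DefaultDeny and no policy let it through
```

Evaluating with an empty policy list under DefaultDeny blocks everything, which is the ordering point of slide 161: switching on DefaultDeny before the policies are installed cuts all traffic.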
Slide 163: Open implementation
- Beta in v1.6
- Expected GA in v1.7
- Kubernetes allows the user to select the best method to implement Network policy
- Today there is a wide range of choices:
  - Calico
  - Contiv
  - Openshift
  - Romana
  - Trireme
  - WeaveNet
  - And more...
Slide 164: Watch this space
- Kubernetes Networking is a moving target
- The efforts of Open Source developers continue to improve and simplify the system
- Hopefully at the next KubeCon we will have the opportunity to present more
Slide 165: Kubernetes is Open
- open community
- open design
- open source
- open to ideas
- Code: github.com/kubernetes/kubernetes
- Chat: slack.k8s.io
Google Cloud Platform
NET2761BU NSX Data Center Load Balancing and VPN Services Derek Deukyoon Kang, VMware, Inc. Vinay Reddy, VMware, Inc. #vmworld #NET2761BU Disclaimer This presentation may contain product features or functionality
More informationEfficiently exposing apps on Kubernetes at scale. Rasheed Amir, Stakater
Efficiently exposing apps on Kubernetes at scale Rasheed Amir, Stakater Problem Kubernetes runs container workloads in Pods... but these are not automatically accessible outside the cluster What options
More informationCONTAINERS AND MICROSERVICES WITH CONTRAIL
CONTAINERS AND MICROSERVICES WITH CONTRAIL Scott Sneddon Sree Sarva DP Ayyadevara Sr. Director Sr. Director Director Cloud and SDN Contrail Solutions Product Line Management This statement of direction
More informationgcp / gke / k8s microservices
gcp / gke / k8s microservices managing microservices with kubernetes 08.17.2016 Austin GCPUG Lou Scalpati CTO RxWiki microservices What are Microservices generally REST APIs returning json organized around
More informationKubernetes: Twelve KeyFeatures
Kubernetes: Twelve KeyFeatures Kubernetes is a Greek word which means helmsman, or the pilot of a ship. It is an open source project that was started by Google and derived from Borg, which is used inside
More informationService discovery in Kubernetes with Fabric8
Service discovery in Kubernetes with Fabric8 Andy Moncsek Senior Consultant Andy.Moncsek@trivadis.com Twitter: @AndyAHCP BASEL BERN BRUGG DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. GENF HAMBURG KOPENHAGEN
More informationHacking and Hardening Kubernetes
SESSION ID: HT-W02 Hacking and Hardening Kubernetes Jay Beale CTO InGuardians, Inc @jaybeale and @inguardians Adam Crompton Senior Security Analyst InGuardians, Inc. @3nc0d3r and @inguardians Table of
More informationVMware Integrated OpenStack with Kubernetes Getting Started Guide. VMware Integrated OpenStack 4.1
VMware Integrated OpenStack with Kubernetes Getting Started Guide VMware Integrated OpenStack 4.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
More informationKubernetes 101. Doug Davis, STSM September, 2017
Kubernetes 101 Doug Davis, STSM September, 2017 Today's Agenda What is Kubernetes? How was Kubernetes created? Where is the Kubernetes community? Technical overview What's the current status of Kubernetes?
More informationBuenos Aires 31 de Octubre de 2018
Buenos Aires 31 de Octubre de 2018 VMware NSX Data Center & Containers in the Dell EMC Ecosystem Gonzalo Atienza Sr Systems Engineer, Network & Security Business Unit, VMware Containers are Here to stay!
More informationBuilding an on premise Kubernetes cluster DANNY TURNER
Building an on premise Kubernetes cluster DANNY TURNER Outline What is K8s? Why (not) run k8s? Why run our own cluster? Building what the public cloud provides 2 Kubernetes Open-Source Container Management
More informationAn Introduction to Kubernetes
8.10.2016 An Introduction to Kubernetes Premys Kafka premysl.kafka@hpe.com kafkapre https://github.com/kafkapre { History }???? - Virtual Machines 2008 - Linux containers (LXC) 2013 - Docker 2013 - CoreOS
More informationIntroduction to Kubernetes
Introduction to Kubernetes Neil Peterson @nepeters #ITDEVCONNECTIONS Session Topics - Quick primer on containers - Container mgmt solutions - Kubernetes basics - Kubernetes deeper dive - Kubernetes beyond
More information$ wget V SOLUTIONS.tar.bz2 \ --user=lftraining --password=penguin2014
3.5. LABS 1 Exercise 3.1: Install Kubernetes Overview There are several Kubernetes installation tools provided by various vendors. In this lab we will learn to use kubeadm As an independent tool, it is
More informationCloud Native Networking
Webinar Series Cloud Native Networking January 12, 2017 Your Presenters Christopher Liljenstolpe CTO, Tigera / Founder, Project Calico Bryan Boreham Director of Engineering, WeaveWorks 2 Networking in
More informationagenda PAE Docker Docker PAE
Docker 2016.03.26 agenda PAE Docker Docker PAE 2 3 PAE PlCloud APP Engine Docker Docker Caas APP 4 APP APP volume images 5 App 6 APP Show Time 7 8 Docker Public DockerHup Private registry push pull AUFS
More informationImprove Performance of Kube-proxy and GTP-U using VPP
Improve Performance of Kube-proxy and GTP-U using VPP Hongjun Ni (hongjun.ni@intel.com) Danny Zhou (danny.zhou@intel.com) Johnson Li (johnson.li@intel.com) Network Platform Group, DCG, Intel Acknowledgement:
More informationMicroservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,
Microservices Chaos Kontrolle mit Kubernetes Robert Kubis - Developer Advocate, Google @hostirosti About me Robert Kubis Developer Advocate Google Cloud Platform London, UK hostirosti github.com/hostirosti
More informationDocker Networking: From One to Many. Don Mills
Docker Networking: From One to Many Don Mills What we are going to talk about Overview of traditional Docker networking Some demonstrations Questions New Docker features Some more demonstrations Questions
More informationMultiple Networks and Isolation in Kubernetes. Haibin Michael Xie / Principal Architect Huawei
Multiple Networks and Isolation in Kubernetes Haibin Michael Xie / Principal Architect Huawei Agenda CNI and network plug-ins Multiple network use cases, design and implementation Network multi-tenancy
More informationASP.NET Core & Docker
ASP.NET Core & Docker From 0 to Azure in 75 minutes Marco De Sanctis Visual Studio and Development Technologies MVP info@marcodesanctis.it @crad77 What s Docker and why should I care ASP.NET Core & Docker
More informationDefining Security for an AWS EKS deployment
Defining Security for an AWS EKS deployment Cloud-Native Security www.aporeto.com Defining Security for a Kubernetes Deployment Kubernetes is an open-source orchestrator for automating deployment, scaling,
More informationContainerisation with Docker & Kubernetes
Containerisation with Docker & Kubernetes Hello! I m Dan! Senior Field Engineer at Heptio VMware Ex: Heptio Docker Hewlett-Packard Enterprise SkyBet European Space Agency Still a maintainer and contributor
More informationFirewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.
Firews and NAT 1 Firews By conventional definition, a firew is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. firew isolates organization
More informationEnabling Multi-Cloud with Istio Stretching an Istio service mesh between Public & Private Clouds. John Joyce Robert Li
Enabling Multi-Cloud with Istio Stretching an Istio service mesh between Public & Private Clouds John Joyce Robert Li Introduction Extending an Application across Multiple Clouds Public Cloud microservice
More informationKubernetes on Openstack
Kubernetes on Openstack Saverio Proto saverio.proto@switch.ch Lugano 2018 SWITCH 1 Infrastructure & Data Services Your added value Our customers Our offer 2018 SWITCH 2 Your added value SWITCH made Swiss
More informationWhat s New in K8s 1.3
What s New in K8s 1.3 Carter Morgan Background: 3 Hurdles How do I write scalable apps? The App How do I package and distribute? What runtimes am I locked into? Can I scale? The Infra Is it automatic?
More informationDan Williams Networking Services, Red Hat
Networking Containers with Kubernetes and OpenShift Dan Williams Networking Services, Red Hat Kubernetes Components Web UI Pod apiserver etcd Container 1 Container 2 scheduler controller Command-line interface
More information@briandorsey #kubernetes #GOTOber
1 Kubernetes Changing the way we think and talk about computing GOTO Berlin - December 2015 2 What is this talk? Container 3 Brian Dorsey Developer Advocate - Google Cloud platform +BrianDorsey @briandorsey
More informationOracle Cloud Infrastructure Virtual Cloud Network Overview and Deployment Guide ORACLE WHITEPAPER JANUARY 2018 VERSION 1.0
Oracle Cloud Infrastructure Virtual Cloud Network Overview and Deployment Guide ORACLE WHITEPAPER JANUARY 2018 VERSION 1.0 Table of Contents Purpose of this Whitepaper 1 Scope & Assumptions 1 Virtual Cloud
More informationTable of Contents HOL CNA
Table of Contents Lab Overview - - Kubernetes - Getting Started... 2 Lab Guidance... 3 Module 1 - Introduction to Kubernetes (30 minutes)... 9 Introduction... 10 What is container orchestration and why
More informationLayer-4 to Layer-7 Services
Overview, page 1 Tenant Edge-Firewall, page 1 LBaaS, page 2 FWaaS, page 4 Firewall Configuration, page 6 Overview Layer-4 through Layer-7 services support(s) end-to-end communication between a source and
More informationKubernetes deep dive
Kubernetes deep dive Hello! אני מיקי חיוט, מתמחה בתחום כ- 20 שנים וב- 4 שנים האחרונות עובד בבית התוכנה "אינפיניטי" המעניק פתרונות טכנולוגיים בתחומי דבאופס, תשתיות, פיתוח, אבטחת מידע ובסיסי נתונים. Kubernetes
More informationCilium Documentation. Release v0.8. Cilium Authors
Cilium Documentation Release v0.8 Cilium Authors May 23, 2017 Contents: 1 Introduction to Cilium 1 1.1 What is Cilium?............................................. 1 1.2 Why Cilium?...............................................
More informationLinux Clusters Institute: OpenStack Neutron
Linux Clusters Institute: OpenStack Neutron Yale, August 13 th 17 th 2018 John Michael Lowe Senior Cloud Engineer Indiana University jomlowe@iu.edu Neutron SDN or not Network Namespaces Components Security
More informationKubernetes: What s New
Kubernetes: What s New LISA 15 Tim Hockin Senior Staff Software Engineer @thockin This is Kubernetes 201 If you re lost, I m happy to answer questions later or at the BoF tonight Obligatory
More informationDocker & Mesos/Marathon in production at OVH. Balthazar Rouberol https://ovh.to/6brrkan
Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6brrkan 1 About Docker at OVH 2014-2015: Home-made container orchestrator, Sailabove, based on LXC 2016: Switch to Docker
More informationOpenShift Dedicated 3 Release Notes
OpenShift Dedicated 3 Release Notes Last Updated: 2018-05-17 OpenShift Dedicated 3 Release Notes Legal Notice Copyright 2018 Red Hat, Inc. The text of and illustrations in this document are licensed by
More informationKubernetes. Introduction
Kubernetes Introduction WOJCIECH BARCZYŃSKI (hiring) Senior Software Engineer Lead of Warsaw Team - SMACC System Engineer background Interests: working software Hobby: teaching software engineering BACKGROUND
More informationCilium Documentation. Release v0.8. Cilium Authors
Cilium Documentation Release v0.8 Cilium Authors Apr 24, 2017 Table of contents: 1 Introduction to Cilium 1 1.1 What is Cilium?............................................. 1 1.2 Why Cilium?...............................................
More informationWhat s New in K8s 1.3
What s New in K8s 1.3 Carter Morgan Background: 3 Hurdles How do I write scalable apps? The App How do I package and distribute? What runtimes am I locked into? Can I scale? The Infra Is it automatic?
More informationNGINX: From North/South to East/West
NGINX: From North/South to East/West Reducing Complexity with API and Microservices Traffic Management and NGINX Plus Speakers: Alan Murphy, Regional Solution Architect, APAC September, 2018 About NGINX,
More informationKubernetes Basics. Christoph Stoettner Meetup Docker Mannheim #kubernetes101
Kubernetes Basics Christoph Stoettner +49 173 8588719 christoph.stoettner@panagenda.com 1 @stoeps Meetup Docker Mannheim #kubernetes101 Christoph Stoettner Senior Consultant at panagenda Linux (Slackware)
More informationDisclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
CNA1509BU Developer-Ready Infrastructure from VMware and Pivotal Merlin Glynn, VMware Ramiro Salas, Pivotal #VMworld #CNA1509BU Disclaimer This presentation may contain product features that are currently
More informationDocker Networking Deep Dive online meetup
Docker Networking Deep Dive online meetup 08/24/2016 @MadhuVenugopal Agenda What is libnetwork CNM 1.12 Features Multihost networking Secured Control plane & Data plane Service Discovery Native Loadbalacing
More informationLoadbalancer.org Virtual Appliance quick start guide v6.3
Loadbalancer.org Virtual Appliance quick start guide v6.3 What are your objectives?...2 What is the difference between a one-arm and a two-arm configuration?...2 What are the different load balancing methods
More informationBitnami s Kubernetes Projects Leverage Application delivery on Next Generation Platforms
Bitnami s Kubernetes Projects Leverage Application delivery on Next Generation Platforms Kubeapps Application Delivery Environment Kubeless Leading Kubernetes Native Serverless Platform Helm Charts The
More informationOverview of Container Management
Overview of Container Management Wyn Van Devanter @wynv Vic Kumar Agenda Why Container Management? What is Container Management? Clusters, Cloud Architecture & Containers Container Orchestration Tool Overview
More informationAGENDA Introduction Pivotal Cloud Foundry NSX-V integration with Cloud Foundry New Features in Cloud Foundry Networking NSX-T with Cloud Fou
NET1523BE INTEGRATING NSX AND CLOUD FOUNDRY Usha Ramachandran Staff Product Manager, Pivotal Sai Chaitanya Product Line Manager, VMware VMworld 2017 Content: Not for publication #VMworld AGENDA 1 2 3 4
More informationSingapore. Service Proxy, Container Networking & K8s. Acknowledgement: Pierre Pfister, Jerome John DiGiglio, Ray
Singapore Service Proxy, Container Networking & K8s Hongjun Ni Intel Email: hongjun.ni@intel.com Acknowledgement: Pierre Pfister, Jerome Tollet @Cisco John DiGiglio, Ray Kinsella @Intel Agenda What is
More informationTop Nine Kubernetes Settings You Should Check Right Now to Maximize Security
White Paper Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security If you use Kubernetes, you know how much it can increase development velocity and reduce operational complexity.
More informationK8s(Kubernetes) and SDN for Multi-access Edge Computing deployment
K8s(Kubernetes) and SDN for Multi-access Edge Computing deployment Open Source Summit Japan 2017.06.02 Red Hat Hyde SUGIYAMA Senior Principal Technologist NFV SDN ICT Red Hat APAC Office of Technology
More informationBuilding a Kubernetes on Bare-Metal Cluster to Serve Wikipedia. Alexandros Kosiaris Giuseppe Lavagetto
Building a Kubernetes on Bare-Metal Cluster to Serve Wikipedia Alexandros Kosiaris Giuseppe Lavagetto Introduction The Wikimedia Foundation is the organization running the infrastructure supporting Wikipedia
More informationIPv6 NAT. Open Source Days 9th-10th March 2013 Copenhagen, Denmark. Patrick McHardy
IPv6 NAT Open Source Days 9th-10th March 2013 Copenhagen, Denmark Patrick McHardy Netfilter and IPv6 NAT historically http://lists.netfilter.org/pipermail/netfilter/2005-march/059463.html
More informationOpenStack and OVN What s New with OVS 2.7 OpenStack Summit -- Boston 2017
OpenStack and OVN What s New with OVS 2.7 OpenStack Summit -- Boston 2017 Russell Bryant (@russellbryant) Justin Pettit (@Justin_D_Pettit) Ben Pfaff (@Ben_Pfaff) Virtual Networking Overview Provides a
More informationA Comparision of Service Mesh Options
A Comparision of Service Mesh Options Looking at Istio, Linkerd, Consul-connect Syed Ahmed - CloudOps Inc Introduction About Me Cloud Software Architect @ CloudOps PMC for Apache CloudStack Worked on network
More informationNeutron: peeking behind the curtains
Neutron: peeking behind the curtains (that is to say how Neutron builds virtual networks) Salvatore Orlando VMware Twitter: @taturiello IRC: salv-orlando Email: sorlando(at)vmware.com Before we start Make
More informationProject Kuryr. Antoni Segura Puimedon (apuimedo) Gal Sagie (gsagie)
Project Kuryr Antoni Segura Puimedon (apuimedo) Gal Sagie (gsagie) What are the problems? Reinventing networking abstractions Changing and vendor specific solutions Flannel Weave SocketPlane Overlay2 for
More informationHow Container Runtimes matter in Kubernetes?
How Container Runtimes matter in Kubernetes? Kunal Kushwaha NTT OSS Center About me Works @ NTT Open Source Software Center Contributes to containerd and other related projects. Docker community leader,
More informationKubernetes networking in the telco space
Kubernetes networking in the telco space LFN Developer Forum Gergely Csatari (using the materials of Robert Springer, and Peter Megyesi with the help of Levente Kale, Laszo Janosi and Gergo Huszty) 26-03-2018
More informationTable of Contents HOL NET
Table of Contents Lab Overview - - VMware NSX-T with Kubernetes... 2 Lab Guidance... 3 Module 1 - Introduction to Kubernetes and NSX-T (15 minutes)... 9 In this section, we will learn about Kubernetes....
More informationDisclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
CNA1142BE Developer-Ready Infrastructure from VMware and Pivotal Merlin Glynn (Vmware) Ramiro Salas (Pivotal) #VMworld #CNA1142BE Disclaimer This presentation may contain product features that are currently
More informationSo, I have all these containers! Now what?
So, I have all these containers! Now what? Image by Connie Zhou Developer View job hello_world = { runtime = { cell = 'ic' } // Cell (cluster) to run in binary = '.../hello_world_webserver' // Program
More informationPVS Deployment in the Cloud. Last Updated: June 17, 2016
PVS Deployment in the Cloud Last Updated: June 17, 2016 Contents Amazon Web Services Introduction 3 Software Requirements 4 Set up a NAT Gateway 5 Install PVS on the NAT Gateway 11 Example Deployment 12
More informationSimplify Container Networking With ican. Huawei Cloud Network Lab
Simplify Container Networking With ican Huawei Cloud Network Lab Container Network Defined By Application 2 What we face today Automation Deployment and Orchestration: Automate deploy resource for application
More informationF5 Solutions for Containers
Agility 2018 Hands-on Lab Guide F5 Solutions for Containers F5 Networks, Inc. 2 Contents: 1 Getting Started 5 2 Class 1: Introduction to Docker 7 3 Class 2: Introduction to Kubernetes 13 4 Class 3: Introduction
More informationVNS3 Configuration. ElasticHosts
VNS3 Configuration ElasticHosts Table of Contents Introduction 3 ElasticHosts Deployment Setup 9 VNS3 Configuration Document Links 23 2 Requirements 3 Requirements You have a ElasticHosts account (For
More information