Multiple Networks and Isolation in Kubernetes. Haibin Michael Xie / Principal Architect Huawei

Similar documents
Dan Williams Networking Services, Red Hat

Introduction to Kubernetes

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Infoblox IPAM Driver for Kubernetes User's Guide

Infoblox IPAM Driver for Kubernetes. Page 1

Service discovery in Kubernetes with Fabric8

Kubernetes - Networking. Konstantinos Tsakalozos

Overview of Container Management

Question: 2 Kubernetes changed the name of cluster members to "Nodes." What were they called before that? Choose the correct answer:

Kubernetes Container Networking with NSX-T Data Center Deep Dive

Project Calico v3.2. Overview. Architecture and Key Components. Project Calico provides network security for containers and virtual machine workloads.

Simplify Container Networking With ican. Huawei Cloud Network Lab

Hacking and Hardening Kubernetes

VMware Integrated OpenStack with Kubernetes Getting Started Guide. VMware Integrated OpenStack 4.1

Project Calico v3.1. Overview. Architecture and Key Components

Implementing SaaS on Kubernetes

Kubernetes and the CNI: Where we are and What s Next Casey Callendrello RedHat / CoreOS

An Introduction to Kubernetes

Datacenter Network Solutions Group

Scaling Jenkins with Docker and Kubernetes Carlos

VMware Integrated OpenStack with Kubernetes Getting Started Guide. VMware Integrated OpenStack 4.0

Wolfram Richter Red Hat. OpenShift Container Netzwerk aus Sicht der Workload

Code: Slides:

Secure Kubernetes Container Workloads

Kubernetes and the CNI: Where we are and What s Next Casey Callendrello RedHat / CoreOS

How to build scalable, reliable and stable Kubernetes cluster atop OpenStack.

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Scheduling in Kubernetes October, 2017

Efficiently exposing apps on Kubernetes at scale. Rasheed Amir, Stakater

OpenStack Magnum Hands-on. By Saulius Alisauskas and Bryan Havenstein

Life of a Packet. KubeCon Europe Michael Rubin TL/TLM in GKE/Kubernetes github.com/matchstick. logo. Google Cloud Platform

Multitenancy Deep Dive

Kuber-what?! Learn about Kubernetes

Kubernetes 101. Doug Davis, STSM September, 2017

OpenShift Dedicated 3 Release Notes

Kubernetes networking in the telco space

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

Getting Started with VMware Integrated OpenStack with Kubernetes. VMware Integrated OpenStack 5.1

Federated Prometheus Monitoring at Scale

Simplify Networking for Containers 叶磊曹水 华为中央软件院云网络实验室

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Building a Kubernetes on Bare-Metal Cluster to Serve Wikipedia. Alexandros Kosiaris Giuseppe Lavagetto

K8s(Kubernetes) and SDN for Multi-access Edge Computing deployment

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

Kubernetes introduction. Container orchestration

The speed of containers, the security of VMs

$ wget V SOLUTIONS.tar.bz2 \ --user=lftraining --password=penguin2014

Services and Networking

Note: Currently (December 3, 2017), the new managed Kubernetes service on Azure (AKS) does not yet support Windows agents.

Continuous delivery while migrating to Kubernetes

Triangle Kubernetes Meet Up #3 (June 9, 2016) From Beginner to Expert

Singapore. Service Proxy, Container Networking & K8s. Acknowledgement: Pierre Pfister, Jerome John DiGiglio, Ray

Cloud Native Networking

The speed of containers, the security of VMs. KataContainers.io

Maximizing Network Throughput for Container Based Storage David Borman Quantum

Kubernetes - Load Balancing For Virtual Machines (Pods)

Kubernetes: Twelve KeyFeatures

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

Project Kuryr. Antoni Segura Puimedon (apuimedo) Gal Sagie (gsagie)

Kubernetes on Openstack

Kubernetes: What s New

Oracle Cloud 1z0-932

OPENSHIFT FOR OPERATIONS. Jamie Cloud Guy - US Public Sector at Red Hat

A day in the life of a log message Kyle Liberti, Josef

Table of Contents HOL NET

Stackube Documentation

Virtual Private Cloud. User Guide. Issue 21 Date HUAWEI TECHNOLOGIES CO., LTD.

Kubernetes Love at first sight?

A REFERENCE ARCHITECTURE FOR DEPLOYING WSO2 MIDDLEWARE ON KUBERNETES

Creating a Multi-Container Pod

Project Kuryr. Here comes advanced services for containers networking. Antoni Segura

Cisco Virtual Update Container networking. Hans Donnerborg, Lars Granberg, Maj 2018

Dockercon 2017 Networking Workshop

Dataplane Networking journey in Containers

Container Orchestration on Amazon Web Services. Arun

Kubernetes Ingress Virtual Service Configuration

K8s(Kubernetes) and SDN for Multi-access Edge Computing deployment

Continuous Delivery of Micro Applications with Jenkins, Docker & Kubernetes at Apollo

Kubernetes Ingress Virtual Service Configuration

agenda PAE Docker Docker PAE

Table of Contents HOL CNA

Using Custom Resources to Provide Cloud Native API Management Frank B Greco Jr, Cloud Native Engineer, Northwestern Mutual

OPENSTACK + KUBERNETES + HYPERCONTAINER. The Container Platform for NFV

FD.io VPP & Ligato Use Cases. Contiv-VPP CNI plugin for Kubernetes IPSEC VPN gateway

Node Feature Discovery

Implementing Container Application Platforms with Cisco ACI

Kubernetes on Azure. Daniel Neumann Technology Solutions Professional Microsoft. Build, run and monitor your container applications

Kubernetes 1.9 Features and Future

Infoblox Kubernetes1.0.0 IPAM Plugin

S6245 IT-as-a-Service With Visually Intensive VDI TONY FOSTER PRINCIPAL TECHNICAL MARKETING ENGINEER

WHITE PAPER. Kubernetes Deployment Models: The Ultimate Guide

ENHANCE APPLICATION SCALABILITY AND AVAILABILITY WITH NGINX PLUS AND THE DIAMANTI BARE-METAL KUBERNETES PLATFORM

ASP.NET Core & Docker

Cloud I - Introduction

10 Kube Commandments

Important DevOps Technologies (3+2+3days) for Deployment

Installation and setup guide of 1.1 demonstrator

Kubernetes Integration Guide

Transcription:

Multiple Networks and Isolation in Kubernetes Haibin Michael Xie / Principal Architect Huawei

Agenda CNI and network plug-ins Multiple network use cases, design and implementation Network multi-tenancy requirement and implementation Demo

CNI and Network Plug-ins What is CNI Common container network interface specification and libraries for writing plugins to configure network interfaces in Linux containers. Assign IP to pod Kubelet startup parameter --network-plugin=cni --pod-cidr for pod IP addresses Network plugin assigns one IP from the CIDR to each pod Many third party network plugins https://github.com/containernetworking/cni

Definition of Multiple Networks Multiple physical networks Multiple logical networks Multiple network interfaces per container Multiple network address spaces per cluster Multiple network tenants per cluster Kubernetes Cluster Physical Network 1 Physical Network 2 Logical Network A Pod Logical Network B Logical Network C Pod Logical Network D Pod Pod

Multiple Networks Node1 Load Balancer Node2 Load Balancer Service1 Service2 Service1 Service2 eth0 eth1 eth0 eth1 flannel0 ican0 flannel0 ican0 veth0 veth1 veth0 veth1 veth3 eth0 SrcPod eth1 eth0 DestPodA eth1 DestPodB eth1

Why Multiple Networks Logical network abstraction IP space, quota/speed, network policies Multiple network tenants Physical isolation and logical isolation Use multiple network solutions User scenarios: NFV: access to control plane, data plane and monitor plane Applications that want to separate different traffic such as video streaming application IPV6 co-existing with IPV4 Applications have both internal and public access Servers that want to isolate traffic from multiple clients Utilizing multiple physical NICs on host

Changes to Kubernetes New physical network object New logical network object Pod object with multiple networks Service in specific logical network Network based scheduling Network tenancy isolation, bandwidth, QPS limiting etc

Multiple Network Workflow Physical network PhysicalNetworks.yaml { "provider": [ { name: phy_net0, description: ***}, { name: phy_net1, description: ***} ] } Service.yaml kind: Service apiversion: v1 metadata: name: my-service annotations: network: management spec: selector: app: MyApp ports: Logical network 1 2 4 ETCD ApiServer 3 Scheduler 1 2 CNS Master (ican master, flannel master ) LogicalNetwork.yaml apiversion: v1 kind: Network metadata: name: management labels: spec: physicalnet: phy_net0 plugin: Flannel ican subnet: 10.10.0.0/16 pod.yaml spec: containers: - image: test-webserver name: test-container metadata: annotations: networks: management:eth0 data:eth1 Master 2 Register node HostPhysicalNetwork.yaml { "provider": [{ alias: phy_net0, ref_nic: eth1, },{ alias: phy_net1, ref_nic: eth2, }] } kubelet 5 ican CNI Genie AND AND AND Network plugins flannel Slave

Network Tenancy Requirements Network isolation among tenants Limit access to other tenants containers/services Limit access to host network Limit access to other tenant s network resources like load balancers and DNS records Network connectivity Containers have internet access Allow services to have external IP for ingress Access other tenants containers/services

Network Tenancy How Logical network, Kubernetes namespace and tenant mappings Network isolation: Physical isolation IPTables VLAN/VXLAN DNS isolation access control, dedicated DNS Gateway for ingress/egress Misc: NodePort? Support multiple namespaces and/or multiple logical networks in one tenant Network based scheduling Network quota allocation Tenancy in federated clusters, cross data center or region

CNI-Genie Multiple physical and logical networks Adaptor to any network plug-in Network isolation with policy Admission control: validation, access control, scheduling SLA monitoring and enforcement

Example Usage List of slave nodes Node description List of Physical Networks List of Logical Networks

Example Usage Deploy pod

Example Usage Query pod

More? Code repository: https://github.com/huawei- PaaS/CNI-Genie/ Watch demo videos: - Physical network and logical network: https://asciinema.org/a/xu5jjejwq11ls3yiqnlyjrczh - Multiple IPs per pod: - https://asciinema.org/a/120338 - Co-existence of multiple plugins: - https://asciinema.org/a/120279 - CNI-Genie admission control: https://asciinema.org/a/klptt8j37jnjbtwkxzpgvkbui - Network policy controller: https://asciinema.org/a/kn4j3pcdx0hzj3me7a19qrnsw

Thank you Haibin Michael Xie haibin.michael.xie@huawei.com wechat: 153346957

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback