Project Calico v3.2. Overview. Architecture and Key Components. Project Calico provides network security for containers and virtual machine workloads.

Similar documents
Project Calico v3.1. Overview. Architecture and Key Components

Cloud Native Networking

Kubernetes - Networking. Konstantinos Tsakalozos

Life of a Packet. KubeCon Europe Michael Rubin TL/TLM in GKE/Kubernetes github.com/matchstick. logo. Google Cloud Platform

Kubernetes networking in the telco space

Red Hat OpenStack Platform 10 Red Hat OpenDaylight Product Guide

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Singapore. Service Proxy, Container Networking & K8s. Acknowledgement: Pierre Pfister, Jerome John DiGiglio, Ray

K8s(Kubernetes) and SDN for Multi-access Edge Computing deployment

Networking Approaches in. a Container World. Flavio Castelli Engineering Manager

Building NFV Solutions with OpenStack and Cisco ACI

EASILY DEPLOY AND SCALE KUBERNETES WITH RANCHER

Dan Williams Networking Services, Red Hat

Launching StarlingX. The Journey to Drive Compute to the Edge Pilot Project Supported by the OpenStack

Simplify Container Networking With ican. Huawei Cloud Network Lab

AGENDA Introduction Pivotal Cloud Foundry NSX-V integration with Cloud Foundry New Features in Cloud Foundry Networking NSX-T with Cloud Fou

Provisioning Overlay Networks

Kubernetes Integration Guide

Building a Kubernetes on Bare-Metal Cluster to Serve Wikipedia. Alexandros Kosiaris Giuseppe Lavagetto

Contrail Networking: Evolve your cloud with Containers

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Build Cloud like Rackspace with OpenStack Ansible

ENHANCE APPLICATION SCALABILITY AND AVAILABILITY WITH NGINX PLUS AND THE DIAMANTI BARE-METAL KUBERNETES PLATFORM

VXLAN Overview: Cisco Nexus 9000 Series Switches

Securing Microservice Interactions in Openstack and Kubernetes

Defining Security for an AWS EKS deployment

Wolfram Richter Red Hat. OpenShift Container Netzwerk aus Sicht der Workload

K8s(Kubernetes) and SDN for Multi-access Edge Computing deployment

Secure Kubernetes Container Workloads

Enabling Efficient and Scalable Zero-Trust Security

MidoNet Scalability Report

Implementing Container Application Platforms with Cisco ACI

Provisioning Overlay Networks

Cisco Virtual Networking Solution for OpenStack

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Linux Clusters Institute: OpenStack Neutron

Kubernetes Container Networking with NSX-T Data Center Deep Dive

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

OpenStack and OpenDaylight, the Evolving Relationship in Cloud Networking Charles Eckel, Open Source Developer Evangelist

Enterprise Kubernetes

Kubernetes: Twelve KeyFeatures

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Openstack Networking Design

Next-Generation Data Center Interconnect Powered by the Adaptive Cloud Fabric

Cloud I - Introduction

VMware Integrated OpenStack User Guide. VMware Integrated OpenStack 4.1

Cross-Site Virtual Network Provisioning in Cloud and Fog Computing

VMware Integrated OpenStack with Kubernetes Getting Started Guide. VMware Integrated OpenStack 4.1

OpenStack and OVN What s New with OVS 2.7 OpenStack Summit -- Boston 2017

Project Kuryr. Antoni Segura Puimedon (apuimedo) Gal Sagie (gsagie)

Virtual Infrastructure: VMs and Containers

Virtual Machine Manager Domains

Virtual Private Cloud. User Guide. Issue 03 Date

Cisco ACI Virtual Machine Networking

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

Maximizing Network Throughput for Container Based Storage David Borman Quantum

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Multiple Networks and Isolation in Kubernetes. Haibin Michael Xie / Principal Architect Huawei

Cisco ACI Virtual Machine Networking

Building a Video Optimized Private Cloud Platform on Cisco Infrastructure Rohit Agarwalla, Technical

Kuberiter White Paper. Kubernetes. Cloud Provider Comparison Chart. Lawrence Manickam Kuberiter Inc

Huawei CloudFabric and VMware Collaboration Innovation Solution in Data Centers

Oracle Cloud Infrastructure Virtual Cloud Network Overview and Deployment Guide ORACLE WHITEPAPER JANUARY 2018 VERSION 1.0

VMware Integrated OpenStack with Kubernetes Getting Started Guide. VMware Integrated OpenStack 4.0

Azure Compute. Azure Virtual Machines

Container Networking and Openstack. Fernando Sanchez Fawad Khaliq March, 2016

Locator ID Separation Protocol (LISP) Overview

Kubernetes 101. Doug Davis, STSM September, 2017

Weiterentwicklung von OpenStack Netzen 25G/50G/100G, FW-Integration, umfassende Einbindung. Alexei Agueev, Systems Engineer

A Comparision of Service Mesh Options

Service Mesh and Microservices Networking

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Virtualized Network Services SDN solution for enterprises

Thomas Lin, Naif Tarafdar, Byungchul Park, Paul Chow, and Alberto Leon-Garcia

Zero to Microservices in 5 minutes using Docker Containers. Mathew Lodge Weaveworks

Container Orchestration on Amazon Web Services. Arun

Dockercon 2017 Networking Workshop

Running RHV integrated with Cisco ACI. JuanLage Principal Engineer - Cisco May 2018

VMware Integrated OpenStack User Guide

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Exam Name: VMware Certified Associate Network Virtualization

2018 Cisco and/or its affiliates. All rights reserved.

Virtualized Network Services SDN solution for service providers

SUSE OpenStack Cloud Production Deployment Architecture. Guide. Solution Guide Cloud Computing.

Pluribus Adaptive Cloud Fabric

SD-WAN Deployment Guide (CVD)

Virtualization Design

NETWORK OVERLAYS: AN INTRODUCTION

EIGRP Over the Top. Finding Feature Information. Information About EIGRP Over the Top. EIGRP Over the Top Overview

Kuber-what?! Learn about Kubernetes

Higher scalability to address more Layer 2 segments: up to 16 million VXLAN segments.

Introduction to Segment Routing

An Introduction to Kubernetes

Evaluation of virtualization and traffic filtering methods for container networks

VMWARE PKS. What is VMware PKS? VMware PKS Architecture DATASHEET

Delivering Red Hat OpenShift at Ease on Red Hat OpenStack and RHV

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Layer-4 to Layer-7 Services

Transcription:

Project Calico v3.2 Overview Benefits Simplicity. Traditional Software Defined Networks (SDNs) are complex, making them hard to deploy and troubleshoot. Calico removes that complexity, with a simplified networking model designed for the demands of today s cloud-native applications. Scale. Unlike SDNs requiring a central controller that limits scalability, Calico is built on a fully distributed, scale-out architecture. So it scales smoothly from a single developer laptop to large enterprise deployments. Performance. Calico s architectural simplicity and use of the standard Linux data plane effectively deliver bare metal performance for virtual workloads. Security. Defining secure network policy used to be reserved for skilled network engineers. Calico s powerful micro-segmentation capabilities build on a simple policy language that naturally expresses the developer s intent. Open Source, Open Community. Calico is 100% open source, meaning it is free to use and modify. An active community of hundreds of contributors and thousands of users ensures the vibrancy and sustainability of the project. Project Calico provides network security for containers and virtual machine workloads. Calico creates and manages a flat Layer 3 network, assigning each workload a fully routable IP address. Workloads can communicate without IP encapsulation or network address translation for bare metal performance, easier troubleshooting, and better interoperability. In environments that require an overlay, Calico uses IP-in-IP tunneling or can work with other overlay networking such as flannel. Calico also provides dynamic enforcement of network security rules. Using Calico s simple policy language, you can achieve fine-grained control over communications between containers, virtual machine workloads, and bare metal host endpoints. Calico is proven in production at scale with a variety of orchestrators. Calico features integrations with Kubernetes, OpenShift, and OpenStack. Calico is also embedded in Amazon, Microsoft, Google, and IBM s Kubernetes services. Architecture and Key Components Orchestrator API host syncing component host container or workload Linux kernel orchestration component routing component routing iptables Felix Key/Value Store calicocti legacy host (optional) Linux kernel routing Felix iptables physical network Generalized Calico Architecture

Calico applies networking (routing) and network policy rules to virtual interfaces for orchestrated containers and virtual machines, as well as enforcement of network policy rules on host interfaces for servers and virtual machines. Each orchestrator (e.g., OpenStack, Kubernetes) has its own plug-in mechanisms, but the general architecture is the same across all orchestrators. A Calico plug-in interfaces with the orchestrator to listen for events related to workload creation/destruction and (if applicable) network policy configuration via the orchestrator APIs. The calicoctl CLI command provides operator access to commands and configuration options complementing the features available via the orchestrator plug-in. Either Calico or the orchestrator, depending on the platform, assigns IP addresses to each new workload. Global state (workload identity, IP addresses, and network policy) is shared among all nodes via a highly available distributed key/value store. Generally Calico uses etcd for this function, but when running in Kubernetes it can also use the Kubernetes API datastore (instead of accessing etcd directly). Note that there are some small functional restrictions when using the Kubernetes API datastore. The Calico Felix agent runs on each node, programs kernel routes to local workloads, and calculates and enforces the local filtering rules required by the current policies applied to the cluster. The Calico routing agent communicates with other nodes (and optionally the underlying network infrastructure) to ensure routability between all nodes within the cluster.

Features Routing BGP Peering Mesh mode All Automatically configures the Border Gateway Protocol control plane between hosts without any additional configuration or external route reflectors required. BGP Peering Infrastructure mode All Enables manual Border Gateway Protocol configuration to infrastructure routers and route reflectors. Configurable 4-byte AS number All Enables advanced networking configuration with larger autonomous system (AS) address space Native cloud networking (no overlay) All Enables communication between workloads without any overlay/encapsulation traffic is routed via standard IP protocols Flannel integration (Canal) Kubernetes Enables Calico policy to be applied in conjunction with Flannel networking Floating IPs OpenStack Enables OpenStack floating IP functionality - assigning a virtual IP to a specific VM Neutron host routes OpenStack For VMs with multiple NICs, enables specification of which NIC should be used for data to particular prefixes. Multiple IPs per VM OpenStack Enables assignment of multiple IP addresses (including mixed IPv4/v6) to a workload. Route Reflector All Calico includes a basic virtual route reflector for deployment scenarios an external route reflector is not available IP Address Management Calico IPAM Kubernetes (etcd only), IP Address Management (when used, Calico is responsible for assigning IP addresses to workloads; if not used, assignment is performed by the orchestrator) Dual stack (IPv4/v6) Allows multiple pools, each specified by an IPv4 or IPv6 CIDR Address aggregation: /26 per node, /26 advertised via BGP; rack aggregation Per-pod address or IP pool selection (Enables selection of a specific address, or which IP pool to assign an address from, via a pod annotation) CNI IPAM Kubernetes Support for CNI IPAM enables Calico to interoperate with external IP address management solutions Host Local IPAM, with endpoints advertised as multiple host routes (when using etcd) or aggregated (when using Kubernetes API datastore) Dual Stack (IPv4/v6) OpenStack Neutron IPAM* Integration OpenStack Calico interoperates with Neutron assignment of IP addresses to workloads (advertised as multiple host routes) IPAM override Kubernetes Manual IPv4 and IPv6 address assignment to pod, bypassing IPAM, via Kubernetes pod annotation

Control Plane Direct etcd access All Calico global state is stored in an etcd distributed data store (configurable, can be dedicated or shared) Kubernetes API datastore Kubernetes Calico global state is stored via calls to the Kubernetes API server (ultimately in the Kubernetes etcd) Data Plane Dual stack IPv4/6 All Data plane supports IPv4 and IPv6 datagrams Packet forwarding All Linux kernel Layer 3 forwarding L3/4 filtering All Filtering at Layer 3/4 via Linux kernel iptables with ipsets Access Control Lists Packet format options All Options for formatting of IP packets: Unencapsulated IP-IP (always or cross-subnet) VxLAN (via Flannel) Configurable MTU All The maximum transmission unit (MTU) size is configurable (either via CNI or calicoctl) for optimal network performance SNAT All Optional outgoing SNAT configured per IP pool Kube-proxy Compatibility All Standard upstream Kube-proxy supported without modifications. iptables and ipvs kube-proxy modes supported Network Policy Kubernetes Network Policy API Kubernetes Kubernetes Network Policy implementation is embedded in Amazon, Microsoft, Google, and IBM s Kubernetes services and supports: Namespace scope Ingress Egress (from Kubernetes 1.8) Allow/deny access to/from namespaces Labels CIDRs (ipblock) (from K8s 1.8) TCP/UDP ports Calico policy All Calico policies support the following capabilities: Ingress Egress Global or namespace scope Selections using label expressions across a range of resources (e.g. Pods, Namespaces, Service Accounts, Network Sets)Labels CIDRs Layer 4 protocols: TCP, UDP, ICMP, SCTP, UDPlite, numbered (1-255); all or selected port range Positive or negative match on protocol, CIDR, selector label expression ICMP type & code Ordering Optional conntrack bypassing Optional Pre-DNAT enforcement Actions: Allow/Deny

Network Policy (con t) Dynamic enforcement of fine-grained network access control All Calico policies are enforced in real-time, typically within a small number of milliseconds, as workloads are created/moved/destroyed, labels are applied/updated/deleted, and policies are created/updated/deleted. Application Layer Support for Calico Kubernetes Supports writing policies that enforce against application layer attributes like HTTP methods or paths as well as against cryptographically secure identities. Network sets Kubernetes For applying policy to traffic coming from (or going to) external, non- Calico, networks. Policy enforcement host interfaces All Supports enforcement of network policies on host interfaces: Local host protection for non-virtualized workloads Gateway for transit/forwarded traffic Policy enforcement containers Kubernetes Supports enforcement of network policies on container virtual ethernet interfaces Policy enforcement virtual machines OpenStack Supports enforcement of network policies on VM tap interfaces Monitoring Readiness and liveness checks (for Felix and Typha components) Kubernetes Integrates with Kubernetes readiness/liveness checking Prometheus statistics (beta) All Enables reporting of key Calico performance metrics via Prometheus time series database Logging (via syslog) All Supports logging with: Multiple levels (Felix): none, debug, info, warning, error, critical Configurable local log file Configurable syslog threshold Horizon liveness reporting OpenStack Liveness reporting to the Horizon dashboard for Felix agent and each configured TAP interface Supported Platforms Orchestrators Calico supports the following versions. Other platforms and/or versions may work but have not been tested. Orchestrator Versions Kubernetes 1.8, 1.9, 1.10, 1.1 OpenStack Queens OpenShift 3.9

Public Cloud Calico has been successfully deployed across many public cloud providers including: AWS Microsoft Azure Google Cloud Platform IBM Cloud In addition, Calico is integrated with Amazon Elastic Container Service for Kubernetes (EKS) Microsoft Azure Container Service (AKS) Microsoft Azure Container Service Engine (ACS Engine) Google Container Engine IBM Cloud Container Service About Project Calico Calico is a community-driven open source (Apache 2.0 licensed) project, led by Tigera (www.tigera.io), with many contributors from across its diverse user and vendor community. For more information including access to community forums, documentation, and commercial support services, visit www.projectcalico.org. All specifications subject to change without notice. Features marked * are supported by Calico 2.6.4, and planned for Calico 3.1. Project Calico and the Project Calico logo are registered trademarks of Tigera, Inc. in the United States and other countries. Copyright 2018 Tigera, Inc. All rights reserved. Support, Training, Professional Services and Enterprise Software provided by Tigera

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback