SlideShare une entreprise Scribd logo

Open stackaustinmeetupsept21

Télécharger en tant que PPTX, PDF
Brent Doncaster
Brent Doncaster

Presentation slides for the Sept 2017 Austin OpenStack Meetup.

Technologie
1  sur  43
Kubernetes Networking Intro for Stackers Pino de Candia @ Huawei
Talk Outline • Kubernetes networking • Kuryr • Dragonflow
Kubernetes Networking
Containers vs. Pods • Containers in the same pod communicate via loopback • Multiple containers in a Pod; single network namespace. • Containers are NOT bridged inside a Pod. Pod C1 C2 C3 eth0
Containers vs. Pods Analogy - = + H O H H O H2O C12H22O11 https://speakerdeck.com/thockin/kubernetes-understanding- pods-vs-containers - Process ~ Particle - Container ~ Atom - Pod ~ Molecule - Application ~ Combination of molecules
K8s Networking Manifesto • all containers can communicate with all other containers without NAT • all nodes can communicate with all containers (and vice-versa) without NAT • the IP that a container sees itself as is the same IP that others see it as
Minimal network setup! • IP per pod • K8s is ready to deploy Pods after install • No L2 Network, Network Port, Subnet, FloatingIP, Security Group, Router, Firewall, DHCP… • In general, user doesn’t have to draw network diagrams
Network diagram Pod Node 1 Pod Pod Pod Pod Pod DNS Pod Node 2 Node 3 Svc VIP Svc VIP Svc VIP DNS VIP DNS Pod DNS Pod IP Network
Think about Services, not Pods • Pods are grouped by label • Pods are automatically managed • Sets of pods provide a service • Service IP/port is load-balanced to pods • Service names auto-registered in DNS
The service architecture PodReplicaSet Pod Pod Endpoints Service Deployment DNS IP1 IP2 IP3 managesmanages LB reads clusterIP, externalIP reads Client Auto-scaler
ReplicationController, ReplicaSet apiVersion: v1 kind: ReplicationController metadata: name: nginx spec: replicas: 3 selector: app: nginx template: metadata: name: nginx labels: app: nginx spec: containers: - name: nginx image: nginx ports: - containerPort: 80 • Pets vs. Cattle • Don’t deploy just one pod • Deploy something to manage pods for you • Label your Pods
Fundamentals: Pods are ephemeral • A Pod can be killed at any time • A new Pod may be created at any time • No Pod migration! – Port/VIF/IP address doesn’t need to move – Even pods in a StatefulSet change address
Deployment apiVersion: apps/v1beta1 kind: Deployment metadata: name: my-nginx spec: replicas: 2 template: metadata: labels: run: my-nginx spec: containers: - name: my-nginx image: nginx ports: - containerPort: 80 • ReplicationController came first • ReplicaSet has a more expressive selector • Deployment enables declarative updates for ReplicaSet
Service – L4 load balancing apiVersion: v1 kind: Service metadata: name: my-nginx labels: run: my-nginx spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: run: my-nginx • Adds pods to an Endpoints object – …if a selector is defined, otherwise you manage Endpoints object some other way • supports TCP and UDP and liveness probes • East-West (pod-to-pod) using a “clusterIP” • North-South using NodePort, ExternalIP, or LoadBalancer (as specified in template) • Type LoadBalancer behavior depends on implementation (and varies by hosting cloud)
NodePort and ExternalIP use ClusterIP 10.0.0.2 Port 30001  clusterIP:port clusterIP:port  A:p1, B:p2 externalIP:port  clusterIP:port Service1 -> clusterIP:port, NodePort 30001, Endpoints1 Endpoints1-> A:p1, B:p2 10.0.0.3 Port 30001  clusterIP:port clusterIP:port  A:p1, B:p2 externalIP:port  clusterIP:port 10.0.0.4 Port 30001  clusterIP:port clusterIP:port  A:p1, B:p2 externalIP:port  clusterIP:port A B
East-West (pod-to-pod) load-balancing clusterIP:port  A:p1, B:p2 clusterIP:port  A:p1, B:p2 A B Client Pod IP unchanged, clusterIP:port changed to service Pod IP and targetPort
North-South load-balancing with NodePort 10.0.0.2 10.0.0.3 Port 30001  clusterIP:port clusterIP:port  A:p1, B:p2 10.0.0.4 A B First, SNAT+DNAT - clientIP to nodeIP, NodePort to clusterIP:port Then DNAT - clusterIP:port to service pod:targetPort
DNS records for Services • With clusterIP: – creates DNS A and SRV records of Service.Namespace  clusterIP/port • Without clusterIP (Headless): – With selectors: • manages Endpoints and creates DNS A records for each IP – Without selectors: • With ExternalName  creates DNS CNAME record • Without ExternalName  expects someone else to manage Endpoints and creates DNS A records for each IP
Service discovery • Via environment variables • Via DNS
Canonical workflow 1. Service records are registered in DNS 2. Client pod queries DNS for service 3. Client sends service request 4. KubeProxy (or other SDN) L4 load- balances it to one of the Endpoints.
Overview Diagram PodReplicaSet Pod Pod Endpoints Service Deployment DNS IP1 IP2 IP3 managesmanages LB reads clusterIP, externalIP reads Client Auto-scaler 1 2 3 4 5 6 7
Ingress – L7 routing apiVersion: extensions/v1beta1 kind: Ingress metadata: name: test annotations: ingress.kubernetes.io/rewrite-target: / spec: rules: - host: foo.bar.com http: paths: - path: /foo backend: serviceName: s1 servicePort: 80 - path: /bar backend: serviceName: s2 servicePort: 80 • Route different URL paths to different backend services • Different Ingress controllers implement different feature subsets • DNS behavior depends on the controller
Namespaces • A scope for names and labels • Mechanism to attach authorization and policy – Namespaces can map to organizations or projects • Scope for quotas – Total quotas as well as per-resource limits are defined per namespace
NetworkPolicy – Security apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: role: db ingress: - from: - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 6379 • Anyone can query DNS for services in any namespace • By default pods receive traffic from anywhere • Pods selected by a NetworkPolicy allow in only what’s explicitly allowed – E.g. Pods with label “role:db” should allow TCP to port 6379 from pods with label “role:frontend” in namespaces with label “project:myproject” • Only ingress rules in v1.7 – Egress, QoS and other rules in progress NetworkPolicy
Comparison to OpenStack • Less networking • No DHCP • No Metadata Service or Proxy • Service is the central concept • Similar to Heat, but more opinionated • No IPSec VPN, port mirroring, QoS, service chaining…
Other network-related topics • Number of interfaces (or IPs) per pod • Federation/Ubernetes and Ubernetes Lite • Service Meshes (Istio)
Network providers/controllers • Romana • Cilium • Trireme • NGINX Ingress • GCE • AWS • Azure • KubeDNS/SkyDNS • KubeProxy • Flannel • Weave • Kuryr • Calico and Canal • Contiv
Kubernetes Admin Challenges • What’s the right combination of controllers? • How to keep users informed of the features you support. • Underlay design • VMs vs. Bare Metal • How many clusters/deployments? • Connectivity across environments and clouds
Kuryr
Kuryr motivation • It’s hard to connect VMs, bare-metal and containers • Overlay2 for containers in VMs • Smooth transition to cloud-native and micro-services
Kuryr-Kubernetes Port per Pod Pod Pod Pod Pod Pod Pod VM VM VM VM
Neutron-port-per-Pod, nested case VM Pod Pod Pod eth0 eth0.10 eth0.20 eth0.30 VM Pod Pod Pod network A network B network C network D trunk port child ports Each Pod gets a separate port-level firewall, like any VM in Neutron
Kuryr-Kubernetes Macvlan Pod PodPod PodPod PodVM VM VM VM Pods get a MAC and IP directly on the VM’s network. VM and nested Pod MACs/Ips all on the VM’s single Neutron port. Simple, but no NetworkPolicy support.
Kuryr today supports • Kubernetes native networking • Pod gets a Neutron port – Or macvlan per Pod • Single tenant • Full connectivity (default) • K8s ClusterIP Services (Neutron LBaaS) • Bare metal and Pod-in-VM
Kuryr-Kubernetes Architecture
Dragonflow
Dragonflow motivation • Enterprise-grade OpenSource SDN • That’s vendor-neutral • That’s simple, stable, flexible • And scales
Neutron-Server Dragonflow Plugin DB OVS Dragonflow DB Driver Compute Node OVS Dragonflow DB Driver Compute Node OVS Dragonflow DB Driver Compute Node OVS Dragonflow DB Driver Compute Node DB VM VM .. VM VM .. VM VM .. VM VM .. Dragonflow – distributed controller
Dragonflow scale – Redis test
Dragonflow’s pluggable DB and Pub-Sub • DB – Etcd – Redis – Zookeeper – RAMcloud – Cassandra • Pub-Sub – Redis – ZeroMQ (Neutron) – Etcd
Dragonflow Pipeline Installed in every OVS Service Traffic Classification Ingress Processing (NAT, BUM) ARP DHCP L2 Lookup L3 Lookup DVR Egress Dispatching outgoing traffic to external nodes or local ports Ingress Port Security (ARP spoofing , SG, …) Egress Port Security Egress Processing (NAT) Fully Proactive Has Reactive Flows to Controller Security Groups … Outgoing from local port Classification and tagging Dispatching Incoming traffic from external nodes to local ports
Dragonflow recent features • Pike – BGP dynamic routing – Service Function Chaining – IPv6 – Trunk ports – Distributed SNAT
Thanks

Recommandé

2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration
2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration
2014 OpenStack Summit - Neutron OVS to LinuxBridge MigrationJames Denton
 
Docker networking tutorial 102
Docker networking tutorial 102Docker networking tutorial 102
Docker networking tutorial 102LorisPack Project
 
Docker networking
Docker networkingDocker networking
Docker networkinglakshman kumar Vit.Lakshman
 
OpenStack: Virtual Routers On Compute Nodes
OpenStack: Virtual Routers On Compute NodesOpenStack: Virtual Routers On Compute Nodes
OpenStack: Virtual Routers On Compute Nodesclayton_oneill
 
Docker networking Tutorial 101
Docker networking Tutorial 101Docker networking Tutorial 101
Docker networking Tutorial 101LorisPack Project
 
Docker summit : Docker Networking Control-plane & Data-Plane
Docker summit : Docker Networking Control-plane & Data-PlaneDocker summit : Docker Networking Control-plane & Data-Plane
Docker summit : Docker Networking Control-plane & Data-PlaneMadhu Venugopal
 
OpenStack networking - Neutron deep dive with PLUMgrid
OpenStack networking - Neutron deep dive with PLUMgridOpenStack networking - Neutron deep dive with PLUMgrid
OpenStack networking - Neutron deep dive with PLUMgridKamesh Pemmaraju
 
OpenStack Neutron Liberty Updates
OpenStack Neutron Liberty UpdatesOpenStack Neutron Liberty Updates
OpenStack Neutron Liberty Updatesmestery
 

Recommandé

2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration
2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration
2014 OpenStack Summit - Neutron OVS to LinuxBridge MigrationJames Denton
 
Docker networking tutorial 102
Docker networking tutorial 102Docker networking tutorial 102
Docker networking tutorial 102LorisPack Project
 
Docker networking
Docker networkingDocker networking
Docker networkinglakshman kumar Vit.Lakshman
 
OpenStack: Virtual Routers On Compute Nodes
OpenStack: Virtual Routers On Compute NodesOpenStack: Virtual Routers On Compute Nodes
OpenStack: Virtual Routers On Compute Nodesclayton_oneill
 
Docker networking Tutorial 101
Docker networking Tutorial 101Docker networking Tutorial 101
Docker networking Tutorial 101LorisPack Project
 
Docker summit : Docker Networking Control-plane & Data-Plane
Docker summit : Docker Networking Control-plane & Data-PlaneDocker summit : Docker Networking Control-plane & Data-Plane
Docker summit : Docker Networking Control-plane & Data-PlaneMadhu Venugopal
 
OpenStack networking - Neutron deep dive with PLUMgrid
OpenStack networking - Neutron deep dive with PLUMgridOpenStack networking - Neutron deep dive with PLUMgrid
OpenStack networking - Neutron deep dive with PLUMgridKamesh Pemmaraju
 
OpenStack Neutron Liberty Updates
OpenStack Neutron Liberty UpdatesOpenStack Neutron Liberty Updates
OpenStack Neutron Liberty Updatesmestery
 
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Nati Shalom
 
Whats new in neutron for open stack havana
Whats new in neutron for open stack havanaWhats new in neutron for open stack havana
Whats new in neutron for open stack havanaKamesh Pemmaraju
 
OpenStack Neutron 201 1hr
OpenStack Neutron 201 1hr OpenStack Neutron 201 1hr
OpenStack Neutron 201 1hr David Lenwell
 
Quantum (OpenStack Meetup Feb 9th, 2012)
Quantum (OpenStack Meetup Feb 9th, 2012)Quantum (OpenStack Meetup Feb 9th, 2012)
Quantum (OpenStack Meetup Feb 9th, 2012)Dan Wendlandt
 
Open stack networking_101_update_2014
Open stack networking_101_update_2014Open stack networking_101_update_2014
Open stack networking_101_update_2014yfauser
 
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...Dave Neary
 
Kubernetes on open stack
Kubernetes on open stackKubernetes on open stack
Kubernetes on open stackNaveen Joy
 
OpenStack Networking and Automation
OpenStack Networking and AutomationOpenStack Networking and Automation
OpenStack Networking and AutomationAdam Johnson
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetesJuraj Hantak
 
OpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual RouterOpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual Routercarlbaldwin
 
4. Kubernetes - Application centric infrastructure kubernetes, contiv
4. Kubernetes - Application centric infrastructure kubernetes, contiv4. Kubernetes - Application centric infrastructure kubernetes, contiv
4. Kubernetes - Application centric infrastructure kubernetes, contivJuraj Hantak
 
rtnetlink
rtnetlinkrtnetlink
rtnetlinkTaku Fukushima
 
Openstack Basic with Neutron
Openstack Basic with NeutronOpenstack Basic with Neutron
Openstack Basic with NeutronKwonSun Bae
 
Building a sdn solution for the deployment of web application stacks in docker
Building a sdn solution for the deployment of web application stacks in dockerBuilding a sdn solution for the deployment of web application stacks in docker
Building a sdn solution for the deployment of web application stacks in dockerJorge Juan Mendoza
 
Linux Tag 2014 OpenStack Networking
Linux Tag 2014 OpenStack NetworkingLinux Tag 2014 OpenStack Networking
Linux Tag 2014 OpenStack Networkingyfauser
 
OpenStack Neutron behind the Scenes
OpenStack Neutron behind the ScenesOpenStack Neutron behind the Scenes
OpenStack Neutron behind the ScenesAnil Bidari ( CEO , Cloud Enabled)
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenesinbroker
 
MidoNet deep dive
MidoNet deep diveMidoNet deep dive
MidoNet deep diveTaku Fukushima
 
Overview of Distributed Virtual Router (DVR) in Openstack/Neutron
Overview of Distributed Virtual Router (DVR) in Openstack/NeutronOverview of Distributed Virtual Router (DVR) in Openstack/Neutron
Overview of Distributed Virtual Router (DVR) in Openstack/Neutronvivekkonnect
 
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...Guillaume Morini
 
Container network security
Container network securityContainer network security
Container network securityDaisuke Nakajima
 
Demystfying container-networking
Demystfying container-networkingDemystfying container-networking
Demystfying container-networkingBalasundaram Natarajan
 

Contenu connexe

Tendances

Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Nati Shalom
 
Whats new in neutron for open stack havana
Whats new in neutron for open stack havanaWhats new in neutron for open stack havana
Whats new in neutron for open stack havanaKamesh Pemmaraju
 
OpenStack Neutron 201 1hr
OpenStack Neutron 201 1hr OpenStack Neutron 201 1hr
OpenStack Neutron 201 1hr David Lenwell
 
Quantum (OpenStack Meetup Feb 9th, 2012)
Quantum (OpenStack Meetup Feb 9th, 2012)Quantum (OpenStack Meetup Feb 9th, 2012)
Quantum (OpenStack Meetup Feb 9th, 2012)Dan Wendlandt
 
Open stack networking_101_update_2014
Open stack networking_101_update_2014Open stack networking_101_update_2014
Open stack networking_101_update_2014yfauser
 
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...Dave Neary
 
Kubernetes on open stack
Kubernetes on open stackKubernetes on open stack
Kubernetes on open stackNaveen Joy
 
OpenStack Networking and Automation
OpenStack Networking and AutomationOpenStack Networking and Automation
OpenStack Networking and AutomationAdam Johnson
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetesJuraj Hantak
 
OpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual RouterOpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual Routercarlbaldwin
 
4. Kubernetes - Application centric infrastructure kubernetes, contiv
4. Kubernetes - Application centric infrastructure kubernetes, contiv4. Kubernetes - Application centric infrastructure kubernetes, contiv
4. Kubernetes - Application centric infrastructure kubernetes, contivJuraj Hantak
 
Openstack Basic with Neutron
Openstack Basic with NeutronOpenstack Basic with Neutron
Openstack Basic with NeutronKwonSun Bae
 
Building a sdn solution for the deployment of web application stacks in docker
Building a sdn solution for the deployment of web application stacks in dockerBuilding a sdn solution for the deployment of web application stacks in docker
Building a sdn solution for the deployment of web application stacks in dockerJorge Juan Mendoza
 
Linux Tag 2014 OpenStack Networking
Linux Tag 2014 OpenStack NetworkingLinux Tag 2014 OpenStack Networking
Linux Tag 2014 OpenStack Networkingyfauser
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenesinbroker
 
Overview of Distributed Virtual Router (DVR) in Openstack/Neutron
Overview of Distributed Virtual Router (DVR) in Openstack/NeutronOverview of Distributed Virtual Router (DVR) in Openstack/Neutron
Overview of Distributed Virtual Router (DVR) in Openstack/Neutronvivekkonnect
 
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...Guillaume Morini
 

Tendances (20)

Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
 
Whats new in neutron for open stack havana
Whats new in neutron for open stack havanaWhats new in neutron for open stack havana
Whats new in neutron for open stack havana
 
OpenStack Neutron 201 1hr
OpenStack Neutron 201 1hr OpenStack Neutron 201 1hr
OpenStack Neutron 201 1hr
 
Quantum (OpenStack Meetup Feb 9th, 2012)
Quantum (OpenStack Meetup Feb 9th, 2012)Quantum (OpenStack Meetup Feb 9th, 2012)
Quantum (OpenStack Meetup Feb 9th, 2012)
 
Open stack networking_101_update_2014
Open stack networking_101_update_2014Open stack networking_101_update_2014
Open stack networking_101_update_2014
 
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
 
Kubernetes on open stack
Kubernetes on open stackKubernetes on open stack
Kubernetes on open stack
 
OpenStack Networking and Automation
OpenStack Networking and AutomationOpenStack Networking and Automation
OpenStack Networking and Automation
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
 
OpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual RouterOpenStack Neutron's Distributed Virtual Router
OpenStack Neutron's Distributed Virtual Router
 
4. Kubernetes - Application centric infrastructure kubernetes, contiv
4. Kubernetes - Application centric infrastructure kubernetes, contiv4. Kubernetes - Application centric infrastructure kubernetes, contiv
4. Kubernetes - Application centric infrastructure kubernetes, contiv
 
rtnetlink
rtnetlinkrtnetlink
rtnetlink
 
Openstack Basic with Neutron
Openstack Basic with NeutronOpenstack Basic with Neutron
Openstack Basic with Neutron
 
Building a sdn solution for the deployment of web application stacks in docker
Building a sdn solution for the deployment of web application stacks in dockerBuilding a sdn solution for the deployment of web application stacks in docker
Building a sdn solution for the deployment of web application stacks in docker
 
Linux Tag 2014 OpenStack Networking
Linux Tag 2014 OpenStack NetworkingLinux Tag 2014 OpenStack Networking
Linux Tag 2014 OpenStack Networking
 
OpenStack Neutron behind the Scenes
OpenStack Neutron behind the ScenesOpenStack Neutron behind the Scenes
OpenStack Neutron behind the Scenes
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenes
 
MidoNet deep dive
MidoNet deep diveMidoNet deep dive
MidoNet deep dive
 
Overview of Distributed Virtual Router (DVR) in Openstack/Neutron
Overview of Distributed Virtual Router (DVR) in Openstack/NeutronOverview of Distributed Virtual Router (DVR) in Openstack/Neutron
Overview of Distributed Virtual Router (DVR) in Openstack/Neutron
 
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
 

Similaire à Open stackaustinmeetupsept21

Container network security
Container network securityContainer network security
Container network securityDaisuke Nakajima
 
KuberNETes - meetup
KuberNETes - meetupKuberNETes - meetup
KuberNETes - meetupNathan Ness
 
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...Cynthia Thomas
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch IntroductionHungWei Chiu
 
Container world hybridnetworking_rev2
Container world hybridnetworking_rev2Container world hybridnetworking_rev2
Container world hybridnetworking_rev2Prem Sankar Gopannan
 
Tungsten Fabric Overview
Tungsten Fabric OverviewTungsten Fabric Overview
Tungsten Fabric OverviewMichelle Holley
 
Docker Networking : 0 to 60mph slides
Docker Networking : 0 to 60mph slidesDocker Networking : 0 to 60mph slides
Docker Networking : 0 to 60mph slidesDocker, Inc.
 
99cloud Docker Training module 2
99cloud Docker Training module 299cloud Docker Training module 2
99cloud Docker Training module 2Liang Bo
 
Overlay/Underlay - Betting on Container Networking
Overlay/Underlay - Betting on Container NetworkingOverlay/Underlay - Betting on Container Networking
Overlay/Underlay - Betting on Container NetworkingLee Calcote
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basicsJuraj Hantak
 
Docker Networking in OpenStack: What you need to know now
Docker Networking in OpenStack: What you need to know nowDocker Networking in OpenStack: What you need to know now
Docker Networking in OpenStack: What you need to know nowPLUMgrid
 
neutron_icehouse_update
neutron_icehouse_updateneutron_icehouse_update
neutron_icehouse_updateAkihiro Motoki
 
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...Ajeet Singh Raina
 
Kubernetes Internals
Kubernetes InternalsKubernetes Internals
Kubernetes InternalsShimi Bandiel
 
Overview of OpenDaylight Container Orchestration Engine Integration
Overview of OpenDaylight Container Orchestration Engine IntegrationOverview of OpenDaylight Container Orchestration Engine Integration
Overview of OpenDaylight Container Orchestration Engine IntegrationMichelle Holley
 

Similaire à Open stackaustinmeetupsept21 (20)

Container network security
Container network securityContainer network security
Container network security
 
Demystfying container-networking
Demystfying container-networkingDemystfying container-networking
Demystfying container-networking
 
KuberNETes - meetup
KuberNETes - meetupKuberNETes - meetup
KuberNETes - meetup
 
Kubernetes networks
Kubernetes networksKubernetes networks
Kubernetes networks
 
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch Introduction
 
CloudStack and SDN
CloudStack and SDNCloudStack and SDN
CloudStack and SDN
 
Container world hybridnetworking_rev2
Container world hybridnetworking_rev2Container world hybridnetworking_rev2
Container world hybridnetworking_rev2
 
Tungsten Fabric Overview
Tungsten Fabric OverviewTungsten Fabric Overview
Tungsten Fabric Overview
 
Docker Networking : 0 to 60mph slides
Docker Networking : 0 to 60mph slidesDocker Networking : 0 to 60mph slides
Docker Networking : 0 to 60mph slides
 
99cloud Docker Training module 2
99cloud Docker Training module 299cloud Docker Training module 2
99cloud Docker Training module 2
 
Container Networking Deep Dive
Container Networking Deep DiveContainer Networking Deep Dive
Container Networking Deep Dive
 
Quick introduction to Kubernetes
Quick introduction to KubernetesQuick introduction to Kubernetes
Quick introduction to Kubernetes
 
Overlay/Underlay - Betting on Container Networking
Overlay/Underlay - Betting on Container NetworkingOverlay/Underlay - Betting on Container Networking
Overlay/Underlay - Betting on Container Networking
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basics
 
Docker Networking in OpenStack: What you need to know now
Docker Networking in OpenStack: What you need to know nowDocker Networking in OpenStack: What you need to know now
Docker Networking in OpenStack: What you need to know now
 
neutron_icehouse_update
neutron_icehouse_updateneutron_icehouse_update
neutron_icehouse_update
 
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
 
Kubernetes Internals
Kubernetes InternalsKubernetes Internals
Kubernetes Internals
 
Overview of OpenDaylight Container Orchestration Engine Integration
Overview of OpenDaylight Container Orchestration Engine IntegrationOverview of OpenDaylight Container Orchestration Engine Integration
Overview of OpenDaylight Container Orchestration Engine Integration
 

Dernier

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Dernier (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Open stackaustinmeetupsept21

  • 1. Kubernetes Networking Intro for Stackers Pino de Candia @ Huawei
  • 2. Talk Outline • Kubernetes networking • Kuryr • Dragonflow
  • 4. Containers vs. Pods • Containers in the same pod communicate via loopback • Multiple containers in a Pod; single network namespace. • Containers are NOT bridged inside a Pod. Pod C1 C2 C3 eth0
  • 5. Containers vs. Pods Analogy - = + H O H H O H2O C12H22O11 https://speakerdeck.com/thockin/kubernetes-understanding- pods-vs-containers - Process ~ Particle - Container ~ Atom - Pod ~ Molecule - Application ~ Combination of molecules
  • 6. K8s Networking Manifesto • all containers can communicate with all other containers without NAT • all nodes can communicate with all containers (and vice-versa) without NAT • the IP that a container sees itself as is the same IP that others see it as
  • 7. Minimal network setup! • IP per pod • K8s is ready to deploy Pods after install • No L2 Network, Network Port, Subnet, FloatingIP, Security Group, Router, Firewall, DHCP… • In general, user doesn’t have to draw network diagrams
  • 8. Network diagram Pod Node 1 Pod Pod Pod Pod Pod DNS Pod Node 2 Node 3 Svc VIP Svc VIP Svc VIP DNS VIP DNS Pod DNS Pod IP Network
  • 9. Think about Services, not Pods • Pods are grouped by label • Pods are automatically managed • Sets of pods provide a service • Service IP/port is load-balanced to pods • Service names auto-registered in DNS
  • 10. The service architecture PodReplicaSet Pod Pod Endpoints Service Deployment DNS IP1 IP2 IP3 managesmanages LB reads clusterIP, externalIP reads Client Auto-scaler
  • 11. ReplicationController, ReplicaSet apiVersion: v1 kind: ReplicationController metadata: name: nginx spec: replicas: 3 selector: app: nginx template: metadata: name: nginx labels: app: nginx spec: containers: - name: nginx image: nginx ports: - containerPort: 80 • Pets vs. Cattle • Don’t deploy just one pod • Deploy something to manage pods for you • Label your Pods
  • 12. Fundamentals: Pods are ephemeral • A Pod can be killed at any time • A new Pod may be created at any time • No Pod migration! – Port/VIF/IP address doesn’t need to move – Even pods in a StatefulSet change address
  • 13. Deployment apiVersion: apps/v1beta1 kind: Deployment metadata: name: my-nginx spec: replicas: 2 template: metadata: labels: run: my-nginx spec: containers: - name: my-nginx image: nginx ports: - containerPort: 80 • ReplicationController came first • ReplicaSet has a more expressive selector • Deployment enables declarative updates for ReplicaSet
  • 14. Service – L4 load balancing apiVersion: v1 kind: Service metadata: name: my-nginx labels: run: my-nginx spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: run: my-nginx • Adds pods to an Endpoints object – …if a selector is defined, otherwise you manage Endpoints object some other way • supports TCP and UDP and liveness probes • East-West (pod-to-pod) using a “clusterIP” • North-South using NodePort, ExternalIP, or LoadBalancer (as specified in template) • Type LoadBalancer behavior depends on implementation (and varies by hosting cloud)
  • 15. NodePort and ExternalIP use ClusterIP 10.0.0.2 Port 30001  clusterIP:port clusterIP:port  A:p1, B:p2 externalIP:port  clusterIP:port Service1 -> clusterIP:port, NodePort 30001, Endpoints1 Endpoints1-> A:p1, B:p2 10.0.0.3 Port 30001  clusterIP:port clusterIP:port  A:p1, B:p2 externalIP:port  clusterIP:port 10.0.0.4 Port 30001  clusterIP:port clusterIP:port  A:p1, B:p2 externalIP:port  clusterIP:port A B
  • 16. East-West (pod-to-pod) load-balancing clusterIP:port  A:p1, B:p2 clusterIP:port  A:p1, B:p2 A B Client Pod IP unchanged, clusterIP:port changed to service Pod IP and targetPort
  • 17. North-South load-balancing with NodePort 10.0.0.2 10.0.0.3 Port 30001  clusterIP:port clusterIP:port  A:p1, B:p2 10.0.0.4 A B First, SNAT+DNAT - clientIP to nodeIP, NodePort to clusterIP:port Then DNAT - clusterIP:port to service pod:targetPort
  • 18. DNS records for Services • With clusterIP: – creates DNS A and SRV records of Service.Namespace  clusterIP/port • Without clusterIP (Headless): – With selectors: • manages Endpoints and creates DNS A records for each IP – Without selectors: • With ExternalName  creates DNS CNAME record • Without ExternalName  expects someone else to manage Endpoints and creates DNS A records for each IP
  • 19. Service discovery • Via environment variables • Via DNS
  • 20. Canonical workflow 1. Service records are registered in DNS 2. Client pod queries DNS for service 3. Client sends service request 4. KubeProxy (or other SDN) L4 load- balances it to one of the Endpoints.
  • 21. Overview Diagram PodReplicaSet Pod Pod Endpoints Service Deployment DNS IP1 IP2 IP3 managesmanages LB reads clusterIP, externalIP reads Client Auto-scaler 1 2 3 4 5 6 7
  • 22. Ingress – L7 routing apiVersion: extensions/v1beta1 kind: Ingress metadata: name: test annotations: ingress.kubernetes.io/rewrite-target: / spec: rules: - host: foo.bar.com http: paths: - path: /foo backend: serviceName: s1 servicePort: 80 - path: /bar backend: serviceName: s2 servicePort: 80 • Route different URL paths to different backend services • Different Ingress controllers implement different feature subsets • DNS behavior depends on the controller
  • 23. Namespaces • A scope for names and labels • Mechanism to attach authorization and policy – Namespaces can map to organizations or projects • Scope for quotas – Total quotas as well as per-resource limits are defined per namespace
  • 24. NetworkPolicy – Security apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: role: db ingress: - from: - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 6379 • Anyone can query DNS for services in any namespace • By default pods receive traffic from anywhere • Pods selected by a NetworkPolicy allow in only what’s explicitly allowed – E.g. Pods with label “role:db” should allow TCP to port 6379 from pods with label “role:frontend” in namespaces with label “project:myproject” • Only ingress rules in v1.7 – Egress, QoS and other rules in progress NetworkPolicy
  • 25. Comparison to OpenStack • Less networking • No DHCP • No Metadata Service or Proxy • Service is the central concept • Similar to Heat, but more opinionated • No IPSec VPN, port mirroring, QoS, service chaining…
  • 26. Other network-related topics • Number of interfaces (or IPs) per pod • Federation/Ubernetes and Ubernetes Lite • Service Meshes (Istio)
  • 27. Network providers/controllers • Romana • Cilium • Trireme • NGINX Ingress • GCE • AWS • Azure • KubeDNS/SkyDNS • KubeProxy • Flannel • Weave • Kuryr • Calico and Canal • Contiv
  • 28. Kubernetes Admin Challenges • What’s the right combination of controllers? • How to keep users informed of the features you support. • Underlay design • VMs vs. Bare Metal • How many clusters/deployments? • Connectivity across environments and clouds
  • 29. Kuryr
  • 30. Kuryr motivation • It’s hard to connect VMs, bare-metal and containers • Overlay2 for containers in VMs • Smooth transition to cloud-native and micro-services
  • 31. Kuryr-Kubernetes Port per Pod Pod Pod Pod Pod Pod Pod VM VM VM VM
  • 32. Neutron-port-per-Pod, nested case VM Pod Pod Pod eth0 eth0.10 eth0.20 eth0.30 VM Pod Pod Pod network A network B network C network D trunk port child ports Each Pod gets a separate port-level firewall, like any VM in Neutron
  • 33. Kuryr-Kubernetes Macvlan Pod PodPod PodPod PodVM VM VM VM Pods get a MAC and IP directly on the VM’s network. VM and nested Pod MACs/Ips all on the VM’s single Neutron port. Simple, but no NetworkPolicy support.
  • 34. Kuryr today supports • Kubernetes native networking • Pod gets a Neutron port – Or macvlan per Pod • Single tenant • Full connectivity (default) • K8s ClusterIP Services (Neutron LBaaS) • Bare metal and Pod-in-VM
  • 37. Dragonflow motivation • Enterprise-grade OpenSource SDN • That’s vendor-neutral • That’s simple, stable, flexible • And scales
  • 38. Neutron-Server Dragonflow Plugin DB OVS Dragonflow DB Driver Compute Node OVS Dragonflow DB Driver Compute Node OVS Dragonflow DB Driver Compute Node OVS Dragonflow DB Driver Compute Node DB VM VM .. VM VM .. VM VM .. VM VM .. Dragonflow – distributed controller
  • 39. Dragonflow scale – Redis test
  • 40. Dragonflow’s pluggable DB and Pub-Sub • DB – Etcd – Redis – Zookeeper – RAMcloud – Cassandra • Pub-Sub – Redis – ZeroMQ (Neutron) – Etcd
  • 41. Dragonflow Pipeline Installed in every OVS Service Traffic Classification Ingress Processing (NAT, BUM) ARP DHCP L2 Lookup L3 Lookup DVR Egress Dispatching outgoing traffic to external nodes or local ports Ingress Port Security (ARP spoofing , SG, …) Egress Port Security Egress Processing (NAT) Fully Proactive Has Reactive Flows to Controller Security Groups … Outgoing from local port Classification and tagging Dispatching Incoming traffic from external nodes to local ports
  • 42. Dragonflow recent features • Pike – BGP dynamic routing – Service Function Chaining – IPv6 – Trunk ports – Distributed SNAT

Notes de l'éditeur

  1. K8s networking defined itself in contrast to Docker’s “host-private” networking that forced mapping node ports to container ports. K8s NodePort Service type inherits from Docker’s thinking.
  2. K8s networking defined itself in contrast to Docker’s “host-private” networking. K8s NodePort Service type inherits from Docker’s thinking.
  3. From the deployer’s perspective Services matter more than Pods.
  4. Let there be pods!
  5. Now we get to the networking.
  6. NodePort is a remnant from Docker’s early host-private network model, which relied heavily on NAT and mapping ports between nodes and containers.
  7. The SNAT forces the reply back through the node that received the request.
  8. DNS is an add-on. You don’t have to enable it, but it’s strongly recommended.
  9. Now we get to the networking.
  10. This model works both for K8s on OpenStack and for K8s on Neutron (shared network with OpenStack).
  11. Needs a special CNI driver. Leverages OpenStack Neutron TrunkPort
  12. <10k Lines-of-code Mirantis tests from Dec. 16… And people don’t run clusters beyond a few hundred nodes. DF addresses greater scale, but is also great for small/medium clusters (fewer components that can break).
  13. <10k Lines-of-code Mirantis tests from Dec. 16… And people don’t run clusters beyond a few hundred nodes. DF addresses greater scale, but is also great for small/medium clusters (fewer components that can break).
  14. <10k Lines-of-code Mirantis tests from Dec. 16… And people don’t run clusters beyond a few hundred nodes. DF addresses greater scale, but is also great for small/medium clusters (fewer components that can break).
  15. Talk about how easy drivers are to add – 100-200 lines of code