Kubernetes (K8s) is a powerful, flexible and portable open source framework for delivering and managing distributed containerized applications. An important part of the services provided by most Kubernetes clusters is the containers' networking stack. In most cases and for many applications it "just works", but this apparent simplicity is backed by a complex stack of technologies that provide many capabilities beyond the basics.
This presentation accompanies the meetup and webinar in which Oleg Chunikhin, CTO at Kublr, shows how the Kubernetes networking stack works and describes its main components, interfaces and extensibility options.
What is covered:
- general notions of Kubernetes networking - Pods and Network Policies
- implementation of Kubernetes networking - CNI, CNI plugins, and Linux network namespaces
- some Kubernetes CNI providers: Calico, Weave, Flannel, and Canal
- K8S networking extensibility for advanced and "exotic" use-cases, with the Multus CNI plugin as an example
8. Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: net-srv
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: net-pinger
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - {}
@olgch; @kublr
1. Network Policies are namespaced: a policy can only select pods in its own namespace
2. Network Policies select pods based on labels
   a. Isolated Pods - selected by at least one policy (for a given direction)
      Only traffic allowed by the union of all selecting policies is permitted
   b. Non-isolated Pods - not selected by any policy
      All traffic is allowed
3. Network Policies are additive and never conflict: there are no "deny" rules, only allow lists
4. For traffic between two pods to be allowed, egress on the source
   and ingress on the target must both be allowed
5. Policy type may be Ingress, Egress, or both; isolation is per direction, so a policy with
   only Ingress in policyTypes leaves the selected pods' egress untouched
6. If no policy type is specified, Ingress is always set, and
   Egress is set only if egress rules are defined
7. A policy may include any number of ingress and egress rules
   A policy with podSelector: {} and policyTypes [Ingress, Egress] but no rules isolates every
   pod in the namespace (the usual "default deny" starting point)
   Network Policies are only enforced if the CNI provider implements them; otherwise the API
   server accepts them and they are silently ignored
9. Network Policy Anatomy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-network-policy
  namespace: default
spec:
  podSelector: { ... }
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - { ... } # ingress rule 1
    ...
    - { ... } # ingress rule N
  egress:
    - { ... } # egress rule 1
    ...
    - { ... } # egress rule M
Metadata
● name and namespace; the namespace decides which pods the policy can select at all

Pod Selector
podSelector:
  matchLabels:
    key1: value1
  matchExpressions:
    - key: key2
      operator: In # NotIn, Exists, DoesNotExist
      values: [val1, val2]
● podSelector is a standard label selector
● podSelector is required
● an empty selector ({}) matches every pod in the namespace
● matchLabels and matchExpressions requirements are AND'ed

Ingress and Egress Rules
# for ingress rules
from: [ peer1, ... , peerN ]
# for egress rules
to: [ peer1, ... , peerN ]
# for both ingress and egress
ports: [ port1, ... , portM ]
● peers within a rule are OR'ed and ports within a rule are OR'ed; traffic must match
  one peer AND one port of the same rule
● an empty or missing from/to matches all peers; an empty or missing ports matches all ports
● rules within a policy are OR'ed: any matching rule allows the traffic

NetworkPolicy Peer
ipBlock:
  cidr: 10.0.0.0/24
  except: [10.0.0.0/28, ...] # each except entry must lie inside cidr
namespaceSelector: { ... }
podSelector: { ... }
● pod and namespace selectors are standard label selectors
● namespaceSelector and podSelector in the same peer are AND'ed (pods matching podSelector
  in namespaces matching namespaceSelector); list them as separate peers to OR them
● if there is no namespaceSelector, podSelector matches pods in the policy's own namespace
● ipBlock is meant for addresses outside the cluster; pod IPs are ephemeral and may be
  rewritten on the way, so use selectors for pod-to-pod traffic

NetworkPolicy Port
port: 8000
endPort: 32000
protocol: TCP # UDP, SCTP
● protocol defaults to TCP
● port may be a number or a named container port
● endPort is optional and turns port..endPort into a range
● endPort is beta (on by default) since K8S 1.22
● SCTP is stable since K8S 1.20
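To make the rules on the two Network Policy slides above concrete, here is a small evaluator written for this write-up; it is not code from the deck, from Kublr or from Kubernetes itself. It applies the documented semantics (per-direction isolation, union of selecting policies, egress on the source AND ingress on the target, AND/OR of selectors and peers, default policyTypes) to policy objects written in the same dict shape as the networking.k8s.io/v1 API. The slide 8 policy is transcribed as-is; the default-deny policy, the net-pinger-egress policy, the pods, their IPs and the ops namespace are constructed for the example, and named ports are not modelled.

```python
"""Evaluator for NetworkPolicy semantics. Added example; not Kubernetes code and not from the deck.
Policies are plain dicts in the networking.k8s.io/v1 shape; the cluster state below is constructed."""
import ipaddress

# Constructed namespaces with labels (namespaceSelector is matched against these).
NAMESPACES = {"default": {"team": "app"}, "ops": {"team": "ops"}}


class Pod:
    def __init__(self, name, namespace, labels, ip):
        self.name, self.namespace, self.labels, self.ip = name, namespace, labels, ip


def selector_matches(selector, labels):
    """Standard label selector: matchLabels and matchExpressions are AND'ed; {} matches everything."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, vals = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if (op == "In" and labels.get(key) not in vals) or (op == "NotIn" and labels.get(key) in vals) \
                or (op == "Exists" and not present) or (op == "DoesNotExist" and present):
            return False
    return True


def policy_types(policy):
    """Rule 6: without policyTypes, Ingress is always set and Egress only if egress rules exist."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}


def peer_matches(peer, policy_ns, pod):
    """One NetworkPolicyPeer. ipBlock is checked against the pod IP (a real plugin may see a rewritten
    address). namespaceSelector and podSelector in the SAME peer are AND'ed; a podSelector without a
    namespaceSelector only sees the policy's own namespace."""
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(pod.ip), peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(
            ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACES.get(pod.namespace, {})):
            return False
    elif pod.namespace != policy_ns:
        return False
    return "podSelector" not in peer or selector_matches(peer["podSelector"], pod.labels)


def port_matches(ports, protocol, port):
    """Missing/empty ports matches all; entries are OR'ed; protocol defaults to TCP; endPort is a range."""
    if not ports:
        return True
    for p in ports:
        if p.get("protocol", "TCP") != protocol:
            continue
        if "port" not in p or p["port"] <= port <= p.get("endPort", p["port"]):
            return True
    return False


def direction_allowed(policies, pod, direction, other, protocol, port):
    """Rule 2: a pod is isolated for a direction iff some policy in its namespace selects it with that
    direction in policyTypes; the allowed set is then the UNION of all selecting policies' rules."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == pod.namespace
                 and direction in policy_types(p)
                 and selector_matches(p["spec"]["podSelector"], pod.labels)]
    if not selecting:
        return True  # non-isolated: all traffic allowed
    peer_key = "from" if direction == "Ingress" else "to"
    for pol in selecting:
        for rule in pol["spec"].get(direction.lower()) or []:
            peers = rule.get(peer_key) or []
            if (not peers or any(peer_matches(pe, pol["metadata"]["namespace"], other) for pe in peers)) \
                    and port_matches(rule.get("ports") or [], protocol, port):
                return True
    return False  # isolated and no rule matched


def allowed(policies, src, dst, protocol="TCP", port=80):
    """Rule 4: egress must be allowed on the source AND ingress on the destination."""
    return (direction_allowed(policies, src, "Egress", dst, protocol, port)
            and direction_allowed(policies, dst, "Ingress", src, protocol, port))


# The policy from slide 8, transcribed as the API object.
SLIDE_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "my-network-policy", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "net-srv"}},
             "policyTypes": ["Ingress", "Egress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "net-pinger"}}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]}],
             "egress": [{}]}}
# Hypothetical hardening: namespace-wide default deny (empty podSelector, no rules) ...
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
# ... after which the pinger's egress must be re-opened explicitly, or rule 4 blocks it.
PINGER_EGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "net-pinger-egress", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "net-pinger"}}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "net-srv"}}}],
                         "ports": [{"port": 8080}]}]}}

# Constructed pods; the IPs are invented.
SRV = Pod("net-srv", "default", {"app": "net-srv"}, "10.244.1.10")
PINGER = Pod("net-pinger", "default", {"app": "net-pinger"}, "10.244.1.11")
OTHER = Pod("other", "default", {"app": "other"}, "10.244.2.5")
OPS_PINGER = Pod("net-pinger", "ops", {"app": "net-pinger"}, "10.244.2.7")

if __name__ == "__main__":
    for label, pols in (("slide policy only", [SLIDE_POLICY]),
                        ("+ default deny", [SLIDE_POLICY, DEFAULT_DENY]),
                        ("+ pinger egress", [SLIDE_POLICY, DEFAULT_DENY, PINGER_EGRESS])):
        print(f"{label:18} pinger->srv:8080 {allowed(pols, PINGER, SRV, 'TCP', 8080)}"
              f"  other->srv:8080 {allowed(pols, OTHER, SRV, 'TCP', 8080)}")
```

Running the script shows the two traps the slides warn about: with only the slide 8 policy the pinger reaches net-srv on 8080 but a pod in the ops namespace with the same labels does not (podSelector alone never crosses namespaces), and adding the default-deny policy breaks the pinger even though net-srv still allows it, because the pinger's own egress is now isolated and has to be opened by a second policy.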
12. K8S Architecture: Compute & Network
[Diagram: two nodes (virtual machines), Node 1 and Node 2. Each node runs kubelet, kube-proxy and containerd and has a root network namespace containing the node interface eth0 and the bridge cbr0. Each pod (Pod 1 and Pod 2 on Node 1, Pod 3 and Pod 4 on Node 2) has its own network namespace with a single eth0, and all containers of a pod (ctr 1a and ctr 1b, ctr 2a and ctr 2b, ...) share that namespace. Each pod's eth0 is one end of a veth pair; the other end (veth0, veth1, ...) lives in the root namespace and is attached to cbr0.]
13. CNI Plugins
Provider   Network Model                       Network Policies   Mesh   Datastore   Encryption
Calico     Encapsulated (VXLAN or IPIP) or     Yes                Yes    K8S API     No
           Unencapsulated (BGP)
Canal      Encapsulated (VXLAN)                Yes                Yes    K8S API     No
Weave      Encapsulated                        Yes                Yes    No          Yes
Flannel    Encapsulated (VXLAN)                No                 No     K8S API     No
AWS        Unencapsulated                      Yes                No     K8S API     No

"Network Policies: No" means NetworkPolicy objects are accepted by the API server but not enforced by that provider.