2025-03-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains the Kubernetes network model and the terms used to describe it, the CNI and IPAM plug-in interfaces, and then introduces and compares two common network schemes, Flannel and Calico.
Kubernetes is currently the most popular container orchestration tool, and networking is an important part of it. This article introduces the relevant network principles and terminology and then compares the network schemes used in Kubernetes. Kubernetes itself does not implement Pod networking; it defines a network interface and leaves the implementation to plug-ins. To support different network functions and requirements, and to make it easy to configure a container's network when the container is created or destroyed, the Container Network Interface (CNI) was created. CNI defines the interface between the container runtime and network plug-ins. In Kubernetes, CNI is the contract between kubelet and the network plug-in that configures networking for each container.
1 Background
The container network is the mechanism by which containers connect to other containers, to their hosts and to external networks. The Kubernetes network model requires that every Pod has its own IP address, and it assumes that all Pods are in a flat, directly connected network space. Users do not need to set up connectivity between Pods themselves, and they do not need to map container ports to host ports. All nodes can reach all containers without NAT, and the address a container sees for itself is the same address that others use to reach it.
2 Technical terms
IPAM: IP address management. IPAM is not unique to containers; DHCP in a traditional network is a form of IPAM. For containers there are two mainstream approaches: allocate an address block (a CIDR range) to each node and assign addresses to its containers from that block, or assign an exact IP to each container from a shared pool. Either way, once a cluster of container hosts is formed, every container on it must receive a globally unique IP address, and providing that is the job of IPAM.
Overlay: a separate network built on top of an existing Layer 2 or Layer 3 network, usually with its own independent IP address space and its own switching or routing implementation.
BGP: the routing protocol used between autonomous systems on the Internet backbone; it manages how packets are routed between edge routers. BGP works out how to get data from one network to another by considering the available paths, routing rules and network-specific policies. Some CNI plug-ins use BGP to distribute routes instead of building an encapsulated overlay network.
Encapsulation: wrapping a network packet in an additional layer (an outer header) that carries extra context. In an overlay network, encapsulation translates addresses of the virtual network into addresses of the underlying network so the packet can be routed to another location, where it is decapsulated and continues to its destination.
3 CNI
The Container Network Interface (CNI) is a container network specification initiated by CoreOS and is the basis of Kubernetes network plug-ins. The basic idea is that when the container runtime creates a container, it first creates the network namespace, then calls the CNI plug-in to configure the network in that namespace (netns), and only then starts the processes in the container.
A CNI plug-in is responsible for configuring the container's network. It must be an executable that the container management system (rkt or Kubernetes, for example) invokes, and it exposes two basic operations:
Configure the network: AddNetwork(net NetworkConfig, rt RuntimeConf) (types.Result, error)
Clean up the network: DelNetwork(net NetworkConfig, rt RuntimeConf) error
In Kubernetes, kubelet determines which network the container should join and which plug-in to call. The plug-in creates a veth pair and places one end in the container's network namespace as the container's interface. It then makes the corresponding changes on the host, such as attaching the other end of the veth pair to a bridge. Finally it obtains the IP address and routes by calling a separate IPAM (IP address management) plug-in and applies them to the container interface.
4 IPAM
The CNI plug-in above solves the problem of configuring the network inside the Pod, but IP management still has to be solved. To decouple network configuration from IP management, CNI defines a second type of plug-in: the IP address management (IPAM) plug-in.
Like the CNI plug-in, the IPAM plug-in is an executable that is run on demand. It is responsible for assigning and managing the IP address of the interface.
The CNI plug-in calls the IPAM plug-in during its execution. The IPAM plug-in determines the interface's IP address and subnet, gateway and routes, and returns that information to the CNI plug-in, which applies it when the container starts. When the container is deleted, the IPAM plug-in is called again to release the address.
The IPAM plug-in may obtain its information via a protocol such as DHCP, from data stored on the local file system, from the "ipam" section of the network configuration, or from a combination of these.
5 Two common Kubernetes network schemes
Flannel
Flannel is a network scheme designed by the CoreOS team. It uses etcd as its store, assigns each container on a node a globally unique IP address, and connects nodes through an overlay network.
Communication between Pods works as follows:
Pod1 and Pod2 are not on the same host.
After the data leaves the source container, it is forwarded from the host's docker0 bridge to the flannel0 virtual interface (a TUN device), which the flanneld daemon reads from on the other end. Flannel keeps the routing table between nodes in etcd: etcd holds the allocatable address range, and each node's subnet lease is recorded there, so every flanneld knows which node owns which Pod subnet. The flanneld on the source host encapsulates the original packet in UDP and, using its routing table, sends it to the flanneld on the destination node. There the packet is decapsulated and written into the destination node's flannel0 interface, from which it is forwarded to that host's docker0 bridge. From that point delivery is the same as local container communication: docker0 has a route to the destination container.
Pod1 and Pod2 are on the same host.
If Pod1 and Pod2 are on the same host, the docker0 bridge forwards the traffic directly to Pod2 without going through Flannel.
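The cross-host path described above (subnet lease lookup, UDP encapsulation on the source node, decapsulation on the destination node), as an added example that is not part of the original article and not flanneld's own code. The subnet leases, node addresses and Pod addresses are constructed; the UDP port 8285 is assumed to be the default of flannel's UDP backend. The two checks in decapsulate (the inner destination must be on this node's subnet, and the inner source must belong to the node that sent the outer packet) are added here as a sanity check a receiver can make from the lease table; they are not a description of what flanneld does.

```python
"""Flannel-style overlay: node subnet lookup and UDP encapsulation (added example;
constructed leases and addresses, not flanneld's own code)."""
import ipaddress
import struct

FLANNEL_UDP_PORT = 8285  # assumption: the default port of flannel's UDP backend

# Constructed subnet leases of the kind flanneld keeps in etcd: each node holds one
# /24 out of the cluster range 10.244.0.0/16, mapped to the node's public IP.
LEASES = {
    "10.244.1.0/24": "192.168.10.11",
    "10.244.2.0/24": "192.168.10.12",
    "10.244.3.0/24": "192.168.10.13",
}


def build_routes(leases):
    return {ipaddress.ip_network(s): ipaddress.ip_address(n) for s, n in leases.items()}


def lookup_node(routes, pod_ip):
    """Return the public IP of the node whose lease covers pod_ip, or None."""
    ip = ipaddress.ip_address(str(pod_ip))
    for subnet, node in routes.items():
        if ip in subnet:
            return node
    return None


def checksum(data):
    """RFC 1071 one's-complement checksum, as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=17):
    """20-byte IPv4 header (no options) with a valid checksum; proto 17 is UDP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def inner_packet(src_pod, dst_pod, payload):
    """What a Pod emits: IPv4 + UDP (constructed ports) + payload."""
    udp = struct.pack("!HHHH", 40000, 80, 8 + len(payload), 0) + payload
    return ipv4_header(src_pod, dst_pod, len(udp)) + udp


def encapsulate(routes, local_node, inner):
    """Wrap a Pod-to-Pod packet in outer IPv4+UDP addressed to the node that owns
    the destination Pod subnet: the lookup the source host makes before sending."""
    dst_pod = ipaddress.ip_address(inner[16:20])
    remote = lookup_node(routes, dst_pod)
    if remote is None:
        raise ValueError(f"no lease covers {dst_pod}")
    udp = struct.pack("!HHHH", FLANNEL_UDP_PORT, FLANNEL_UDP_PORT, 8 + len(inner), 0) + inner
    return ipv4_header(local_node, remote, len(udp)) + udp


def decapsulate(routes, local_subnet, outer):
    """Strip outer IPv4+UDP and return the inner packet. Two sanity checks are added
    here (not a description of flanneld): the inner destination must be in this
    node's subnet and the inner source must be leased to the node that sent it."""
    outer_src = ipaddress.ip_address(outer[12:16])
    ihl = (outer[0] & 0x0F) * 4
    inner = outer[ihl + 8:]
    inner_src = ipaddress.ip_address(inner[12:16])
    inner_dst = ipaddress.ip_address(inner[16:20])
    if inner_dst not in ipaddress.ip_network(local_subnet):
        raise ValueError(f"{inner_dst} is not in local subnet {local_subnet}")
    if lookup_node(routes, inner_src) != outer_src:
        raise ValueError(f"{inner_src} is not leased to sending node {outer_src}")
    return inner


def accepted(routes, local_subnet, outer):
    """True if decapsulate() would pass the packet on to the local bridge."""
    try:
        decapsulate(routes, local_subnet, outer)
        return True
    except ValueError:
        return False
```

The outer header carries only node addresses, which is what makes the flat Pod address space work over a network that knows nothing about 10.244.0.0/16: the underlay routes 192.168.10.x traffic, and the per-node lease table is the only thing that ties a Pod subnet to a node.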
Calico
Calico is a pure Layer 3 data center network solution. It integrates seamlessly with IaaS cloud platforms such as OpenStack and provides controllable IP communication among VMs, containers and bare-metal machines.
Calico applies the scalable IP routing principles of the Internet at data center scale. On each compute node it uses the Linux kernel as an efficient vRouter for data forwarding, and each vRouter advertises the routes of the workloads running on it to the rest of the Calico network over BGP. In small deployments the nodes peer with each other directly; in large deployments peering goes through designated BGP route reflectors. As a result, all traffic between workloads is forwarded by plain IP routing.
Calico nodes can use the existing data center network (whether L2 or L3) directly, without NAT, tunnels or an overlay network.
Calico also provides rich, flexible network policy: multi-tenant isolation, security groups and other reachability restrictions for workloads are enforced through ACLs on each node.
© 2024 shulou.com SLNews company. All rights reserved.