
How to integrate Tungsten Fabric with K8s and create isolated namespaces

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shows you how to integrate Tungsten Fabric with K8s and create isolated namespaces. The content is concise and easy to understand, and it will certainly open your eyes. I hope you can learn something from the detailed introduction in this article.

After K8s is integrated with Tungsten Fabric, there are four configuration modes: default mode, custom isolation mode, namespace isolation mode and nested mode.

Default mode: Tungsten Fabric creates one virtual network shared by all namespaces and assigns IP addresses to services and pods from it, so all pods in all namespaces of the Kubernetes cluster can communicate with each other.

Custom isolation mode: Administrators and application developers can add an annotation ("opencontrail.org/network: ") to specify a virtual network in which one or all pods of a namespace are launched. If the annotation is configured on a pod, that pod starts in the named network; if it is configured on a namespace, all pods in that namespace start in that network.

Namespace isolation mode: A cluster administrator can add the annotation ("opencontrail.org/isolation: true") when creating a new namespace to enable namespace isolation. Services in that namespace then cannot be reached from other namespaces unless security groups or network policies are explicitly defined to allow the access, or the additional annotation ("opencontrail.org/isolation.service: false") is set, which by itself allows services in that namespace to be accessed by pods in other namespaces.

Nested mode: Tungsten Fabric supports integration with Kubernetes clusters deployed on OpenStack VMs. Tungsten Fabric provides a collapsed control and data plane: a single TF control plane and network stack manages and serves both the OpenStack and the Kubernetes cluster. With a unified control and data plane, these clusters can interact and be configured seamlessly, without deploying TF separately for each cluster.

Create an isolated namespace

An isolated namespace named isolated-ns will be created, with the following configuration file:
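The manifest itself is not reproduced here, so the following is an added example rather than the article's own file: it builds a Namespace manifest carrying the isolation annotation the article names, and audits a manifest for the two annotations (isolation, and the weaker isolation.service setting that reopens services cluster-wide). It assumes the annotation values are the strings "true"/"false", since Kubernetes requires annotation values to be strings.

```shell
# Added example (not the article's own manifest): build the Namespace manifest
# that the article applies with kubectl create, and audit a manifest for the two
# Tungsten Fabric annotations the article names. Assumption: annotation values
# are quoted strings ("true"/"false"), as Kubernetes rejects bare booleans there.

# ns_manifest NAME [open] -> manifest on stdout. "open" additionally sets
# isolation.service to false, which lets pods in other namespaces reach this
# namespace's services; leave it out for the article's fully isolated namespace.
ns_manifest() {
  printf 'apiVersion: v1\nkind: Namespace\nmetadata:\n  name: %s\n  annotations:\n' "$1"
  printf '    opencontrail.org/isolation: "true"\n'
  [ "${2:-}" = open ] && printf '    opencontrail.org/isolation.service: "false"\n'
  return 0
}

# audit_isolation < manifest -> prints one of:
#   none           no isolation annotation: the namespace shares the cluster network
#   isolated       pods and services isolated (the article's isolated-ns)
#   services-open  pods isolated, but services reachable from every namespace
audit_isolation() {
  m=$(cat)
  iso=$(printf '%s\n' "$m" | sed -n 's/^ *opencontrail\.org\/isolation: *"\{0,1\}\([a-z]*\).*/\1/p')
  svc=$(printf '%s\n' "$m" | sed -n 's/^ *opencontrail\.org\/isolation\.service: *"\{0,1\}\([a-z]*\).*/\1/p')
  if [ "$iso" != true ]; then echo none
  elif [ "$svc" = false ]; then echo services-open
  else echo isolated; fi
}

# Only touches the cluster when a namespace name is passed on the command line,
# e.g. "sh ns.sh isolated-ns"; sourcing the file just defines the functions.
if [ -n "${1:-}" ]; then
  ns_manifest "$1" "${2:-}" | kubectl create -f -
fi
```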

After executing the kubectl create command, the corresponding namespace is created.

The following TF objects are created. TF policy: k8s-isolated-ns-pod-service-np, which allows virtual networks that carry this policy to reach service ClusterIPs in namespace isolated-ns. TF networks: k8s-isolated-ns-pod-network and k8s-isolated-ns-service-network.

These two networks use the IPAM of namespace default, so the IP pools assigned to pods and services created in namespace isolated-ns are the same as those in namespace default, namely pod (10.32.0.0/12) and service (10.96.0.0/12).

Verify network connectivity with non-isolated namespaces

Next, create pods and a service in the isolated namespace isolated-ns and verify whether isolated-ns can communicate with other namespaces. First create two pods and one service in each of the default and isolated-ns namespaces.

The current resources are therefore:

2 namespaces: default, isolated-ns
2 services: nginx-default (10.105.147.31), nginx-isolated (10.97.162.157)
4 pods: nginx-default-test01 (10.47.255.251), nginx-default-test02 (10.47.255.250), nginx-isolated-test01 (10.47.255.249), nginx-isolated-test02 (10.47.255.247)

Network connectivity verification process:

1. Ping the other three pods from pod nginx-default-test01 in namespace default. The result is that nginx-default-test01 can reach only pods in its own namespace and cannot reach pods in the isolated namespace.

2. Ping the other three pods from pod nginx-isolated-test01 in namespace isolated-ns. The result is that nginx-isolated-test01 can reach only pods in its own namespace and cannot reach pods in other namespaces.

3. Curl the services in both namespaces from pod nginx-default-test01 in namespace default. The result is that nginx-default-test01 can only request services in default and kube-system, the non-isolated namespaces, and cannot request the service in the isolated namespace.

4. Curl the services in both namespaces from pod nginx-isolated-test01 in namespace isolated-ns. The result is that nginx-isolated-test01 can only request services in the non-isolated namespaces default and kube-system, and cannot request the service in the isolated namespace, even though that service is in its own namespace.
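The four checks above can be scripted so that the whole reachability matrix is re-run after every policy change and any cell that deviates from the observed isolation rules is flagged. The script below is an added example, not the article's own; it copies the article's pod and service inventory as constructed input, assumes kubectl access and pod images that contain ping and curl (as the article's nginx pods do), and touches the cluster only when invoked with the argument "run".

```shell
# Added example (not the article's script): probe the reachability matrix the
# article checks by hand and flag cells that deviate from the isolation rules
# it observed. Assumes kubectl access and pods whose image has ping and curl
# (as the article's nginx pods do). Nothing touches the cluster unless run
# with the argument "run"; expected() is pure and can be used on its own.

ISOLATED_NS="isolated-ns"   # namespaces created with opencontrail.org/isolation

# Constructed inventory copied from the article: "name namespace ip"
PODS='nginx-default-test01 default 10.47.255.251
nginx-default-test02 default 10.47.255.250
nginx-isolated-test01 isolated-ns 10.47.255.249
nginx-isolated-test02 isolated-ns 10.47.255.247'
SERVICES='nginx-default default 10.105.147.31
nginx-isolated isolated-ns 10.97.162.157'

is_isolated() { case " $ISOLATED_NS " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# expected SRC_NS KIND DST_NS -> ok|blocked, before any TF policy is attached:
# pods reach pods in their own namespace or between non-isolated namespaces;
# services in non-isolated namespaces are open to every pod, services in an
# isolated namespace to none (not even its own pods).
expected() {
  if [ "$2" = pod ]; then
    if [ "$1" = "$3" ] || { ! is_isolated "$1" && ! is_isolated "$3"; }; then echo ok; else echo blocked; fi
  elif is_isolated "$3"; then echo blocked; else echo ok; fi
}

# probe SRC_POD SRC_NS KIND TARGET_IP -> ok|blocked (live check via kubectl exec)
probe() {
  if [ "$3" = pod ]; then cmd="ping -c 1 -W 2 $4"; else cmd="curl -s -m 3 -o /dev/null http://$4"; fi
  if kubectl exec -n "$2" "$1" -- $cmd >/dev/null 2>&1; then echo ok; else echo blocked; fi
}

# check: walk every (source pod, target) pair and compare probe() with expected()
check() {
  printf '%s\n' "$PODS" | while read -r src sns _; do
    { printf '%s\n' "$PODS" | sed 's/^/pod /'; printf '%s\n' "$SERVICES" | sed 's/^/svc /'; } |
    while read -r kind dst dns dip; do
      [ "$dst" = "$src" ] && continue
      got=$(probe "$src" "$sns" "$kind" "$dip"); want=$(expected "$sns" "$kind" "$dns")
      [ "$got" = "$want" ] && tag="" || tag="  <-- UNEXPECTED, isolation drift"
      printf '%-22s -> %s %s/%s: %s (expected %s)%s\n' "$src" "$kind" "$dns" "$dst" "$got" "$want" "$tag"
    done
  done
}

if [ "${1:-}" = run ]; then check; fi
```

After the TF policies described later are attached, the same run should show the previously blocked cells flip to ok, and nothing else change.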

The overall result of the validation is that pods in non-isolated and isolated namespaces cannot reach each other by default, even though they share the same IPAM; services in non-isolated namespaces can be reached by any pod, while services in isolated namespaces cannot be reached by default. To enable connectivity between pods, and between pods and services, TF policies must be added. For pod-to-pod access, add a TF policy that connects the two networks k8s-default-pod-network and k8s-isolated-ns-pod-network.

After creating it, attach this policy to the pod networks of the non-isolated and isolated namespaces, k8s-default-pod-network and k8s-isolated-ns-pod-network respectively.

Now verify pod-to-pod connectivity again; the result is that the pods of the two namespaces can communicate.

For pod-to-service access, add a TF policy that allows the specified networks to reach the isolated-ns services.

Once created, attach this policy to the pod networks of the non-isolated and isolated namespaces, k8s-default-pod-network and k8s-isolated-ns-pod-network, and to the service network of the isolated namespace, k8s-isolated-ns-service-network.

Now verify pod-to-service connectivity again; the result is that pods in both namespaces can access the service in the isolated namespace.

Once traffic between isolated and non-isolated namespaces is fully open, finer-grained traffic control can be applied through security policies. That is how Tungsten Fabric integrates with K8s and creates isolated namespaces. Have you learned any new knowledge or skills? If you want to learn more skills or enrich your knowledge, please follow the industry information channel.
