kubernetes networking 101
TRANSCRIPT
![Page 1: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/1.jpg)
Kubernetes Networking
Bryan Boreham, Director of Engineering
@bboreham
![Page 2: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/2.jpg)
What does Weave do?
Weave lets devops iterate faster with:
• observability & monitoring
• continuous delivery
• container networks & firewalls
Kubernetes is our #1 platform
![Page 3: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/3.jpg)
What you should learn
1. How clients talk to services in Kubernetes
2. Connecting containers: overlay vs native
3. Connecting into your cluster: NodePort, HostPort, LoadBalancer, Ingress
4. Be better equipped to troubleshoot
![Page 4: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/4.jpg)
Who is working with...
• Docker
• Kubernetes
• Weave
![Page 5: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/5.jpg)
What is Kubernetes?
![Page 6: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/6.jpg)
What is Kubernetes?
[Diagram: a Master and three Nodes]
![Page 7: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/7.jpg)
Kubernetes runs Services
[Diagram: Services spread across the three Nodes]
![Page 8: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/8.jpg)
Let’s talk about Ports
A service listens on a Port at an IP address
– e.g. http on port 80, postgres on port 5432
– or your own custom service on 9090
[Diagram: service foo listening on port 9090 at 192.1.6.4]
![Page 9: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/9.jpg)
Suppose we want to run two?
• Only one thing can be listening on a port
• We could give the second one a new port number
[Diagram: foo1 on port 9090 and foo2 on port 9091, both at 192.1.6.4]
![Page 10: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/10.jpg)
How do we keep track?
• Fiddling with port numbers needs a bit of book-keeping
• Could have another service where we register all the port numbers we’ve chosen
• Downside: this requires that every client uses the registry
[Diagram: a client asks the Service Registry “Where is foo2?”; foo1 is at 192.1.6.4:9090 and foo2 at 192.1.6.4:9091]
![Page 11: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/11.jpg)
Give every service its own IP address
• Container Networking means never having to say “what port is it on?”
• Every service uses its native port number
[Diagram: foo1 on 10.20.30.42:9090 and foo2 on 10.20.30.43:9090]
![Page 12: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/12.jpg)
Kubernetes Concepts
[Diagram: a Node hosting a Pod; the Pod has its own IP addr and holds one or more Containers]
![Page 13: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/13.jpg)
Just one thing though
• Now, when we contact a service, we need to know its IP address.
• There is a standard way to do that: DNS
[Diagram: a client asks DNS “Where is foo2?”; foo1 is at 10.20.30.42 and foo2 at 10.20.30.43]
![Page 14: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/14.jpg)
Now add Scaling and Redundancy
• Run multiple instances of a service
• Clients should call one of them, don’t care which
[Diagram: three instances of foo at 10.20.10.1, 10.20.29.13 and 10.20.30.42]
![Page 15: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/15.jpg)
DNS can do this. Right?
• Some clients will re-query on every call
• Some clients will cache the result too long
• Most clients will not round-robin
![Page 16: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/16.jpg)
Kubernetes Cluster IPs
• DNS name resolves to a stable Virtual IP address
• Kube-proxy translates VIP to one Pod IP
[Diagram: a client asks kube-dns “Where is foo?” and gets 100.96.0.30; kube-proxy on node 192.1.6.4 translates 100.96.0.30 -> 10.20.30.42, the Pod IP of foo]
![Page 17: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/17.jpg)
Let’s talk about Pod Networking
We need network packets to go from one pod to another pod, across whatever sits in the middle
[Diagram: pod 10.20.9.1 on node 192.1.6.3 sending to pod 10.20.30.42 on node 192.1.6.4]
![Page 18: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/18.jpg)
Who controls your network?
![Page 19: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/19.jpg)
Pod Network: Routes
If you have the IP space, and you control the network, just program the routers
[Diagram: pod 10.20.9.1 on node 192.1.6.3 and pod 10.20.30.42 on node 192.1.6.4; the routers hold 10.20.30.0/24 via 192.1.6.4 and 10.20.9.0/24 via 192.1.6.3]
![Page 20: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/20.jpg)
Pod Network: Overlay
Packets are encapsulated before they leave the machine
[Diagram: the pod packet 10.20.9.1->10.20.30.42 is wrapped in a node packet 192.1.6.3->192.1.6.4, drawn as 192.1.6.3->192.1.6.4[10.20.9.1->10.20.30.42]]
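The two pod-network designs on the last two slides, as an added Go model (this is not code from the talk or from Weave; the route table, node and pod addresses are the slides' values, while the Route, Packet and Encapsulated types and the function names are assumptions made for the example). The routed case is a longest-prefix lookup over the per-node routes; the overlay case is the sending node wrapping the unchanged pod packet inside a node-to-node packet, and the receiving node unwrapping it. Decapsulate returning the inner packet untouched is what keeps the third "commandment" on the following slide true: the source IP the pod used is the one the peer sees.

```go
package main

import (
	"fmt"
	"net"
)

// Route maps a pod-network prefix to the node that hosts those pods.
type Route struct {
	Prefix *net.IPNet
	Via    net.IP
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// podRoutes holds the slides' values: 10.20.30.0/24 lives on node 192.1.6.4
// and 10.20.9.0/24 on node 192.1.6.3 (constructed example table).
var podRoutes = []Route{
	{mustCIDR("10.20.30.0/24"), net.ParseIP("192.1.6.4")},
	{mustCIDR("10.20.9.0/24"), net.ParseIP("192.1.6.3")},
}

// NextHop is the "routed" pod network: routers (or every node's kernel) hold
// one route per node's pod range and forward on longest prefix match.
// ok is false when no route covers dst; such packets should be dropped, not guessed.
func NextHop(routes []Route, dst net.IP) (via net.IP, ok bool) {
	bestLen := -1
	for _, r := range routes {
		if r.Prefix.Contains(dst) {
			if l, _ := r.Prefix.Mask.Size(); l > bestLen {
				bestLen, via, ok = l, r.Via, true
			}
		}
	}
	return via, ok
}

// Packet is a minimal IP packet model: only the addresses matter here.
type Packet struct {
	Src, Dst net.IP
	Payload  []byte
}

// Encapsulated is an overlay packet: an outer node-to-node packet carrying
// the pod-to-pod packet unchanged.
type Encapsulated struct {
	Outer Packet // node src -> node dst
	Inner Packet // pod src -> pod dst
}

// Encapsulate is the "overlay" pod network: the sending node finds which node
// owns the destination pod and wraps the pod packet, so the underlay only
// ever sees node addresses. It fails when no known node owns the destination.
func Encapsulate(routes []Route, localNode net.IP, p Packet) (Encapsulated, error) {
	via, ok := NextHop(routes, p.Dst)
	if !ok {
		return Encapsulated{}, fmt.Errorf("no node owns pod %s", p.Dst)
	}
	return Encapsulated{Outer: Packet{Src: localNode, Dst: via}, Inner: p}, nil
}

// Decapsulate is the receiving node's job: strip the outer header and hand the
// inner packet to the local pod with its original source address intact.
func Decapsulate(e Encapsulated) Packet { return e.Inner }

// Render prints the overlay packet the way the slide draws it.
func Render(e Encapsulated) string {
	return fmt.Sprintf("%s->%s[%s->%s]", e.Outer.Src, e.Outer.Dst, e.Inner.Src, e.Inner.Dst)
}

func main() {
	p := Packet{Src: net.ParseIP("10.20.9.1"), Dst: net.ParseIP("10.20.30.42"), Payload: []byte("hello")}

	// Routed: the underlay forwards the pod packet as-is to the owning node.
	if via, ok := NextHop(podRoutes, p.Dst); ok {
		fmt.Println("routed: forward", p.Dst, "via", via)
	}

	// Overlay: the sending node 192.1.6.3 wraps the packet before it leaves.
	e, err := Encapsulate(podRoutes, net.ParseIP("192.1.6.3"), p)
	if err != nil {
		panic(err)
	}
	fmt.Println("overlay:", Render(e)) // 192.1.6.3->192.1.6.4[10.20.9.1->10.20.30.42]
	fmt.Println("receiver sees src", Decapsulate(e).Src)
}
```

Either way the pod addresses never change in flight; the difference is whether the network in the middle has to know about pod prefixes (routed) or only about nodes (overlay).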
![Page 21: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/21.jpg)
The Three Commandments
...of Kubernetes Networking:
• All containers can communicate with all other containers
• All nodes can communicate with all containers (and vice-versa)
• The IP that a container sees itself as is the same IP that others see it as
![Page 22: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/22.jpg)
CNI: the Container Network Interface
[Diagram: kubelet calls the Plugin with ADD; the Plugin attaches the Pod's Interface to the Pod Network]
![Page 23: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/23.jpg)
Exposing services: NodePort
• One high-numbered port, on every Node in the cluster
• Can bounce from one machine to another
[Diagram: kube-proxy on node 192.1.6.4 maps :30021 -> 10.20.30.42:80, the Pod IP of foo]
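The "Kubernetes Cluster IPs" and "NodePort" slides describe the same mechanism from two entry points: kube-dns hands out a stable virtual IP, and kube-proxy rewrites the destination of each connection (VIP:port, or any node's IP:NodePort) to one live Pod IP. This added Go model shows both; it is not code from the talk or from Kubernetes itself. The VIP 100.96.0.30, NodePort 30021, node addresses and pod addresses are taken from the slides; the Cluster, Service and Endpoint types, the round-robin choice and the error names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Endpoint is one Pod backing a Service.
type Endpoint struct {
	PodIP string
	Port  int
}

// Service is the kube-proxy view of a Service: a stable virtual ClusterIP, an
// optional NodePort, and the current set of ready Pod endpoints.
type Service struct {
	Name      string
	ClusterIP string
	Port      int
	NodePort  int // 0 when the Service is not exposed as a NodePort
	Endpoints []Endpoint
	next      int // round-robin cursor
}

// Cluster models kube-dns (name -> ClusterIP) plus the kube-proxy rules that
// every node programs: VIP:port or <any node>:NodePort -> one Pod IP:port.
type Cluster struct {
	Nodes    []string
	Services []*Service
}

var (
	ErrNoService   = errors.New("no service listens at that address")
	ErrNoEndpoints = errors.New("service has no ready endpoints")
)

// Resolve is the kube-dns answer: the stable VIP, never a Pod IP, so a client
// that caches too long or never round-robins still reaches a live pod.
func (c *Cluster) Resolve(name string) (string, bool) {
	for _, s := range c.Services {
		if s.Name == name {
			return s.ClusterIP, true
		}
	}
	return "", false
}

// pick is the per-connection choice kube-proxy makes (round-robin here; the
// iptables mode picks at random). The client never learns which pod it got.
// A Service with no ready endpoints is refused rather than silently misrouted.
func (s *Service) pick() (Endpoint, error) {
	if len(s.Endpoints) == 0 {
		return Endpoint{}, ErrNoEndpoints
	}
	e := s.Endpoints[s.next%len(s.Endpoints)]
	s.next++
	return e, nil
}

func (c *Cluster) isNode(ip string) bool {
	for _, n := range c.Nodes {
		if n == ip {
			return true
		}
	}
	return false
}

// Translate rewrites a connection's destination the way kube-proxy's DNAT rule
// does. It matches ClusterIP:Port (slide "Kubernetes Cluster IPs") or
// <any node IP>:NodePort (slide "Exposing services: NodePort"); the chosen pod
// may sit on a different node, which is the "bounce" the slide mentions.
func (c *Cluster) Translate(dstIP string, dstPort int) (Endpoint, error) {
	for _, s := range c.Services {
		clusterHit := dstIP == s.ClusterIP && dstPort == s.Port
		nodePortHit := s.NodePort != 0 && dstPort == s.NodePort && c.isNode(dstIP)
		if clusterHit || nodePortHit {
			return s.pick()
		}
	}
	return Endpoint{}, ErrNoService
}

// NewExampleCluster wires up the slides' values (constructed example): service
// foo at VIP 100.96.0.30 with NodePort 30021, backed by the three pods from
// the "Scaling and Redundancy" slide, all serving on port 80.
func NewExampleCluster() *Cluster {
	return &Cluster{
		Nodes: []string{"192.1.6.3", "192.1.6.4"},
		Services: []*Service{{
			Name: "foo", ClusterIP: "100.96.0.30", Port: 80, NodePort: 30021,
			Endpoints: []Endpoint{
				{PodIP: "10.20.10.1", Port: 80},
				{PodIP: "10.20.29.13", Port: 80},
				{PodIP: "10.20.30.42", Port: 80},
			},
		}},
	}
}

func main() {
	c := NewExampleCluster()
	vip, _ := c.Resolve("foo") // "Where is foo?" -> 100.96.0.30
	for i := 0; i < 3; i++ {   // three connections to the VIP land on three pods
		ep, _ := c.Translate(vip, 80)
		fmt.Printf("client -> %s:80 -> %s:%d\n", vip, ep.PodIP, ep.Port)
	}
	ep, _ := c.Translate("192.1.6.4", 30021) // external client -> NodePort
	fmt.Printf("external -> 192.1.6.4:30021 -> %s:%d\n", ep.PodIP, ep.Port)
	if _, err := c.Translate("192.1.6.4", 80); err != nil {
		fmt.Println("192.1.6.4:80:", err) // nothing is exposed on the node's port 80
	}
}
```

Note that only the NodePort is reachable on the node's own address: a request to 192.1.6.4:80 matches no rule, which is the property a firewall in front of the nodes should be checked against.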
![Page 24: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/24.jpg)
Exposing services: HostPort
• Specific port is mapped locally on the host
• “Don’t use hostPort unless it is absolutely necessary”
[Diagram: node 192.1.6.4 maps :8080 -> 10.20.30.42:80, the Pod IP of foo]
![Page 25: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/25.jpg)
Exposing services: LoadBalancer
• Layer 4 - works for any TCP-based protocol
• Available for specific implementations, e.g. ELB
[Diagram: an external LB in front of the foo pods; the cloud-controller programs the LB's endpoints, and traffic reaches the pods via kube-proxy / iptables]
![Page 26: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/26.jpg)
Exposing services: Ingress
• Layer 7 - defined for http only
• Available for specific implementations, e.g. nginx, ALB
[Diagram: an ingress controller, configured from the Master, routing to two foo pods]
![Page 27: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/27.jpg)
Example Ingress config
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress   # not on the slide; a name is required to apply the object
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: s1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: s2
          servicePort: 80
```
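To show what "layer 7" means in practice, here is an added Go model of how an ingress controller applies the rules in that manifest; it is example code written for this transcript, not the talk's and not any real controller's matching logic. The host foo.bar.com, the paths /foo and /bar and the backends s1:80 and s2:80 come from the slide; the Ingress, Rule and Backend types, the segment-prefix path matching and the optional default backend are assumptions made for the example (real controllers differ in how they interpret path).

```go
package main

import (
	"fmt"
	"strings"
)

// Backend names the Service and port an Ingress rule sends traffic to.
type Backend struct {
	ServiceName string
	ServicePort int
}

// Rule is one host block from the Ingress spec: the host to match (empty
// means "any host") and its path -> backend table.
type Rule struct {
	Host  string
	Paths map[string]Backend
}

// Ingress is the controller's compiled view of the manifest plus the default
// backend used when nothing matches (nil means answer 404).
type Ingress struct {
	Rules   []Rule
	Default *Backend
}

// hostMatches compares the request's Host header (port stripped) with the
// rule's host. The Host header is chosen by the client, so an explicit host
// in the rule is what stops a request for an arbitrary name from reaching s1.
func hostMatches(rule, reqHost string) bool {
	if rule == "" {
		return true
	}
	reqHost = strings.SplitN(reqHost, ":", 2)[0]
	return strings.EqualFold(rule, reqHost)
}

// pathMatches is prefix matching on path segments: /foo matches /foo and
// /foo/x but not /foobar, so a rule cannot capture a neighbouring path.
func pathMatches(rule, reqPath string) bool {
	rule = strings.TrimSuffix(rule, "/")
	if rule == "" {
		return true
	}
	return reqPath == rule || strings.HasPrefix(reqPath, rule+"/")
}

// Route picks the backend the way a layer-7 ingress does: match the host
// first, then the longest matching path, then fall back to the default.
func (ing *Ingress) Route(host, path string) (Backend, bool) {
	var best Backend
	bestLen := -1
	for _, r := range ing.Rules {
		if !hostMatches(r.Host, host) {
			continue
		}
		for p, b := range r.Paths {
			if pathMatches(p, path) && len(p) > bestLen {
				best, bestLen = b, len(p)
			}
		}
	}
	if bestLen >= 0 {
		return best, true
	}
	if ing.Default != nil {
		return *ing.Default, true
	}
	return Backend{}, false
}

// ExampleIngress is the slide's manifest expressed as Go values.
func ExampleIngress() *Ingress {
	return &Ingress{Rules: []Rule{{
		Host: "foo.bar.com",
		Paths: map[string]Backend{
			"/foo": {ServiceName: "s1", ServicePort: 80},
			"/bar": {ServiceName: "s2", ServicePort: 80},
		},
	}}}
}

func main() {
	ing := ExampleIngress()
	// Constructed requests: (Host header, path).
	for _, req := range [][2]string{
		{"foo.bar.com", "/foo/index.html"},
		{"foo.bar.com:443", "/bar"},
		{"foo.bar.com", "/foobar"},
		{"other.example", "/foo"},
	} {
		if b, ok := ing.Route(req[0], req[1]); ok {
			fmt.Printf("%s%s -> %s:%d\n", req[0], req[1], b.ServiceName, b.ServicePort)
		} else {
			fmt.Printf("%s%s -> 404 (no rule)\n", req[0], req[1])
		}
	}
}
```

The last two requests are the ones worth watching in a real deployment: /foobar must not leak into the /foo backend, and a request for a host you did not list should get 404 (or the default backend), not a rule intended for foo.bar.com.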
![Page 28: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/28.jpg)
Recap: all you need to know
• Kubernetes runs Pods which implement Services
• Pods need a Pod Network - routed or Overlay
• Pod network is driven via CNI
• Clients connect to Services via virtual Cluster IPs
• Kubernetes has many ways to expose a Service outside the cluster - each has pros and cons
![Page 29: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/29.jpg)
Thanks! Questions?
We are hiring! Engineers in SF & London
weave.works/hiring
![Page 30: Kubernetes Networking 101](https://reader034.vdocuments.net/reader034/viewer/2022052117/5aaba4677f8b9ac7658b4611/html5/thumbnails/30.jpg)
What’s Next?
• Try Weave Cloud
– https://cloud.weave.works
• Join the Weave user group!
– meetup.com/pro/Weave
• Get in touch! (Slack, Email, etc.)
– weave.works/help