Download as PDF, PPTX
![apiVersion: v1 kind: Pod metadata: name: test spec: restartPolicy: Never containers: - name: test image: alpine command: ["/bin/sh"] args: ["-c", "echo 'GET / HTTP/1.1rnrn' | nc 10.244.0.18 8080"] test.yml](https://image.slidesharecdn.com/kubernetesnetworking-191017074359/75/Kubernetes-networking-basics-20-2048.jpg)
![What is a netfilter and iptables[tl;dr] • netfilter is a rules-based packet processing engine. It runs in kernel space and gets a look at every packet at various points in its life cycle. • It matches packets against rules and when it finds a rule that matches it takes the specified action. • Among the many actions it can take is redirecting the packet to another destination. • iptables is a user space interface to netfilter](https://image.slidesharecdn.com/kubernetesnetworking-191017074359/75/Kubernetes-networking-basics-28-2048.jpg)
Kubernetes networking - basics
- 1. Tvorba siete vKubernetes pre začiatočníkov alebo pre tých, čo nevedia čo je iptables Marián Kuna mkunask@gmail.com 4. Kubernetes Meetup October 16th 2019
- 3. Kto je GedeonMajunke? a) Postava z epizódy IX Hviezdnych Vojen - The Rise of Skywalker b)Ministerský predseda Ugandy c) Slovenský architekt, staviteľ Teryho Chaty
- 6. Pod • A Podis the basic execution unit of a Kubernetes application • A Pod encapsulates an application’s container (or, in some cases, multiple containers), storage resources, a unique network IP, and options that govern how the container(s) should run. • Docker is the most common container runtime used in a Kubernetes Pod
- 7. Cluster Networking There are4 distinct networking problems to solve: • Highly-coupled container-to-container communications • Pod-to-Pod communications • Kubernetes assumes that pods can communicate with other pods, regardless of which host they land on • Service-to-Pod communications • External-to-Service communications
- 8. Linux containers host eth0 10.100.0.2 Container 2 veth0 172.17.0.3 veth2 Container1 Docker0 172.17.0.1 veth1 veth0 172.17.0.2
- 10. Pod • A Podis the basic execution unit of a Kubernetes application • A Pod encapsulates an application’s container (or, in some cases, multiple containers), storage resources, a unique network IP, and options that govern how the container(s) should run.
- 11. Docker networking host eth0 10.100.0.2 Container 2 veth0 172.17.0.3 Container1 Docker0 172.17.0.1 veth0 172.17.0.2
- 12. Docker networking host eth0 10.100.0.2 Container 2Container1 Docker0 172.17.0.1 veth0 172.17.0.2
- 14. Docker networking host eth0 10.100.0.2 Container 2Container1 Docker0 172.17.0.1 Pause veth0 172.17.0.2 Pod
- 15. Cluster Networking There are4 distinct networking problems to solve: • Highly-coupled container-to-container communications • Pod-to-Pod communications • Kubernetes assumes that pods can communicate with other pods, regardless of which host they land on • Service-to-Pod communications • External-to-Service communications
- 16.
- 17. Pod networking node ens3 10.0.10.3 cni0 10.244.1.1 pod 1 veth0 10.244.1.2 node ens3 10.0.11.3 Switch pod2 veth0 10.244.1.3 cni0 10.244.2.1 pod 1 veth0 10.244.2.2 pod 2 veth0 10.244.2.3 10.244.2.0/24 via 10.0.11.3 ens3 Routes 10.244.1.0/24 via 10.0.10.3 ens3 Routes to: 10.244.2.2 10.0.0.0/16 default via 10.244.1.1 veth0 Routes default via 10.244.2.1 veth0 Routes
- 19. apiVersion: extensions/v1beta1 kind: Deployment metadata: name:microcities labels: run: microcities spec: replicas: 2 strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 type: RollingUpdate template: metadata: labels: run: microcities spec: containers: - name: microcities image: bluesnake/microcities imagePullPolicy: Always ports: - name: microcities containerPort: 8080 protocol: TCP restartPolicy: Always deployment.yml
- 20. apiVersion: v1 kind: Pod metadata: name:test spec: restartPolicy: Never containers: - name: test image: alpine command: ["/bin/sh"] args: ["-c", "echo 'GET / HTTP/1.1rnrn' | nc 10.244.0.18 8080"] test.yml
- 21.
- 22. Cluster Networking There are4 distinct networking problems to solve: • Highly-coupled container-to-container communications • Pod-to-Pod communications • Kubernetes assumes that pods can communicate with other pods, regardless of which host they land on • Service-to-Pod communications • External-to-Service communications
- 23. apiVersion: extensions/v1beta1 kind: Deployment metadata: name:microcities labels: run: microcities spec: replicas: 2 strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 type: RollingUpdate template: metadata: labels: run: microcities spec: containers: - name: microcities image: bluesnake/microcities imagePullPolicy: Always ports: - name: microcities containerPort: 8080 protocol: TCP restartPolicy: Always deployment.yml kind: Service apiVersion: v1 metadata: name: microcities-svc spec: selector: run: microcities ports: - port: 80 targetPort: 8080 type: ClusterIP service.yml
- 25. Pods λ kubectl apply-f deployment.yml deployments "microcities" created λ kubectl get pods -o wide NAME READY STATUS RESTARTS AGE IP microcities-65944d6586-8chwt 1/1 Running 0 38m 10.244.0.18 microcities-65944d6586-hwgvz 1/1 Running 0 38m 10.244.2.11 λ kubectl apply -f service.yml service "microcities-svc" created λ kubectl get services NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE microcities-svc ClusterIP 10.96.226.20 <none> 80/TCP 4m45s
- 26.
- 27.
- 28. What is anetfilter and iptables[tl;dr] • netfilter is a rules-based packet processing engine. It runs in kernel space and gets a look at every packet at various points in its life cycle. • It matches packets against rules and when it finds a rule that matches it takes the specified action. • Among the many actions it can take is redirecting the packet to another destination. • iptables is a user space interface to netfilter
- 29.
- 30. Cluster Networking There are4 distinct networking problems to solve: • Highly-coupled container-to-container communications • Pod-to-Pod communications • Kubernetes assumes that pods can communicate with other pods, regardless of which host they land on • Service-to-Pod communications • External-to-Service communications
- 31. External Access node ens3 10.0.10.3 cni0 10.244.1.1 microcities veth0 10.244.1.2 node ens3 10.0.11.3 test veth1 10.244.1.3 cni0 10.244.2.1 Microcities veth0 10.244.2.2 to: 10.96.226.20:80 Switch gateway destinationnext hop External Client kube-proxy netfilter kube-proxy netfilter 10.96.226.0/24 10.0.10.3
- 32. kind: Service apiVersion: v1 metadata: name:microcities-swc spec: selector: run: microcities ports: - port: 80 targetPort: 8080 type: ClusterIP service.yml
- 33. kind: Service apiVersion: v1 metadata: name:microcities-swc spec: selector: run: microcities ports: - port: 80 targetPort: 8080 type: NodePort service.yml
- 34. External Access node ens3 10.0.10.3 cni0 10.244.1.1 microcities veth0 10.244.1.2 node ens3 10.0.11.3 test veth1 10.244.1.3 cni0 10.244.2.1 Microcities veth0 10.244.2.2 Switch gateway External Client kube-proxy netfilter kube-proxy netfilter listen:10.0.10.3: 32601 10.96.226.20:80 > 10.244.2.2:8080 Kubernetes master 10.0.0.3: 32601 > 10.96.226.20:80
- 35. External Access node ens3 10.0.10.3 cni0 10.244.1.1 microcities veth0 10.244.1.2 node ens3 10.0.11.3 test veth1 10.244.1.3 cni0 10.244.2.1 Microcities veth0 10.244.2.2 Switch gateway kube-proxy netfilter kube-proxy netfilter listen: 10.0.10.3:32601 10.96.226.20:80 > 10.244.2.2:8080 10.0.0.3: 32601 > 10.96.226.20:80 External Client Loadbalancer LB public IP 10.0.10.2: 32601 10.011.3: 32601
- 36. kind: Service apiVersion: v1 metadata: name:microcities-swc spec: selector: run: microcities ports: - port: 80 targetPort: 8080 type: LoadBalancer service.yml
- 37. apiVersion: extensions/v1beta1 kind: Ingress metadata: name:microcities-ing annotations: kubernetes.io/ingress.class: 'nginx' ingress.kubernetes.io/add-base-url: 'true' ingress.kubernetes.io/rewrite-target: / nginx.org/hsts-max-age: '0' nginx.org/hsts-include-subdomains: '0' spec: tls: - secretName: tls-secret rules: - http: paths: - path: /meetup/microcities backend: serviceName: microcities-svc servicePort: 80 ingress.yml
- 38. Ingress node ens3 10.0.10.3 cni0 10.244.1.1 microcities veth0 10.244.1.2 node ens3 10.0.11.3 Ingress CTRL veth1 10.244.1.6 cni0 10.244.2.1 Microcities veth0 10.244.2.2 netfilter kube-proxy listen: 10.0.10.3:30021 10.0.0.3:30021 > ingress_svc_ClusterIP ingress_svc_ClusterIP > 10.244.1.6:80 kube-proxy netfilter Ingress */meetup/microcities > microcities_svc_ClusterIP gateway External Client <LBpublicIP>/meetup/microcities 10. 0.10.3:30021/* 10.0.11.3:30021/* Loadbalancer Ingress CTRL veth1 10.244.2.5 microcities_svc_ClusterIP > 10.244.1.2:8080
- 40. apiVersion: extensions/v1beta1 kind: Deployment metadata: name:microcities labels: run: microcities spec: replicas: 2 strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 type: RollingUpdate template: metadata: labels: run: microcities spec: containers: - name: microcities image: bluesnake/microcities imagePullPolicy: Always ports: - name: microcities containerPort: 8080 protocol: TCP restartPolicy: Always deployment.yml kind: Service apiVersion: v1 metadata: name: microcities-svc spec: selector: run: microcities ports: - port: 80 targetPort: 8080 type: ClusterIP service.yml apiVersion: extensions/v1beta1 kind: Ingress metadata: name: microcities-ing annotations: kubernetes.io/ingress.class: 'nginx' ingress.kubernetes.io/add-base-url: 'true' ingress.kubernetes.io/rewrite-target: / nginx.org/hsts-max-age: '0' nginx.org/hsts-include-subdomains: '0' spec: tls: - secretName: tls-secret rules: - http: paths: - path: /meetup/microcities backend: serviceName: microcities-svc servicePort: 80 ingress.yml
- 41. Pods $ kubectl apply-f ingress.yml --namespace=meetup $ kubectl get ingress –-namespace=meetup NAME HOSTS ADDRESS PORTS AGE microcities-ing * 80, 443 5m32s http://132.145.10.92/meetup/microcities
- 42. References • https://kubernetes.io/docs/concepts/cluster-administration/networking/ • https://medium.com/google-cloud/understanding-kubernetes-networking-pods-7117dd28727 •https://medium.com/@ApsOps/an-illustrated-guide-to-kubernetes-networking-part-1-d1ede3322727 • https://developer.ibm.com/recipes/tutorials/networking-your-docker-containers-using-docker0-bridge/ • https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md • https://kubernetes.io/docs/concepts/services-networking/service/