James's Ramblings

Kubernetes: Networking

Created: September 20, 2020
  • Kubernetes uses Linux network namespaces.
  • Different plugins can be installed to provide networking.
  • It’s difficult and time consuming to change the network plugin after the fact, so choosing the right plugin for a cluster up front is important.

Plugins

  • Project Calico.
    • A flat Layer 3 network that communicates without IP encapsulation.
    • Scales well.
    • Canal, part of Calico, allows integration with Flannel.
    • Network security policy support.
  • Flannel.
    • A Layer 3 network.
    • Flannel runs a small, single binary agent called flanneld on each host.
    • flanneld is responsible for allocating a subnet lease to each host out of a larger, preconfigured address space.
    • Uses either the Kubernetes API or etcd directly to store the network configuration, the allocated subnets, and any auxiliary data.
    • Packets are forwarded using one of several backend mechanisms, including:
      • VXLAN (recommended).
      • host-gw, recommended for more experienced users who want the performance improvement and whose infrastructure supports it (typically it can’t be used in cloud environments).
      • UDP, for debugging or very old kernels without VXLAN support.
      • AWS, GCE, and AliVPC, which are experimental and unsupported.
    • No network security policy support.
  • Kube-Router
    • Currently alpha.
    • Distributed load balancer, firewall, and router purposely built for Kubernetes.
  • Romana
    • Romana automates the creation of isolated cloud native networks and secures applications with a distributed firewall that applies access control policies consistently across all endpoints (pods or VMs) and services, wherever they run.
    • Through Romana’s topology aware IPAM, endpoints receive natively routable addresses: no overlays or tunnels are required, increasing performance and providing operational simplicity.
    • Because IP addresses are assigned with network topology in mind, routes within the network are highly aggregated, reducing the impact on networking hardware and allowing more secure configurations.
    • Supports Kubernetes and OpenStack clusters, on premise or on AWS.

  • Weave Net.
    • An overlay network.
    • In-built IPAM.
    • Network policy support.
    • Encryption in transit.
    • Distributed firewall.
    • Service discovery.
    • Enables UDP multicast.