Embed Size (px)
Citation preview
Kubernetes Networking
Bryan Boreham, Director of Engineering
@bboreham
What does Weave do?
Weave lets devops
iterate faster with:
• observability &
monitoring
• continuous delivery
• container networks &
firewalls
Kubernetes is our #1
platform
What you should learn
1. How clients talk to services in Kubernetes
2. Connecting containers: overlay vs native
3. Connecting into your cluster: NodePort, HostPort, LoadBalancer, Ingress
4. Be better equipped to troubleshoot
https://media.timeout.com/images/103755908/630/472/image.jpg
• Docker
• Kubernetes
• Weave
Who is working with...
What is Kubernetes?
https://image.shutterstock.com/z/stock-photo-vintage-photo-of-a-man-working-on-complex-machine-1392745.jpg
What is Kubernetes?
NodeNode Node
Master
NodeNode Node
Kubernetes runs Services
Let’s talk about Ports
A service listens on a Port at an IP address– e.g. http on port 80, postgres on port 5432– or your own custom service on 9090
192.1.6.4
9090foo
Suppose we want to run two?
• Only one thing can be listening on a port• We could give the second one a new port
number
192.1.6.4
9090
9091
foo1
foo2
How do we keep track?
• Fiddling with port numbers needs a bit of book-keeping• Could have another service where we register all the
port numbers we’ve chosen• Downside: this requires that every client uses the
registry
192.1.6.4
9090
9091
Service Registry
“Where is foo2?”
foo1
foo2
Give every service its own IP address
• Container Networking means never having to say “what port is it on?”
• Every service uses its native port number
10.20.30.429090
foo1
9090foo2
10.20.30.43
Kubernetes Concepts
Pod
IP addr
Node
Container
Just one thing though
• Now, when we contact a service, we need to know its IP address.
• There is a standard way to do that
DNS
“Where is foo2?”
10.20.30.42
foo1
foo2
10.20.30.43
• Run multiple instances of a service• Clients should call one of them, don’t care
which
foo
10.20.10.1
foo
10.20.29.13
Now add Scaling and Redundancy
foo
10.20.30.42
DNS can do this. Right?
• Some clients will re-query on every call
• Some clients will cache the result too long
• Most clients will not round-robin
http://gunshowcomic.com/648
• DNS name resolves to a stable Virtual IP address
• Kube-proxy translates VIP to one Pod IP
Kubernetes Cluster IPs
kube-dns
10.20.30.42
kube-proxy100.96.0.30->10.20.30.42
foo
“Where is foo?”- 100.96.0.30 192.1.6.4
We need network packets to go from one pod to another pod, across whatever sits in the middle
Let’s talk about Pod Networking
10.20.30.42
192.1.6.4192.1.6.3
10.20.9.1
Who controls your network?
http://philippel.deviantart.com/art/DUNE-Sandworm-Rising-403336019
If you have the IP space, and you control the network, just program the routers
Pod Network: Routes
10.20.30.42
192.1.6.4192.1.6.3
10.20.30.0/24:via 192.1.6.4
10.20.9.0/24:via 192.1.6.3
10.20.9.1
Packets are encapsulated before they leave the machine
Pod Network: Overlay
10.20.30.42
192.1.6.4192.1.6.3
10.20.9.1
192.1.6.3->192.1.6.4[10.20.9.1->10.20.30.42]
The Three Commandments
...of Kubernetes Networking:
• All containers can communicate with all other
containers
• All nodes can communicate with all containers
(and vice-versa)
• The IP that a container sees itself as is the same
IP that others see it as
CNI: the Container Network Interface
kubelet
Pod
InterfacePlugin
Pod Network
ADD
• One high-numbered port, on every Node in the cluster• Can bounce from one machine to another
Exposing services: NodePort
10.20.30.42
kube-proxy:30021->10.20.30.42:80
foo
192.1.6.4 :30021
• Specific port is mapped locally on the host• “Don’t use hostPort unless it is absolutely necessary”
Exposing services: HostPort
10.20.30.42
:8080->10.20.30.42:80
foo
192.1.6.4 :8080
• Layer 4 - works for any TCP-based protocol• Available for specific implementations, e.g. ELB
Exposing services: LoadBalancer
LB
foo
cloud-controller
Programs endpoints
kube-proxy / iptables
foo
• Layer 7 - defined for http only• Available for specific implementations, e.g. nginx, ALB
Exposing services: Ingress
ingress controller
foo foo
Master
Example Ingress configapiVersion: extensions/v1beta1kind: Ingressspec:
rules:- host: foo.bar.com
http:paths:- path: /foo
backend:serviceName: s1servicePort: 80
- path: /barbackend:serviceName: s2servicePort: 80
Recap: all you need to know
• Kubernetes runs Pods which implement Services
• Pods need a Pod Network - routed or Overlay
• Pod network is driven via CNI
• Clients connect to Services via virtual Cluster IPs
• Kubernetes has many ways to expose a Service outside the cluster - each has pros and cons
Thanks! Questions?
We are hiring!Engineers in SF & London
weave.works/hiring
What’s Next?
• Try Weave Cloud– https://cloud.weave.works
• Join the Weave user group!– meetup.com/pro/Weave
• Get in touch! (Slack, Email, etc.)– weave.works/help
