2. Labyrinth Labs
Rock-solid infrastructure and DevOps
● Building rock-solid and secure foundations for all your digital operations. Our
mission is to let you focus on your business without ever needing to worry about
technical issues again.
● Making you ready for growing traffic, safe against new security vulnerabilities and
data-loss.
2
3. Kubernetes Architecture
● Master acts as the control plane for Kubernetes. Kubernetes master is
responsible for maintaining the desired state for cluster. The “master” refers to a
collection of processes managing and is responsible at a minimum for running
scheduler, cluster controller, API Server.
● Nodes acts as the “worker” of Kubernetes cluster. The nodes in a cluster are the
machines (VMs, physical servers, etc) that run your applications and cloud
workflows. The Kubernetes master controls each node.
3
7. Kubernetes Plugins
● CRI (Container Runtime Interface) is an interface used for communication
between kubelet and container runtime
○ Docker
○ Cri-o
○ rkt
● CSI (Container Storage Interface) is an unified interface between container
orchestration systems and storage vendors
○ EBS
○ NetApp
○ Ceph
● CNI (Container Networking Interface) is an interface between network namespace
and container runtime
7
8. What is a CNI Plugin ?
● Simplest interface between container runtime and network
implementation
● Originated at CoreOS as part of Rkt Container runtime
● CNCF project
● Repository: https://github.com/containernetworking/cni
● Specification: the API between runtimes and network plugins
8
9. Kubernetes CNI Requirements
● pods on a node can communicate with all pods on all nodes without NAT
● agents on a node (e.g. system daemons, kubelet) can communicate with all pods
on that node
● pods in the host network of a node can communicate with all pods on all nodes
without NAT
● containers within a Pod share their network namespaces
○ You can access other container services through localhost
9
10. Kubernetes CNI Implementation
● Containers in a pod exists within network namespace and share same IP -
○ this setup allow for intrapod communication over localhost
● Pod are given cluster unique IP for the duration of its lifecycle
● Services are given a persistent cluster unique IP that spans Pods lifecycle
● External connectivity is generally handled by an infrastructure (default GWs)
10
11. Kubernetes CNI Workflow
● Container runtime executes CNI plugin with given config
● CNI Plugin executes IPAM module to configure IP addresses on a configured
interface
11
12. Demo Time vol.1
● Show
● CNI Plugin executes IPAM module to configure IP addresses on a configured
interface
12
16. Calico - Detailed description
● Best overall choice for performance, flexibility and power
● Calico requires Layer 3 network which is using BGP protocol to route packets
between hosts and pods
● Network Policies can be created to manage network access between pods
16
18. Kube-router - Detailed description
● Turnkey solutions for:
○ Pod Networking
■ kube-router handles Pod networking efficiently with direct routing thanks to the BGP
protocol and the GoBGP Go library.
○ IPVS/LVS Service Proxy
■ Kube-router uses battle-tested Linux LVS/IPVS to provide a service proxy and provides rich
set of scheduling options and enables advanced use-cases like DSR
○ Network Load Balancer
■ Kube-router has the ability to advertise service VIP's to L3 fabric BGP peers. So you can do
network load balancing with ECMP.
18
19. AWS VPC CNI - Detailed description
● Plugin used only in AWS deployments offers
○ High throughput
○ High availability
○ Low latency
○ Minimal network jitter
● Allocates/Attaches new AWS Elastic Networking Interfaces (ENIs) to nodes
○ There is a maximum number of interfaces attachable to running instance
○ VPC flow logs
○ VPC routing policies
○ security groups
19
Connect to one K8s node and show where CNI config is. Show how pod looks like from inside a node.
cat /etc/cni/net.d/10-calico.conflist
kubectl run my-bash --rm --restart=Never -it --image=haad/ubuntu-fat:latest -- bash
ip a s
calicoctl.sh ipam show --ip=10.233.121.84
calicoctl.sh get -o yaml ipPool