Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bringing routes to K8s Nodes: Introducing FRR-K8S

Federico Paolinelli
February 06, 2024
100

Bringing routes to K8s Nodes: Introducing FRR-K8S

In this talk I am going to present frr-k8s, a kubernetes wrapper of the popular FRRRouting project that was just released. I will describe:

- how the project can be used to deploy FRR on a kubernetes cluster in an effective way
- what features of FRR (specifically, BGP related) can be leveraged in order to simplify cluster networking
- how to use this project in combination of MetalLB (which is a spinoff of), to leverage a single FRR instance for multiple purposes
- what are some of the network related problems that can be solved with this new component
- a quick summary of the internals of the project

By using this new project, the listeners will be able to handle some of the networking they are probably already facing in a more scalable and maintainable way.

Federico Paolinelli

February 06, 2024
Tweet

Transcript

  1. Telco Network Team @ Red Hat Contributed to: - KubeVirt

    - SR-IOV Network Operator - OPA Gatekeeper - OVN-Kubernetes hachyderm.io/@fedepaol - CNI Plugins @fedepaol - MetalLB [email protected] About me
  2. FRRouting (FRR) is a free and open source Internet routing

    protocol suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP [...] FRR has its roots in the Quagga project. FRR
  3. MetalLB MetalLB is a load-balancer implementation for bare metal Kubernetes

    clusters, using standard routing protocols (github.com/metallb/metallb)
  4. 8 BGP Peer BGPAdv Service Code Data Go Template frr.conf

    frr-reload.py Current configuration Kubernetes API Speaker Pod BGP BGP BGP
  5. “Can I run MetalLB together with my FRR instance on

    the cluster nodes?” A Fosdem 2023 attendee
  6. Running two FRR instances Pros: • Nothing to do on

    MetalLB side! Cons: • Duplicate number of sessions (and resources) • Custom ports Node MetalLB Speaker
  7. Cascade two FRR instances Pros: • The user has control

    on the FRR config Cons: • Limits the flexibility on MetalLB • FRR was not able to peer with localhost (Issue 11366) • How about BFD? Node MetalLB Speaker
  8. Share the FRR instance with MetalLB Pros: • The extra

    configuration can scale • No waste of resources / sessions Cons: • Getting the right API is tricky • Not clear how to handle conflicts Node API MetalLB Speaker FRR Daemon User
  9. FRR-K8s github.com/metallb/frr-k8s A Kubernetes based daemonset that exposes a subset

    of the FRR API in a Kubernetes compliant manner. The rationale behind the creation of this project is to allow multiple actors to share a single FRR instance running on kubernetes nodes.
  10. 21 FRRConfiguration Code Data Go Template frr.conf frr-reload.py Current configuration

    Kubernetes API FRR-K8s Pod BGP BGP BGP FRRConfiguration FRRConfiguration
  11. https://flic.kr/p/fUF8mY How to deploy it Standalone via: - Helm -

    Kustomize - All in one manifest With MetalLB when choosing FRR-K8s mode github.com/metallb/frr-k8s?tab=readme-ov-file#installing
  12. - What granularity of the API should we expose? -

    How do we merge configurations? - Can we intercept configuration conflicts? - The interaction with MetalLB must be smooth Challenges
  13. Configuring BGP apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all
  14. Configuring BGP apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all
  15. Configuring BGP apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all
  16. Configuring BGP apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all
  17. Configuring BGP apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all
  18. Configuring BGP apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 toAdvertise: allowed: mode: all toReceive: allowed: mode: all
  19. apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: advsome namespace: frr-k8s-system spec:

    bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 prefixes: - 192.168.2.0/24 - 192.169.2.0/24 Advertising Prefixes
  20. Advertising Prefixes apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: advsome namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 prefixes: - 192.168.2.0/24 - 192.169.2.0/24 routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 prefixes: - 192.168.2.0/24 - 192.169.2.0/24
  21. Advertising Prefixes apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: advsome namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 prefixes: - 192.168.2.0/24 - 192.169.2.0/24 routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 prefixes: - 192.168.2.0/24 - 192.169.2.0/24
  22. Advertising Prefixes apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: advsome namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 prefixes: - 192.168.2.0/24 - 192.169.2.0/24 routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 prefixes: - 192.168.2.0/24 - 192.169.2.0/24
  23. Receiving Prefixes apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: recv namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toReceive: allowed: prefixes: - prefix: 192.169.1.0/24 le: 32g
  24. Receiving Prefixes apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: recv namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toReceive: allowed: prefixes: - prefix: 192.169.1.0/24 le: 32g neighbors: - address: 172.18.0.5 asn: 64512 toReceive: allowed: prefixes: - prefix: 192.169.1.0/24 le: 32 - address: 172.18.0.6 asn: 64512 toReceive: allowed: mode: all
  25. Receiving Prefixes apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: recv namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toReceive: allowed: prefixes: - prefix: 192.169.1.0/24 le: 32g neighbors: - address: 172.18.0.5 asn: 64512 toReceive: allowed: prefixes: - prefix: 192.169.1.0/24 le: 32 - address: 172.18.0.6 asn: 64512 toReceive: allowed: mode: all
  26. Node Selector apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 nodeSelector: labelSelector: role: "worker"
  27. Node Selector apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test namespace:

    frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.30.0.3 asn: 64512 port: 180 nodeSelector: labelSelector: role: "worker" nodeSelector: labelSelector: role: "worker"
  28. Raw Configuration apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test namespace:

    frr-k8s-system spec: raw: rawConfig: |- router bgp 64512 neighbor 172.18.0.5 remote-as 4200000000 neighbor 172.18.0.5 timers 0 0 neighbor 172.18.0.5 port 180 address-family ipv4 unicast neighbor 172.18.0.5 activate neighbor 172.18.0.5 route-map 172.18.0.5-in in neighbor 172.18.0.5 route-map 172.18.0.5-out out exit-address-family
  29. Raw Configuration apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test namespace:

    frr-k8s-system spec: raw: rawConfig: |- router bgp 64512 neighbor 172.18.0.5 remote-as 4200000000 neighbor 172.18.0.5 timers 0 0 neighbor 172.18.0.5 port 180 address-family ipv4 unicast neighbor 172.18.0.5 activate neighbor 172.18.0.5 route-map 172.18.0.5-in in neighbor 172.18.0.5 route-map 172.18.0.5-out out exit-address-family raw: rawConfig: |- router bgp 64512 neighbor 172.18.0.5 remote-as 4200000000 neighbor 172.18.0.5 timers 0 0 neighbor 172.18.0.5 port 180
  30. Node 1 FRR Daemon FRR Configuration Node 2 FRR Daemon

    FRR Configuration FRR Configuration Merging
  31. - A configuration must be self-contained - A configuration can

    only add to the existing configuration - A more permissive configuration can override a less permissive one Guiding principles
  32. Merging apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test-1 namespace: frr-k8s-system

    spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: all - address: 172.30.0.3 asn: 4200000000 prefixes: - 192.168.2.0/24 - 192.169.2.0/24 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test-0 namespace: frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: all - address: 172.30.0.3 asn: 4200000000 prefixes: - 192.168.2.0/24 - 192.169.2.0/24
  33. Merging apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test-1 namespace: frr-k8s-system

    spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: all - address: 172.30.0.3 asn: 4200000000 prefixes: - 192.168.2.0/24 - 192.169.2.0/24 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test-0 namespace: frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: all - address: 172.30.0.3 asn: 4200000000 prefixes: - 192.168.2.0/24 - 192.169.2.0/24
  34. Merging apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test-1 namespace: frr-k8s-system

    spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: all - address: 172.30.0.3 asn: 4200000000 prefixes: - 192.168.2.0/24 - 192.169.2.0/24 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test-0 namespace: frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: all - address: 172.30.0.3 asn: 4200000000 prefixes: - 192.168.2.0/24 - 192.169.2.0/24
  35. Merging apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test-1 namespace: frr-k8s-system

    spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: all - address: 172.30.0.3 asn: 4200000000 prefixes: - 192.168.2.0/24 - 192.169.2.0/24 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: test-0 namespace: frr-k8s-system spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: prefixes: - 192.168.2.0/24 neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: all - address: 172.30.0.3 asn: 4200000000 prefixes: - 192.168.2.0/24 - 192.169.2.0/24
  36. Exposing the Status apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRNodeState metadata: name: frr-k8s-worker

    spec: {} status: lastConversionResult: success lastReloadResult: success runningConfig: | Building configuration... Current configuration: ! frr version 8.4.2_git frr defaults traditional hostname frr-k8s-worker log file /etc/frr/frr.log informational ! router bgp 64512 neighbor 172.18.0.5 remote-as 64512
  37. Exposing the Status apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRNodeState metadata: name: frr-k8s-worker

    spec: {} status: lastConversionResult: success lastReloadResult: success runningConfig: | Building configuration... Current configuration: ! frr version 8.4.2_git frr defaults traditional hostname frr-k8s-worker log file /etc/frr/frr.log informational ! router bgp 64512 neighbor 172.18.0.5 remote-as 64512 lastConversionResult: success lastReloadResult: success runningConfig: | Building configuration... Current configuration: ! frr version 8.4.2_git frr defaults traditional hostname frr-k8s-worker log file /etc/frr/frr.log informational ! router bgp 64512 neighbor 172.18.0.5 remote-as 64512
  38. Exposing the Status apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRNodeState metadata: name: frr-k8s-worker

    spec: {} status: lastConversionResult: success lastReloadResult: success runningConfig: | Building configuration... Current configuration: ! frr version 8.4.2_git frr defaults traditional hostname frr-k8s-worker log file /etc/frr/frr.log informational ! router bgp 64512 neighbor 172.18.0.5 remote-as 64512 lastConversionResult: success lastReloadResult: success runningConfig: | Building configuration... Current configuration: ! frr version 8.4.2_git frr defaults traditional hostname frr-k8s-worker log file /etc/frr/frr.log informational ! router bgp 64512 neighbor 172.18.0.5 remote-as 64512
  39. Exposing the Status apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRNodeState metadata: name: frr-k8s-worker

    spec: {} status: lastConversionResult: success lastReloadResult: success runningConfig: | Building configuration... Current configuration: ! frr version 8.4.2_git frr defaults traditional hostname frr-k8s-worker log file /etc/frr/frr.log informational ! router bgp 64512 neighbor 172.18.0.5 remote-as 64512 lastConversionResult: success lastReloadResult: success runningConfig: | Building configuration... Current configuration: ! frr version 8.4.2_git frr defaults traditional hostname frr-k8s-worker log file /etc/frr/frr.log informational ! router bgp 64512 neighbor 172.18.0.5 remote-as 64512
  40. Exposing the Status apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRNodeState metadata: name: frr-k8s-worker

    spec: {} status: lastConversionResult: success lastReloadResult: success runningConfig: | Building configuration... Current configuration: ! frr version 8.4.2_git frr defaults traditional hostname frr-k8s-worker log file /etc/frr/frr.log informational ! router bgp 64512 neighbor 172.18.0.5 remote-as 64512 lastConversionResult: success lastReloadResult: success runningConfig: | Building configuration... Current configuration: ! frr version 8.4.2_git frr defaults traditional hostname frr-k8s-worker log file /etc/frr/frr.log informational ! router bgp 64512 neighbor 172.18.0.5 remote-as 64512
  41. apiVersion: metallb.io/v1beta2 kind: BGPPeer metadata: annotations: name: peer namespace: metallb-system

    spec: myASN: 64512 peerASN: 64512 peerAddress: 172.18.0.5 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: metallb-kind-worker spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 nodeSelector: matchLabels: kubernetes.io/hostname: kind-worker With MetalLB
  42. apiVersion: metallb.io/v1beta2 kind: BGPPeer metadata: annotations: name: peer namespace: metallb-system

    spec: myASN: 64512 peerASN: 64512 peerAddress: 172.18.0.5 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: metallb-kind-worker spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 nodeSelector: matchLabels: kubernetes.io/hostname: kind-worker With MetalLB bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 nodeSelector: matchLabels: hostname: worker0
  43. apiVersion: metallb.io/v1beta2 kind: BGPPeer metadata: annotations: name: peer namespace: metallb-system

    spec: myASN: 64512 peerASN: 64512 peerAddress: 172.18.0.5 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: metallb-kind-worker spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 nodeSelector: matchLabels: kubernetes.io/hostname: kind-worker With MetalLB bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 nodeSelector: matchLabels: hostname: worker0
  44. apiVersion: metallb.io/v1beta2 kind: BGPPeer metadata: annotations: name: peer namespace: metallb-system

    spec: myASN: 64512 peerASN: 64512 peerAddress: 172.18.0.5 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: metallb-kind-worker spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 nodeSelector: matchLabels: kubernetes.io/hostname: kind-worker With MetalLB bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 nodeSelector: matchLabels: hostname: worker0
  45. apiVersion: metallb.io/v1beta2 kind: BGPPeer metadata: annotations: name: peer namespace: metallb-system

    spec: myASN: 64512 peerASN: 64512 peerAddress: 172.18.0.5 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: metallb-kind-worker spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 nodeSelector: matchLabels: kubernetes.io/hostname: kind-worker With MetalLB neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: filtered prefixes: - 192.168.10.0/32 prefixes: - 192.168.10.0/32
  46. apiVersion: metallb.io/v1beta2 kind: BGPPeer metadata: annotations: name: peer namespace: metallb-system

    spec: myASN: 64512 peerASN: 64512 peerAddress: 172.18.0.5 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: metallb-kind-worker spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 nodeSelector: matchLabels: kubernetes.io/hostname: kind-worker With MetalLB neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: filtered prefixes: - 192.168.10.0/32 prefixes: - 192.168.10.0/32
  47. apiVersion: metallb.io/v1beta2 kind: BGPPeer metadata: annotations: name: peer namespace: metallb-system

    spec: myASN: 64512 peerASN: 64512 peerAddress: 172.18.0.5 apiVersion: frrk8s.metallb.io/v1beta1 kind: FRRConfiguration metadata: name: metallb-kind-worker spec: bgp: routers: - asn: 64512 neighbors: - address: 172.18.0.5 asn: 64512 nodeSelector: matchLabels: kubernetes.io/hostname: kind-worker With MetalLB neighbors: - address: 172.18.0.5 asn: 64512 toAdvertise: allowed: mode: filtered prefixes: - 192.168.10.0/32 prefixes: - 192.168.10.0/32
  48. Resources - The FRR-K8s readme - The MetalLB documentation -

    The #metallb channel on the kubernetes slack - FRR docs frrouting.org