
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond

From KubeCon Amsterdam 2023 (https://sched.co/1Hyaz)

Kubernetes promises that we can run containerized workloads in any cloud, and according to a recent InfoWorld article "2023 may [finally] be the year of multicloud Kubernetes". For this to happen, we need seamless connectivity between workloads across clusters, regardless of the cloud they're running on. From the perspective of a developer, shouldn't connectivity across clouds be as simple as connectivity within a cluster? This talk shows how Cilium takes care of connectivity across multiple clusters in a cloud-agnostic way, and of connectivity between Kubernetes and legacy workloads.

Liz Rice

April 21, 2023

Transcript

  1. Keeping It Simple: Cilium Networking for Multi-cloud Kubernetes And Beyond

     Liz Rice | @lizrice
     Chief Open Source Officer, Isovalent
     CNCF and OpenUK Board
  2. Connect workloads in multiple clusters and non-Kubernetes environments in public clouds and on-prem securely: network policies and authenticated + encrypted

     Cilium Mesh
  3. Service names resolve to an IP address

     ❯ k get svc
     NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
     kubernetes   ClusterIP   192.168.0.1     <none>        443/TCP   4h20m
     resistance   ClusterIP   192.168.0.246   <none>        80/TCP    4h19m

     ❯ k exec -it r2-d2 -- nslookup resistance
     …
     Name:    resistance-base.default.svc.cluster.local
     Address: 192.168.0.246
  4. Pods provide endpoints for services

     ❯ k get endpoints
     NAME         ENDPOINTS                                        AGE
     kubernetes   172.19.0.3:6443                                  4h18m
     resistance   10.0.0.173:8080,10.0.0.244:8080,10.0.0.31:8080   4h17m

     ❯ k get pods -o wide
     NAME                          READY   STATUS    RESTARTS   AGE     IP
     bb-8                          1/1     Running   0          5m48s   10.0.0.119
     resistance-5f77df8c9c-56svw   1/1     Running   0          78m     10.0.0.173
     resistance-5f77df8c9c-8vvvc   1/1     Running   0          78m     10.0.0.31
     resistance-5f77df8c9c-ppxjp   1/1     Running   0          78m     10.0.0.244
  5. Cilium knows about services and endpoints

     ❯ ks exec -it $CPOD -- cilium service list
     ID   Frontend           Service Type   Backend
     …
     7    192.168.0.246:80   ClusterIP      1 => 10.0.0.31:8080 (active)
                                            2 => 10.0.0.244:8080 (active)
                                            3 => 10.0.0.173:8080 (active)

     ❯ ks exec -it $CPOD -- cilium endpoint list
     ENDPOINT   …   IDENTITY   LABELS (source:key[=value])                                               IPv6   IPv4         STATUS
     …
     59         …   135505     k8s:app=resistance-base                                                          10.0.0.173   ready
                               k8s:io.cilium.k8s.policy.cluster=d-qar
                               k8s:io.cilium.k8s.policy.serviceaccount=default
                               k8s:io.kubernetes.pod.namespace=default
                               k8s:org=resistance
                               k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
     …
  6. ClusterMesh - endpoints around the mesh

     ❯ ks exec -it $CPOD -- cilium service list
     ID   Frontend          Service Type   Backend
     …
     8    192.168.0.30:80   ClusterIP      1 => 10.0.0.31:8080 (active)
                                           2 => 10.0.0.244:8080 (active)
                                           3 => 10.0.0.173:8080 (active)
                                           4 => 10.0.0.136@2:8080 (active)
                                           5 => 10.0.0.4@2:8080 (active)
                                           6 => 10.0.0.120@2:8080 (active)
     …
  7. Add Cilium endpoints for external workloads

     ❯ k describe svc ahch-to
     Name:         ahch-to
     Annotations:  io.cilium/global-service: true
                   io.cilium/portal: true
     Selector:     jedi=luke
     Type:         ClusterIP
     IP:           192.168.0.202
     IPs:          192.168.0.202
     Port:         <unset>  80/TCP
     TargetPort:   80/TCP
     Endpoints:    <none>

     ❯ ks exec -it $CPOD -- cilium endpoint add --name=ahch-to --labels=jedi=luke --ip=172.19.100.2

     ❯ ks exec -it $CPOD -- cilium service list
     ID   Frontend           Service Type   Backend
     …
     9    192.168.0.202:80   ClusterIP      1 => 172.19.100.2:80 (active)
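An added example (not from the talk or from the Cilium project) that parses the `cilium service list` output format shown on slides 6 and 7 and flags frontends that have no active backend at all, or whose only active backends sit in another cluster of the mesh. It assumes the `IP@N:port` suffix on the slides denotes a backend in ClusterMesh cluster ID N, and it runs over a constructed sample dump rather than captured output.

```python
"""Summarise `cilium service list` output: local vs. ClusterMesh backends per frontend.
Added example, not from the talk or the Cilium project. It assumes the `IP@N:port`
notation on the slides means "backend in ClusterMesh cluster N"."""
import re

# Constructed sample modelled on slides 6 and 7 (not captured output).
SAMPLE = """\
ID   Frontend           Service Type   Backend
8    192.168.0.30:80    ClusterIP      1 => 10.0.0.31:8080 (active)
                                       2 => 10.0.0.244:8080 (active)
                                       4 => 10.0.0.136@2:8080 (active)
                                       5 => 10.0.0.4@2:8080 (terminating)
9    192.168.0.202:80   ClusterIP      1 => 172.19.100.2:80 (active)
10   192.168.0.77:443   ClusterIP
11   192.168.0.90:80    ClusterIP      1 => 10.0.0.50@2:8080 (active)
"""
SERVICE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
BACKEND_RE = re.compile(r"(\d+) => ([\d.]+)(?:@(\d+))?:(\d+) \((\w+)\)")

def parse_service_list(text):
    """Return [{frontend, local: [(ip, port, state)], remote: {cluster: [...]}}]."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:                                  # service row; backends may follow inline
            services.append({"frontend": m[2], "local": [], "remote": {}})
            rest = m[4]
        elif services and line[:1].isspace():  # continuation row with more backends
            rest = line
        else:
            continue                           # header or unrelated text
        for _, ip, cluster, port, state in BACKEND_RE.findall(rest):
            svc = services[-1]
            bucket = svc["remote"].setdefault(int(cluster), []) if cluster else svc["local"]
            bucket.append((ip, int(port), state))
    return services

def review(services):
    """Flag frontends that drop traffic or depend entirely on the mesh link."""
    findings = []
    for s in services:
        local = [b for b in s["local"] if b[2] == "active"]
        remote = [b for bs in s["remote"].values() for b in bs if b[2] == "active"]
        if not local and not remote:
            findings.append((s["frontend"], "no active backends: connections are dropped"))
        elif not local:
            findings.append((s["frontend"], f"served only by cluster(s) {sorted(s['remote'])}"))
    return findings
```

Run it against the real output of `cilium service list` from each cluster to see which global services would go dark if the ClusterMesh connection between clusters were lost.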
  8. CiliumNetworkPolicies protect traffic to/from endpoints

     apiVersion: cilium.io/v2
     kind: CiliumClusterwideNetworkPolicy
     metadata:
       name: resistance
     spec:
       endpointSelector:
         matchLabels:
           org: resistance
       ingress:
       - fromEndpoints:
         - matchLabels:
             org: resistance
  9. Require authentication for connections to backends

     CiliumNetworkPolicy specifies authentication policy

     Auth PR: https://github.com/cilium/cilium/pull/24263
     Encryption tracked under: https://github.com/cilium/cilium/issues/22215

     apiVersion: "cilium.io/v2"
     kind: CiliumNetworkPolicy
     metadata:
       name: "auth-ingress"
     spec:
       endpointSelector:
         matchLabels:
           app: backend
       ingress:
       - fromEndpoints:
         - matchLabels:
             app: frontend
         auth:
           required: strict
  10. Connect workloads in multiple clusters and non-Kubernetes environments in public clouds and on-prem securely: network policies and authenticated + encrypted

      ✅ ✅ ✅ ✅ ✅ ✅

      Cilium Mesh