Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond

From KubeCon Amsterdam 2023 (https://sched.co/1Hyaz)

Kubernetes promises that we can run containerized workloads in any cloud, and according to a recent InfoWorld article, "2023 may [finally] be the year of multicloud Kubernetes". For this to happen, we need seamless connectivity between workloads across clusters, regardless of the cloud they're running on. From the perspective of a developer, shouldn't connectivity across clouds be as simple as connectivity within a cluster? This talk shows how Cilium takes care of connectivity across multiple clusters in a cloud-agnostic way, and of connectivity between Kubernetes and legacy workloads.

Liz Rice

April 21, 2023
Transcript

  1. Keeping It Simple: Cilium Networking for Multi-cloud Kubernetes And Beyond

    Liz Rice | @lizrice
    Chief Open Source Officer, Isovalent
    CNCF and OpenUK Board
  2. @lizrice

    Connect workloads in multiple clusters and non-Kubernetes environments in public clouds and on-prem securely: network policies and authenticated + encrypted

    Cilium Mesh
  3. @lizrice

    ❯ k get svc
    NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    kubernetes   ClusterIP   192.168.0.1     <none>        443/TCP   4h20m
    resistance   ClusterIP   192.168.0.246   <none>        80/TCP    4h19m

    ❯ k exec -it r2-d2 -- nslookup resistance
    …
    Name:    resistance-base.default.svc.cluster.local
    Address: 192.168.0.246

    Service names resolve to an IP address
  4. @lizrice

    ❯ k get endpoints
    NAME         ENDPOINTS                                         AGE
    kubernetes   172.19.0.3:6443                                   4h18m
    resistance   10.0.0.173:8080,10.0.0.244:8080,10.0.0.31:8080   4h17m

    ❯ k get pods -o wide
    NAME                          READY   STATUS    RESTARTS   AGE     IP
    bb-8                          1/1     Running   0          5m48s   10.0.0.119
    resistance-5f77df8c9c-56svw   1/1     Running   0          78m     10.0.0.173
    resistance-5f77df8c9c-8vvvc   1/1     Running   0          78m     10.0.0.31
    resistance-5f77df8c9c-ppxjp   1/1     Running   0          78m     10.0.0.244

    Pods provide endpoints for services
  5. @lizrice Cilium knows about services and endpoints

    ❯ ks exec -it $CPOD -- cilium service list
    ID   Frontend           Service Type   Backend
    …
    7    192.168.0.246:80   ClusterIP      1 => 10.0.0.31:8080 (active)
                                           2 => 10.0.0.244:8080 (active)
                                           3 => 10.0.0.173:8080 (active)

    ❯ ks exec -it $CPOD -- cilium endpoint list
    ENDPOINT   …   IDENTITY   LABELS (source:key[=value])                                                IPv6   IPv4         STATUS
    …
    59         …   135505     k8s:app=resistance-base                                                           10.0.0.173   ready
                              k8s:io.cilium.k8s.policy.cluster=d-qar
                              k8s:io.cilium.k8s.policy.serviceaccount=default
                              k8s:io.kubernetes.pod.namespace=default
                              k8s:org=resistance
                              k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
    …
  6. @lizrice ClusterMesh - endpoints around the mesh

    ❯ ks exec -it $CPOD -- cilium service list
    ID   Frontend          Service Type   Backend
    …
    8    192.168.0.30:80   ClusterIP      1 => 10.0.0.31:8080 (active)
                                          2 => 10.0.0.244:8080 (active)
                                          3 => 10.0.0.173:8080 (active)
                                          4 => 10.0.0.136@2:8080 (active)
                                          5 => 10.0.0.4@2:8080 (active)
                                          6 => 10.0.0.120@2:8080 (active)
    …
  7. @lizrice

    ❯ k describe svc ahch-to
    Name:         ahch-to
    Annotations:  io.cilium/global-service: true
                  io.cilium/portal: true
    Selector:     jedi=luke
    Type:         ClusterIP
    IP:           192.168.0.202
    IPs:          192.168.0.202
    Port:         <unset>  80/TCP
    TargetPort:   80/TCP
    Endpoints:    <none>

    ❯ ks exec -it $CPOD -- cilium endpoint add --name=ahch-to --labels=jedi=luke --ip=172.19.100.2

    ❯ ks exec -it $CPOD -- cilium service list
    ID   Frontend           Service Type   Backend
    …
    9    192.168.0.202:80   ClusterIP      1 => 172.19.100.2:80 (active)

    Add Cilium endpoints for external workloads
  8. @lizrice

    apiVersion: cilium.io/v2
    kind: CiliumClusterwideNetworkPolicy
    metadata:
      name: resistance
    spec:
      endpointSelector:
        matchLabels:
          org: resistance
      ingress:
      - fromEndpoints:
        - matchLabels:
            org: resistance

    CiliumNetworkPolicies protect traffic to/from endpoints
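As an added example (not one of the slides), the same clusterwide policy tightened with the cluster label that the endpoint list on slide 5 reports for every endpoint, so that `org=resistance` endpoints accept ingress only from `org=resistance` endpoints running in cluster `d-qar` and only on the pods' port 8080. The cluster name and port come from the slides; restricting to a single cluster is an assumed requirement for the sake of illustration.

```yaml
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  # Hypothetical policy name, not from the deck
  name: resistance-same-cluster-only
spec:
  # Selects every endpoint labelled org=resistance, in any namespace.
  # Once selected by an ingress rule, the endpoint is default-deny for
  # any ingress the rules below do not allow.
  endpointSelector:
    matchLabels:
      org: resistance
  ingress:
  - fromEndpoints:
    - matchLabels:
        org: resistance
        # Cluster name as shown in the endpoint labels on slide 5;
        # with ClusterMesh, this keeps the peers in other clusters out.
        io.cilium.k8s.policy.cluster: d-qar
    toPorts:
    - ports:
      # The resistance pods serve on 8080 (see the endpoints on slide 4)
      - port: "8080"
        protocol: TCP
```

Without the `io.cilium.k8s.policy.cluster` label, the `org=resistance` match would also admit the `@2` backends that ClusterMesh adds on slide 6, because identities are shared across the mesh.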
  9. @lizrice Require authentication for connections to backends

    CiliumNetworkPolicy specifies authentication policy
    Auth PR: https://github.com/cilium/cilium/pull/24263
    Encryption tracked under: https://github.com/cilium/cilium/issues/22215

    apiVersion: "cilium.io/v2"
    kind: CiliumNetworkPolicy
    metadata:
      name: "auth-ingress"
    spec:
      endpointSelector:
        matchLabels:
          app: backend
      ingress:
      - fromEndpoints:
        - matchLabels:
            app: frontend
        auth:
          required: strict
  10. @lizrice

    Connect workloads in multiple clusters and non-Kubernetes environments in public clouds and on-prem securely: network policies and authenticated + encrypted ✅ ✅ ✅ ✅ ✅ ✅

    Cilium Mesh