Kubernetes Network Models (why is this so dang hard?)

Kubernetes Network Models Tim Hockin, Google Sept. 10, 2020 @thockin

Kubernetes clusters are made up of nodes • Machines -
virtual or physical Those nodes exist on some network Pods run on those nodes Pods get IP addresses “Network model” describes how those pod IPs integrate with the larger network What does “network model” mean?

Wait, what?

1) Pods on a node can communicate with all pods
on all nodes without NAT 2) Agents on a node (e.g. system daemons, kubelet) can communicate with all pods on that node Kubernetes networking in 2 bullets

Let’s start with a “normal” cluster

Network: 10.0.0.0/8

Network: 10.0.0.0/8 Cluster: 10.0.0.0/16

NOTE: It’s not required that a cluster be a single
IP range, but it’s very common and makes the pictures easier

Network: 10.0.0.0/8 Cluster: 10.0.0.0/16

Network: 10.0.0.0/8 Cluster: 10.0.0.0/16 Node1: IP: 10.240.0.1 Node2: IP: 10.240.0.2

Network: 10.0.0.0/8 Cluster: 10.0.0.0/16 Node1: IP: 10.240.0.1 Pod range: 10.0.1.0/24
Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24

NOTE: It’s not required that nodes have a predeﬁned IP
range, but it’s very common and makes the pictures easier

Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24

Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-b: 10.0.1.2 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2

Pods get IPs from the node’s IP range (again, not
always, but usually)

Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-b: 10.0.1.2 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2

Kubernetes does not say anything about things outside of the
cluster

Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-b: 10.0.1.2 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Other: 10.128.1.1 ? Other: 10.128.1.2 ?

Multi-cluster makes it even more confusing

Network: 10.0.0.0/8 Other: 10.128.1.1 Cluster: 10.0.0.0/16 Node1: IP: 10.240.0.1 Pod
range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.1.0.0/16 Node1: IP: 10.240.0.3 Pod range: 10.1.1.0/24 Node2: IP: 10.240.0.4 Pod range: 10.1.2.0/24 Pod-a: 10.1.1.1 Pod-c: 10.1.2.1 Pod-d: 10.1.2.2 Pod-b: 10.1.1.2 ? ? Other: 10.128.1.2 ?

Network models (not exhaustive)

Fully-integrated (aka ﬂat)

range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.1.0.0/16 Node1: IP: 10.240.0.3 Pod range: 10.1.1.0/24 Node2: IP: 10.240.0.4 Pod range: 10.1.2.0/24 Pod-a: 10.1.1.1 Pod-c: 10.1.2.1 Pod-d: 10.1.2.2 Pod-b: 10.1.1.2 Other: 10.128.1.2

Good when: • IP space is readily available • Network
is programmable / dynamic • Need high integration / performance • Kubernetes is a large part of your footprint

Bad when: • IP fragmentation / scarcity • Hard-to-conﬁgure network
infrastructure • Kubernetes is a small part of your footprint

Fully-isolated (aka air-gapped)

range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.1.0.0/16 Node1: IP: 10.240.0.3 Pod range: 10.1.1.0/24 Node2: IP: 10.240.0.4 Pod range: 10.1.2.0/24 Pod-a: 10.1.1.1 Pod-c: 10.1.2.1 Pod-d: 10.1.2.2 Pod-b: 10.1.1.2 Other: 10.128.1.2

In fact, you can re-use all of the IPs

Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.0.0.0/16 Node1: IP: 10.240.0.1 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 same!

In fact, they are basically on different networks

Network: 10.0.0.0/8 Network: 10.0.0.0/8 Network: 10.0.0.0/8 Other: 10.128.1.1 Cluster: 10.0.0.0/16
Node1: IP: 10.240.0.1 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.0.0.0/16 Node1: IP: 10.240.0.1 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Other: 10.128.1.2

Good when: • Don’t need integration • IP space is
scarce / fragmented • Network is not programmable / dynamic • May be easier to reason about security boundaries

Bad when: • Need communication across a cluster-edge

Bridged (aka island mode)

range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.1.0.0/16 Node1: IP: 10.240.0.3 Pod range: 10.1.1.0/24 Node2: IP: 10.240.0.4 Pod range: 10.1.2.0/24 Pod-a: 10.1.1.1 Pod-c: 10.1.2.1 Pod-d: 10.1.2.2 Pod-b: 10.1.1.2 gateway gateway gateway Other: 10.128.1.2

You can re-use the Pod IPs in each cluster (a
major motivation for this model)

range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.0.0.0/16 Node1: IP: 10.240.0.3 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.4 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 gateway gateway gateway Other: 10.128.1.2 same!

Good when: • Need some integration • IP space is
scarce / fragmented • Network is not programmable / dynamic

Bad when: • Need to debug connectivity • Need direct-to-endpoint
communications • Need a lot of services exposed (especially non-HTTP) • Rely on client IPs for ﬁrewalls • Large number of nodes

Various forms of “gateway”

Gateway: nodes

Network: 10.0.0.0/8 Other: 10.128.1.1 Cluster: 10.0.0.0/16 Node1: 10.0.1.0/24 Node2: 10.0.2.0/24
Node1: IP: 10.240.0.1 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.0.0.0/16 Node1: 10.1.1.0/24 Node2: 10.1.2.0/24 Node1: IP: 10.240.0.3 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.4 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Other: 10.128.1.2

Ingress: Service NodePorts

Node1: IP: 10.240.0.1 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.1.0.0/16 Node1: 10.1.1.0/24 Node2: 10.1.2.0/24 Node1: IP: 10.240.0.3 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.4 Pod range: 10.0.2.0/24 Pod-a: 10.1.1.1 Pod-c: 10.1.2.1 Pod-d: 10.1.2.2 Pod-b: 10.1.1.2 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Other: 10.128.1.2

Node uses IP dst_port to route to correct service (DNAT)

You can ingress L4 into an L7 proxy and forward
from there (e.g. in-cluster ingress controllers)

Egress: IP Masquerade (aka SNAT)

SNAT obscures client IP (Traﬃc from pods on a node
appears to come from that node’s IP)

Gateway: VIP (ingress)

Node1: IP: 10.240.0.1 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.1.0.0/16 Node1: 10.1.1.0/24 Node2: 10.1.2.0/24 Node1: IP: 10.240.0.3 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.4 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 VIP VIP Other: 10.128.1.2

Similar to NodePort, but node uses IP dst_ip to route

Still needs something like SNAT to egress

Gateway: Proxy (ingress)

Node1: IP: 10.240.0.1 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.1.0.0/16 Node1: 10.1.1.0/24 Node2: 10.1.2.0/24 Node1: IP: 10.240.0.3 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.4 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Proxy Proxy Other: 10.128.1.2

Can either route to NodePort or directly to pod IPs
(e.g. proxy knows how to “get onto the island”)

Proxy obscures client IP (Traﬃc appears to come from the
proxy’s IP)

Still needs something like SNAT to egress

There’s a LOT more to know about ingress (for another
presentation)

Options for egress are poorly explored, so far

Archipelago (aka bigger islands)

Network: 10.0.0.0/8 Cluster: 10.0.0.0/16 Other: 10.128.1.1 Cluster: 10.0.0.0/16 Node1: IP:
10.240.0.1 Pod range: 10.0.1.0/24 Node2: IP: 10.240.0.2 Pod range: 10.0.2.0/24 Pod-a: 10.0.1.1 Pod-c: 10.0.2.1 Pod-d: 10.0.2.2 Pod-b: 10.0.1.2 Cluster: 10.1.0.0/16 Node1: IP: 10.240.0.3 Pod range: 10.1.1.0/24 Node2: IP: 10.240.0.4 Pod range: 10.1.1.0/24 Pod-a: 10.1.1.1 Pod-c: 10.1.2.1 Pod-d: 10.1.2.2 Pod-b: 10.1.1.2 gateway Other: 10.128.1.2 gateway

Can’t reuse pod IPs between clusters, but can between archipelagos

Good when: • Need high integration across clusters • Need
some integration with non-kubernetes • IP space is scarce / fragmented • Network is not programmable / dynamic

Bad when: • Need to debug connectivity • Need direct-to-endpoint
communications • Need a lot of services exposed to non-k8s • Rely on client IPs for ﬁrewalls • Large number of nodes across all clusters

Gateway options are similar to plain island mode

Which one should you use?

There is no “right answer”. You have to consider the
tradeoffs. Sorry.

Questions?

Sept 25: Ambassador webinar Kaslin Fields and Bowei Du will
present the webinar “The evolution of Ingress through the Gateway API” Follow https://www.cncf.io/upcoming-webinars/ for more details

Kubernetes Network Models (why is this so dang ...

Kubernetes Network Models (why is this so dang hard?)

More Decks by Tim Hockin

Other Decks in Technology

Featured

Transcript