rethinking kubernetes networking with srv6 and contiv vpp
play

Rethinking kubernetes networking with SRv6 and Contiv-VPP - PowerPoint PPT Presentation

Nov 01, 2022 •118 likes •817 views

FOSDEM 20 Rethinking kubernetes networking with SRv6 and Contiv-VPP Abdelsalam, Cisco Systems ; ; Daniel Bernier, Bell Canada ; Ah Ahmed Ab ; Rastislav Szabo, Filip Gs Gschwandtner, , Pantheon.tech ; ; Mi Miroslaw Wa Walukiewicz, ,

  1. FOSDEM ’20 Rethinking kubernetes networking with SRv6 and Contiv-VPP Abdelsalam, Cisco Systems ; ; Daniel Bernier, Bell Canada ; Ah Ahmed Ab ; Rastislav Szabo, Filip Gs Gschwandtner, , Pantheon.tech ; ; Mi Miroslaw Wa Walukiewicz, , Intel FOSDEM 2020

  2. Agend nda • Kubernetes networking • SRv6 – Introduction to SRv6 – Kubernetes networking with SRv6 • Contiv-VPP – Introduction to Contiv-VPP – SRv6 support in Contiv-VPP • Accelerating SRv6 with Intel N3000 smartNIC FOSDEM 2020

  3. Kuberne netes ne networking ng (1) • Kubernetes does not provide any solution for handling containers networking – It offloads networking to third-party certified plugins called CNI plugins vs 1 vs 2 • Connectivity B:B:B:1:1:0:C:3/128 B:B:B:1:1:0:C:2/128 B:B:B:1:1:0:C:1/128 B:B:B:2:2:0:C:2/128 B:B:B:2:2:0:C:3/128 B:B:B:2:2:0:C:1/128 – Create an interface inside the pod – Connect the pod interface to the fabric – Allocate the Pod IP • Reachability K8s-worker-node K8s-worker-node Make Pod IP reachable by the whole cluster. – FOSDEM 2020

  4. Kuberne netes ne networking ng (2) • Problem statement – All your Containers need IP addresses – We do not have more enough IPv4 addresses • Solution – IPv6 https://ripe78.ripe.ne ht net/present ntations ns/39-2019 2019-05 05-23 23-bgp2 bgp2018.pdf pdf https://twitter.com/ripenc ht ncc/status/1198977232452145152 FOSDEM 2020

  5. Kuberne netes ne networking ng (3) • Problem statement – Pod-to-Pod – Network policy – Kubernetes services – Ingress – Service chaining – Inter-cluster, hybrid cloud, multi-cloud, … • Solution – SRv6 FOSDEM 2020

  6. Kuberne netes ne networking ng (4) • Problem statement – Dataplane for fast packet I/O > Kernel forwarding > XDP > VPP ht https://arxiv.org/pdf/2001.06182v1.pdf • Solution – VPP – smartNIC (accelerated VPP) ht https://www.int ntel.la/cont ntent nt/dam/www/programmable/us/en/ n/pdfs/liter ature/wp/wp-01295 at 01295-hc hcl-se segment-ro routing-ov over-ip ipv6-ac accelerat ation- us using-in intel-fp fpga-pr progr grammabl ble-ac accelerat ation-ca card-n3 n3000.pdf FOSDEM 2020

  7. SRv6 FOSDEM 2020

  8. Segment nt Routing ng • Source Routing – A node steers a packet through an ordered list of instructions, called "segments". – Each segment has a segment identifier (SID) based on the dataplane instantiation – the topological and service (NFV) path is encoded in packet header • Scalability – the network fabric does not hold any per-flow state for TE or NFV • Simplicity – automation: TILFA sub-50msec FRR – protocol elimination: LDP, RSVP-TE, NSH, VXLAN… • End-to-End – DC, Metro, WAN FOSDEM 2020

  9. Tw Two dataplane ne ins nstant ntiations ns MPLS - SRMPLS • leverage the mature MPLS HW with only SW upgrade • 1 SID = 1 MPLS label • SID list = MPLS label stack Segment Routing IPv6 – SRv6 • leverages RFC8200 provision for source routing extension header • 1 SID = 1 IPv6 address • defines a new IPv6 extension header, called SRH. • SID list = an address list in the SRH FOSDEM 2020

  10. Open-Source Networking Stacks SR SRv6 Ec Ecosyste tem Network Equipment Manufacturers Merchant Silicon Smart NIC Open-Source Applications NFV Partners SERA Pyroute2 FOSDEM 2020

  11. SRv6 Network programming ng • The SRv6 Network Programming framework enables a network operator or an application to specify a packet packet processing program by encoding a sequence of instructions in the IPv6 packet header. • Each instruction is implemented on one or several nodes in the network and identified by an SRv6 Segment Identifier in the packet. • IETF standardization in progress – https://tools.ietf.org/html/draft-ietf-spring-srv6-network-programming-08 FOSDEM 2020

  12. Network ins nstruction Locator Function • 128-bit SRv6 SID – Locator: routed to the node performing the function – Function: any possible function either local to NPU or app in VM/Container – Flexible bit-length selection FOSDEM 2020

  13. Network Program in the Packet Header IPv6 header Source Address So Locator 1 Lo Fu Func nction on 1 Segment Active Segment Lo Locator 1 Fu Func nction on 1 Routing Lo Locator 2 Func Fu nction on 2 Header Locator 3 Lo Fu Func nction on 3 IPv6 payload TCP, UD TC UDP, QUI UIC FOSDEM 2020

  14. SR SRv6 Header TAG TA Se Segments Left Lo Locator 1 Fu Func nction on 1 Locator 2 Lo Fu Func nction on 2 Lo Locator 3 Fu Func nction on 3 Metadata TLV FOSDEM 2020

  15. SRv6 beha haviors specs summary He Headend Be Behavior Us Use-cas case H.Encaps SR Headend with Encapsulation in an SRv6 Policy L3 Traffic H.Encaps.L2 H.Encaps Applied to Received L2 Frames L2 traffic En Endpoint Be Behavior Us Use-cas case End Endpoint TE (underlay) End.X Endpoint with Layer-3 cross-connect End.DX6 Endpoint with decapsulation and IPv6 cross-connect IPv6 L3VPN (overlay) End.DT6 Endpoint with decapsulation and specific IPv6 table lookup End.DX4 Endpoint with decapsulation and IPv4 cross-connect IPv4 L3VPN (overlay) End.DT4 Endpoint with decapsulation and specific IPv4 table lookup End.DX2 Endpoint with decapsulation and Layer-2 cross-connect L2VPN (overlay) End.AS Endpoint to SR-unaware APP via static proxy End.AD Endpoint to SR-unaware APP via dynamic proxy Service chaining End.AM Endpoint to SR-unaware APP via masquerading proxy FOSDEM 2020

  16. T/ T/64 Overlay 3 SA = T::1, DA = V: V::2 IPv6 Hdr Payload • Automated Green Overlay 1 V/64 • No tunnel to configure via A2::C4 • Simple IPv6 Hdr SA = A1 A1::0 , DA = A2 A2::C4 • Protocol elimination IPv6 Hdr SA = T::1, DA = V: V::2 Payload • Efficient • SRv6 for everything 2 IPv6 Hdr SA = T::1, DA = V: V::2 Payload 4 V/64 V/ FOSDEM 2020

  17. T/64 T/ Overlay with Underlay Control 3 SA = T::1, DA = V: V::2 IPv6 Hdr Payload • SRv6 does not only eliminate Green Overlay 1 unneeded overlay protocols V/64 IPv6 Hdr SA = A1 A1::0 , DA = A3 A3::1 via A2::C4 • SRv6 solves problems that SR Hdr < A3 A3::1 , A2::C4 > with Latency IPv6 Hdr SA = T::1, DA = V: V::2 these protocols cannot solve Payload 3 IPv6 Hdr SA = A1 A1::0 , DA = A2 A2::C4 SR Hdr < A3::1, A2 A2::C4 > IPv6 Hdr SA = T::1, DA = V: V::2 Payload 2 IPv6 Hdr SA = T::1, DA = V: V::2 Payload 4 V/64 V/ FOSDEM 2020

  18. Kubernetes networking with SRv6 FOSDEM 2020

  19. kuberne netes ne networking ng (current ntly) • CNI plugins are responsible for networking in kubernetes – Load Balancing à Linux iptables NAT / VPP NAT – P ort Forwarding à Linux iptables NAT / VPP NAT – Network Policy à Linux iptables firewall/VPP ACLs – Overlay networking à VXLAN/IP-in-IP/GENEVE/GRE/... – Service chaining à stitching of interfaces/VXLAN tunnels • The result – NAT everywhere – Complex network policy model that relies on container IPs – iptables everywhere which uses non scalable linear search matching – Service chaining is very complex “nearly impossible” – Inter-cluster communication, hybrid cloud, multi-cloud, network wide policy ??? FOSDEM 2020

  20. kuberne netes ne networking ng (IPv6 + SRv6) • IPv6 for reachability • SRv6 for everything – Overlay with no extra protocols à SRv6 Encap + Decap – Scalable network policy model à Leveraging SRH TAG – Port forwarding à An IPv6 address per application – Load Balancing à One SR policy + multiple SID lists – Service chaining à Out-of-box using the SRH SID list – Inter-cluster, hybrid cloud, multi-cloud, … à SRv6 + NSM FOSDEM 2020

  21. Network policy using ng SRv6 • Scalable policy table • Fully integrated with the overlay • Independent of container IP’s Spine2 Spine1 Policies table src dst action Red Blue ACCEPT Red Green DROP Leaf2 Leaf1 Leaf3 SA: Vs1 , DA: Vs2 SA: Vs1 , DA: Vs2 SRH: [TAG]=Red SRH: [TAG]=Red SA: R1 , DA: B3 SA: R1 , DA: B3 vS2 vS1 vS3 Payload Payload SA: R1 , DA: B3 SA: R1 , DA: B3 G2 R2 B2 G1 B3 R1 B1 R3 G3 Payload Payload Compute-2 Compute-1 Compute-3 FOSDEM 2020

  22. Contiv-VPP CNI Intro FOSDEM 2020

  23. Contiv-VPP CNI • Uses FD.io VPP with DPDK as the data-plane for packet forwarding • Kube-proxy implemented in the user space (on VPP) • Production-ready CNI (passes all k8s conformance tests) • Swiss army knife CNI for cloud-native networking deployments : • Multiple network interfaces per pod • Multiple isolated L2/L3 networks • Service chaining between pods for CNF (Cloud-Native Network Functions) deployments • IPv6 support • SRv6 support

  24. Contiv-VPP Data Plane Kubernetes node Other Kubernetes nodes Pod 1 Pod 2 VPP Interconnection Fabric Contiv vSwitch pod

  25. Multiple Pod Interfaces & Custom Networks --- apiVersion: contivpp.io/v1 kind: CustomNetwork metadata: name: l2net spec: type: L2 --- kind: Pod metadata: name: linux-cnf1 annotations: contivpp.io/custom-if : tap1/tap/l2net spec: … https://github.com/contiv/vpp/tree/master/k8s/examples/custom-network

  26. Service Chaining Between CNF Pods (L2-XConnect -Based) --- apiVersion: contivpp.io/v1 kind: ServiceFunctionChain metadata: name: vpp-chain spec: chain: - name: CNF 1 type: Pod podSelector: cnf: vpp-cnf1 interface: memif1 - name: CNF 2 type: Pod podSelector: cnf: vpp-cnf2 inputInterface: memif1 outputInterface: memif2 - name: CNF 3 type: Pod podSelector: cnf: vpp-cnf3 interface: memif1 https://github.com/contiv/vpp/tree/master/k8s/examples/sfc

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker &amp; Kubernetes

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker &amp; Kubernetes

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker &amp; Kubernetes Enthusiast Speaker at Meetups Email: apurvbhandari@gmail.com LinkedIn: https://www.linkedin.com/in/apurvabhandari-linux GitHub:

2.16k views • 28 slides
Brings OpenStack networking and storage to containers Kubernetes Neutron Networking

Brings OpenStack networking and storage to containers Kubernetes Neutron Networking

Brings OpenStack networking and storage to containers Kubernetes Neutron Networking Native OpenStack infrastructure for mixed workloads spec: podSelector: matchLabels: role: db policyTypes: -

773 views • 8 slides
SRv6 Network Programming (draft-filsfils-spring-srv6-network-programming-00) C. Filsfils (Cisco)

SRv6 Network Programming (draft-filsfils-spring-srv6-network-programming-00) C. Filsfils (Cisco)

IETF 98 Chicago Mar 2017 SRv6 Network Programming (draft-filsfils-spring-srv6-network-programming-00) C. Filsfils (Cisco) G . Naik (Drexel University) J. Leddy (Comcast) H. Elmalky (Ericsson) D. Voyer (Bell Canada) P . Jonnalagadda

386 views • 14 slides
SRv6 for Mobile User- Plane drafu-matsushima-spring-dmm-srv6-mobile-uplane IETF99 Satoru

SRv6 for Mobile User- Plane drafu-matsushima-spring-dmm-srv6-mobile-uplane IETF99 Satoru

SRv6 for Mobile User- Plane drafu-matsushima-spring-dmm-srv6-mobile-uplane IETF99 Satoru Matsushima (Presenter) Clarence Filsfjls A Current Mobile Network Example Well fragmented to RAN, EPC and SGi. Per-session tunnel creation and

1.36k views • 8 slides
Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh,

Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh,

Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh, Director, AT&amp;T Uday T Kumar, Solution Architect, Ericsson There is no such thing as Container Networking Kelsey Hightower,

928 views • 9 slides
Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena Berezovsky Tim Hockin CIA IT operations have top secret apps for their agents, most of which require isolation Antoni is in Ops and wants to help CIA

458 views • 31 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
Tales Of The Kubernetes Ingress Networking: Deployment Patterns For External Load Balancers 1

Tales Of The Kubernetes Ingress Networking: Deployment Patterns For External Load Balancers 1

Tales Of The Kubernetes Ingress Networking: Deployment Patterns For External Load Balancers 1 How To Access The Slides? Slides (HTML): https://containous.github.io/slides/webinar-cncf-jan-2020 Slides (PDF):

1.02k views • 49 slides
Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

1.18k views • 113 slides
Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source platform designed to automate deploying , scaling , and operating application containers . Kubernetes v1.0 was released in 2015. It utilizes

916 views • 52 slides
K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi @marcoceppi Ryan Beisner @ryanbeisner Why Kubernetes Computing in the modern age Virtual Process Machines Containers Traditional Container

516 views • 24 slides
From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang Developer Advocate Google Cloud Platform @saturnism | +RayTsang @saturnism @googlecloud #kubernetes Ray Tsang Developer Architect Traveler

1.29k views • 65 slides
Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes &amp; Cloud Native Meetups in Jakarta and Bandung https://www.meetup.com/jakarta-kubernetes/ https://www.meetup.com/Microservice-JKT/ You can find

709 views • 47 slides
Developing Kubernetes Services at Airbnb Scale @MELANIECEBULA What is kubernetes?

Developing Kubernetes Services at Airbnb Scale @MELANIECEBULA What is kubernetes?

@MELANIECEBULA / MARCH 2019 / CON LONDON Developing Kubernetes Services at Airbnb Scale @MELANIECEBULA What is kubernetes? @MELANIECEBULA Who am I? A BRIEF HISTORY @MELANIECEBULA Why Microservices? 4000000 3000000 2000000 MONOLITH

1.74k views • 111 slides
Kubernetes APIs Under the Hood @pwittrock Who Am I? Phillip Wittrock (@pwittrock) Software

Kubernetes APIs Under the Hood @pwittrock Who Am I? Phillip Wittrock (@pwittrock) Software

Kubernetes APIs Under the Hood @pwittrock Who Am I? Phillip Wittrock (@pwittrock) Software Engineer at Google working on GKE and OSS Kubernetes My mission is to make using Kubernetes simple and enjoyable You might have come across me

1.12k views • 27 slides
Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes Ceph Storage Operation NVRAMOS 2019 10/28/2019 Cloud Service Model On Premises IaaS CaaS PaaS SaaS Applications Applications

660 views • 36 slides
Lessons Learned: Building Scalable &amp; Elastic Akka Clusters on Google Managed Kubernetes -

Lessons Learned: Building Scalable &amp; Elastic Akka Clusters on Google Managed Kubernetes -

Lessons Learned: Building Scalable &amp; Elastic Akka Clusters on Google Managed Kubernetes - Timo Mechler &amp; Charles Adetiloye About MavenCode MavenCode is a Data Analytics software company offering training, product development, and

426 views • 18 slides
PlanetLab: Evolution vs Intelligent Design in Global Network Infrastructure Larry Peterson

PlanetLab: Evolution vs Intelligent Design in Global Network Infrastructure Larry Peterson

PlanetLab: Evolution vs Intelligent Design in Global Network Infrastructure Larry Peterson Princeton University PlanetLab 670 machines spanning 325 sites and 35 countries nodes within a LAN-hop of &gt; 3M users Supports distributed

560 views • 40 slides
Rumor Spreading and Conductance Flavio Chierichetti Silvio Lattanzi Alessandro Panconesi Sapienza

Rumor Spreading and Conductance Flavio Chierichetti Silvio Lattanzi Alessandro Panconesi Sapienza

Rumor Spreading and Conductance Flavio Chierichetti Silvio Lattanzi Alessandro Panconesi Sapienza University of Rome Why is rumor spreading fast in social networks? How to answer this question? How to define rumor spreading? What

1.31k views • 119 slides
Centrality, treeness and miscellaneous Social and Technological Networks Rik Sarkar University

Centrality, treeness and miscellaneous Social and Technological Networks Rik Sarkar University

Centrality, treeness and miscellaneous Social and Technological Networks Rik Sarkar University of Edinburgh, 2016. Centrality How central is a node in a network? A noIon of importance of the node E.g. degree, pagerank,

646 views • 20 slides
The Synergy of Finite State Machines Yuval Emek Technion Israel Institute of Technology The

The Synergy of Finite State Machines Yuval Emek Technion Israel Institute of Technology The

The Synergy of Finite State Machines Yuval Emek Technion Israel Institute of Technology The 22nd International Conference on Principles of Distributed Systems 18-Dec-2018 Hong Kong Joint work with Yehuda Afek and Noa Kolikant Yuval Emek

437 views • 19 slides
Syntactic Theory Tree-Adjoining Grammar (TAG) Yi Zhang Department of Computational Linguistics

Syntactic Theory Tree-Adjoining Grammar (TAG) Yi Zhang Department of Computational Linguistics

Syntactic Theory Tree-Adjoining Grammar (TAG) Yi Zhang Department of Computational Linguistics Saarland University November 10th, 2009 Outline Tree-Adjoining Grammar ( TAG ) Adding Constraints to TAG Formal Properties of TAG Linguistic

336 views • 22 slides
Efficient Non-Segregated Routing for Reconfigurable Demand-Aware Networks Thomas Fenz, Klaus-Tycho

Efficient Non-Segregated Routing for Reconfigurable Demand-Aware Networks Thomas Fenz, Klaus-Tycho

Efficient Non-Segregated Routing for Reconfigurable Demand-Aware Networks Thomas Fenz, Klaus-Tycho Foerster, Stefan Schmid, and Anas Villedieu From: Al-Fares et al. 2008 Today s Data Center Topologies Often Clos -based (e.g. Fat-tree )

1.35k views • 41 slides
Cracking Drupal Title slide Security concepts and pitfalls Subtitle Peter Wolanin Michael Hess

Cracking Drupal Title slide Security concepts and pitfalls Subtitle Peter Wolanin Michael Hess

Please open http://vuln.rocks/crackdru Cracking Drupal Title slide Security concepts and pitfalls Subtitle Peter Wolanin Michael Hess Add speaker name here http://vuln.rocks/crackdru Special thanks to Klaus Purer for creating the original

1.13k views • 63 slides

More recommend