Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Submariner-RHTN-20210114.pdf

orimanabu
January 14, 2021
Technology
0
350

 Submariner-RHTN-20210114.pdf

orimanabu

January 14, 2021
Tweet

More Decks by orimanabu

See All by orimanabu
OpenShift.Run-2024-Medik8s
orimanabu
1
510
Podman_CRI-O_update_2024-02
orimanabu
4
1k
Podman_update_2023-11
orimanabu
2
510
OVN-Kubernetes-Introduction-ja-2023-01-27.pdf
orimanabu
2
1.4k
Podman_CRI-O_update_2022-08
orimanabu
1
790
skupper-introduction
orimanabu
0
480
OpenShift.Run-2022-makaizo
orimanabu
1
1.1k
CRI-O Introduction
orimanabu
5
5.2k
Submariner-ONIC2020-ja
orimanabu
3
260

Other Decks in Technology

See All in Technology
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
190
Cracking the KubeCon CfP
inductor
2
240
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
890
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
3
280
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
2
2.1k
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.4k
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
170
私が trocco を推す理由
__allllllllez__
1
210
web-application-security
matsuihidetoshi
0
160
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
910

Featured

See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Making Projects Easy
brettharned
108
5.5k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
RailsConf 2023
tenderlove
4
540
Facilitating Awesome Meetings
lara
42
5.6k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
How to train your dragon (web standard)
notwaldorf
73
5.2k
Adopting Sorbet at Scale
ufuk
68
8.6k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k

Transcript

  1. Submarinerの話 Manabu Ori (@orimanabu) Red Hat January 14th, 2021 RHTN

    2021.01 Lightning Talk

  2. 自己紹介 • 氏名: 織 学 (@orimanabu) • 仕事: コンサルタント

  3. Submarinerとは

  4. • https://submariner.io/ • 複数のKubernetesクラスターにまたがった Pod/Service間通信を実現する仕組み • 各クラスターにGatewayノードを設置し、Gateway間でIPsecトンネルを張る ◦ IPsec周りの設定はプラグイン形式 (strongSwan,

    LibreSwan, Wireguard VPN) • CNI Pluginに依存しない ◦ Weave, Calico, Canal, Flannel, OpenShift-SDN 等でテスト済み • 複数クラスターにまたがるサービスディスカバリ (Lighthouse) • 各クラスターでPod/Serviceネットワークのアドレスブロックが重複しても大丈夫 (GlobalNet) • Kubernetes Multi Cluster Sigのプロジェクトに登録してもらうよう提案中 • L3 connectivityを提供するのみ、Service Meshではない • おっとこんなところに ... ◦ https://github.com/open-cluster-management/submariner-addon ▪ ACM(Red Hat Advanced Cluster Management for Kubernetes)と仲良くなる予定...

  5. Pod Pod SVC SVC Pod Network Service Network Pod Pod

    SVC SVC Pod Network Service Network k8s cluster #1 k8s cluster #2 KubeDNS KubeDNS クラスタ内Serviceのサービスディスカバリ <service>.<namespace>.svc.cluster.local LightHouse DNS LightHouse DNS DNS登録 Gateway Gateway 他クラスタのServiceのサービスディスカバリ <service>.<namespace>.svc.clusterset.local Forward

  6. Pod Pod SVC SVC Pod Network Service Network Pod Pod

    SVC SVC Pod Network Service Network k8s cluster #1 k8s cluster #2 GlobalNet GlobalNet Gateway Gateway

  7. 歴史 • 2017: コンセプト考案 (Rancher) • 2018: 最初のプロトタイプ実装 (Rancher) •

    2019年3月: Submariner v0.0.1リリース

  8. アーキテクチャ

  9. アーキテクチャ • a

  10. クラスターを またいだPod間通信

  11. api server kube dns Public Network node2 Light House Agent

    Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 192.168.241.11 192.168.241.21 192.168.242.21 192.168.242.12 client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) name: nginx, namespace: default GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19 curl nginx.default.svc.clusterset.local (Pod IP address) (Global IP for Pod)

  12. api server kube dns Public Network node2 Light House Agent

    Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 公開されたcluster2のnginx Serviceにアクセスするため、 DNS 解決を試みる クラスター内のLighthouse DNS サーバがcluster2のnginx ServiceのGlobal IPを返す 公開 の nginx.default.svc.clusterset.local の アドレス 169.254.33.168 GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19

  13. api server kube dns Public Network node2 Light House Agent

    Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 公開されたcluster2のnginx Serviceにアクセスするため、 DNS 解決を試みる クラスター内のLighthouse DNS サーバがcluster2のnginx ServiceのGlobal IPを返す 公開 の nginx.default.svc.clusterset.local の アドレス 169.254.33.168 GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19 $ kubectl -n kube-system get cm coredns -o yaml | head -n 15 apiVersion: v1 data: Corefile: | #lighthouse clusterset.local:53 { forward . 10.141.162.221 } supercluster.local:53 { forward . 10.141.162.221 } .:53 { errors health { lameduck 5s } $ kubectl -n submariner-operator get svc NAME TYPE CLUSTER-IP EXTERNAL-IP submariner-lighthouse-coredns ClusterIP 10.141.162.221 <none> submariner-operator-metrics ClusterIP 10.141.85.172 <none>

  14. api server kube dns Public Network node2 Light House Agent

    Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 cluster2のGlobalNet宛ての通信 なので、VXLANトンネルを通って Gatewayノードへ curl 169.254.33.168 client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19

  15. api server kube dns Public Network node2 Light House Agent

    Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 cluster2のGlobalNet宛ての通信 なので、VXLANトンネルを通って Gatewayノードへ curl 169.254.33.168 client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) $ ip route show default via 192.168.241.1 dev eth0 10.241.0.0/16 dev weave proto kernel scope link src 10.241.0.1 169.254.0.0/16 dev eth0 scope link metric 1002 169.254.32.0/19 via 240.168.241.21 dev vx-submariner proto static 192.168.241.0/24 dev eth0 proto kernel scope link src 192.168.241.11 240.0.0.0/8 dev vx-submariner proto kernel scope link src 240.168.241.11 $ ip -d link show dev vx-submariner 15: vx-submariner: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqu DEFAULT group default link/ether 92:34:a2:38:15:ff brd ff:ff:ff:ff:ff:ff promiscuity 0 vxlan id 100 remote 192.168.241.21 srcport 0 0 dstport 4800 nolearni GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19 $ ip -4 addr show dev vx-submariner 13: vx-submariner: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default inet 240.168.241.21/8 brd 240.255.255.255 scope global vx-submariner valid_lft forever preferred_lft forever

  16. api server kube dns Public Network node2 Light House Agent

    Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 ソースアドレスをPodのアドレス に対応するGlobal IPに変換し、 IPsecのXFRM Policyにした がってcluster2のGatewayノー ドへ curl 169.254.33.168 client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19

  17. api server kube dns Public Network node2 Light House Agent

    Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 IPsecのXFRM Policyにした がってcluster2のGatewayノー ドへ curl 169.254.33.168 client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) $ sudo ip xfrm policy <snip> src 169.254.0.0/19 dst 169.254.32.0/19 dir out priority 2087384 ptype main tmpl src 192.168.241.21 dst 192.168.242.21 proto esp reqid 16401 mode tunnel <snip> $ sudo ip xfrm state <snip> src 192.168.241.21 dst 192.168.242.21 proto esp spi 0x140a764a reqid 16401 mode tunnel replay-window 32 flag af-unspec aead rfc4106(gcm(aes)) 0x9f44344b333c80b5e9f62ff462cc380e981521f0cc2fb45e15017a562312a849be5f8235 128 anti-replay context: seq 0x0, oseq 0x12, bitmap 0x00000000 <snip> GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19 $ sudo iptables -S -t nat <snip> -A POSTROUTING -j SUBMARINER-POSTROUTING -A SUBMARINER-POSTROUTING -j SUBMARINER-GN-EGRESS -A SUBMARINER-GN-EGRESS -j SUBMARINER-GN-MARK -A SUBMARINER-GN-MARK -d 169.254.32.0/19 -j MARK --set-xmark 0xc0000/0xc0000 -A SUBMARINER-GN-EGRESS -s 10.241.0.4/32 -m mark --mark 0xc0000/0xc0000 -j SNAT --to-source 169.254.18.25 <snip>

  18. api server kube dns Public Network node2 Light House Agent

    Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 curl 169.254.33.168 Gatewayノードのiptablesルー ルに従い、Serviceの ClusterIP→Podアドレスに DNATしてPodへ client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19

  19. api server kube dns Public Network node2 Light House Agent

    Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 curl 169.254.33.168 Gatewayノードのiptablesルー ルに従い、Serviceの ClusterIP→Podアドレスに DNATしてPodへ client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19 $ sudo iptables -S -t nat -A PREROUTING -j SUBMARINER-GN-INGRESS -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES <snip> -A KUBE-SERVICES -d 10.142.73.136/32 -p tcp -m comment --comment "default/nginx:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-W74WBVT47KWK7FLX <snip> -A KUBE-SEP-4I5XE2BCCWVHDHTF -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination 10.242.4.4:8080 -A KUBE-SEP-A4FGUEZKMLCAJVUL -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination 10.242.2.3:8080 -A KUBE-SEP-FB5TTVHWC6TEALPV -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination 10.242.1.4:8080 <snip> -A KUBE-SVC-W74WBVT47KWK7FLX -m comment --comment "default/nginx:http" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-FB5TTVHWC6TEALPV -A KUBE-SVC-W74WBVT47KWK7FLX -m comment --comment "default/nginx:http" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-A4FGUEZKMLCAJVUL -A KUBE-SVC-W74WBVT47KWK7FLX -m comment --comment "default/nginx:http" -j KUBE-SEP-4I5XE2BCCWVHDHTF <snip> -A SUBMARINER-GN-INGRESS -d 169.254.33.168/32 -j KUBE-SVC-W74WBVT47KWK7FLX によるルール によるルール

  20. api server kube dns Public Network node2 Light House Agent

    Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 戻りも同様 client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19

  21. Thank you