Submariner-RHTN-20210114.pdf

Slide 1

Slide 1 text

Submarinerの話 Manabu Ori (@orimanabu) Red Hat January 14th, 2021 RHTN 2021.01 Lightning Talk

Slide 2

Slide 2 text

自己紹介 ● 氏名: 織学 (@orimanabu) ● 仕事: コンサルタント

Slide 3

Slide 3 text

Submarinerとは

Slide 4

Slide 4 text

● https://submariner.io/ ● 複数のKubernetesクラスターにまたがった Pod/Service間通信を実現する仕組み ● 各クラスターにGatewayノードを設置し、Gateway間でIPsecトンネルを張る ○ IPsec周りの設定はプラグイン形式 (strongSwan, LibreSwan, Wireguard VPN) ● CNI Pluginに依存しない ○ Weave, Calico, Canal, Flannel, OpenShift-SDN 等でテスト済み ● 複数クラスターにまたがるサービスディスカバリ (Lighthouse) ● 各クラスターでPod/Serviceネットワークのアドレスブロックが重複しても大丈夫 (GlobalNet) ● Kubernetes Multi Cluster Sigのプロジェクトに登録してもらうよう提案中 ● L3 connectivityを提供するのみ、Service Meshではない ● おっとこんなところに ... ○ https://github.com/open-cluster-management/submariner-addon ■ ACM(Red Hat Advanced Cluster Management for Kubernetes)と仲良くなる予定...

Slide 5

Slide 5 text

Pod Pod SVC SVC Pod Network Service Network Pod Pod SVC SVC Pod Network Service Network k8s cluster #1 k8s cluster #2 KubeDNS KubeDNS クラスタ内Serviceのサービスディスカバリ ..svc.cluster.local LightHouse DNS LightHouse DNS DNS登録 Gateway Gateway 他クラスタのServiceのサービスディスカバリ ..svc.clusterset.local Forward

Slide 6

Slide 6 text

Pod Pod SVC SVC Pod Network Service Network Pod Pod SVC SVC Pod Network Service Network k8s cluster #1 k8s cluster #2 GlobalNet GlobalNet Gateway Gateway

Slide 7

Slide 7 text

歴史 ● 2017: コンセプト考案 (Rancher) ● 2018: 最初のプロトタイプ実装 (Rancher) ● 2019年3月: Submariner v0.0.1リリース

Slide 8

Slide 8 text

アーキテクチャ

Slide 9

Slide 9 text

アーキテクチャ ● a

Slide 10

Slide 10 text

クラスターをまたいだPod間通信

Slide 11

Slide 11 text

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Slide 15

Slide 15 text

api server kube dns Public Network node2 Light House Agent Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 cluster2のGlobalNet宛ての通信なので、VXLANトンネルを通って Gatewayノードへ curl 169.254.33.168 client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) $ ip route show default via 192.168.241.1 dev eth0 10.241.0.0/16 dev weave proto kernel scope link src 10.241.0.1 169.254.0.0/16 dev eth0 scope link metric 1002 169.254.32.0/19 via 240.168.241.21 dev vx-submariner proto static 192.168.241.0/24 dev eth0 proto kernel scope link src 192.168.241.11 240.0.0.0/8 dev vx-submariner proto kernel scope link src 240.168.241.11 $ ip -d link show dev vx-submariner 15: vx-submariner: mtu 1450 qdisc noqu DEFAULT group default link/ether 92:34:a2:38:15:ff brd ff:ff:ff:ff:ff:ff promiscuity 0 vxlan id 100 remote 192.168.241.21 srcport 0 0 dstport 4800 nolearni GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19 $ ip -4 addr show dev vx-submariner 13: vx-submariner: mtu 1450 qdisc noqueue state UNKNOWN group default inet 240.168.241.21/8 brd 240.255.255.255 scope global vx-submariner valid_lft forever preferred_lft forever

Slide 16

Slide 16 text

Slide 17

Slide 17 text

api server kube dns Public Network node2 Light House Agent Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 IPsecのXFRM Policyにしたがってcluster2のGatewayノードへ curl 169.254.33.168 client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) $ sudo ip xfrm policy src 169.254.0.0/19 dst 169.254.32.0/19 dir out priority 2087384 ptype main tmpl src 192.168.241.21 dst 192.168.242.21 proto esp reqid 16401 mode tunnel $ sudo ip xfrm state src 192.168.241.21 dst 192.168.242.21 proto esp spi 0x140a764a reqid 16401 mode tunnel replay-window 32 flag af-unspec aead rfc4106(gcm(aes)) 0x9f44344b333c80b5e9f62ff462cc380e981521f0cc2fb45e15017a562312a849be5f8235 128 anti-replay context: seq 0x0, oseq 0x12, bitmap 0x00000000 GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19 $ sudo iptables -S -t nat -A POSTROUTING -j SUBMARINER-POSTROUTING -A SUBMARINER-POSTROUTING -j SUBMARINER-GN-EGRESS -A SUBMARINER-GN-EGRESS -j SUBMARINER-GN-MARK -A SUBMARINER-GN-MARK -d 169.254.32.0/19 -j MARK --set-xmark 0xc0000/0xc0000 -A SUBMARINER-GN-EGRESS -s 10.241.0.4/32 -m mark --mark 0xc0000/0xc0000 -j SNAT --to-source 169.254.18.25

Slide 18

Slide 18 text

Slide 19

Slide 19 text

api server kube dns Public Network node2 Light House Agent Light House DNS Route Agent node1 client Light House DNS Route Agent gw2 Gate way Global Net Route Agent gw1 master1 etcd Gate way Global Net Route Agent node1 Light House Agent Light House DNS Route Agent node2 nginx Light House DNS Route Agent gw1 Global Net Gate way Route Agent gw2 kube dns api server master1 etcd Global Net Gate Way Route Agent cluster1 cluster2 curl 169.254.33.168 Gatewayノードのiptablesルールに従い、Serviceの ClusterIP→Podアドレスに DNATしてPodへ client Pod: 10.241.0.4 (169.254.18.25) target pod: 10.242.2.3 (169.254.32.40) target svc: 10.142.73.136 (169.254.33.168) GlobalNet: 169.254.0.0/19 GlobalNet: 169.254.32.0/19 $ sudo iptables -S -t nat -A PREROUTING -j SUBMARINER-GN-INGRESS -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES -A KUBE-SERVICES -d 10.142.73.136/32 -p tcp -m comment --comment "default/nginx:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-W74WBVT47KWK7FLX -A KUBE-SEP-4I5XE2BCCWVHDHTF -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination 10.242.4.4:8080 -A KUBE-SEP-A4FGUEZKMLCAJVUL -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination 10.242.2.3:8080 -A KUBE-SEP-FB5TTVHWC6TEALPV -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination 10.242.1.4:8080 -A KUBE-SVC-W74WBVT47KWK7FLX -m comment --comment "default/nginx:http" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-FB5TTVHWC6TEALPV -A KUBE-SVC-W74WBVT47KWK7FLX -m comment --comment "default/nginx:http" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-A4FGUEZKMLCAJVUL -A KUBE-SVC-W74WBVT47KWK7FLX -m comment --comment "default/nginx:http" -j KUBE-SEP-4I5XE2BCCWVHDHTF -A SUBMARINER-GN-INGRESS -d 169.254.33.168/32 -j KUBE-SVC-W74WBVT47KWK7FLX によるルールによるルール