Kubernetes SIG-Network Intro (KubeCon Barcelona 2019)
An introduction to the Kubernetes network SIG. This presentation covers the basics responsibilities of the SIG, ways to get involved, and takes a technical look at service networking in Kubernetes.
SIG Basics ● Responsible for the Kubernetes network stack. ○ Ensuring pod networking across nodes. ○ Providing service abstractions. ○ Allowing external systems to connect to pods. Meet every other Thursday, at 21:00 UTC. #sig-network on slack.k8s.io https://github.com/kubernetes/community/tree/master/sig-network (Don’t worry, we’ll show this again at the end)
● Services provide a high-level construct for pod networking ○ “I have a server (or group of servers) and I expect clients to find and access them” ● Services “expose” a group of pods. ○ Port and protocol ○ Includes service discovery ○ Includes load balancing Service
Service Spec kind: Service apiVersion: v1 metadata: name: my-service spec: ports: - protocol: TCP port: 80 targetPort: 9376 Domain Port pair list Port for the service Port on the containers
Service DNS Records ● The service controller creates DNS records that point to the service’s IP address. ..svc.cluster.local ● This is commonly accessed by an alias to the service name, within the namespace. ○ EG https://myapp
Endpoints ● Endpoints map to the individual pods in a service. ○ Only contains ready pods. ○ The Endpoints object can be consumed for alternative service load balancing. ● All pod IPs for a service are stored in 1 endpoint. ○ 1 pod == 1 endpoint IP. ○ This has scalability implications, EG a service of 1000s of pods would have a large endpoints object that would likely change often. ○ New proposal to address this: EndpointSlices. Create multiple, smaller sets of Endpoints for a service. http://bit.ly/sig-net-endpoint-slice-doc
● DNS runs as pods in the cluster. ● Containers are automatically configured by the kubelet to point to a kube-dns endpoint. ● kube-dns adds support for service-name DNS records. kube-dns
● Runs on every Kubernetes node. ● Sends network requests from an endpoint to an individual pod. ○ Each kube-proxy captures requests to virtual IPs, called ClusterIPs. ○ A ClusterIP maps to a specific set of Endpoints. ○ kube-proxy ensures requests route to a some IP (pod) in the Endpoints list. kube-proxy
ClusterIP • An virtual, internal IP that corresponds to a service. • Each node has records for the same ClusterIPs, to capture outbound traffic. • Provides a stable interface for connecting to pods. • Requests to the ClusterIP are load balanced by kube-proxy. • Kube-proxy has multiple “modes”, which change the routing backend and behavior.
Service Type: ExternalName ● Returns a CNAME record for a domain or IP address. ● Used to route to external systems. ○ Does not map to endpoints/pods, has no ClusterIP.
Service Type: ClusterIP (default) ● Points the service DNS to a persistent virtual IP address. ● The virtual IP load balances requests between endpoints. ● Q: Why not use DNS for load balancing? A: DNS sucks. (Uncontrollable client behavior around TTLs, uneven load, etc)
Service Type: LoadBalancer ● Combination of ClusterIP, NodePort (and external cloud provider integration). ● Allows load balancers to route to NodePorts on any node, which kube-proxy can forward internally to an endpoint. ● The service is exposed normally within the cluster, for internal use.
● Ingress ○ Standard for exposing HTTP to the outside world, and routing to Services. ● Low-level routing ○ Aside from constructs like ClusterIPs, there’s a lot of semi-hidden glue to handle internal routing within the cluster, and aspects like kubelet → apiserver communication. ○ Can include addons like network overlays. Other Important Areas
● https://github.com/kubernetes/kubernetes/issues ● File bugs, cleanup recommendations, and feature requests. ● Find issues to help with! ○ Especially ones labelled “good first issue” and “help wanted”. ○ Triage issues (is this a valid issue?) labelled “triage/unresolved”. Issues
Ongoing Areas of Work ● Cleanup! ○ Kubernetes deliberately acquired a lot of tech debt, we are slowly paying it back. ● Ingress v1 GA. ● Low-level network features & improvements (better IPVS, dual ipv4/ipv6, etc). ● Always so much more.
vllry
yoyoyopg
interu
hankehly
optim
kohbis
mot_techtalk
charmichokshi
dzeyelid
gotok365
mercari
weblyzard
keithyokoma
sferik
morganepeng
mraible
keathley
stephaniewalter
philhawksworth
palkan
pedronauck
chrislema
eileencodes
marcduiker
eitanlees