Introduction to Antrea: A Lightweight, High-Performance K8s KNI

Agenda
  • Kubernetes Cluster Networking
  • Project Antrea Deep Dive
  • Project Antrea Roadmap Community

Kubernetes Cluster Networking

Kubernetes Cluster Networking: three connectivity scenarios must be enabled
  • External-to-Service
  • Pod-to-Service
  • Pod-to-Pod

What is a Kubernetes CNI Network Plugin responsible for?
  • Pod Connectivity
      • Plumbing eth0 (network interface) into Pod network (encapsulated or non-encapsulated)
      • Pod egress to world SNAT
  • IP Address Management (IPAM)
  • Service Load Balancing
      • Make traffic available to upstream kube-proxy, or
      • Implement native service load balancing VIP DNAT
  • NetworkPolicy Enforcement (optional)
      • Enforcing Kubernetes Network Policy
      • Source Spoof Prevention
      • Connection Tracking (Stateful Firewall)

Project Antrea
  • An open source project for Kubernetes networking based on Open vSwitch.

What is Open vSwitch (OVS)? And why use it for Kubernetes networking?
  • A high-performance programmable virtual switch
  • Connects to VMs (tap) and containers (veth)
  • Linux Foundation project, very active
  • Portable: works out of the box on all Linux distributions and supports Windows
  • Programmability: supports many protocols, build your own forwarding pipeline
  • High-performance: DPDK, AF_XDP
  • Hardware offload available across multiple vendors
  • Rich feature set:
      • Advanced CLI tools
      • Statistics, QoS
      • Packet tracing

Antrea Deep Dive

Project Antrea Technical Overview
  • Antrea Agent
      • Manages Pod network interfaces and OVS bridge.
      • Creates overlay tunnels / establishes routes across Nodes.
      • Implements NetworkPolicies with OVS.
  • Antrea Controller
      • Computes K8s NetworkPolicies and publishes the results to Antrea Agents.
  • Open vSwitch as dataplane
      • Antrea Agent programs Open vSwitch with OpenFlow flows.
      • Geneve, VXLAN, GRE, or STT tunnel between nodes
      • Also supports policy-only and no-encap modes
  • antctl CLI for debugging
      • Connects to Controller or Agent
      • Packet tracing / Pod interface dumping / Support bundle etc.
  • Octant UI Plugin
      • Shows Antrea runtime information
      • Diagnostic Traceflow visualization

[Architecture diagram: Master Node (kube-api, antrea ctrl) and two Worker Nodes (kubelet, antrea agent, kube-proxy, IPtables, CNI, pod A / pod B attached by veth pairs, Gateway) joined by a Tunnel; control-plane and data-plane paths; CRDs, Network Policy, antctl, Octant UI, Prometheus]

Traffic Walk (in "encap" mode)

Antrea is a community driven project focused on
  • simplifying usability and diagnostics
  • adapting any network topology
  • improving scaling and performance
for container networking in Kubernetes.

Simplify usability and diagnostics: Easy deployment
  • Antrea is deployed by applying a single YAML manifest file.
  • Antrea comes with CLI and UI tools which provide visibility and diagnostics capabilities (packet tracing, policy analysis, flow inspection)

Simplify usability and diagnostics: Easy diagnostics

Simplify usability and diagnostics: Traceflow with UI

Where can I run Antrea
  • Our goal is to run anywhere Kubernetes runs.
  • Bare Metal
  • Public Cloud
  • Private Cloud
  • Linux

Adapt any infrastructure and use case: Various traffic modes
  • Encapsulation: Support Geneve, VXLAN, GRE, STT tunnel types
  • Encapsulation with Encryption: Secure inter-Node Pod traffic with IPsec tunnels
  • No Encapsulation: Better performance
  • NetworkPolicy Only: Support chaining with routed CNI implementations

High Performance

[Chart: TCP Intra-Node Performance using netperf. Tests: TCP_STREAM (Mbps), TCP_RR (Tps), TCP_CRR (Tps). Configurations compared: No Service (Pod-to-Pod), kube-proxy (iptables), Antrea Proxy (OVS).]

High Performance: Scalable
  • 2,000 Nodes
  • 150,000 Pods
  • 40,000 Network Policies
  • 10,000 Services

Antrea Roadmap

Features Available Through v0.10.0
  • Overlay Modes
      • Geneve, VXLAN, STT, GRE
      • Policy-only (CNI chaining)
      • No-encap
      • Hybrid
  • Clouds
      • Private Cloud: bare metal, vSphere, other VM, kind
      • Public Cloud: Azure AKS Engine, AWS EC2, EKS (beta), Google GKE (alpha)
  • Service Load Balancing
      • kube-proxy support in IPVS and IPtables modes
      • OVS based kube-proxy implementation
  • Network Policy
      • networking.k8s.io NetworkPolicy v1 (upstream)
      • Native Policy: ClusterNetworkPolicy, NetworkPolicy, Tier
      • NetworkPolicy Statistics
  • Security
      • Server certificate verification for Controller APIs (user provided or generated)
      • Spoof Guard
      • IPsec over GRE
  • Visibility
      • Prometheus Metrics & Monitoring CRDs
      • Traceflow
      • Flow information export
      • antctl CLI & Octant UI Plugin
  • Operating Systems
      • Linux
      • Windows Server 2019 (alpha)

Comprehensive policy model
  • Antrea allows native and Kubernetes policies to co-exist.

[Diagram: Tier Evaluation Precedence]
  • Tiers shown: Emergency Tier, SecurityOps Tier, Application Tier, K8s NetworkPolicies
  • Antrea Network Policies, in three groups, each labelled "Ordered (evaluation precedence)":
      • ClusterNetworkPolicy A, ClusterNetworkPolicy B, Namespace A NetworkPolicy A
      • ClusterNetworkPolicy C, ClusterNetworkPolicy D, Namespace A NetworkPolicy B, Namespace B NetworkPolicy A
      • ClusterNetworkPolicy E, ClusterNetworkPolicy F, Namespace B NetworkPolicy B
  • K8s Network Policies (networking.k8s.io/v1 policy block), labelled "Unordered":
      • Namespace A NetworkPolicy A, Namespace B NetworkPolicy A, Namespace A NetworkPolicy B

Flow information export: IPFIX Records

Flow information export: With Elastic Stack

  • IPv6 Pod network: Support IPv6 and IPv4/IPv6 dual-stack for Pod network.
  • Enhance Antrea NetworkPolicy: Add more NetworkPolicy extensions, like traffic logging, policy realization status, more matching criteria and actions, and external endpoints.
  • Enhance Network diagnostics and observability: Enhance existing features and add new features to help diagnose K8s networking and NetworkPolicy implementation, and to provide good visibility into the Antrea network.
  • Flexible IPAM: implement its own IPAM, and support more IPAM strateg
