Networking
Routing, Switching, Gateways
To find gateway:
route
# or
ip route listTo add entries into the routing table. Where 2nd ip is gateway
ip route add 192.168.1.0/24 via 192.168.2.1If forwarding between machines required for communication without a router:
/proc/sys/net/ipv4/ip_forward must be enabled:
echo 1 > /proc/sys/net/ipv4/ip_forwardTo persist:
# /etc/sysctl.conf
net.ipv4.ip_forward=1DNS
In /etc/resolv.conf set DNS server:
nameserver 192.168.1.100We can set order for /etc/hosts or DNS server in:
/etc/nsswitch.conf:
hosts: files dnsWe can use nslookup, dig to query DNS servers:
nslookup google.ca
dig google.caNetwork Namespaces
Lets us have isolated routing and arp tables along with virtual interfaces.
ip netns add b
ip netns listRun in ns:
ip netns exec red ip link
# or
ip -n res linkTo connect namespaces we can use a virtual pair (or pipe):
To create a virtual cable
ip link add veth-red type veth peer name veth-blueTo attach with the network namespaces
ip link set veth-red netns red
ip link set veth-blue netns blueTo add an IP address
ip -n red addr add 192.168.15.1/24 dev veth-red
ip -n blue addr add 192.168.15.2/24 dev veth-blueTo set up ns interfaces
ip -n red link set veth-red up
ip -n blue link set veth-blue upCheck the connectivity
ip netns exec red ping 192.168.15.2When we have many NS, we create a switch (bridge)
Putting this all together we can have the bridge reach the external network by talking to our host as the Gateway, and have connections go back in to the private network by implementing NAT on our host via:
iptables -t nat -A PREROUTING --dport 80 --to-destination 192.168.15.2:80 -j DNATPod Networking
The rules of kubernetes pod networking are that:
every pod should have an IP address
every pod should be able to communicate with every other pod in the same node
every pod should be able to communicate with every other pod on other nodes without NAT
We create a bridge on each node for the containers. Each bridge has a private subnet. To allow cross-node communications we add routes between nodes or use a router.
See kube-controller-manager --cluster-cidr= for pod range.
CNI in Kubernetes
We specify CNI plugin on container runtime in /etc/cni/net.d, bins in /opt/cni/bin
Kubernetes networking Solutions will typically install agents on every node (DaemonSet) along with bridges and then deal with peer-to-peer communication
IP Address Managements (IPAM)
Who assigns IPs to containers. CNI plugin manages the IP management.
Service Networking
Pods communicate via services and each gets a cluster-wide IP.
kube-proxy watches for service creation, and creates one. This is done by each node setting up forwarding rules on each node.
proxy-mode defines how forwarding rules are created on kube-proxy.
service-cluster-ip-range defines ip range for services.
ps -aux | grep kube-apiserver--secure-port=6443 --service-account-key-file=/etc/kubernetes/pki/sa.pub --
service-cluster-ip-range=10.96.0.0/12DNS in Kubernetes
Whenever we create services they get a DNS entry so any pod can access.
If in same namespace, can use just service name, eg 'service'
In different namespace add namespace suffix, eg 'service.default'.
Full domain is 'service.default.svc' or FQDN 'service.default.svc.cluster.local'
By default pods do not get entry, but we can enable DNS enties for them, thry get entry:
'IP-WITH-DASHES.namespace.pod'
eg '10-244-2-5.default.pod'
CoreDNS
Config in /etc/coredns/Corefile
.:53 {
errors
health { lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
loop
reload
}kubectl get configmap -n kube-systemKubelet configures DNS server for pods by setting nameserver in /etc/resolv.conf
resolv.conf also contains a search query to allow PARTIAL FQDN:
search default.svc.cluster.local svc.cluster.local cluster.localIngress Controllers
Native internal loadbalancing.
Not deployed by default.
GCE, nginx maintained by k8s (currently)
Create an ingress service account, and service.
Create a deployment with:
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-configurationapiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-controller
spec:
replicas: 1
selector:
matchLabels:
name: nginx-ingress
template:
metadata:
labels:
name: nginx-ingress
spec:
serviceAccountName: ingress-serviceaccount
containers:
- name: nginx-ingress-controller
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443To configure ingress, create an ingress-resource:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-wear
spec:
backend:
serviceName: wear-service
servicePort: 80kubectl get ingressTo define rules for paths:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-wear-watch
spec:
rules:
- http:
paths:
- path: /wear
backend:
serviceName: wear-service
servicePort: 80
- path: /watch
backend:
serviceName: watch-service
servicePort: 80For domain name rules:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-wear-watch
spec:
rules:
- host: wear.my-online-store.com
http:
paths:
- backend:
serviceName: wear-service
servicePort: 80
- host: watch.my-online-store.com
http:
paths:
- backend:
serviceName: watch-service
servicePort: 80Last updated