SE Radio 619: James Strong on Kubernetes Networking
Infrastructure engineer and Kubernetes ingress-Nginx maintainer James Strong joins host Robert Blumen to discuss the Kubernetes networking layer. The discussion draws on content from Strong's book on the topic and covers a lot of ground, including: the Kubernetes network's use of different IP ranges than the host network; overlay network with its own IP ranges compared to using expanded portions of the host network ranges; adding routes with kernel extension points; programming kernel extension points with IP tables compared to eBPF; how routes are updated as the host network gains or loses nodes, the use of the Linux network namespace to isolate each pod; routing between pods on the same host; routing between pods across the host network; the container-network interface (CNI); the CNI ecosystem; differences between CNIs; choosing a CNI when running on a public cloud service; the Kubernetes service abstraction with a cluster-wide IP address; monitoring and telemetry of the Kubernetes network; and troubleshooting the Kubernetes network. Brought to you by IEEE Software magazine and IEEE Computer Society.
Show Notes
Transcript
Transcript brought to you by IEEE Software magazine and IEEE Computer Society. This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number.
Robert Blumen 00:00:19 For Software Engineering Radio, this is Robert Blumen. I have with me today James Strong. James is a Cloud native and infrastructure engineer. He is a maintainer on the Kubernetes Ingress-NGINX project and is currently a Senior Solutions Architect at Isovalent. James is the co-author with Vallery Lancey of the book Networking and Kubernetes: A Layered Approach published by O’Reilly. And that will be the subject of our conversation today. James, welcome to Software Engineering Radio.
James Strong 00:00:55 I am super excited to be here Robert, I love talking about networking. I love going as deep as possible. It’s also interesting to talk about networking without diagrams, so we’ll see how well we can describe things together.
Robert Blumen 00:01:09 Yeah, that is a common challenge that we face on Software Engineering Radio. Unless there’s anything else you’d like to say about your background, we can dive right in.
James Strong 00:01:19 That’s a pretty good wrap up. I say that now and I, we’re going to talk a lot about software engineering and a lot of the times these days I’m talking to a lot of network engineers who are getting just into Kubernetes and Cloud native space. So a lot of those questions I’ve had the same. When I started, I thought I wanted to be a network engineer. I was on the path to try to get a CCIE and the Cloud just came around. I was like, this is very interesting. I went around working with that for a little while and then Kubernetes popped up as well to try to be this operating system for the data center. All those conversations, like the abstraction, all of that. And I just slowly migrated to doing the Kubernetes piece just because it was infrastructure, it was networking, it was software. It was a good cross section of all of those things. So yeah, that was a real quick overview of just, I’ve been through that transition and hopefully I can have an intelligent conversation about that. And I answered a lot of questions last week in KubeCon about how to go from being a network engineer to working on Kubernetes networking.
Robert Blumen 00:02:24 Your career path is relevant to our audience and our podcast. The podcast software engineering radio has been around for about 20 years. When it started, we really focused a lot on the writing code aspect of software engineering. But over time, the topics that we talk about have broadened to include many things in networking and security, which are now considered normal for software engineer to know about and use in their job. I think you have a great background to talk about this topic.
James Strong 00:02:56 I think everyone should understand how the network works. Now there’s a saying in networking, it’s guilty till proven innocent. So, we can skip that step and just have a conversation about performance issues or other things like that, that’d be great.
Robert Blumen 00:03:09 We’ll be talking about the Kubernetes network. We have some existing content on Kubernetes, in particular 445 on eBPF and 586 on VPCs and a bunch of other Kubernetes topics in the archive. But nothing specifically about the network. I’m going to say to introduce this, when I started looking at Kubernetes, it differs from other distributed systems. Many distributed systems you have some hosts, you have a network, you run the service on the hosts, and they use the host network. That is not how Kubernetes works. What is the big difference?
James Strong 00:03:49 I would like to challenge that assumption because I hear that a lot where again, having this conversation with folks who are just getting into Kubernetes, one of the big things that I’ve learned while going through this and troubleshooting and helping doing, standing up Kubernetes clusters and migrating applications to Kubernetes is that Linux networking. It’s still, if you have a Linux networking background, you understand how interfaces work, how IP addresses get assigned, how routing works. You just need to learn how Kubernetes talks about it from that perspective. So you’re still setting up network interfaces. So there are abstractions and software that do it for you instead of having someone else do it. So you’re not putting in a ticket to get an IP address and get a sysadmin to set up a network interface. There’s software that does it for you. And one of those abstractions, and I’m sure we’ll talk about this more, is the container network interface. So Kubernetes relies on the routing of the underlying hosts as well as the software, the container network interface to set up the networking for us. Kubernetes doesn’t know about the underlying networking from that perspective. So it expects that nodes can talk to each other. So there are some underlying expectations and assumptions and then there’s also just, again, it is just Linux networking from that perspective.
Robert Blumen 00:05:12 I talk at a high level. I start out with my initial premise that Kubernetes is different than a standard distributed system and you’re pushing back on that. So maybe if you could bear with me a bit, I’m wrong, but why did I think that and explain why I’m wrong, but why is there something about that that is at least partially true or how is Kubernetes networking not got more layers to it than the flat distributed system that I described?
[...]