Networking Architecture

Pod Network (Pause Container, Network Plugin), Service Network (iptables, IPVS)
Kubernetes networking architecture: the Pod network (how pods get addresses and reach each other) and the Service network (how kube-proxy maps a Service to its pods).


1. Pod Network - Pause Container


Pause Container on Pod Network for Kubernetes.

1-1) Pause Container

apiVersion: v1
kind: Pod
metadata:
  name: pod-pause
spec:
  nodeSelector:
    kubernetes.io/hostname: k8s-node1
  containers:
  - name: container1
    image: kubetm/p8000
    ports:
    - containerPort: 8000
  - name: container2
    image: kubetm/p8080
    ports:
    - containerPort: 8080

Check the pause container. It is the pod's sandbox: it owns the network namespace that container1 and container2 share, so the runtime shows a third container for pod-pause.

// containerd
ctr -n k8s.io containers list --quiet | xargs -I {} ctr -n k8s.io containers info {} | jq -r '"Container ID: \(.ID) | Name: \(.Labels."io.kubernetes.pod.name") | Image: \(.Image)"' | grep pod-pause
// docker
docker ps | grep pod-pause

Check the pause container's interfaces

// containerd: the network namespace path of the sandbox container
ctr -n k8s.io containers info <container-id> | jq -r '.Spec.linux.namespaces[] | select(.type == "network") | .path'
//ex. ctr -n k8s.io containers info df24e759c6f454dbae6d6a1ff289f31d4bd5a46d1d998d22fac2bf02a852b17e | jq -r '.Spec.linux.namespaces[] | select(.type == "network") | .path'

// the printed path is /var/run/netns/<SandboxKey>; ip netns takes only the last path component
ip netns exec <SandboxKey> ip a
//ex. ip netns exec "cni-fd1c8ebf-df33-53cc-54a2-a50b78c43490" ip a

// docker: NetworkSettings.SandboxKey is /var/run/docker/netns/<SandboxKey>, a directory that ip netns does not scan
docker inspect <container-id> -f "{{json .NetworkSettings}}"
// expose Docker's namespace files to ip netns (only correct if /var/run/netns does not exist yet; if it does, the link is created inside it instead)
sudo ln -s /var/run/docker/netns /var/run/netns
ip netns exec <SandboxKey> ip a


1-2) Checking the Calico interface

Install the route command (net-tools; ip route shows the same information and needs no extra package)

yum -y install net-tools

Use route to find the interface the Pod IP is routed to. Calico gives every pod a veth pair; the host end is named cali<hash>, and the host carries a /32 route to the Pod IP through it.

route | grep cal

Confirm that the virtual interface reported by route exists on the host network

ip addr

1-3) Checking the pause container's network namespace

Check how the other containers are tied to the pause container: an app container does not get a network namespace of its own but joins the sandbox's, which is why every container in a pod shares one IP.

// container-type is "sandbox" for the pause container and "container" for the rest; sandbox-id names the pause container whose namespaces are joined
ctr -n k8s.io containers info <container-id> | jq '.Spec.annotations'
//ex. ctr -n k8s.io containers info 5d958917edfee74f3dc51ab0b1d9d16becf1797e9fad578e3e1e8023a7efb8e3 | jq '.Spec.annotations'
// docker: for an app container the value is container:<pause-container-id>
docker inspect <container-id> -f "{{json .HostConfig.NetworkMode}}"

Docker container NetworkMode (from the Docker Engine API reference)

NetworkMode - Sets the networking mode for the container.
Supported standard values are: bridge, host, none, and container:<name|id>.
Any other value is taken as the name of a custom network to which this container should connect.
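The lookups in 1-1 and 1-3 above, automated as a small POSIX shell helper. This is an added example, not code from the original page: it pulls the sandbox's network namespace out of the runtime's JSON and the sandbox-id out of an app container's CRI annotations, then enters the namespace. The JSON fragments are constructed to look like `ctr -n k8s.io containers info` and `docker inspect` output; every id and namespace name in them is made up. The node-side wrappers assume root and `ctr`, `docker` and `ip` on PATH, and that the annotation names used on the page (`io.kubernetes.cri.container-type`, `io.kubernetes.cri.sandbox-id`) are present.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for steps 1-1 and 1-3.
# Constructed sample JSON; ids and namespace names are made-up values.
CTR_SANDBOX_SAMPLE='{
  "ID": "aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666aaaa7777bbbb8888",
  "Labels": { "io.cri-containerd.kind": "sandbox", "io.kubernetes.pod.name": "pod-pause" },
  "Spec": {
    "annotations": {
      "io.kubernetes.cri.container-type": "sandbox",
      "io.kubernetes.cri.sandbox-id": "aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666aaaa7777bbbb8888"
    },
    "linux": { "namespaces": [
      { "type": "pid" }, { "type": "ipc" }, { "type": "uts" }, { "type": "mount" },
      { "type": "network", "path": "/var/run/netns/cni-11111111-2222-3333-4444-555555555555" }
    ] }
  }
}'
CTR_APP_SAMPLE='{
  "ID": "9999000011112222333344445555666677778888999900001111222233334444",
  "Labels": { "io.kubernetes.pod.name": "pod-pause", "io.kubernetes.container.name": "container1" },
  "Spec": {
    "annotations": {
      "io.kubernetes.cri.container-type": "container",
      "io.kubernetes.cri.sandbox-id": "aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666aaaa7777bbbb8888"
    },
    "linux": { "namespaces": [
      { "type": "pid" },
      { "type": "network", "path": "/var/run/netns/cni-11111111-2222-3333-4444-555555555555" }
    ] }
  }
}'
DOCKER_NS_SAMPLE='{"SandboxID":"0123456789abcdef","SandboxKey":"/var/run/docker/netns/0123456789ab"}'

# Network namespace path from runtime JSON on stdin. Handles the containerd shape
# ("path": "/var/run/netns/cni-...") and the Docker shape ("SandboxKey": "/var/run/docker/netns/...").
netns_path_from_json() {
    grep -oE '/var/run/(docker/)?netns/[^"]+' | head -n 1
}

# Just the last path component, which is what `ip netns exec <name>` expects.
netns_name_from_json() {
    netns_path_from_json | sed 's#.*/##'
}

# Pause-container id recorded in a container's CRI annotations (step 1-3). For the
# sandbox it is its own id; for an app container it names the sandbox it joined.
sandbox_id_from_json() {
    sed -n 's/.*"io\.kubernetes\.cri\.sandbox-id": *"\([0-9a-f]*\)".*/\1/p' | head -n 1
}

# Does the JSON on stdin describe the sandbox (pause) container?
is_sandbox_json() {
    grep -q '"io\.kubernetes\.cri\.container-type": *"sandbox"'
}

# On a containerd node: netns name of the pod's sandbox ($1 = pod name).
pod_netns_containerd() {
    for id in $(ctr -n k8s.io containers list -q); do
        info=$(ctr -n k8s.io containers info "$id")
        printf '%s' "$info" | grep -q "\"io.kubernetes.pod.name\": *\"$1\"" || continue
        printf '%s' "$info" | is_sandbox_json || continue
        printf '%s' "$info" | netns_name_from_json
        return 0
    done
    return 1
}

# On a Docker node: the pause container is named k8s_POD_<pod>_<namespace>_... ($1 = pod name).
pod_netns_docker() {
    id=$(docker ps -q --filter "name=k8s_POD_$1_")
    [ -n "$id" ] || return 1
    docker inspect "$id" -f '{{json .NetworkSettings}}' | netns_name_from_json
}

# Enter the pod's network namespace and list its interfaces (step 1-1). Docker keeps its
# namespace files under /var/run/docker/netns, which `ip netns` does not scan, so one
# per-namespace link is created rather than linking the whole directory as the page does.
pod_ip_addr() {   # $1 = pod name
    ns=$(pod_netns_containerd "$1" 2>/dev/null) || ns=$(pod_netns_docker "$1") || return 1
    if [ ! -e "/var/run/netns/$ns" ] && [ -e "/var/run/docker/netns/$ns" ]; then
        mkdir -p /var/run/netns
        ln -s "/var/run/docker/netns/$ns" "/var/run/netns/$ns"
    fi
    ip netns exec "$ns" ip addr
}

# Stand-alone demo on the constructed samples (on a node: pod_ip_addr pod-pause)
echo "sandbox netns:    $(printf '%s' "$CTR_SANDBOX_SAMPLE" | netns_name_from_json)"
echo "container1 joins: $(printf '%s' "$CTR_APP_SAMPLE" | sandbox_id_from_json)"
echo "docker netns:     $(printf '%s' "$DOCKER_NS_SAMPLE" | netns_path_from_json)"
```

The parsing is deliberately done with grep and sed rather than jq so it also works on a minimal node image; on a real node, `pod_ip_addr pod-pause` prints the same eth0 that `ip netns exec` shows in the page's manual steps.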

2. Pod Network - Calico


Calico Network Plugin on Pod Network for Kubernetes.

2-1) Pod (source)

apiVersion: v1
kind: Pod
metadata:
  name: pod-src
  labels:
    type: src  
spec:
  nodeSelector:
    kubernetes.io/hostname: k8s-node2
  containers:
  - name: container
    image: kubetm/init
    ports:
    - containerPort: 8080

2-2) Pod (destination)

apiVersion: v1
kind: Pod
metadata:
  name: pod-dest
  labels:
    type: dest
spec:
  nodeSelector:
    kubernetes.io/hostname: k8s-node1
  containers:
  - name: container
    image: kubetm/app
    ports:
    - containerPort: 8080

2-3) Checking overlay network (IP-in-IP) traffic

Check the Calico overlay network: the IPPool's cidr, block size and ipipMode (Always means every pod packet that crosses nodes is wrapped in IP-in-IP)

kubectl describe IPPool

Check the cluster's Pod network CIDR and compare it with the IPPool cidr

kubectl cluster-info dump | grep -m 1 cluster-cidr

2-4) Checking traffic

Install tcpdump

yum -y install tcpdump

Check the traffic. Capturing on the cali interface of pod-dest (k8s-node1) shows the inner packet with Pod IPs only; the IP-in-IP encapsulation is visible just between the nodes, on tunl0 or on the node's NIC, where the outer header carries the node IPs and IP protocol number 4.

route | grep cal
tcpdump -i <interface-name>
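Where to put tcpdump, derived from the node's routing table, as an added example for steps 1-2 and 2-4 (this is not code from the original page). The function does a longest-prefix match of a Pod IP against `route -n` output and classifies the result: a /32 host route to a cali* veth means the pod is local, a route via tunl0 means it is on another node behind Calico's IP-in-IP tunnel. The routing table is a constructed sample for a two-node cluster; interface names, node addresses and the 20.96.0.0/12 pod range are made-up values.

```shell
#!/bin/sh
# Added example (not from the original page): pick the capture interface for a Pod IP.
# Constructed `route -n` output for a Calico node with IP-in-IP; all values are made up.
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 ens33
20.96.1.0       192.168.0.31    255.255.255.192 UG    0      0        0 tunl0
20.96.2.12      0.0.0.0         255.255.255.255 UH    0      0        0 cali2f8e6e3a1b2
20.96.2.13      0.0.0.0         255.255.255.255 UH    0      0        0 cali9c0d1e2f3a4
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 ens33'

# Longest-prefix match of an IP against `route -n` text.
# $1 = route -n text, $2 = IP. Prints "<iface> <kind> <gateway>", kind being:
#   veth-local  - /32 host route to a cali* veth: the pod runs on this node
#   ipip-tunnel - route via tunl0: the pod is on another node, reached by IP-in-IP
#   other       - anything else (default route, node LAN, ...)
route_for_pod_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
    # bitwise AND of a dotted address with a contiguous netmask, octet by octet:
    # for a mask octet m = 256 - 2^k, (o & m) == o - (o % 2^k)
    function masked(addr, mask,   a, b, i, out) {
        split(addr, a, "."); split(mask, b, ".")
        out = ""
        for (i = 1; i <= 4; i++) out = out (i > 1 ? "." : "") (a[i] - (a[i] % (256 - b[i])))
        return out
    }
    # the octet sum grows with prefix length for contiguous masks, so it ranks routes
    function bits(mask,   b) { split(mask, b, "."); return b[1] + b[2] + b[3] + b[4] }
    $1 ~ /^[0-9]+\./ && NF >= 8 && masked(ip, $3) == $1 && bits($3) >= best {
        best = bits($3); iface = $8; gw = $2
    }
    END {
        if (iface == "") exit 1
        kind = "other"
        if (iface ~ /^cali/ && best == 1020) kind = "veth-local"
        else if (iface == "tunl0") kind = "ipip-tunnel"
        print iface, kind, gw
    }'
}

# The tcpdump invocation(s) that will actually show packets for that pod.
# $1 = route -n text, $2 = Pod IP
capture_command() {
    r=$(route_for_pod_ip "$1" "$2") || return 1
    set -- "$1" "$2" $r          # $3 = iface, $4 = kind, $5 = gateway
    case "$4" in
        ipip-tunnel)
            # the inner packet is seen on tunl0; the outer IP-in-IP header (protocol 4)
            # travels node to node on the NIC that routes to the peer node
            nic=$(route_for_pod_ip "$1" "$5" | cut -d" " -f1)
            echo "tcpdump -ni $3 host $2; tcpdump -ni $nic ip proto 4 and host $5" ;;
        *)
            echo "tcpdump -ni $3 host $2" ;;
    esac
}

# Stand-alone demo on the sample; on a node: capture_command "$(route -n)" <pod-ip>
for pod_ip in 20.96.2.12 20.96.1.5; do
    capture_command "$ROUTE_SAMPLE" "$pod_ip"
done
```

For a pod on this node the capture lands on its cali veth, for a remote pod on tunl0 plus the node NIC with an `ip proto 4` filter so the outer tunnel header between the two node IPs is seen as well.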


3. Service Network[clusterIP] - Calico


ClusterIP with Calico on Service Network for Kubernetes.

3-1) service (clusterIP)

apiVersion: v1
kind: Service
metadata:
  name: svc-clusterip
spec:
  selector:
    type: dest
  ports:
  - port: 8080
    targetPort: 8080
  type: ClusterIP

3-2) Checking traffic. The ClusterIP is only visible before NAT: tcpdump on the cali interface of pod-src (k8s-node2) still shows svc-clusterip's IP as the destination, because the capture point is ahead of netfilter, while kube-proxy's iptables rules on that same node rewrite it to pod-dest's Pod IP before the packet leaves the node. On the cali interface of pod-dest (k8s-node1) only Pod IPs appear.

route | grep cal
tcpdump -i <interface-name>


4. Service Network[NodePort] - Calico


NodePort with Calico on Service Network for Kubernetes.

4-1) service (NodePort)

apiVersion: v1
kind: Service
metadata:
  name: svc-nodeport
spec:
  selector:
    type: dest
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 31080
  type: NodePort

4-2) Checking the NodePort. Depending on the kube-proxy version a listening socket on 31080 may or may not show up here; the KUBE-NODEPORTS chain in the nat table is the authoritative place where the port is mapped.

netstat -anp | grep 31080

4-3) Checking traffic. With the default externalTrafficPolicy: Cluster, kube-proxy masquerades NodePort traffic, so on the cali interface of pod-dest the source address is an address of the node that received the request (its tunl0 address when the packet had to cross to another node), not the client's.

tcpdump -i <interface-name>
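The NAT that sections 3-2 and 4-3 rely on can be read straight out of kube-proxy's iptables rules. The following is an added example, not code from the original page: three POSIX shell functions that follow the KUBE-SERVICES / KUBE-NODEPORTS dispatch to the KUBE-SVC chain and from there to the KUBE-SEP chains that DNAT to Pod IPs. The rules are a constructed `iptables-save -t nat` excerpt shaped like kube-proxy output for svc-clusterip and svc-nodeport; chain hashes, Service IPs and Pod IPs are made-up values, and svc-clusterip is given two endpoints to show the --probability split.

```shell
#!/bin/sh
# Added example (not from the original page): trace a Service through kube-proxy's nat rules.
# Constructed `iptables-save -t nat` excerpt; every hash, IP and port below is a sample value.
NAT_SAMPLE='*nat
:KUBE-SERVICES - [0:0]
:KUBE-NODEPORTS - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.96.100.20/32 -p tcp -m comment --comment "default/svc-clusterip cluster IP" -m tcp --dport 8080 -j KUBE-SVC-AAAA1111BBBB2222
-A KUBE-SERVICES -d 10.96.100.21/32 -p tcp -m comment --comment "default/svc-nodeport cluster IP" -m tcp --dport 8080 -j KUBE-SVC-NNNN7777PPPP8888
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-nodeport" -m tcp --dport 31080 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-nodeport" -m tcp --dport 31080 -j KUBE-SVC-NNNN7777PPPP8888
-A KUBE-SVC-AAAA1111BBBB2222 ! -s 20.96.0.0/12 -d 10.96.100.20/32 -p tcp -m comment --comment "default/svc-clusterip cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
-A KUBE-SVC-AAAA1111BBBB2222 -m comment --comment "default/svc-clusterip" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-CCCC3333DDDD4444
-A KUBE-SVC-AAAA1111BBBB2222 -m comment --comment "default/svc-clusterip" -j KUBE-SEP-EEEE5555FFFF6666
-A KUBE-SEP-CCCC3333DDDD4444 -s 20.96.1.10/32 -m comment --comment "default/svc-clusterip" -j KUBE-MARK-MASQ
-A KUBE-SEP-CCCC3333DDDD4444 -p tcp -m comment --comment "default/svc-clusterip" -m tcp -j DNAT --to-destination 20.96.1.10:8080
-A KUBE-SEP-EEEE5555FFFF6666 -s 20.96.2.7/32 -m comment --comment "default/svc-clusterip" -j KUBE-MARK-MASQ
-A KUBE-SEP-EEEE5555FFFF6666 -p tcp -m comment --comment "default/svc-clusterip" -m tcp -j DNAT --to-destination 20.96.2.7:8080
-A KUBE-SVC-NNNN7777PPPP8888 -m comment --comment "default/svc-nodeport" -j KUBE-SEP-GGGG9999HHHH0000
-A KUBE-SEP-GGGG9999HHHH0000 -s 20.96.1.10/32 -m comment --comment "default/svc-nodeport" -j KUBE-MARK-MASQ
-A KUBE-SEP-GGGG9999HHHH0000 -p tcp -m comment --comment "default/svc-nodeport" -m tcp -j DNAT --to-destination 20.96.1.10:8080
COMMIT'

# Dispatch chain for ClusterIP:port, i.e. the KUBE-SERVICES lookup.
svc_chain_for_clusterip() {   # $1 = rules, $2 = cluster IP, $3 = port
    printf '%s\n' "$1" | awk -v dst="$2/32" -v port="$3" '
        $1 == "-A" && $2 == "KUBE-SERVICES" {
            d = ""; p = ""; j = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-d") d = $(i + 1)
                if ($i == "--dport") p = $(i + 1)
                if ($i == "-j") j = $(i + 1)
            }
            if (d == dst && p == port) { print j; exit }
        }'
}

# Dispatch chain for a NodePort, i.e. the KUBE-NODEPORTS lookup. Newer kube-proxy
# releases jump to a KUBE-EXT-<hash> chain first, which then jumps to the KUBE-SVC
# chain; that extra hop is followed here when present.
svc_chain_for_nodeport() {   # $1 = rules, $2 = node port
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-A" {
            p = ""; j = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") p = $(i + 1)
                if ($i == "-j") j = $(i + 1)
            }
            if ($2 == "KUBE-NODEPORTS" && p == port && j ~ /^KUBE-(SVC|EXT)-/) hop = j
            if (j ~ /^KUBE-SVC-/) next_hop[$2] = j
        }
        END {
            if (hop ~ /^KUBE-EXT-/ && (hop in next_hop)) hop = next_hop[hop]
            if (hop != "") print hop
        }'
}

# Endpoints a KUBE-SVC chain DNATs to, in rule order: "<pod ip:port> via <KUBE-SEP chain> p=<probability>".
# The last SEP rule carries no --probability and takes whatever is left, so it is reported as p=1.
endpoints_for_chain() {   # $1 = rules, $2 = KUBE-SVC-... chain
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 == "-A" {
            j = ""; dst = ""; prob = "1"
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") j = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
                if ($i == "--probability") prob = $(i + 1)
            }
            if ($2 == svc && j ~ /^KUBE-SEP-/) { order[++n] = j; sep[j] = prob }
            if (j == "DNAT" && dst != "") dnat[$2] = dst
        }
        END { for (k = 1; k <= n; k++) if (order[k] in dnat) print dnat[order[k]], "via", order[k], "p=" sep[order[k]] }'
}

# Stand-alone demo on the sample; on a node use rules=$(iptables-save -t nat)
rules=$NAT_SAMPLE
chain=$(svc_chain_for_clusterip "$rules" 10.96.100.20 8080)
echo "svc-clusterip 10.96.100.20:8080 -> $chain"
endpoints_for_chain "$rules" "$chain"
chain=$(svc_chain_for_nodeport "$rules" 31080)
echo "svc-nodeport :31080 -> $chain"
endpoints_for_chain "$rules" "$chain"
```

The KUBE-MARK-MASQ rule on the KUBE-NODEPORTS path is what turns the client's source address into the node's (section 4-3), and the DNAT targets are the Pod IPs that tcpdump on the cali interfaces shows in place of the Service IP (section 3-2). With IPVS mode there are no per-Service chains; `ipvsadm -Ln` lists the same virtual-server to real-server mapping instead.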

