---
title: Unleashing the tides of kubernetes networking by removing kube-proxy
weight: 6
tags:
  - rejekts
  - isovalent
  - cilium
---

{{% button href="https://github.com/ttarczynski/cilium-kpr-demo" style="info" icon="code" %}}Code/Demo{{% /button %}}

A talk by Isovalent (now part of Cisco - god I love that they have to say this every time). It's a good baseline introduction to how Kubernetes service routing works, but also a bit dry (in terms of the presentation itself). I skipped the introduction to Cilium in these notes. The docs exist for a reason.

## Kubernetes Services - a baseline

- East-West: ClusterIP -> app-to-app traffic inside the cluster
- North-South: NodePort -> external client to an app in the cluster

## Kube-Proxy - IPTables Mode

- IPTables: Traffic flows through different tables/chains - most importantly the NAT table
- Every node has its own kube-proxy next to the kubelet
- ClusterIP: Scales to a huge number of rules when exposing multiple services
- NodePort: Masquerades the source if routing cross-node (source IP is lost)

TODO: Steal iptables visualizer
TODO: Steal lifecycle of a packet (ClusterIP)
TODO: Steal lifecycle of a packet (NodePort)

## Kube-Proxy free

- Cilium deploys one agent pod per node that loads and manages the eBPF programs in the kernel
- ClusterIP: Load balancing happens at the socket level
- NodePort: Also does SNAT
- Adds Hubble for observability