Over the past few months I’ve been trying to learn everything there is to know about Kubernetes. Kubernetes is an amazing technology for deploying and scaling containers though it comes with a cost. It’s an incredibly complex piece of software and there are a ton of bells and whistles to become familiar with. One way that I’ve found for coming up to speed is Joe Beda’s weekly TGIK live broadcast. This occurs each Friday at 4PM EST and is CHOCK full of fantastic information. In episode forty-five Kris Nova discusses the calico CNI plug-in. You can watch it here:
Here are some of my takeaways from the episode:
Create a useful iptables alias to list all rules:
$ alias iptables-list-all='iptables -vL -t filter && iptables -vL -t nat && iptables -vL -t mangle && iptables -vL -t raw && iptables -vL -t security'
You can pass a YAML configuration file to kubeadm with the "--config" option:
$ kubeadm init --config ~/kubeadm/configs/mycluster-config.yaml
CNI defines the specification for network plugins as well as the interfaces and APIs to utilize it
The kubelet "--network-plugin=cni" option is used to select the network plugin type
Kubernetes will exec() the CNI plugin from the directory passed to the "--cni-bin-dir" option
The commands in the "--cni-bin-dir" behave in a standardized way defined by the CNI specification
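To make that contract concrete, here is an added example (my own, not code from Calico or from the episode) of a minimal CNI plugin written as a POSIX shell script, the kind of file the kubelet exec()s from the --cni-bin-dir: the runtime sets CNI_COMMAND and the other CNI_* environment variables, pipes the network configuration JSON to stdin, and expects a JSON result on stdout (and a JSON error object with a non-zero exit on failure). The script touches no network namespace; the 10.244.0.10/24 address it returns for ADD is a constructed value, the network name demo-net used in the comments is an assumption, and error code 4 (invalid environment) and 7 (invalid network config) follow the CNI spec's numbering.

```shell
#!/bin/sh
# Added example, not Calico's code: a dry-run CNI plugin that demonstrates the
# calling convention. The runtime sets CNI_COMMAND (ADD/DEL/VERSION), the
# container identity (CNI_CONTAINERID, CNI_NETNS, CNI_IFNAME) and passes the
# network config JSON on stdin; the plugin answers with JSON on stdout.

# Pull a top-level string field out of a flat JSON document (sed only, no jq).
json_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Print a CNI error object; the caller decides the return status.
cni_error() {
    printf '{"cniVersion":"0.4.0","code":%s,"msg":"%s"}\n' "$1" "$2"
}

# Dispatch on CNI_COMMAND; the network configuration is read from stdin.
cni_plugin() {
    config=$(cat)
    case "${CNI_COMMAND:-}" in
        VERSION)
            printf '{"cniVersion":"0.4.0","supportedVersions":["0.3.1","0.4.0"]}\n'
            ;;
        ADD)
            # ADD needs to know which container and interface to wire up.
            for var in CNI_CONTAINERID CNI_NETNS CNI_IFNAME; do
                if eval "[ -z \"\${$var:-}\" ]"; then
                    cni_error 4 "missing required environment variable $var"
                    return 1
                fi
            done
            net_name=$(printf '%s' "$config" | json_field name)
            if [ -z "$net_name" ]; then
                cni_error 7 "network configuration has no name"
                return 1
            fi
            # Constructed address; a real plugin would allocate it through IPAM
            # and create the veth/route before reporting success.
            printf '{"cniVersion":"0.4.0","interfaces":[{"name":"%s","sandbox":"%s"}],"ips":[{"version":"4","address":"10.244.0.10/24","interface":0}]}\n' \
                "$CNI_IFNAME" "$CNI_NETNS"
            ;;
        DEL)
            # DEL must be idempotent and succeed even if ADD never completed.
            return 0
            ;;
        *)
            cni_error 4 "unsupported CNI_COMMAND: ${CNI_COMMAND:-<unset>}"
            return 1
            ;;
    esac
}

# When executed by the kubelet (CNI_COMMAND set), behave as the plugin binary.
if [ -n "${CNI_COMMAND:-}" ]; then
    cni_plugin
    exit $?
fi
```

Placing such a file in the --cni-bin-dir and naming it in a /etc/cni/net.d configuration (with "type" set to the file name) is all the kubelet needs to start calling it; the VERSION and error paths are what the runtime checks first, so they are worth getting right before any real networking code is written.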
Calico solves two problems:
Enforcing network policy
Assisting with managing the pod network configuration
Supports Linux ipvs
Runs as a DaemonSet
Can use a dedicated etcd cluster for network policy management
Calico node is a helper container that bundles together the various components required for networking containers with Calico
Calico node consists of three things:
Felix
Bird
confd
Calico felix is responsible for the underlying networking. It programs routes and ACLs to provide the needed connectivity
Bird is an open-source BGP implementation
Confd is a templating engine that monitors etcd for BGP configuration changes
The network policy controller is responsible for mutating policy on your hosts
The ip utility can produce colored output similar to ifconfig:
$ ip -c a
Calico creates 2 CNI configuration files in /etc/cni/net.d
The ip utility has an option to show the route it will take to a destination:
$ ip r get <destination>
ip can also be used to show your neighbor table:
$ ip neigh
The kubectl run command can be passed the “–expose” option to create a service:
$ kubectl run nginx --image=nginx --expose --port 80
Pods are not isolated by default. Network policy is required to provide isolation
Network policy is specified with the NetworkPolicy resource (the example below adds a default deny policy):
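As an added example (my own, not the manifest from the episode), the following shell function emits a default-deny NetworkPolicy for a namespace and shows how it would be applied with kubectl; the namespace "demo" and the policy name "default-deny" are assumed values. Selecting every pod with an empty podSelector and listing a policy type with no allow rules is what switches those pods from the non-isolated default to isolated.

```shell
#!/bin/sh
# Added example, not from the TGIK episode: generate a default-deny
# NetworkPolicy manifest for a namespace. Namespace and policy name are assumed.

# The NetworkPolicy API defines exactly two policy types.
valid_policy_type() {
    case "$1" in
        Ingress|Egress) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the manifest. An empty podSelector selects every pod in the namespace;
# naming a policyType while giving no ingress/egress rules denies all traffic
# of that type to the selected pods, which is what turns on isolation.
default_deny_manifest() {
    ns="$1"
    shift
    [ $# -gt 0 ] || { echo "need at least one policy type" >&2; return 1; }
    for t in "$@"; do
        valid_policy_type "$t" || { echo "unknown policy type: $t" >&2; return 1; }
    done
    printf 'apiVersion: networking.k8s.io/v1\n'
    printf 'kind: NetworkPolicy\n'
    printf 'metadata:\n  name: default-deny\n  namespace: %s\n' "$ns"
    printf 'spec:\n  podSelector: {}\n  policyTypes:\n'
    for t in "$@"; do
        printf '  - %s\n' "$t"
    done
}

# Apply it and confirm the object exists. Commented out so the file can be
# sourced on a machine without a cluster.
# default_deny_manifest demo Ingress Egress | kubectl apply -f -
# kubectl get networkpolicy -n demo
```

A policy that lists Egress also blocks the pods' DNS lookups, so a default-deny on egress is normally paired with a second policy that allows UDP/TCP 53 to the cluster DNS service; a test pod created with kubectl run in the namespace is the quickest way to confirm the isolation is in effect.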