Tigera eBook:
Introduction to
Kubernetes Networking
approach Kubernetes networking, starting with basic networking concepts,
Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Anatomy of a network packet
DNS
NAT
MTU
6
7
7
8
9
10
10
2. Kubernetes Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1
Kubernetes Services
Kubernetes DNS
NAT outgoing
Above and beyond
11
11
12
12
13
13
13
3. Network Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Integrates with Istio
Ingress and egress
14
14
15
16
16
16
16
16
17
17
17
18
18
18
19
19
2
4. Kubernetes Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Node port services
Above and beyond
20
21
21
22
23
23
24
24
5. Kubernetes Ingress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Show me everything!
Above and beyond
25
25
26
26
26
27
29
6. Kubernetes Egress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
NAT outgoing
Egress gateways
Above and beyond
30
30
31
31
32
7. eBPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Architecture overview
Above and beyond
33
33
33
33
34
34
35
36
37
3
8. Calico . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Contributor community
38
38
38
39
39
39
40
40
40
41
41
9. Calico Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Roadmap to production with Kubernetes
42
42
43
43
44
45
45
46
47
47
47
48
49
49
49
50
Resources and Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4
Introduction
Kubernetes has become the de facto standard for managing
About the Author:
Alex Pollitt
5
Chapter 1
Networking
install guides without needing to be a
you can better understand what is happening under the covers, this guide provides a short introduction to some of the
•
•
•
•
•
•
Network layers
The process of sending and receiving data over
(referred to as the OSI model
•
•
•
•
6
Anatomy of a network packet
IP addressing, subnets and IP routing
•
192.168.27.64
7
•
1203:8fe0:fe80:b897:8990:8a7c:99bf:323d
CIDR notation
/
192.168.27.0/24
addresses from 192.168.27.0 to 192.168.27.255
system, a route of 10.48.0.128/26 via 10.0.0.12 dev eth0
10.48.0.128/26
10.0.0.12 over the eth0
BGP
Overlay networks
8
•
•
determine best networking
option
DNS
google.com to 216.58.210.46
DNS
wants to connect to a domain name, a DNS message is sent to the DNS server, which then responds with information
9
NAT
NAT
MTU
The Maximum Transmission Unit (MTU
10
Chapter 2
Kubernetes Networking
•
•
•
•
•
•
The Kubernetes network model
•
•
•
NAT)
•
Kubernetes network implementations
11
•
•
determine best networking option
Kubernetes Services
Kubernetes Services
label selector
time of the service, even though the pods backing the service may be created or destroyed, and the number of pods
•
•
advertise service IP addresses
Kubernetes DNS
•
•
my-svc.my-namespace.svc.cluster-domain.example
pod-ip-address.my-namespace.pod.cluster-domain.example
•
pod-ip-address.deployment-name.my-namespace.svc.
cluster-domain.example
This means that if there is a service named foo in Kubernetes namespace bar , then pods in the same namespace
can access the service as foo , and pods in other namespaces can access the service as foo.bar
12
the Kubernetes guide DNS for Services and Pods
NAT outgoing
overlay networks
determine best
networking option
Dual stack
dual-stack
Above and beyond
• The Kubernetes Network Model
• Video: Everything you need to know about Kubernetes pod networking on AWS
• Video: Everything you need to know about Kubernetes networking on Azure
• Video: Everything you need to know about Kubernetes networking on Google Cloud
13
Chapter 3
Network Policy
•
•
•
What is network policy?
In contrast, the Kubernetes network model
Why is network policy important?
14
Note:
Kubernetes network policy
NetworkPolicy
•
•
•
•
Get started with Kubernetes network policy
15
Calico network policy
NetworkPolicy and nonnamespaced GlobalNetworkPolicy
•
•
•
•
NetworkSets
Get started with Calico network policy
Full Kubernetes network policy support
Richer network policy
Mix Kubernetes and Calico network policy
hierarchical policy
16
Ability to protect hosts and VMs
policy for hosts
Integrates with Istio
Extendable with Calico Enterprise
Calico Enterprise
17
Best practices for network policies
Ingress and egress
Policy schemas
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: front-end
namespace: staging
spec:
podSelector:
matchLabels:
app: back-end
ingress:
- from:
- podSelector:
matchLabels:
app: front-end
ports:
- protocol: TCP
port: 443
egress:
- to:
- podSelector:
matchLabels:
app: database
ports:
- protocol: TCP
port: 27017
18
Default deny
default deny
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: default-app-policy
spec:
namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {“kubesystem”, “calico-system”}
types:
- Ingress
- Egress
egress:
- action: Allow
protocol: UDP
destination:
selector: k8s-app == “kube-dns”
ports:
- 53
Hierarchical policy
Calico Enterprise
19
Chapter 4
Kubernetes Services
•
•
•
•
What are Kubernetes Services?
Kubernetes Services
label selector
•
•
•
20
circumvented in some scenarios by using
native service
handling
Load balancer services
Services of type LoadBalancer
native service handling
22
Advertising service IPs
MetalLB
NodePort or LoadBalancer
When combined with services of type LoadBalancer
23
Note that in the case of services of type LoadBalancer
Calico eBPF native service handling
eBPF dataplane
Above and beyond
• Video: Everything you need to know about Kubernetes Services networking
• Blog: Introducing the Calico eBPF dataplane
• Blog: Hands on with Calico eBPF native service handling
24
Chapter 5
Kubernetes Ingress
•
•
•
•
•
What is Kubernetes Ingress?
Services
Ingress Controller
Ingress
Why use Kubernetes Ingress?
Given that Kubernetes Services
in-cluster ingress
25
Types of Ingress solutions
•
•
In-cluster ingress solutions
•
•
as a Kubernetes service, so you can use any of the standard ways of accessing the service from outside of
External ingress solutions
26
service backing pods via the node port
Show me everything!
About Kubernetes Services
Note:
27
In-cluster ingress solution exposed as service type LoadBalancer with
External ingress solution via node ports
28
External ingress solution direct to pods
Above and beyond
• Video: Everything you need to know about Kubernetes Ingress networking
• Video: Everything you need to know about Kubernetes Services networking
29
Chapter 6
Kubernetes Egress
•
•
•
•
What is Kubernetes Egress?
In this guide we are using the term Kubernetes egress to describe connections being made from pods to anything
Ingress
•
• Outgoing NAT behavior
• Egress gateways
Network Policy
default deny
Network Sets
domain names
30
L5-7 rules
of approach, read our Adopt a zero trust network model for security
NAT outgoing
NAT
IP pools
Egress gateways
31
Above and beyond
• Adopt a zero trust network model for security
• Use external IPs or networks rules in policy
• Enforce network policy using Istio
• Use HTTP methods and paths in policy rules
•
• Assign IP addresses based on topology
•
Advanced egress access controls
32
Chapter 7
eBPF
•
•
•
What is eBPF?
Why is it called eBPF?
tcpdump
What can eBPF do?
Types of eBPF program
• Tracing
33
•
( tc
programs to modify or extend the packet, drop the packet, mark it for queueing, or redirect the packet to another
• XDP
•
socket
overhead because there is no DNAT
•
•
tc
BPF maps
•
•
bpftool
Calico’s eBPF dataplane
34
Feature comparison
Factor
Standard Linux Dataplane
eBPF dataplane
Throughput
Lower
factor)
Low
Lower
Yes
Yes
Yes
Direct Server Return
Not supported
S
network)
Connection tracking
Kubernetes services
Supported
Supported (no performance advantage due to
Supported
Supported
Wireguard
Supported
Supported
Other routing
Supported
Supported
Supported
Not supported (yet)
Supported
Not supported (yet)
Supported
Not supported (yet)
Enterprise version
Not supported (yet)
35
Architecture overview
tc
36
Above and beyond
•
•
announcement blog post
Enable the eBPF dataplane
37
Chapter 8
Calico
What is Calico?
Why use Calico?
Choice of dataplanes
38
Best practices for network security
Performance
Scalability
native design patterns combined with proven standards based
39
Interoperability
Real world production hardened
Full Kubernetes network policy support
40
Contributor community
Calico Enterprise compatible
•
•
•
•
•
Learn More
•
•
•
41
Chapter 9
Calico Enterprise
•
•
•
•
•
What is Calico Enterprise?
Calico open
source
Pilot, pre-production
•
•
•
•
42
•
top three issues
Egress access controls
Calico Enterprise
Egress gateway for in-depth defense
Visibility, traceability, troubleshooting
•
connectivity issues
•
• Comprehensive network visibility and evidence of reduced time to determine root cause
43
Calico Enterprise
•
•
Packet capture
Security controls for segmentation
Calico Enterprise
• Hierarchical policy using tiers
44
• Alerts
Production, initial apps
Self-service with control and compliance
Calico Enterprise
45
• Workload two-factor authentication
• Audit logging
Policy lifecycle and automation
Calico Enterprise
• Policy recommendation
• Preview policy
• Stage policy and update policy
46
Calico Enterprise
• AWS security groups integration
•
Production, mass migration
• Security is buttoned up
•
•
•
Threat defense and anomaly detection
Calico Enterprise Intrusion Detection System (IDS)
Threat intelligence feeds
47
Honeypods
any resources do reach the honeypods, you can assume the connection is suspicious, and that a resource may be
•
• Resources enumeration
•
•
•
Anomaly detection
Single management plane and federation
48
Calico Enterprise
Multi-cluster management
Federated endpoint identity and services
Protect non-cluster hosts with policy
Calico Enterprise
Compliance
•
•
•
•
•
•
•
•
Zero trust network security model
assumes that something in your application or infrastructure is compromised,
and is currently hosting some form of malware.
49
Calico Enterprise
• Multiple sources of identity
• Multiple enforcements points
• Multiple layers of encryption
Roadmap to production with Kubernetes
• To start a roadmap to production, contact Tigera Support
•
•
Tigera Support
Calico Enterprise technical documentation
50
Resources and Getting Started
Contact Us
Getting Started
Get Started
Calico Enterprise Free Trial
Start Free Trial
Free Training
Sign Up Today
51