Introduce the basic concept of load-balancing, common implementations of load-balancing and the details of the Kubernetes Service. Finally, demonstrate how to modify the Linux iptables kernel module to achieve layer-7 load-balancing for Kubernetes.
2. Who Am I
• Hung-Wei Chiu (hwchiu)
• Member of Technical Staff at Open Networking Foundation
• https://www.hwchiu.com
• Co-Organizer of SDNDS-TW/CNTUG
5. Functionality
• Ensure high availability and reliability
• Only send requests to servers that are online
• Provides the flexibility to add or subtract servers as demand dictates
• Distributes client requests or network load efficiently across multiple servers.
https://www.nginx.com/resources/glossary/load-balancing/
6. Distribution Algorithm
• Round Robin
• Header Hash
• Layer 3
• Layer 4
• Layer 7
• Server Status
• Connection number
• …etc
7. OSI / TCP-IP
OSI – TCP/IP (figure: Layer 1 through Layer 7 of the OSI model mapped onto the TCP/IP model)
https://techdifferences.com/difference-between-tcp-ip-and-osi-model.html
15. How it works
• Type
• Client-Side
• Middleware
• Connection State
• Proxy
• Transparency
16. Client-Side
• The client sends requests directly to the backend server.
• Query all possible addresses of the backend servers
• Apply the distribution algorithm
• Send the request to the chosen backend server
• Someone has to provide the address list of all backend servers
21. Real Case
• gRPC is a layer 7 protocol; multiple gRPC requests rely on the same TCP connection.
• gRPC in a Kubernetes environment
• Service type: Headless
• Returns a set of Pod IPs
• https://medium.com/google-cloud/loadbalancing-grpc-for-kubernetes-cluster-services-3ba9a8d8fc03
22. Middleware
• The client sends packets to a middleware
• The middleware handles the traffic load-balancing
• The client doesn’t need to know the IP addresses of the backend servers, only the middleware.
• Different implementations
• Proxy
• Transparency
23. Proxy
• Usually a daemon handles the incoming traffic.
• Establishes a new network connection to the backend.
• One to one
• One to many
• SSL terminator
25. Real Case
• gRPC is a layer 7 protocol; multiple gRPC requests rely on the same TCP connection.
• A layer 4 proxy can’t identify gRPC connections.
• All gRPC requests will be forwarded to the same backend server.
• A layer 7 proxy, if it supports gRPC:
• One to many
• Identifies the gRPC format
• Envoy/Linkerd
https://www.bugsnag.com/blog/envoy
30. Transparency
• Modify packets so that they are routed to the backend server.
• Keep the same connection, no additional one.
• The client still doesn’t know the IP addresses of the backend servers.
33. Real Case
• gRPC is a layer 7 protocol; multiple gRPC requests rely on the same TCP connection.
• gRPC load-balancing can’t work correctly in this mode.
• Only a single TCP connection.
• TCP is a connection-based protocol (3-way handshake)
36. Example
• Kubernetes Service (by default)
• ClusterIP/NodeIP
• Packets are modified by iptables
• Connection persistence is maintained by kernel conntrack.
47. Answer
• Only the first packet of a flow meets the NAT rules
• The kernel modifies the packets for you
• You need the conntrack tool to control it.
• You have to choose the destination before you see the real data packets.
48. Kubernetes service
• People always say Kubernetes only supports layer 4 load-balancing
• Is it possible to provide layer 7 load-balancing in Kubernetes?
• Without modifying the Kubernetes source code
49. I think
• For a normal TCP implementation, no.
• Should be yes for a customized TCP protocol
• Real zero-RTT TCP.
• How about other protocols?
• UDP?
50. DEMO
• Source code
• https://github.com/cloud-native-taiwan/k8s-course/pull/5/files
• Modify the iptables Linux kernel module
• Statistic module
• Parse the UDP payload and try to match
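As an added illustration of slides 47 to 50 (not the talk's code nor the linked kernel-module change), a Python model of the decision path: the NAT rule runs once per flow, conntrack pins every later packet to that choice, and a payload matcher standing in for the modified statistic module can only act when a flow's first packet already carries data, which holds for a UDP datagram but not for a TCP SYN. Packet, NatTable and first_byte_match are constructed names for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str              # client "ip:port"
    dst: str              # Service ClusterIP:port
    payload: bytes = b""  # a bare TCP SYN carries no payload

class NatTable:
    """Constructed model of the kernel path: the NAT rule sees only a flow's
    first packet; conntrack sends every later packet to the same backend."""
    def __init__(self, backends, l7_match=None):
        self.backends = list(backends)
        self.l7_match = l7_match  # payload matcher, like the demo's modified statistic module
        self.conntrack = {}       # (proto, src, dst) -> chosen backend
        self.rr = 0               # round-robin counter for the layer-4 fallback

    def _choose(self, pkt):
        # A layer-7 match can only work if the first packet already carries payload.
        if self.l7_match is not None and pkt.payload:
            return self.l7_match(pkt.payload, self.backends)
        # Layer-4 fallback: pick a backend without looking at data (kube-proxy uses
        # iptables -m statistic random; round robin here so the result is deterministic).
        chosen = self.backends[self.rr % len(self.backends)]
        self.rr += 1
        return chosen

    def route(self, pkt):
        key = (pkt.proto, pkt.src, pkt.dst)
        if key not in self.conntrack:  # only the first packet meets the NAT rule
            self.conntrack[key] = self._choose(pkt)
        return self.conntrack[key]     # later packets follow the conntrack entry

def first_byte_match(payload, backends):
    """Constructed layer-7 rule: route on the first payload byte."""
    return backends[payload[0] % len(backends)]

def tcp_vs_udp():
    """Backend chosen for a TCP SYN, its later data packet, and two UDP datagrams."""
    nat = NatTable(["10.0.0.1", "10.0.0.2"], l7_match=first_byte_match)
    # TCP: the SYN has no payload, so the backend is fixed before any data is seen;
    # the data packet (first byte 1 would have picked 10.0.0.2) inherits that choice.
    tcp_syn = nat.route(Packet("tcp", "10.1.1.1:40000", "10.96.0.10:80"))
    tcp_data = nat.route(Packet("tcp", "10.1.1.1:40000", "10.96.0.10:80", b"\x01req"))
    # UDP: the first datagram already carries payload, so the matcher decides and
    # two separate flows with the same first byte land on the same backend.
    udp_a = nat.route(Packet("udp", "10.1.1.1:40001", "10.96.0.10:53", b"\x01q1"))
    udp_b = nat.route(Packet("udp", "10.1.1.1:40002", "10.96.0.10:53", b"\x01q2"))
    return tcp_syn, tcp_data, udp_a, udp_b
```

With plain round robin the second UDP flow would have gone to 10.0.0.1; the payload rule sends both UDP flows to 10.0.0.2 while the TCP flow stays on whatever the SYN was assigned.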