CNCF BordeauxKubinception Network Deep Dive

CNCF BordeauxKubinception
Kubinception

Kevin GEORGES
@0xd33d33
Passionate about distributed
systems
Love to share experience and
to contribute to tech
communities
Flutter

Pierre PERONNET
Flutter
DevOps @OVH
Automation adept. Do not craft
it, code it.

Sebastien JARDIN
Sebastien_Jard1
SRE Engineer
Tech lovers
Flutter

OVH: Our solutions
Cloud
Web
Hosting
▪ Dedicated Server
▪ Data Storage
▪ Network and
Security
▪ Licences
Mobile
Hosting Telecom
VoIP
SMS/Fax
Virtual desktop
Cloud HubiC
Over theBox
Containers
Compute
Database
Object Storage
Securities
Messaging
VPS
Public Cloud
Private Cloud
Serveur dédié
Cloud Desktop
Hybrid Cloud
Domain names
Email
CDN
Web hosting
MS Office
MS solutions

OVH: Platform
Metrics
Platform
Logs
Platform
Managed
Kubernetes

OVH: Managed Kubernetes
Launched at OVH Summit
End 2018

OVH: Managed Kubernetes
+ 2000 clusters
+ 10k pods running
+ 1500 cpu cores
+ 22 Tb memory

Kubernetes
Way more than a buzzword!

Masters and nodes

Some more details

Key components
● ETCD
● ApiServer
● Kube proxy

Managed Kubernetes
Don't try it at home, folks!

Kubinception: running K8s on K8s
Using Kubernetes to run Kubernetes

Kubinception: where are the nodes?

Kubinception with several customers

Kubernetes communication

Node port
Kubinception client side networking
Incoming
connections
● Access thanks to the node IP
(or with Round-Robin DNS)
● Routed with port number
● Sensitive to node failures

K8S LB
Incoming
connections
● Based on OVH IPLB product
● Routed by destination IP
● HA by design
● Highly scalable

API Server
connections
External → API Server
● OVH IPLB
● Node Port
● Ingress nginx + SNI routing
● Full TCP connexion
no SSL termination before API Server
OVH IPLBNode Port
Adminnode
Ingress
Nginx
kubectl
com
m
ands

API Server
connections
Node initiate a TCP tunnel
● called WormHole from Kubernikus project
Connections from Kube components are
routed through the tunnel
N
ot accessible
from
clients nodes
due
to
private
network

The long road to prod
A journey not for the faint of heart

ETCD

ETCD as a pod?

ETCD as a pod?
● Easy to bootstrap ● Hard to maintain thousands of them
● Use local, non persistent storage as
default
● Too much risk of total quorum loss
using persistent volumes

ETCD with an operator?

ETCD with an operator?
● Built by the community
● Handle etcd lifecycle:
○ creation
○ destruction
○ resizing
○ failover
○ rolling upgrades, backups…
● Use local, non persistent storage as
default
● Too much risk of total quorum loss
using persistent volumes

ETCD with stateful sets?

ETCD with stateful sets?
● Can handle a full cluster disruption ● No lifecycle management
● Resource cost
● Requires distant persistent volumes
● Performance issues

ETCD multi-tenant?
Deployed as an
multi-tenant etcd
cluster on
dedicated servers

ETCD multi-tenant?
● Dedicated hardware
● Can handle a full cluster disruption
● Easy to manage
● High perf

Network

Network
CNI?
Calico
Cannal
Flannel
Cilium
Contiv
Romana

Network
CVE
● 2018-03-28 - CVE-2019-9946
● 2018-11-13 - TTA-2018-001
Young
● Many implementations
● Need something battle tested

Network
No CNI :)

Network - First L2
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod

Network
Why BREX?

Network - First L2
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
who has 10.0.0.1 ?

Network - First L2
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
10.0.0.1 is-at
00:00:00:00:00:01

Network - First L2
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
10.0.0.1 is-at
00:00:00:00:00:01
10.0.0.1
00:00:00:00:00:01

Network - Then L3
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
SYN 10.0.0.1
10.0.0.1
00:00:00:00:00:01

Network - Then L3
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
SYN 10.0.0.1
10.0.0.1
00:00:00:00:00:01
net.ipv4.ip_forward=1

Network - Then L3
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
SYN 10.0.0.1
10.0.0.1
00:00:00:00:00:01
10.100.0.2
00:00:00:00:21:42
net.ipv4.ip_forward=1

Network - Then L3
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
who has 10.100.0.2 ?
10.0.0.1
00:00:00:00:00:01
10.100.0.2
00:00:00:00:21:42

Network - Then L3
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
10.100.0.2 is-at
00:00:00:00:00:02
10.0.0.1
00:00:00:00:00:01
10.100.0.2
00:00:00:00:21:42

Network - Then L3
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
SYN/ACK 10.100.0.2
10.0.0.1
00:00:00:00:00:01
10.100.0.2
00:00:00:00:21:42
10.100.0.2
00:00:00:00:00:02

Network - Then L3
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
SYN/ACK 10.100.0.2
10.0.0.1
00:00:00:00:00:01
10.100.0.2
00:00:00:00:21:42

Network
How to fix the
storm?

Network - Proxy ARP
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
A
R
P

Network - Proxy ARP
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
who has 10.100.0.2 ?
10.0.0.1
00:00:00:00:00:01
10.100.0.2
00:00:00:00:21:42
A
R
P

Network - Proxy ARP
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
10.100.0.2 is-at
00:00:00:00:21:42
10.0.0.1
00:00:00:00:00:01
10.100.0.2
00:00:00:00:21:42
A
R
P

Network - Proxy ARP
CBR0BREX
00:00:00:00:21:42
10.10.0.1/32
00:00:00:00:25:45
10.100.0.1/24
00:00:00:00:00:02
10.100.0.2/32
00:00:00:00:00:01
10.0.0.1/32
NodeETCD
Pod
SYN/ACK 10.100.0.2
10.0.0.1
00:00:00:00:00:01
10.100.0.2
00:00:00:00:21:42
10.100.0.2
00:00:00:00:21:42
A
R
P

KubeProxy

KubeProxy
3 modes:
● Userspace
● IPTables
● IPVS

KubeProxy - Userspace
Deprecated :(

KubeProxy - IPTables
● Chained Process / Not incremental
● Locked during update
● Time spent to add 1 rule when svc count increase
● For 20k svc (160k rules) : 5 hours!

KubeProxy - IPTables
Routing performances
1 service 1k service 10k services 50k services
First
Service
575μs 614μs 1023μs 1821μs
Middle
Service
575μs 602μs 1048μs 4174μs
Last
Service
575μs 631μs 1050μs 7077μs

KubeProxy - IPVS
● Hashing vs Chains
● Better Load Balancing algorithms
● Weighted / RR / LeastConn / src&dst hashing / …
● Health Checks / Connections retries…
● IPTables is a swiss knife where IPVS is a purposed one

Reload performances
KubeProxy - IPVS vs IPTables
# Services 1 5 000 20 000
# Rules 8 40 000 160 000
IPTables 2 ms 11 min 5 hours
IPVS 2 ms 2 ms 2 ms

Bandwidth performances
KubeProxy - IPVS vs IPTables
#service 1 1k 5k 10k 25k 50k
First First Last First Last First Last First Last First Last
IPTables
(MB/s)
67 64 56 50 39 15 6 0 0 0 0
IPVS
(MB/s)
65 62 54 54 54 43 43 30 29 24 24

The security journey

We are hiring!
● Opensource database expert
● Site Reliability Engineers (Private cloud, Openstack, DNS, Observability)
● Software engineers (containers, baremetal, webhosting)
● Back-end developers (go, python)
● Engineering manager webhosting

Kubinception
Thank you!

CNCF BordeauxKubinception Network Deep Dive

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a CNCF BordeauxKubinception Network Deep Dive

Semelhante a CNCF BordeauxKubinception Network Deep Dive (20)

Mais de OVHcloud

Mais de OVHcloud (20)

Último

Último (20)

CNCF BordeauxKubinception Network Deep Dive