Nuage Networks DemoFriday: Container Networking in Kubernetes with Nuage Networks

Post on 16-Apr-2017


© 2016 Nokia. All rights reserved. Nuage Networks is a Nokia venture.

CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION 11/29/2016


SDxCentral DemoFriday

DevOps at Scale: Container Networking in Kubernetes with Nuage Networks

• Harmeet Sahni, Product Management (@sahni_harmeet)

• Aniket Bhat, Software Engineer (@anbhat)

• November 4, 2016


Agenda

1. Challenges with running Kubernetes in production

2. What is Kubernetes

3. Nuage integration with Kubernetes

4. Demo


[Figure: timeline chart. Over time steps 1 to 5, containers for Front End, Middleware, SQL DB and App Logic are started and torn down, with idle periods in between.]

Containers are created and destroyed on the fly.

The SDN needs to follow in real time, enforcing the security, QoS, NAT or service chaining policies for each container.

Container environments are more dynamic than a legacy virtualized DC.


Are Containers the next Silo?

[Figure: three silos side by side. KVM/ESXi servers run VMs in Virtual Network A and Virtual Network B under OpenStack; bare metal servers sit in Virtual Network C behind a gateway; a container server runs containers and pods under Kubernetes. Each silo has its own L2 domain.]


Container/Pod to VM/Bare Metal communication needs Policies

[Figure: a hypervisor hosting VMs, a container/Kubernetes node (VM or bare metal) hosting an App Pod, and a bare metal server; traffic between all three needs policy.]


Kubernetes


Kubernetes

Kubernetes – Greek for “helmsman”

Abbreviation: K8S

Open source cluster manager originally designed by Google

Platform for automating deployment, scaling, and operations of application containers across clusters of hosts


[Figure: Kubernetes Architecture. Master: scheduler, API proxy, auth, replication controller and etcd. Each Node: kubelet and service proxy, hosting pods for SVC 1 or SVC 2, each pod containing containers C1 and C2. A client reaches the services through the service proxy.]


Kubernetes Concepts

1. Pods

Unit of deployment in Kubernetes

Co-located group of containers

IP address allocated to a Pod

Containers in a Pod talk to each other using localhost networking

2. Services

Logical set of pods which can be accessed as a unit

Provide a stable IP address and port for a Service

A service proxy is used to proxy requests across the cluster

3. Labels

Key/value pairs attached to primitives (pods, replication controllers, services)

Labels are not meant to be unique

Labels are used to organize and select groups of objects

4. Namespaces

A Kubernetes namespace provides a mechanism to scope resources in a cluster.

Note: Not the same as a Linux namespace


Nuage VCS integration with Kubernetes


Virtualized Cloud Services (VCS)

Policy-Driven Virtualized Networking for all Environments: physical servers, virtual machines, containers and public cloud.


Nuage Networks Virtualized Cloud Services (VCS)

Virtualized Services Directory (VSD)

• Network Policy Engine – abstracts complexity

• Service templates and analytics

Virtualized Services Controller (VSC)

• SDN Controller, programs the network

• Rich routing feature set

Virtual Routing & Switching (VRS)

• Distributed switch / router – L2-4 rules

• Supports leading hypervisors and bare metal assets

• Virtual (VRS) and Physical (VSG) form-factors


Nuage VCS Addresses Container Networking Challenges

Provides Multi-tenancy and App Isolation

Control over IP addressing (IP-per-Pod)

Supports hybrid app environments with containers, VMs and Bare Metal servers

On-prem, Public Cloud and Hybrid Cloud container deployments

Flexible and Granular Security Policy framework


Overlay-based Virtual Networks: Kubernetes Deployment With VCS

[Figure: the Kubernetes cluster (master plus nodes) with the Nuage components. VSD (policy engine) and VSC (SDN controller) sit outside the cluster; Nuage-Kube-Mon on the master talks to the K8S API; each node runs VRS with the Nuage K8S Plugin. An XMPP link is shown between the control-plane components.]


Network Policies for Kubernetes


Network Policies for Kubernetes

Nuage Policy Framework: a generic framework that can work with different orchestrators such as Kubernetes and Mesos.

The Nuage Policy Framework has an adapter for the K8S Network Policy API. The K8S Network Policy API (beta) was introduced in Kubernetes 1.3.


Policy Creation Workflow

[Figure: the same deployment as before. An API client submits a Policy Spec to the K8S Policy API on the master; Nuage-K8S-Mon hands it to the Nuage Policy Framework, which feeds VSD (policy engine), VSC (SDN controller) and the VRS / Nuage K8S Plugin on each node.]


Network Policy Use Cases

1. Expose a set of Pods (e.g. a web frontend) so that they are accessible from the Internet

2. Pods can only talk to specific Pods (or groups of Pods) in their namespace

3. Pods from one namespace can access Pods in another namespace

4. Limit the Pods that can access internal hosts and also limit the subnets/hosts that the Pods are allowed to access

5. Pods can only talk to internal hosts but cannot initiate connections to the Internet

6. Pods can initiate connections to the Internet but cannot initiate connections to internal hosts
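As an added example that is not part of the deck or the Nuage plugin repository, the following two Kubernetes Network Policy objects express use cases 2 and 4 above for the my-nginx pods used in the demos: the first admits only clients labelled access=authorized, the second restricts outbound traffic to a bare-metal DB host. Assumed names (the app=my-nginx and access=authorized labels, the namespace "demo", the 192.0.2.10 DB address) are placeholders, and the manifests use the GA networking.k8s.io/v1 API rather than the beta API the deck refers to.

```yaml
# Added example, not from the Nuage deck or its plugin repo. Assumes pods
# labelled app=my-nginx, clients labelled access=authorized and a DB host
# at 192.0.2.10 (placeholder); uses the GA networking.k8s.io/v1 API, not
# the extensions/v1beta1 form the deck calls beta in Kubernetes 1.3.
# Use case 2: only pods carrying access=authorized in the same namespace
# may reach my-nginx on TCP/80; any other source (the "unauthorized
# client") is dropped once the selected pods have an Ingress policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-nginx-ingress
spec:
  podSelector:
    matchLabels:
      app: my-nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: authorized
    ports:
    - protocol: TCP
      port: 80
---
# Use case 4: my-nginx may open connections only to the bare-metal DB
# on TCP/5432 plus DNS on UDP/53; every other outbound flow, Internet
# included, is denied once Egress is listed in policyTypes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-nginx-egress
spec:
  podSelector:
    matchLabels:
      app: my-nginx
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 192.0.2.10/32
    ports:
    - protocol: TCP
      port: 5432
  - ports:
    - protocol: UDP
      port: 53
```

Apply both with `kubectl apply -n demo -f <file>`; they are enforced only by a network plugin that implements the Network Policy API (the Nuage plugin in this deck), and on a plugin without that support the API server accepts them silently with no effect.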



DEMO


Demo 1

[Figure: three pods, my-nginx pod 1, 2 and 3, with an authorized client and an unauthorized client attempting to reach them.]


Demo 2

[Figure: my-nginx pod 1 communicating with a DB on a bare metal server.]


Resources

Free Trial: www.nuagex.io

Github: https://github.com/nuagenetworks/nuage-kubernetes


THANK YOU