Calico using rkt

Anirban Sen Chowdhary

Transcript of Calico using rkt

Page 1: Calico using rkt

Anirban Sen Chowdhary

Page 2: Calico using rkt

Project Calico is a Tigera open-source project that provides a layer 3 network implementation aimed at scalable datacenter deployments. These slides provide a simple way to try out rkt network isolation with Calico. They require a cluster of nodes configured with Calico networking, and expect that you have rkt installed and calicoctl configured to interact with the cluster.

Page 3: Calico using rkt

Calico with rkt

Calico supports networking and network policy in a pure rkt container environment.

1) Verifying Calico service is running:

Installation should have installed and started the Calico service on each node. We can check that it's running using sudo rkt list.

Page 4: Calico using rkt

2) Creating the networks:

We can configure multiple networks when we are using rkt. Each network is represented by a configuration file in /etc/rkt/net.d/. We can define a rkt network for Calico by creating a configuration file in /etc/rkt/net.d/.

1) Each network needs to be given a unique "name".
2) Using Calico networking, we need to specify "type": "calico".
3) Using Calico IPAM, specify "type": "calico-ipam" in the "ipam" section.
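The following shell snippet is an added example, not code from the slides or from the Calico project. It writes a network configuration file with exactly the three settings listed above and then checks a file for them, so that a misnamed or mistyped config is caught before rkt tries to use it. The output directory is a parameter (so the check can be tried in a scratch directory without root), and the file name convention 10-<name>.conf is an assumption made here; any datastore settings a particular Calico version may also require are not covered by the slides and are not included.

```shell
#!/bin/sh
# Added example: generate and sanity-check Calico rkt network configs.
# Assumptions (not from the slides): the config directory is a parameter and
# the "10-<name>.conf" file name is a convention chosen here.

# write_calico_net_conf DIR NAME
# Writes DIR/10-NAME.conf with the three settings the slides require:
# a unique "name", "type": "calico", and "ipam" with "type": "calico-ipam".
write_calico_net_conf() {
    conf_dir="$1"
    net_name="$2"
    [ -n "$net_name" ] || { echo "network name must not be empty" >&2; return 1; }
    mkdir -p "$conf_dir" || return 1
    conf_file="$conf_dir/10-$net_name.conf"
    # Names must be unique: refuse to silently overwrite an existing network.
    if [ -e "$conf_file" ]; then
        echo "refusing to overwrite existing config $conf_file" >&2
        return 1
    fi
    cat > "$conf_file" <<EOF
{
    "name": "$net_name",
    "type": "calico",
    "ipam": {
        "type": "calico-ipam"
    }
}
EOF
}

# check_calico_net_conf FILE
# Returns 0 if FILE has a non-empty "name", "type": "calico" and an IPAM
# type of "calico-ipam"; otherwise prints the reason and returns 1.
check_calico_net_conf() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    grep -Eq '"name"[[:space:]]*:[[:space:]]*"[^"]+"' "$f" \
        || { echo "$f: missing or empty \"name\"" >&2; return 1; }
    grep -Eq '"type"[[:space:]]*:[[:space:]]*"calico"' "$f" \
        || { echo "$f: \"type\" is not \"calico\"" >&2; return 1; }
    grep -Eq '"type"[[:space:]]*:[[:space:]]*"calico-ipam"' "$f" \
        || { echo "$f: ipam type is not \"calico-ipam\"" >&2; return 1; }
    return 0
}

# Usage on a node (as root, because /etc/rkt/net.d is system-owned):
#   write_calico_net_conf /etc/rkt/net.d network1
#   write_calico_net_conf /etc/rkt/net.d network2
#   check_calico_net_conf /etc/rkt/net.d/10-network1.conf
```

Because Calico creates a profile per network name, a duplicated or misspelled name silently changes which policy a container lands in; the overwrite refusal and the three field checks are there to make that mistake visible early.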

Page 5: Calico using rkt

Calico creates an identically named profile for each Calico-rkt network. By default, the policy specified in the profile allows full communication between all containers within the network but restricts ingress traffic from containers located on other networks. This worked example creates two rkt networks. We will run these commands on both calico-01 and calico-02:

Page 6: Calico using rkt

And on calico-02:

Page 7: Calico using rkt

3) Create test container :

Now that the networks are created, we can start some containers. We'll create a container on calico-01 in network1, and then create containers on calico-02 in each network so that we can check connectivity to the first container. The container on calico-01 will run a busybox image with the simple HTTP daemon httpd, serving the container's local filesystem over HTTP.

Page 8: Calico using rkt

On calico-01, we will create the container in network1. We include the suffix :IP=, which passes the IP environment variable through to the network plugin; Calico IPAM uses it to assign a specific IP address. We use a fixed IP address.

Use rkt list to see the IP:

We can see a busybox container running on the network network1 with the fixed IP address we assigned. We also see that rkt creates a second network called default-restricted; this is used for communication with the rkt service.
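As an added example (not code from the slides or from Calico or rkt), the shell functions below start the httpd container with a validated fixed address and read the address back out of rkt list output. The --insecure-options=image flag, the busybox image reference and the httpd flags are the usual rkt way of running an unsigned Docker-registry image and are assumptions here, as is the NETWORKS column layout of rkt list; the sample rkt list output is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): start the busybox httpd container on a
# fixed Calico IP and extract that IP from `rkt list`.
# Assumptions: rkt invocation details and the `rkt list` column layout are
# taken from general rkt usage, not from the slides.

RKT="${RKT:-sudo rkt}"   # set RKT=echo to dry-run and just print the command

# valid_ipv4 ADDR: 0 if ADDR is a dotted quad with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs="$IFS"; IFS=.
    set -- $1            # split the address into its four octets
    IFS="$oldifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# calico_rkt_run_httpd NET IP
# Starts busybox httpd in network NET with the fixed address IP. The ":IP="
# suffix is what Calico IPAM reads. A malformed address is rejected up front so
# a typo cannot quietly fall back to automatic assignment.
calico_rkt_run_httpd() {
    net="$1"; ip="$2"
    [ -n "$net" ] || { echo "network name required" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    # httpd -f stays in the foreground (keeps the pod alive); -h / serves the
    # container's root filesystem, as described in the slides.
    $RKT run --insecure-options=image --net="$net:IP=$ip" \
        docker://busybox --exec httpd -- -f -h /
}

# Constructed sample of `rkt list` output (UUIDs and times are made up; only
# the "name:ip4=addr, name:ip4=addr" form of the NETWORKS column matters).
SAMPLE_RKT_LIST='UUID      APP     IMAGE NAME                                   STATE    CREATED        STARTED        NETWORKS
3d5c7a2e  busybox registry-1.docker.io/library/busybox:latest  running  2 minutes ago  2 minutes ago  network1:ip4=192.168.0.1, default-restricted:ip4=172.16.28.2'

# rkt_ip_for_network NET
# Reads `rkt list` output on stdin and prints the ip4 address on network NET;
# returns 1 if no container is attached to that network.
rkt_ip_for_network() {
    awk -v want="$1" '
        NR > 1 {                              # skip the header line
            n = split($0, parts, ",")         # one network entry per part
            for (i = 1; i <= n; i++) {
                m = split(parts[i], toks, /[ \t]+/)
                for (j = 1; j <= m; j++) {
                    key = want ":ip4="
                    if (index(toks[j], key) == 1) {
                        print substr(toks[j], length(key) + 1)
                        found = 1
                        exit
                    }
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Usage on calico-01:
#   calico_rkt_run_httpd network1 192.168.0.1 &
#   sudo rkt list | rkt_ip_for_network network1
```

The exact-prefix match (index == 1) on the NETWORKS entries is deliberate: a plain substring search for network1 would also match a network named network10, and the address printed would then belong to the wrong container.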

Page 9: Calico using rkt

4) Validating intra-network connectivity :

Since we created the container on calico-01 and we know its IP address, we can now access it using wget from containers running on either host, as long as they are created in the same network.

Expected output:

We can repeat this command on calico-01 and check that access works the same way.
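To turn the connectivity check into something that can be run on both hosts and fail loudly when the profile policy is not what slide 5 describes, here is an added example (not from the slides or from Calico): it probes the httpd container from a throwaway busybox container in network1 and again from one in network2, and passes only if the first succeeds and the second is blocked. The probe-per-container approach, the 3-second wget timeout and the rkt invocation flags are choices made here, not something the slides specify.

```shell
#!/bin/sh
# Added example (not from the slides): check that the Calico profile policy
# behaves as described: same-network traffic allowed, cross-network ingress
# blocked. Assumptions: throwaway busybox probes, a 3 s wget timeout, and the
# usual rkt flags for running an unsigned Docker-registry image.

RKT="${RKT:-sudo rkt}"

# run_in_net NET CMD [ARGS...]
# Runs CMD inside a fresh busybox container attached to NET and returns the
# command's exit status (wget exits non-zero on timeout or refusal).
run_in_net() {
    net="$1"; shift
    $RKT run --insecure-options=image --net="$net" docker://busybox --exec "$@"
}

# probe_http NET IP: 0 if an HTTP GET to IP succeeds from a container in NET.
probe_http() {
    run_in_net "$1" wget -- -T 3 -q -O /dev/null "http://$2/"
}

# verify_network_policy IP
# Returns 0 only when IP answers from network1 and does not answer from
# network2; reports which expectation failed otherwise.
verify_network_policy() {
    target="$1"
    status=0
    if probe_http network1 "$target"; then
        echo "network1 -> $target: reachable (expected)"
    else
        echo "network1 -> $target: unreachable; same-network traffic should be allowed" >&2
        status=1
    fi
    if probe_http network2 "$target"; then
        echo "network2 -> $target: reachable; cross-network ingress should be blocked by the profile" >&2
        status=1
    else
        echo "network2 -> $target: blocked (expected)"
    fi
    return $status
}

# Usage on calico-02 (and again on calico-01), with the fixed IP chosen earlier:
#   verify_network_policy 192.168.0.1
```

Running the same check on both hosts matters: a probe from calico-01 exercises local policy only, while a probe from calico-02 also confirms that the layer 3 route between the nodes exists.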

Page 10: Calico using rkt

5) Verify Calico profiles were created

We can use the calicoctl get profiles command to verify that the Calico CNI plugin created two profiles, network1 and network2.

Page 11: Calico using rkt

For more information visit

Page 12: Calico using rkt