Nuage Networks DemoFriday: Container Networking in Kubernetes with Nuage Networks

© 2016 Nokia. All rights reserved. Nuage Networks is a Nokia venture.

CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION 11/29/2016

1

SDxCentral DemoFriday

DevOps at Scale :

Container Networking in Kubernetes with Nuage Networks • Harmeet Sahni, Product Management (@sahni_harmeet)

• Aniket Bhat, Software Engineer (@anbhat)

• November 4, 2016


CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION

Agenda

1. Challenges with running Kubernetes in production

2. What’s Kubernetes

3. Nuage integration with Kubernetes

4. Demo

11/29/2016

2



TIME

Front End MiddleWare SQL DB App Logic Idle

1 2 3 4 5

Containers are created and destroyed on the fly.

SDN needs to follow ,in real time, enforcing the Security, QoS, NAT or service chaining policies for each container.

Container enviroments are more dynamic than legacy Virtualized DC



Are Containers the next Silo?

4

KVM/ESXi Server Bare Metal Servers

Gateway

Server

Server

L2

Virtual Network B Virtual Network A

VM VM VM

OpenStack

Virtual Network C

L2

L2

Container Server

Cont. POD POD

Kubernetes



Container/Pod to VM/Bare Metal communication needs Policies

5

Hypervisor Container/Kubernetes Node (VM or Bare Metal)

Bare Metal Server

VM VM App Pod



Kubernetes

11/29/2016

6



Kubernetes

Kubernetes – Greek for “helmsman”

Abbreviation: K8S

Open source cluster manager originally designed by Google

Platform for automating deployment, scaling, and operations of application containers across clusters of hosts



Master

SCHEDULER

API PROXY

AUTH

REPLICATION CONTROLLER

Node

KUBELET SERVICE PROXY

POD (SVC 2)

POD (SVC 2)

Node

KUBELET SERVICE PROXY

POD (SVC 1)

POD (SVC 1)

CLIENT

C1 C1

C1 C2 C1 C2

ETCD

Kubernetes Architecture



Kubernetes Concepts 1. Pods

Unit of deployment in Kubernetes

Co-located group of containers

IP address allocated to a Pod

Containers in a Pod talk to each other using localhost networking

2. Services

Logical set of pods which can be accessed as a unit

Provide a stable IP address and port for a Service

A service proxy is used to proxy requests across the cluster

3. Labels

Key Value pairs attached to primitives (pods, rep. controllers, services)

Labels are not meant to be unique

Labels are used to organize and select groups of objects

4. Namespaces

A Kubernetes namespace provides a mechanism to scope resources in a cluster.

Note: Not the same as a Linux namespace



Nuage VCS integration with Kubernetes

11/29/2016

10



Virtualized Cloud Services (VCS)

Physical servers Virtual Machines

Policy-Driven Virtualized Networking for all Environments

Containers Public Cloud



Virtualized Services Directory (VSD) • Network Policy Engine – abstracts complexity • Service templates and analytics

Virtualized Services Controller (VSC) • SDN Controller, programs the network • Rich routing feature set

Virtual Routing & Switching (VRS) • Distributed switch / router – L2-4 rules • Supports leading hypervisors and base metal assets • Virtual (VRS) and Physical (VSG) form-factors

Nuage Networks Virtualized Cloud Service (VCS)

Virtualized Cloud Services (VCS)



Nuage VCS Addresses Container Networking Challenges

Provides Multi-tenancy and App Isolation

Control over IP addressing (IP-per-Pod)

Supports hybrid app environments with containers, VMs and Bare Metal servers

On-prem, Public Cloud and Hybrid Cloud container deployments

Flexible and Granular Security Policy framework



Overlay-based Virtual Networks Kubernetes Deployment With VCS

Master Node Node

VSD

K A

PI

XMPP

VRS Nuage-Kube-Mon

Kubernetes Cluster

VSC (SDN

Controller)

VSD (Policy Engine)

VRS

Nuage K8S Plugin Nuage K8S Plugin



Network Policies for Kubernetes

15



Network Policies for Kubernetes

Nuage Policy Framework Generic framework that can work with different orchestrators

like Kubernetes and Mesos

Nuage Policy Framework has an adapter for the K8S Network Policy API K8S Network Policy API(Beta) was introduced in Kubernetes

1.3

16

NEW



Policy Creation Workflow

Master

Node Node

VSD

K A

PI

XMPP

VRS

Nuage-K8S-Mon

Kubernetes Cluster

VSC (SDN

Controller)

VSD (Policy Engine)

VRS

Nuage K8S Plugin Nuage K8S Plugin

API Client

Policy Spec

K8S Policy API

Nuage Policy Framework



Network Policy Use Cases 1. Expose a set of Pods (e.g. a web frontend) so that they are accessible from

the Internet 2. Pods can only talk to specific Pods (or groups of Pods) in their namespace 3. Pods from one namespace can access Pods in another namespace 4. Limit the Pods that can access internal hosts and also limit the subnets/hosts

that the Pods are allowed to access 5. Pods can only talk to internal hosts but cannot initiate connections to the

Internet 6. Pods can initiate connections to the Internet but cannot initiate connections

to internal hosts

18



19

DEMO



Demo 1

20

my-nginx pod 1

my-nginx pod 2

my-nginx pod 3

Unauthorized Client

Authorized Client



Demo 2

21

my-nginx pod 1 DB on Bare Metal Server



Resources

Free Trial: www.nuagex.io

Github: https://github.com/nuagenetworks/nuage-kubernetes

22

http://www.nuagex.io/

https://github.com/nuagenetworks/nuage-kubernetes






23

THANK YOU

Nuage Networks DemoFriday: Container Networking in Kubernetes with Nuage Networks

Technology

Transcript of Nuage Networks DemoFriday: Container Networking in Kubernetes with Nuage Networks