Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add diagrams to The Kubernetes Network Model #32243

Open
chrismetz09 opened this issue Mar 13, 2022 · 32 comments
Open

Add diagrams to The Kubernetes Network Model #32243

chrismetz09 opened this issue Mar 13, 2022 · 32 comments
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature. language/en Issues or PRs related to English language priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/network Categorizes an issue or PR as relevant to SIG Network. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@chrismetz09
Copy link
Contributor

This is a Feature Request

What would you like to be added
Add diagrams to the The Kubernetes network model paragraphs.

Why is this needed
Readers, new and experienced, may find it difficult to visualize the concepts described in the Kubernetes network model intro discussion.

A couple of simple diagrams will assist readers in understanding and preparing them for the subsequent explanations of the Kubernetes networking concerns referenced at the bottom of the page.

Comments
Here is an example-hack diagram to accompany the Kubernetes imposes the following ... paragraphs. A diagram referral and caption described in the How to use captions section of the Diagram guide will further help the reader grasp this concept.

node-kubelet

Mermaid live editor link


Here is an example-hack diagram to accompany the IP-per-pod model description. Again, a diagram referral and caption will help the reader grasp this concept.

pod-container

Mermaid live editor link

@chrismetz09 chrismetz09 added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 13, 2022
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Mar 13, 2022
@mk46
Copy link
Member

mk46 commented Mar 14, 2022

/sig network

@k8s-ci-robot k8s-ci-robot added the sig/network Categorizes an issue or PR as relevant to SIG Network. label Mar 14, 2022
@sftim
Copy link
Contributor

sftim commented Mar 14, 2022

We could take inspiration - without any plagiarism, of course - from https://blog.neuvector.com/article/advanced-kubernetes-networking.

/triage accepted
/language en
/priority important-longterm

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. language/en Issues or PRs related to English language priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 14, 2022
@sftim
Copy link
Contributor

sftim commented Mar 14, 2022

It'd be nice to mix in some IPv6 examples. Kubernetes lets you use IPv6-only, IPv4-only or even dual-stack networking.

@PriyanshuAhlawat
Copy link
Contributor

/assign

@chrismetz09
Copy link
Contributor Author

It'd be nice to mix in some IPv6 examples. Kubernetes lets you use IPv6-only, IPv4-only or even dual-stack networking.

@sftim, I view this page as an intro-high-level intro that tees up the 4 x requirements discussion and more network concepts. IMHO, particular with k8s-cloud-network-newbies, keeping it simple would be appropriate for start.

Diagrams on IPv6, IPv4, dual stack best belong (and badly needed) in /docs/concepts/services-networking/dual-stack/.

@sftim
Copy link
Contributor

sftim commented Mar 14, 2022

@chrismetz09 I think you're recommending that we treat IPv4 as the stack we prefer and document, and relegate discussion of IPv6 to separate pages.

We try not to favor one technology over another, overall. With that in mind, I'd like to see at least some mention of IPv6 being an option in the overview page. It might be that we can't find a way to get it in without confusing readers; however, our starting point should be to try. If illustrating things ends up easier where we've used all-IPv4 for an example, that's OK. In that case, let's add some text to explain that detail.

I'm not sure if we can use images within tabs, but if we can, then we may actually be able to illustrate all three options and let readers compare.

@sftim
Copy link
Contributor

sftim commented Mar 14, 2022

One key thing we should aim to convey with diagrams is that every pod in a cluster can address every other pod in a cluster; packets from one pod to any other pod should never yield a “no route to host” error.

@chrismetz09
Copy link
Contributor Author

@sftim, thinking that classic container eth0, cbr0, vethx, etc. diagram is waaaay too complex for initial K8s network model discussion on this page

Could lead complexity bloat quickly. This should be placed in new separate section, maybe combined with CNI, etc.

@chrismetz09
Copy link
Contributor Author

One key thing we should aim to convey with diagrams is that every pod in a cluster can address every other pod in a cluster; packets from one pod to any other pod should never yield a “no route to host” error.

Totally.

@chrismetz09
Copy link
Contributor Author

@PriyanshuAhlawat, thanks for taking this on. If possible, please use Mermaid to hack the diagrams. This will facilitate collaboration and reviews for this interesting and important topic. Tx!

@reylejano reylejano moved this to In Progress in SIG Docs k/website Board Mar 15, 2022
@reylejano reylejano moved this from In Progress to Todo in SIG Docs k/website Board Mar 15, 2022
@sftim
Copy link
Contributor

sftim commented May 28, 2022

Work on this important issue is very welcome. If anyone's made a start, please share what you have - even if it's not finished, that could help someone else move the work forward.

@chetak123
Copy link
Member

Hey @PriyanshuAhlawat Are you still working on this issue, I would like to collaborate on this issue please.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 20, 2022
@chrismetz09
Copy link
Contributor Author

/assign

@chrismetz09
Copy link
Contributor Author

/remove-lifecycle stale
/assign

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 17, 2022
@chrismetz09
Copy link
Contributor Author

Looking over https://kubernetes.io/docs/concepts/services-networking/.

New and/or experienced network person looking over K8s networking for the first time could find this difficult to parse.

Simple pictures plus text edits is necessary. More detailed pictures with veths, namespaces, cbr0, cni etc. can be added at the bottom. This tees up the cluster networking discussion.

I will hack up some pictures to illustrate.

@sftim
Copy link
Contributor

sftim commented Oct 18, 2022

@chrismetz09 you might like to look at https://deploy-preview-30817--kubernetes-io-main-staging.netlify.app/docs/concepts/services-networking/service/ which illustrates how I hope the page will look within 12 months or so (see PR #30817)

The existing diagrams have moved into the reference section: https://deploy-preview-30817--kubernetes-io-main-staging.netlify.app/docs/reference/networking/virtual-ips/
I was hoping to follow this up with more work to redo those diagrams, once the constituent elements of #30817 merge into main.

@sftim
Copy link
Contributor

sftim commented Oct 18, 2022

I don't have plans to make any significant change to https://kubernetes.io/docs/concepts/services-networking/

@sftim
Copy link
Contributor

sftim commented Oct 18, 2022

I do recommend putting more advanced / detailed information inside https://k8s.io/docs/reference/networking/

@chrismetz09
Copy link
Contributor Author

I do recommend putting more advanced / detailed information inside https://k8s.io/docs/reference/networking/

Got it, will go with that approach.

@chrismetz09
Copy link
Contributor Author

#36671 generates 404.

@chrismetz09
Copy link
Contributor Author

@sftim
Copy link
Contributor

sftim commented Jan 3, 2023

We might want to distinguish between:

  • essential to the network model (eg: a primary network interface; IP networking)
  • typical to implementations of the Kubernetes network model (eg: using a veth pair; bridging; 192.168.0.0/16)

@chrismetz09
Copy link
Contributor Author

Exactly what I was thinking! Keeping it simple we have:

K8s network model: "IP-per-Pod", localhost for containers in same pod namespace, L2/IP networking for Inter-pod.
K8s network model implementations. Here is a hack figure for single host communications. More text and figures forthcoming.

k8net-localhost-PodSameHost drawio

figure link in diagrams.net

@sftim
Copy link
Contributor

sftim commented Jan 4, 2023

  • It'd be nice to illustrate an example using IP-only networking, eg a tun and some imaginary userland packet mangler outside the Pod netns.
  • The host interface need not be in the root netns; if we can avoid people wrongly inferring that it must be, even better.

@chrismetz09
Copy link
Contributor Author

Template diagram for pod networking between different hosts. This can be broken up into multiple diagrams, perhaps showing one with CNI-specific encaps and one with native L2/IP networking. Again just a template. Looking to keep it simple for readers wishing to understand the k8s network model.

The diagrams and text would be added to k8s network model page.

k8net-PodDiffHost-template drawio

figure link in diagrams.net

@sftim
Copy link
Contributor

sftim commented Jan 10, 2023

Feedback at this point is maybe don't use names veth1 and cbr0 in the host ns. How about pod1-host (or pod4-host) and l2bridge0? Also, in the writeup, explain that the two bridge interfaces are unrelated.

@sftim
Copy link
Contributor

sftim commented Jan 10, 2023

@chrismetz09 if you're happy to, please feel free to open a PR.

@mehabhalodiya
Copy link
Contributor

@PriyanshuAhlawat I don't see any updates; so unassigning you. Please feel free to assign, if you come back here again and are willing to work on 🙂
/unassign @PriyanshuAhlawat

@k8s-triage-robot
Copy link

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Jan 21, 2024
@a-mccarthy
Copy link
Contributor

/triage accepted

@sftim looks like you were the last one working on this in #41419, can you comment here on what you feel is still needed for this issue?

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 25, 2024
@sftim
Copy link
Contributor

sftim commented Mar 25, 2024

It's tricky because this isn't about documenting a thing people already agree on. Instead, we need to find that agreement partly by proposing a model and then seeing what concerns people have.

What we need to find is a shared understanding of what is core to Kubernetes networking. We need that understanding, perhaps as a sketch or wireframe or as a writeup, so that we can explain it and agree on how to explain it.

This isn't a small ask, IMO. I can probably make time to facilitate a discussion around this, or to help smooth out disagreements on where the boundaries are. Maybe some other folks can too.

Specifically, we need to take things out of the model. We won't show layer 2 (Kubernetes doesn't have opinions here), or packet filtering (Kubernetes doesn't really require it), or iptables. We really would prefer to abstract away kube-proxy because that is an implementation rather than the underlying model. It needs effort and it needs time from the key stakeholders (Docs, Network, Architecture).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. language/en Issues or PRs related to English language priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/network Categorizes an issue or PR as relevant to SIG Network. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
Development

No branches or pull requests

9 participants