WIP: K8s network model diagrams #39069
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
sig/docs
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site settings. |
| without network address translation (NAT) | ||
| * pods can communicate with other pods on same or separate nodes using L2 bridging, native L3 (IPv4, IPv6) networking, or a CNI-specific form of tunnel encapsulation. | ||
|
|
||
| [//]: # (Not sure the agent communications is part of the K8s network model) |
There was a problem hiding this comment.
We should show that a Pod running in host network mode can communicate with another Pod in normal cluster network mode, provided that they are both on the same Pod.
That might be something we save for a followup, but it's good to show it one day.
Also that some network architectures allow for this to happen even when the 2 Pods are on different modes, but that Kubernetes doesn't require or guarantee this.
| Containers within a `Pod` can all reach each other's ports on | ||
| `localhost`. | ||
|
|
||
| {{< figure src="/docs/images/k8net-localhost-PodSameHost.drawio.svg" alt="k8s net arch2" class="diagram-large" caption="Figure 2. Container localhost and L2 bridging" >}} |
There was a problem hiding this comment.
Watch out for assuming that the network plugin uses layer 2 techniques. A network plugin that works at the IP layer only (eg a Linux tun interface plus userland packet encapsulation and decapsulation) is a viable design.
There was a problem hiding this comment.
https://www.researchgate.net/figure/Kubernetes-Network-routing-to-export-the-services_fig1_337362475 includes an example of a diagram that doesn't rely on OSI layer 2 (although, given it shows Flannel, this is partly down to eliding some detail)
Another option is with text, to highlight that this is one of several viable designs.
There was a problem hiding this comment.
Understand re: L2-based and other network paradigms. Referenced paper is "researchy" but your point is valid.
Might call for Advanced Topics section later on that covers other paradigms like User-space networking (kernel bypass), Network Service Mesh, maybe eBPF, CNFs, ...
k8s-ci-robot
added
size/L
There was a problem hiding this comment.
Some more feedback. I hope this helps frame the explanation @chrismetz09
|
|
||
| The Kubernetes network model introduces an architecture that allows you to support your cluster networking requirements. | ||
|
|
||
| Figure 1 illustrates the general Kubernetes network architecture. |
There was a problem hiding this comment.
| Figure 1 illustrates the general Kubernetes network architecture. | |
| Figure 1 shows one example implementation of networking for Kubernetes. |
- layer 2 bridges aren't required
- there doesn't need to be an overlay network
- pod-to-pod traffic doesn't even need to go over the interface used for host networking
Perhaps it'll help to show more than one image with detailed examples. Once we have those, maybe it'll be more obvious which elements are common.
|
|
||
| The components of the architecture consist of the following: | ||
|
|
||
| * Nodes that can be virtual (VM) or physical. |
There was a problem hiding this comment.
| * Nodes that can be virtual (VM) or physical. | |
| * Multiple servers (nodes); these can be physical hosts or virtual machines |
|
|
||
| * Nodes that can be virtual (VM) or physical. | ||
|
|
||
| * Pods configured on each node with one or more containers. |
There was a problem hiding this comment.
| * Pods configured on each node with one or more containers. | |
| * Pods running on each node. Each Pod has one or more containers. |
consider showing a node that doesn't have any workload Pods running?
|
|
||
| Some platforms, such as Linux, support pods running in the host network. Pods attached to the host network of a node can still communicate with all pods on all nodes without NAT. | ||
|
|
||
| ## Terminology |
There was a problem hiding this comment.
We could add these to the glossary and then use shortcodes to repeat (include) the definitions here.
| * containers in same pod can communicate with each other. | ||
| * pods can communicate with all other pods on the same or separate [nodes](/docs/concepts/architecture/nodes/) | ||
| without network address translation (NAT). | ||
| * pods can communicate with other pods on the same or separate nodes using L2 bridging, native L3 (IPv4, IPv6) networking, tunneling, or other techniques for conveying packets from one pod to another. |
There was a problem hiding this comment.
| * pods can communicate with other pods on the same or separate nodes using L2 bridging, native L3 (IPv4, IPv6) networking, tunneling, or other techniques for conveying packets from one pod to another. | |
| * pods can communicate with other pods on the same or separate nodes using layer 2 bridging, native layer 3 (IPv4, IPv6) networking, tunneling, or other techniques for conveying packets from one pod to another. |
|
|
||
| Figure 1 illustrates the general Kubernetes network architecture. | ||
|
|
||
| {{< figure src="/docs/images/k8net-Pod-arch-template.drawio.svg" alt="k8s net arch" class="diagram-large" caption="Figure 1. K8s Network Architecture" >}} |
There was a problem hiding this comment.
| {{< figure src="/docs/images/k8net-Pod-arch-template.drawio.svg" alt="k8s net arch" class="diagram-large" caption="Figure 1. K8s Network Architecture" >}} | |
| {{< figure src="/docs/images/k8net-Pod-arch-template.drawio.svg" alt="k8s net arch" class="diagram-large" caption="Figure 1. Example network architecture for a cluster" >}} |
There was a problem hiding this comment.
Will add a two examples to this section so figure captions will change.
| * L2bridge is a virtual L2 bridge that allows attachment, configuration and communications between pods on the same node. Depending on your deployment of container runtimes and CNI, you might know this entity as a `linux bridge`, `docker0`, `cbr0` or `cni0`. | ||
|
|
||
| * CNI plugins supporting different techniques for pod networking that include virtual overlay networks and physical underlay networks. You can choose from any number of different CNI plugins to best meet your cluster networking requirements. | ||
| * L2bridge is a virtual L2 bridge that allows attachment, configuration and communications between pods on the same node. Depending on your deployment of container runtimes and CNI, you might know this entity as a `linux bridge`, `docker0`, `cbr0` or `cni0`. |
There was a problem hiding this comment.
Wrap this long line as we do for line 89-95?
| @@ -30,7 +30,7 @@ implementation (barring any intentional network segmentation policies): | |||
| * Containers in same pod can communicate with each other. | |||
| * Pods can communicate with all other pods on the same or separate [nodes](/docs/concepts/architecture/nodes/) | |||
| without network address translation (NAT). | |||
| * Pods can communicate with other pods on the same or separate nodes using L2 bridging, native L3 (IPv4, IPv6) networking, tunneling, or other techniques for conveying packets from one pod to another. | |||
| * Pods can communicate with other pods on the same or separate nodes using layer 2 bridging, native layer 3 (IPv4, IPv6) networking, tunneling, or other techniques for conveying packets from one pod to another. | |||
|
Thanks again @chrismetz09 Overall, if you frame this as “here are some examples of valid cluster networking” (and not accidentally imply “this shows how it always is done”), I think we're actually close to being able to merge something. And then, we can iterate. |
Add code blocks in page run-single-instance-stateful-application
[zh] sync blog: 2023-01-02-cross-namespace-data-sources-alpha.md
…it-phase [zh-cn] Resync kubeadm_init_phase_control-plane_scheduler.md
[zh] sync /storage/persistent-volumes.md
…ects Tidy concepts pages within Label and Annotation
Co-authored-by: Shannon Kularathna <[email protected]>
Co-authored-by: divya-mohan0209 <[email protected]>
k8s-ci-robot
added
language/uk
|
Hi @chrismetz09 - would you like help rebasing this PR to touch fewer files? |
|
@sftim, is this the standard rebase to squash my multiple commits into one? Looks like this is something different? If so, yes guidance please. |
|
This PR stands to change 697 files. Doesn't look right. Let's fix that. |
|
It is not right for sure. |
|
Probing for a solution. Would this work? |
|
Working new branch called |
|
/close |
|
@chrismetz09: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/remove-area blog release-eng |
k8s-ci-robot
removed
area/blog
Initial incomplete diagrams addressing #32243.
This is incomplete but begins to follow an outline. Can be a broad topic so included comments inline.