-
Notifications
You must be signed in to change notification settings - Fork 14.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rewrite "The Kubernetes network model" #47903
Rewrite "The Kubernetes network model" #47903
Conversation
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. We've updated the style guide since this page was last updated; please follow the current style guide around how we write API kinds (and also, ideally, avoid Latin abbreviations).
/lgtm
This could merge as-is; it's an obvious improvement on what we have now.
* All pods can communicate with all other pods, whether on the | ||
same [node](/docs/concepts/architecture/nodes/) or on | ||
different nodes, without NAT. | ||
|
||
* (For platforms that support host-network pods (e.g. | ||
Linux), this rule applies to host-network pods as well.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aligning to the style guide:
* All pods can communicate with all other pods, whether on the | |
same [node](/docs/concepts/architecture/nodes/) or on | |
different nodes, without NAT. | |
* (For platforms that support host-network pods (e.g. | |
Linux), this rule applies to host-network pods as well.) | |
* All pods have a route available to all other pods, whether two Pods are on the | |
same [node](/docs/concepts/architecture/nodes/) or on | |
different nodes. This is a direct means to communicate (no NAT). | |
* (For platforms that support host-network pods (Linux), | |
this rule applies to host-network pods as well.) |
Pods may or may not be able to actually communicate, due to:
- packet filtering (and similar controls)
- misconfiguration, I suppose
- outages
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I brought back the "barring intentional network segmentation" text from before. That applies to the "agents on a node" subclause too, so I put it at the "the pod network handles communication" level rather than the "all pods can communicate" level.
On the Linux thing, it felt weird to be calling out the Linux behavior, which is the expected behavior, rather than the Windows behavior, which is considered wrong, so I flipped that.
LGTM label has been added. Git tree hash: 063c93cc8e27413af8eabfba02c66827d79d4516
|
@@ -80,7 +81,7 @@ corresponding functionality is provided by external components: | |||
On Linux, most container runtimes use the | |||
{{< glossary_tooltip text="Container Networking Interface (CNI)" term_id="cni" >}} | |||
to interact with the pod network implementation, so these | |||
implementations are often called "CNI plugins" | |||
implementations are often called _CNI plugins_. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm surprised you didn't added "network plugins" here too :)
LGTM module one comment about the meaning of "long lived" in services, but because I don't understand well the meaning of that expression there |
I judge that even where there's room to improve further, this makes the docs better than they are as they stand. /lgtm |
LGTM label has been added. Git tree hash: 4e404a89c91bf4f6f0fb44679383ac6c004c9fce
|
/hold |
Thanks for all the work on this @danwinship! |
For next week's PR wrangler - I think this looks great so far, when Dan is happy with the state of it, I think it's good to merge |
3805035
to
ad46267
Compare
/hold cancel |
* A service proxy implementation, takes care of converting the | ||
`Service` and `EndpointSlice` objects into packet-rewriting | ||
rules using appropriate operating system APIs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There can be service proxy implemenations that are userspace can we rephrase this to be less low level "A service proxy implementation uses the Services and EndpointSlices object to program the dataplane using appropriate operating system APIs" or something like that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is just an overview, and given that all official proxy implementations and commonly-used third-party proxy implementations rewrite packets, it seems reasonable to say it this way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with @danwinship, and also the data plane programming might be done by something even more custom (for example: cloud provider APIs; compiling P4 code and reconfiguring external hardware).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fair enough
corresponding functionality is provided by external components, some | ||
of which are optional: | ||
|
||
* Pod network namespace setup is handled by system-level software |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* Pod network namespace setup is handled by system-level software | |
* Pod network namespace setup is handled by container runtimes that use the [Container Runtime | |
Interface] to communicate with the kubelet |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we merge this as-is, the docs become better.
/lgtm
LGTM label has been added. Git tree hash: 6f2ebf5fe09a73c9955a04f00883c3e566ea7dde
|
(still) |
LGTM label has been added. Git tree hash: 60497eeb49cd40ae2fc858096ef86fcd713d83b1
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, this was WAY overdue
[Ingress](/docs/concepts/services-networking/ingress/)) allows | ||
you to make Services accessible to clients that are outside the cluster. | ||
|
||
* A simpler, but less-configurable, mechanism for cluster |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we comfortable implying Service LB is obsolete? Does L4 Gateway handle EVERYTHING that LB does? I don't think so...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What change would you recommend?
I definitely wasn't trying to imply that it's obsolete (and note that the old version of this page doesn't link to the Service LB docs at all, so this is actually making that feature more prominent).
But if we're going to have a single top-level answer for "how cluster ingress works in Kubernetes", it should be Gateway, right?
(I could demote the Ingress reference to a nested bullet point... or remove it.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if we're going to have a single top-level answer for "how cluster ingress works in Kubernetes", it should be Gateway, right?
I can't see how that is true until L4 gateway is as complete as service LB? @robscott
As for wording here, something like:
"An alternative mechanism for exposing a single Service is the Service API's type: LoadBalancer. It is simpler than Gateway, but less powerful, and is missing some exact functional equivalents."
Or something? I know we don't want to make this "at the time of this writing" but the reality is that, at the time of this writing Gateway does not fully replace type: LB.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this PR makes a better compromise than the page as it stands (and obviously so), so I strongly support merging as-is and then iterating.
I don't see anything that is so wrong that it would seriously mislead readers or get in the way of their learning.
Co-authored-by: Tim Bannister <[email protected]>
e849491
to
5c9bb88
Compare
* A service proxy implementation monitors the `Service` and | ||
`EndpointSlice` objects, and programs the data plane to route | ||
service traffic to its backends, by using operating system or | ||
cloud provider APIs to intercept or rewrite packets. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how's that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/label refactor This PR has reviews from SIG Network co-chair and tech lead. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: reylejano The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
LGTM, @thockin for the final approval |
I can't imagine @thockin objecting at this point, so: /lgtm |
LGTM label has been added. Git tree hash: 260f755aa2712c1cab64d7cc2e2bb320a8d0c680
|
LGTM |
Spun off from #41419 which in turn is spun off from #39890. Whee!
This just focuses on improving the existing text, and doesn't (much) add anything to it (leaving that for the two older PRs).
The big problem with this page is that it is very very very old, and that shows in two main ways:
I tried to keep most of the existing information, but some of the "kubernetes-is-not-docker" type stuff just didn't really seem to fit well and got dropped. (But if anyone thinks I dropped something important, let me know and I'll try to find a place for it.)
The update completely reorganizes the existing information, essentially moving the old "Kubernetes networking addresses four concerns" list to the top and putting the "fundamental requirements on any networking implementation" list inside it. And I expanded heavily on the "requirements on any networking implementation" / "detail of the particular container runtime in use" comments to talk about what parts of the network model are core to k8s and what parts are implemented externally.
I'm sure there are style issues to be fixed... (It may need some better transitions in places, or subheadings?)
/cc @sftim @aojea @thockin