Lecture on Calico and Container Networking Interface (CNI)

Jul 14, 2024

Overview of CNI

  • CNI (Container Networking Interface): Open-source software providing network plumbing for containers.
    • Simplifies networking setup for containers (assigning IP addresses, etc.).
    • Used by Kubernetes, Cloud Foundry, Podman, etc.
  • Network Namespace: A container for all network-related info (IP, interfaces, firewall, routes).
  • Pod Network Namespace: Created by Kubernetes; has own namespace and virtual Ethernet pair (veth pair) for pod-host communication.

How CNI Works

  • Flow: Kubernetes API server schedules the pod → kubelet calls into the CNI plugin → the plugin creates the pod network namespace → installs a veth pair for pod-to-host communication → assigns an IP address and a default route.
  • Route Setup: Establishes routes between host and pod so traffic can flow in both directions.

Calico Overview

  • Calico: Popular CNI plugin provider.
    • Installs via kubectl apply -f [URL] command.
    • Uses dynamic subnet allocation; each node responsible for IP assignments.
    • Default encapsulation method is IP-in-IP protocol.

IP-in-IP Protocol

  • Ethernet Frame: Contains MAC header, data, CRC checksum.
    • IP-in-IP: Wraps the pod-to-pod IP packet inside a second (outer) IP header addressed to the destination node.
    • Used for cross-node pod communication.
  • BGP (Border Gateway Protocol): Shares and exchanges route info between nodes.

Demo and Exploration

  • Setup: Kubernetes cluster with master node and secondary node.
  • Hello World App: Four pods across two nodes. Display veth interfaces and IP addresses.
  • Command Examples:
    • ip addr: Lists interfaces.
    • ip link show type veth: Shows virtual Ethernet interfaces.
    • kubectl get pods -o wide: Displays all pods with node locations.
    • ip route get [IP]: Displays route to a destination pod.

Packet Capture and IP-in-IP Example

  • Use tshark to capture network traffic and examine IP-in-IP encapsulation.
  • Captured Details: Frame, outer IP header, inner IP header, TCP session.
    • Source/Destination IP: Outer IP header carries node addresses; inner IP header carries pod addresses.
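The layering described above, as an added example that is not part of the lecture: a small decoder that walks a frame the same way tshark's dissection does (Ethernet, outer IPv4 with protocol 4, inner IPv4 with protocol 6, TCP). The frame is constructed in the script so it runs offline, using made-up node addresses 10.0.0.1/10.0.0.2 and pod addresses 192.168.1.5/192.168.2.7; header checksums are left at zero because nothing here validates them.

```python
"""Added example: decode a Calico-style IP-in-IP frame layer by layer.

The frame is constructed here (it is not from the lecture's capture): node
10.0.0.1 sends to node 10.0.0.2, carrying a TCP segment from pod
192.168.1.5:54321 to pod 192.168.2.7:8080.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP (RFC 2003)
IPPROTO_TCP = 6
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header for the constructed sample; checksum left at 0."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_sample_frame():
    """Ethernet > outer IPv4 (proto 4) > inner IPv4 (proto 6) > TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 54321, 8080, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = build_ipv4_header("192.168.1.5", "192.168.2.7", IPPROTO_TCP, len(tcp))
    outer = build_ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_IPIP, len(inner) + len(tcp))
    # Constructed MAC addresses: destination first, then source, then EtherType.
    eth = (bytes.fromhex("0242ac110002") + bytes.fromhex("0242ac110001")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + outer + inner + tcp


def parse_ipv4_header(buf):
    """Return the fields a capture tool would show for one IPv4 header."""
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _cksum, src, dst) = struct.unpack(IPV4_FMT, buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ttl": ttl,
        "header_len": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
    }


def decode_ipip_frame(frame):
    """Walk Ethernet -> outer IP (nodes) -> inner IP (pods) -> TCP ports."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    outer = parse_ipv4_header(frame[14:])
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer header is not IP-in-IP (proto 4)")
    inner_off = 14 + outer["header_len"]
    inner = parse_ipv4_header(frame[inner_off:])
    if inner["proto"] != IPPROTO_TCP:
        raise ValueError("inner payload is not TCP")
    tcp_off = inner_off + inner["header_len"]
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    return {
        "node_src": outer["src"], "node_dst": outer["dst"],
        "pod_src": inner["src"], "pod_dst": inner["dst"],
        "tcp_sport": sport, "tcp_dport": dport,
    }


if __name__ == "__main__":
    for key, value in decode_ipip_frame(build_sample_frame()).items():
        print(f"{key:10} {value}")
```

The practical point for anyone inspecting node-level traffic: a filter or sensor that only reads the outer header sees node-to-node flows on protocol 4, and the pod addresses and TCP ports are only visible after stripping that outer header, exactly as the two IP headers appear in the tshark capture.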

Calico's Use of BGP

  • BGP Overview: Exterior gateway protocol used to exchange routing information among autonomous systems.
    • Calico creates a full mesh of internal BGP (iBGP) connections between nodes.
    • Nodes on the same Layer 2 network: BGP shares pod routes and traffic is forwarded without encapsulation.
    • Nodes separated by Layer 3 routers: IP-in-IP or VXLAN carries cross-node pod traffic.

Route Reflectors

  • Large Clusters: Use route reflectors instead of full mesh to reduce complexity.
  • Peer Calico directly with physical network infrastructure in controlled environments.

Components of Calico

  • Felix Daemon: Programs the host's route tables and interfaces for local pods.
  • BIRD BGP Agent: Handles BGP communication between nodes.

Advanced Calico Networking Options

  • Non-overlay Network: Best performance; no encapsulation/decapsulation.
    • BGP peering with top-of-rack routers.
    • On same subnet: Use BGP for internal peering.
  • Cross-subnet Overlay: Use encapsulation only when crossing subnets.
  • Full Overlay Network: Options for IP-in-IP or VXLAN.

Calico in Cloud Environments

  • Google, Azure, AWS have provider-specific considerations.
    • Example: Azure does not support IP-in-IP; use VXLAN instead.

Configuration Changes Post-Installation

  • calicoctl Commands:
    • calicoctl node status: Checks BGP peering status.
    • Modifying IP Pools: Update the IP pool YAML to change encapsulation settings (IP-in-IP or VXLAN mode).
    • Route Change Verification: Inspect the host routing table to confirm routes update after configuration changes.
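Route change verification, as an added example that is not part of the lecture: a classifier for `ip route` lines that reports how each pod block is forwarded (local veth, IP-in-IP tunnel, VXLAN, or plain BGP next hop). The two route listings are constructed for this example rather than captured from the demo cluster; they model a node whose own block is 192.168.0.0/26 with two peers (10.0.0.2 and 10.0.0.3) on the same subnet, before and after the IP pool's IP-in-IP mode is changed from always-on to cross-subnet only.

```python
"""Added example: classify Calico routes from `ip route` output to verify an
encapsulation change. The route lines below are constructed (not taken from
the lecture's demo) and mimic what the Linux kernel prints on a Calico node:
`cali*` veth devices for local pods, `tunl0` for IP-in-IP, `vxlan.calico`
for VXLAN, and `proto bird` on routes learned over BGP.
"""
import re
from collections import Counter

ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$"
)

# Constructed listings: the same pod blocks before and after switching the
# IP pool from IP-in-IP "Always" to "CrossSubnet". The peers share a subnet,
# so the remote blocks stop using the tunl0 device.
ROUTES_IPIP_ALWAYS = """\
blackhole 192.168.0.0/26 proto bird
192.168.0.5 dev cali9a1b2c3d4e5 scope link
192.168.1.0/26 via 10.0.0.2 dev tunl0 proto bird onlink
192.168.2.0/26 via 10.0.0.3 dev tunl0 proto bird onlink
"""

ROUTES_CROSS_SUBNET = """\
blackhole 192.168.0.0/26 proto bird
192.168.0.5 dev cali9a1b2c3d4e5 scope link
192.168.1.0/26 via 10.0.0.2 dev eth0 proto bird
192.168.2.0/26 via 10.0.0.3 dev eth0 proto bird
"""


def classify_route(line):
    """Map one `ip route` line to how Calico forwards that destination."""
    line = line.strip()
    if line.startswith("blackhole "):
        # Calico blackholes the node's own block so unassigned pod IPs are dropped
        # locally instead of being forwarded.
        return {"dst": line.split()[1], "via": None, "dev": None,
                "kind": "blackhole-local-block"}
    m = ROUTE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised route line: {line!r}")
    dev, via, rest = m["dev"], m["via"], m["rest"]
    bgp_learned = "proto bird" in rest
    if dev.startswith("cali"):
        kind = "local-pod-veth"
    elif dev == "tunl0":
        kind = "ipip-overlay"
    elif dev.startswith("vxlan"):
        kind = "vxlan-overlay"
    elif via and bgp_learned:
        kind = "bgp-unencapsulated"
    else:
        kind = "other"
    return {"dst": m["dst"], "via": via, "dev": dev, "kind": kind}


def summarize(route_text):
    """Count routes per forwarding kind."""
    return Counter(classify_route(l)["kind"]
                   for l in route_text.splitlines() if l.strip())


def encapsulated_destinations(route_text):
    """Pod blocks still reached through an overlay device."""
    return [classify_route(l)["dst"] for l in route_text.splitlines()
            if l.strip() and classify_route(l)["kind"].endswith("-overlay")]


if __name__ == "__main__":
    print("before:", dict(summarize(ROUTES_IPIP_ALWAYS)))
    print("after: ", dict(summarize(ROUTES_CROSS_SUBNET)))
    print("still encapsulated after change:", encapsulated_destinations(ROUTES_CROSS_SUBNET))
```

Run against a real node by piping `ip route` into `classify_route` line by line; an empty result from `encapsulated_destinations` after the pool change confirms that Felix reprogrammed the remote blocks onto the physical interface, which is the check the lecture describes.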

Summary

  • Covered CNI, Calico, IP-in-IP, BGP, network design choices, and Calico configuration changes after installation.
  • References to more detailed courses and networking materials.