[K8S series] In-depth analysis of k8s network plug-in - Calico

preamble

It is not difficult to do one thing, the difficulty lies in persistence. It's not hard to persevere, but the hard part is to persevere to the end.

Article tag color description:

• Yellow : important headlines
• Red : used to mark conclusions
• Green : used to mark arguments
• Blue : used to mark arguments

Kubernetes (k8s) is a container orchestration platform that allows applications and services to be run in containers. Learn about k8s network plug-in-Calico related knowledge today

I hope this article will not only give you some gains, but also enjoy learning. If you have any suggestions, you can leave a message and communicate with me.

 Column introduction

This is the column where this article is located, welcome to subscribe: [In-depth analysis of k8s] column

Briefly introduce what this column will do:

• It is mainly to deeply analyze each knowledge point and help everyone fully master k8s. The following are the updated chapters
• This is the column introduction article address: [In-depth analysis of K8S column introduction]

Kubernetes is a distributed system capable of managing and orchestrating containerized applications. Among them, monitoring is a very important aspect, which can help users understand the health status, performance and availability of the cluster.

In this article, the Calico plugin in the Kubernetes network plugin will be described in detail.

1 Basic introduction 

In Kubernetes, network plug-ins are also called container network interface (Container Network Interface, CNI) plug-ins, which are used to implement communication and network connections between containers. Here are some common Kubernetes networking plugins:

1. Flannel : Flannel is a popular CNI plugin that uses a virtual overlay network to connect containers on different nodes. Flannel supports a variety of back-end drivers, such as VXLAN, UDP, Host-GW, etc.

2. Calico : Calico is an open source networking and security solution that uses the BGP protocol for routing between containers. Calico supports flexible network policies and security rules, which can be used for large-scale deployment.

3. Weave Net : Weave Net is a lightweight CNI plugin that connects containers on different nodes by creating virtual network devices and network proxies . Weave Net supports overlay mode and direct connection mode, which is flexible.

4. Cilium : Cilium is a high-performance network and security solution for Kubernetes, using eBPF (Extended Berkeley Packet Filter) technology to provide fast inter-container communication and network policy enforcement.

5. Canal : Canal is a comprehensive CNI plugin that combines the functionality of Calico and Flannel . It can use Flannel to provide overlay networking while using Calico's network policy and security features.

6. Antrea : Antrea is an Open vSwitch-based CNI plugin designed for Kubernetes networking and security. It provides high-performance network connectivity and network policy functions.

7. kube-router : kube-router is an open source CNI plugin that combines network and service proxy functionality . It supports BGP and IPIP protocols, and has load balancing features.

These are some of the common options in Kubernetes networking plugins, each with its specific benefits and use cases. Choosing the right network plugin depends on factors such as your needs, network topology, and performance requirements.

At the same time, the Kubernetes community is constantly evolving and introducing new networking plugins to meet changing needs.

2  Calico

Calico is a powerful open source container networking and network security solution widely used in Kubernetes clusters and other container orchestration platforms.

It implements high-performance inter-container communication and network policy control by utilizing the BGP (Border Gateway Protocol) protocol and the Linux network namespace .

2.1 Realize the function

The following is a brief introduction to the functions of some implementations of the Calico plugin:

1. Container network communication : Calico enables container network communication by creating a dedicated Linux network namespace on each node . The data packets in the container are first sent to the Calico network namespace of the node, and then forwarded to the network namespace where the target container is located according to the network routing rules. This direct network forwarding method ensures high-performance communication between containers.

2. BGP routing protocol : Calico uses the BGP protocol to implement routing between containers . The Calico agent on each node registers the container network information into the BGP routing table, and then propagates the routing information to other nodes through the BGP protocol. This way, each node knows how to reach containers on other nodes.

3. Network Policy : Calico provides a powerful network policy function that allows you to define fine-grained access control rules. You can define which containers can communicate with which containers and allow or deny packet flow based on label selectors. This gives you full control over the communication between containers.

4. Network isolation : By using network isolation technologies in the Linux kernel (such as namespace and iptables), Calico can achieve container-level network isolation.

5. Security : Calico supports the security group function based on network policy, which can realize the isolation and secure communication between containers. By setting network policy rules, you can ensure that only authorized containers can communicate with each other, thereby protecting your applications and data.

6. IPv6 support : Calico fully supports IPv6 , allowing you to use IPv6 addresses in Kubernetes clusters.

7. High Availability : Calico is designed to support high availability and fault tolerance. The Calico proxy and BGP routing daemon on each node are self-healing, able to automatically detect and recover from failures.

8. Cross-cloud and cross-data center : Calico supports expansion and cross-region use between different cloud platforms and data centers, providing you with a cross-cloud container network solution.

9. IP pool management : Calico can dynamically allocate IP addresses for each node through the IP pool management function, so as to achieve better utilization and management of IP resources.

10. Traffic logs : Calico supports traffic logs, which can record information such as the source, destination, protocol, and port of network traffic, thereby helping users better monitor and debug network traffic.

2.2 Implementation principle

The implementation principle of the Calico plug-in involves several key components and technologies. Let us understand the implementation mechanism behind it step by step:

1. BGP routing protocol : Calico uses the BGP (Border Gateway Protocol) protocol to implement container network routing. In the Calico network, each node runs a Calico agent (Felix), which registers the container network information on the node into the BGP routing table, and propagates the routing information to other nodes through the BGP protocol.

2. IP Pool and Subnetting : In the Calico network, each node has a unique IP pool. When a container starts, Calico assigns the container a unique IP address from the node's IP pool. This way, each container has a unique IP address, enabling containers to communicate directly via IP address.

3. Container network namespaces : Calico uses Linux network namespaces for container network isolation. Containers on each node are located in their own network namespace, which ensures network isolation between containers.

4. Routing rules : Calico uses routing rules to determine communication paths between containers. On each node, the Calico agent will generate appropriate routing rules for containers based on the routing information in the BGP routing table, thereby achieving high-performance communication between containers.

5. Network Policies : Calico supports network policies, allowing users to define fine-grained access control rules. Network policies can define which containers can communicate with which containers based on label selectors, enabling isolation and secure communication between containers.

6. Routing table and route selection : The Calico agent on each node maintains a routing table to decide how to forward packets. When a container needs to communicate with another container, the Calico agent will choose the appropriate path according to the route in the routing table, and forward the packet to the network namespace where the target container is located.

The Calico plugin enables container network isolation and high-performance communication by using the BGP routing protocol and Linux network namespaces.

The Calico agent on each node maintains routing tables and IP pools, generates appropriate routing rules and access control rules for containers based on BGP routing information and network policy rules, and implements communication and security isolation between containers .

This makes Calico a powerful, scalable, and high-performance container networking solution.

2.3 Advantages and disadvantages

Calico plug-in is an open source network plug-in for Kubernetes network, which builds a high-performance, high-scalability and security container network based on BGP protocol and Linux kernel technology .

The pros and cons of the Calico plugin are as follows:

advantage:

1. High performance : The Calico plug-in uses the BGP protocol as the underlying network protocol , which can implement a high-performance container network and meet high-traffic and low-latency application scenarios.

2. High scalability : The Calico plug-in uses the BGP protocol to dynamically learn and publish container routing information, which can realize a highly scalable container network and support large-scale container clusters.

3. Security : The Calico plug-in supports Kubernetes network policies, which can restrict the traffic between containers through label selectors and rule definitions, so as to achieve better network security.

4. Ease of use : The installation and configuration of the Calico plugin is relatively simple and can be done using a simple command line tool.

5. Open source and free : The Calico plug-in is open source and free, which can save a certain cost.

shortcoming:

1. High complexity : The underlying technology of the Calico plug-in is relatively complex and requires a certain level of technology to use and maintain.

2. High resource usage : The Calico plug-in uses Linux kernel technology to implement container network isolation, which requires a certain amount of system resources.

3. Configuration needs attention : the configuration of the Calico plug-in needs to pay attention to some details, such as the configuration of BGP ASN and IP address, and it is necessary to ensure that the configuration of each node is correct.

4. Windows nodes are not supported : Currently, the Calico plugin does not support Windows nodes and can only be used on Linux nodes.

In general, Calico plug-in is a powerful container network plug-in, which is suitable for application scenarios with high performance, high scalability and security. In practical applications, it is necessary to evaluate its advantages and disadvantages according to specific needs, and select a suitable network plug-in.

2.4 Usage Scenarios

The Calico plug-in is suitable for high-performance, high-scalability, and security application scenarios of large-scale container clusters, especially in scenarios that require management and protection of container traffic, such as:

1. Large-scale container cluster: The Calico plug-in uses the BGP protocol to implement dynamic routing, which can support large-scale container clusters and has high scalability.

2. High-performance applications: The Calico plug-in uses Linux kernel technology to implement container network isolation, enabling high-performance container networks, suitable for high-traffic and low-latency application scenarios.

3. Multi-tenant application: The Calico plug-in supports Kubernetes network policies, which can restrict the traffic between containers through label selectors and rule definitions, so as to achieve better network security and are suitable for multi-tenant application scenarios.

4. High-security applications: Calico plug-ins support advanced network features such as network isolation and traffic logs, which can help users better manage and protect network traffic in Kubernetes clusters, and are suitable for application scenarios with high security requirements.

The Calico plug-in is suitable for container network application scenarios that require high performance, high scalability, and security. It is a powerful Kubernetes network plug-in.

In practical applications, it is necessary to select an appropriate network plug-in according to specific business scenarios and requirements.

2.5 Configuration & Installation 

To install and configure the Calico plug-in on the Kubernetes cluster, you can follow the steps below:

2.5.1 Install etcd and Kubernetes network plugin

Install etcd and Kubernetes network plugins: The Calico plugin needs to use etcd and Kubernetes network plugins as underlying support, so they need to be installed first. It can be installed using Kubeadm, Kubespray or other tools.

2.5.2 Download the Calico YAML file 

Download the Calico YAML file: Download the latest Calico YAML file from the Calico official website, for example: https://docs.projectcalico.org/v3.20/manifests/calico.yaml ↗ .

2.5.3 Deploy the Calico plug-in 

: Use the kubectl command to deploy the downloaded Calico YAML file to the Kubernetes cluster, for example: kubectl apply -f calico.yaml.

 2.5.4 Configuring BGP Routing 

To use the BGP routing protocol in the Calico plug-in, you need to configure the BGP ASN and IP address of each node. The following can be added to the Calico YAML file:

- name: CALICO_IPV4POOL_CIDR
  value: "192.168.0.0/16"
- name: IP_AUTODETECTION_METHOD
  value: "can-reach=192.168.0.1"
- name: CALICO_NETWORKING_BACKEND
  value: "bird"
- name: CALICO_AS_NUMBER
  value: "64512"
- name: NODE_BGP_IPV4_ADDR
  value: "10.0.0.1"

in,

• CALICO_IPV4POOL_CIDR is the IP address pool used by the Calico plugin
• IP_AUTODETECTION_METHOD is the method to automatically detect the IP address of the node,
• CALICO_NETWORKING_BACKEND is the network backend used,
• CALICO_AS_NUMBER是BGP ASN，
• NODE_BGP_IPV4_ADDR is the BGP IP address of the node.

2.5.6 Configuring Network Policies

The Calico plugin supports Kubernetes network policies, which can use label selectors and rule definitions to restrict traffic between containers. The following can be added to the Calico YAML file:

- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
  value: "DROP"

Among them, FELIX_DEFAULTENDPOINTTOHOSTACTION is the default network policy, which can be set to DROP, ACCEPT or REJECT.

1. Application configuration: Use the kubectl command to apply the modified Calico YAML file to the Kubernetes cluster, for example: kubectl apply -f calico.yaml.

2. Verify configuration: Use the kubectl command to verify whether the Calico plugin has been successfully installed and configured, for example: kubectl get pods --all-namespaces.

Through the above steps, the Calico plug-in can be successfully installed and configured in the Kubernetes cluster to achieve a high-performance, highly scalable, and secure container network.

Of course, in practical applications, more detailed and refined configurations are required according to actual needs.

3 expansion

What is the BGP protocol

BGP (Border Gateway Protocol) protocol is a protocol used in Internet routing. It is mainly used to exchange routing information between different autonomous systems (AS) to achieve Internet crossing and intercommunication.

In the Internet, due to the large network scale and complex network topology, it is necessary to use a protocol that can effectively handle network path selection and routing decisions .

The BGP protocol is such a protocol, which realizes the spanning and intercommunication of the Internet by exchanging routing information between different autonomous systems, and by calculating and selecting the best path.

The main functions of the BGP protocol include: route selection, route policy, route filtering and route aggregation , etc.

The BGP protocol establishes a TCP connection between BGP peers to exchange routing information and network policies to determine the best network path.

The BGP protocol not only considers the path length, but also considers factors such as the number of ASs on the path, the attributes of ASs, and the policies of ASs.

In a large-scale container cluster, the BGP protocol can be used as the underlying protocol of the container network to help achieve a high-performance, high-scalability, and security container network.

Through the BGP protocol, container nodes can dynamically learn and publish container routing information to achieve intercommunication and traffic management between containers.