[K8S Series] In-depth analysis of k8s network plug-in—Canal

Preface

It is not difficult to do something, the difficulty lies in persistence. It is not difficult to persist for a while, but the difficult thing is to persist to the end.

Article tag color description:

• Yellow : important titles
• Red : used to mark conclusions
• Green : used to mark arguments
• Blue : used to mark arguments

In the world of modern containerized applications, the container orchestration platform Kubernetes has become the standard. Kubernetes is a distributed system. In order to support complex applications and microservice architecture, the network is an integral part of the Kubernetes cluster.

Able to manage and orchestrate containerized applications, where monitoring is a very important aspect to help users understand the health, performance, and availability of the cluster.

In this article, the [Canal] plug-in in the Kubernetes network plug-in will be introduced in detail.

I hope this article will not only make you gain something, but also make you learn happily. If you have any suggestions, you can leave a message to communicate with me.

 Column introduction

This is the column where this article is located. Welcome to subscribe: [In-depth analysis of k8s] column

Let’s briefly introduce what this column will do:

• It mainly analyzes each knowledge point in depth to help everyone fully master k8s. The following are the updated chapters.
• This is the address of the column introduction article: [In-depth analysis of K8S column introduction]

1 Basic introduction 

In Kubernetes, the network plug-in is also called the Container Network Interface (CNI) plug-in, which is used to implement communication and network connections between containers. Here are some common Kubernetes network plugins:

1. Flannel : Flannel is a popular CNI plug-in that uses virtual network overlay technology (overlay network) to connect containers on different nodes. Flannel supports a variety of back-end drivers, such as VXLAN, UDP, Host-GW, etc.

2. Calico : Calico is an open source networking and security solution that uses the BGP protocol for routing between containers. Calico supports flexible network policies and security rules and can be used for large-scale deployment.

3. Weave Net : Weave Net is a lightweight CNI plug-in that connects containers on different nodes by creating virtual network devices and network proxies. Weave Net supports overlay mode and direct connection mode, providing flexibility.

4. Cilium : Cilium is a high-performance network and security solution for Kubernetes, using eBPF (Extended Berkeley Packet Filter) technology to provide fast inter-container communication and network policy enforcement.

5. Canal : Canal is a comprehensive CNI plug-in that combines the functions of Calico and Flannel. It can use Flannel to provide an overlay network, while using Calico's network policy and security features.

6. Antrea : Antrea is an Open vSwitch-based CNI plugin designed for Kubernetes networking and security. It provides high-performance network connectivity and network policy capabilities.

7. kube-router : kube-router is an open source CNI plugin that combines network and service proxy functionality. It supports BGP and IPIP protocols and has load balancing features.

These are some common options among Kubernetes network plugins, each with its own specific advantages and applicable scenarios. Choosing the right network plug-in depends on factors such as your needs, network topology, and performance requirements.

At the same time, the Kubernetes community is constantly evolving and launching new network plug-ins to meet changing needs.

2 Canal Introduction

2.1 Concept introduction

Canal is a network plug-in based on the MySQL protocol. It can synchronize the binlog events of the MySQL database to other resources in the Kubernetes cluster, such as Pods, Services, etc.

This means that through Canal, we can achieve seamless integration of MySQL database and Kubernetes cluster.

The core concepts of Canal mainly include the following aspects:

1. Data flow : The core of Canal is the flow of data . It listens to the binlog events of the MySQL database, converts these events into a data format that Kubernetes can understand, and then sends the data to the specified Kubernetes resource.

2. Event conversion : Canal provides a complete set of event conversion rules that can convert MySQL binlog events into Kubernetes resource objects. In this way, we can manage and operate these resources through the Kubernetes API.

3. Data persistence : In order to ensure data integrity and consistency, Canal provides data persistence function. It will store the received data locally. When needed, the data can be read from the local or written to the MySQL database.

Here are other introductions from Canal:

1. Network functions : Canal can provide network functions for Kubernetes clusters, including network interconnection, network isolation, and routing. It implements a software-defined network (SDN) solution that allows containers and Pods to communicate with each other and connect to networks outside the cluster by creating virtual networks and network policies.

2. Network isolation : Canal has powerful network isolation capabilities and can isolate different namespaces or different Pod groups in the Kubernetes cluster to prevent communication between them. This isolation capability can help users achieve security and performance isolation in a multi-tenant environment.

3. Network routing : Canal can provide flexible network routing functions for Kubernetes clusters. It supports load balancing based on IP addresses and ports, and can direct traffic to different Pods or services based on user-defined rules to achieve high availability and load balancing.

4. Environmental adaptability : Canal can adapt to different network environments, including cloud environments and local environments. It supports multiple network models such as Virtual LAN (VLAN), VXLAN, Overlay, etc., and can be integrated with various network devices and cloud service providers.

5. Container network access : Canal can provide network access capabilities for containers, allowing containers to communicate with other containers or external services through the network. It supports different network protocols and technologies such as IP, IPv6, VLAN, VXLAN, UDP/TCP, etc.

6. Plug-in ecosystem : Canal is an open plug-in architecture that provides a rich plug-in ecosystem. Users can choose suitable plug-ins according to their own needs, such as network policy plug-ins, load balancing plug-ins, and log plug-ins, to meet different usage scenarios.

2.2 Implementation principle

The implementation principle of Canal is based on the MySQL master-slave replication principle. Canal simulates the interaction protocol of the MySQL slave, disguises itself as the MySQL slave, and sends the dump protocol to the MySQL master;

MySQL master receives the dump request sent from canal and starts pushing the binary log to canal. Then canal parses the binary log and sends it to the storage destination, such as MySQL, Kafka, Elastic Search, etc.

Canal’s workflow is as follows:

1. The client (Canal Server) sends a request to the Canal Server cluster and establishes a connection with the Canal Server cluster.
2. After one of the nodes in the Canal Server cluster receives the request, it returns a response indicating that it has successfully connected to the Canal Server cluster.
3. The client sends a request to each node in the Canal Server cluster and establishes a connection with each node.
4. When the client sends the start command, each node in the Canal Server cluster sends a dump command to the MySQL database and sends the received binary log events to the client.
5. The client parses the received binary log events and converts them into JSON formatted data.
6. The client sends the converted data to the specified storage destination, such as MySQL, Kafka, Elastic Search, etc.

2.3 Architecture introduction

Canal is a network plug-in based on the Calico and Flannel projects, used to implement container network functions and isolation. The following is a detailed introduction to the Canal architecture

1. control plane
2. data plane
3. Component interaction

Control Plane:

• etcd storage : Canal uses etcd as a distributed key-value store to store network status and configuration information. etcd provides high availability and consistency, ensuring the reliability of the cluster's network status and configuration.
• Flannel controller : Canal uses the Flannel controller as part of the control plane . The Flannel controller is responsible for monitoring Kubernetes API Server events, such as Pod creation, deletion, and update, as well as network policy changes. It converts these events into network configuration updates and writes them to etcd storage.
• Network Policy Controller : The Canal control plane also includes the Network Policy Controller , which handles the configuration and updates of network policies. It listens to network policy events on the Kubernetes API Server, converts them into network policy configuration information, and writes it to etcd storage.

Data Plane

• Network proxy : Canal runs one or more network proxy components on each node, responsible for handling network connections and data forwarding. These network proxy components listen to the network status and configuration information in etcd and perform corresponding operations based on it. The network proxy component is responsible for managing network interfaces and routing tables on nodes, as well as handling the routing and forwarding of network traffic.
• Calico data plane : Canal uses Calico's data plane to provide high-performance network forwarding and security features. The Calico data plane includes components such as routers (Route Reflectors), BGP Peering, routing tables, and ACLs (Access Control Lists), which are used to implement IP address management and network traffic forwarding.

Component interaction

• Communication between the control plane and data plane occurs through etcd storage. The control plane writes network configuration and status information to etcd, and the data plane monitors change events on etcd and performs corresponding operations based on the changes.
• The control plane and the Kubernetes API Server communicate directly through the API to obtain Pod and network policy information and listen to related events.

Through the above architecture, Canal realizes the network functions and isolation of Pods in the Kubernetes cluster . It uses Calico's high-performance data plane to provide powerful network forwarding and security features.

At the same time, through integration with the Flannel controller and network policy controller, Canal can realize functions such as IP address management, network policy configuration and dynamic update.

In this way, Canal can meet the network needs in containerized application scenarios and provide reliable container network solutions.

2.4 Usage scenarios

Canal It provides management capabilities for network functions and policies.

It is suitable for various scenarios , including network isolation in multi-tenant environments, high-availability and load-balancing network routing, container network access, etc.

Whether in the cloud or on-premises, Canal provides reliable networking solutions. 

2.5 Advantages and Disadvantages

When talking about the pros and cons of Canal, it is important to note that it is a specific web plugin, so its pros and cons are relative to other web plugins.

The following is a detailed introduction to the advantages and disadvantages of Canal:

advantage:

1. Comprehensive network functions: Canal provides a wide range of network functions, including network interconnection, network isolation and routing. It supports multiple network models and protocols, and has flexible network routing capabilities that can manage traffic according to user-defined rules. This enables users to build complex network topologies and policies based on their needs.

2. Multi-tenant support: Canal has strong network isolation capabilities to provide security and performance isolation for multi-tenant environments. It can isolate different namespaces or Pod groups to prevent communication between them, thereby protecting tenant data and applications.

3. Environmental adaptability: Canal can adapt to different network environments, including cloud environments and local environments. It supports multiple network models and technologies and can integrate with a variety of network devices and cloud service providers. This enables users to use Canal in different deployment environments without changing the network architecture.

4. Plug-in ecosystem: Canal provides a rich plug-in ecosystem, and users can choose suitable plug-ins according to their needs. This allows users to extend Canal's functionality, including network policy, load balancing and logging.

shortcoming:

1. Learning curve: Since Canal is a relatively complex network plug-in, using it may require a certain cost of learning and understanding. Users need to be familiar with Canal concepts, configuration, and management methods to ensure that it is deployed and used correctly.

2. Configuration complexity: Canal can be relatively complex to configure, especially when advanced network features and policies need to be implemented. Users may need to dig deeper into Canal's configuration options and parameters to ensure the network is configured and managed correctly.

3. Performance overhead: Like other network plug-ins, Canal also introduces certain performance overhead. Especially when dealing with large amounts of network traffic and complex network routing, performance may be affected. Users need to evaluate and optimize network configurations to meet application performance requirements.

It should be noted that the advantages and disadvantages of Canal are not absolute, and they may vary depending on user needs, deployment environment, and other factors.

Before choosing and using Canal, it is recommended to carefully evaluate its pros and cons and compare it with other network plug-ins to choose the solution that best suits you.

3 Installation and use

3.1 Installation steps

 1 Prepare the Kubernetes cluster:

First, make sure you have a running Kubernetes cluster. This can be a local cluster or a cloud provider's hosted cluster.

2 Download Canal:

Download the latest version of Canal from the official Canal GitHub repository ( https://github.com/projectcalico/canal)  .

3 Deploy Canal

Use kubectl or other Kubernetes deployment tools to deploy Canal to the Kubernetes cluster. Canal can be deployed as a Kubernetes Deployment using the following command:

kubectl apply -f canal.yaml

Among them, canal.yaml is a YAML file containing Canal deployment configuration. You can adjust the parameters in the configuration file as needed.

4 Wait for deployment to complete

Wait for Canal to complete deployment in the Kubernetes cluster. You can check the status of a Pod using the following command:

kubectl get pods -n kube-system

 确保 Canal 相关的 Pod 正常运行并处于就绪状态。 

5 Verify the network plug-in:

Once Canal deployment is complete, you can verify that the network plug-in is working properly. You can create a simple test Pod and try to access it from other Pods or from outside the cluster. If network communication is normal, Canal has been successfully installed and configured.

6 Configure network policy (optional):

Depending on your needs, you can configure Canal's network policies. Network policies can define rules that allow or prohibit communication between Pods to achieve stricter network isolation and security. You can write a network policy YAML file and apply it to a Kubernetes cluster using the kubectl apply command.

3.2 Verify that the network plug-in is installed successfully

To verify that a network plug-in (such as Canal) installed successfully and works properly, you can do the following:

1 Check the running status of the plug-in:

Use the following command to check whether the Pod related to the plug-in is running:

kubectl get pods -n kube-system

Make sure that the Pod associated with Canal is running and that the number of replicas in the READY column is the required number. If there are any errors or exceptions, check the relevant Pod's logs for more details.

2 Create a test Pod:

Create a simple test Pod to verify network communication with other Pods or outside the cluster. A simple Nginx Pod can be created using the following YAML file:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-test
spec:
  containers:
    - name: nginx
      image: nginx

Specific steps: 

Save the above YAML file as `nginx-test.yaml` and create the Pod using the following command:

kubectl apply -f nginx-test.yaml

After the Pod is created, you can check its status using the following command:

kubectl get pods

Make sure the test pod is running and the number of replicas in the READY column is 1.

Test network connectivity: Use the following command to perform a network connectivity test in the test pod:

kubectl exec -it nginx-test -- curl <目标IP或域名>

Replace `<target IP or domain name>` with the target IP address or domain name you want to test. If network communication is normal, you will see a response from the target.

You can also test network connectivity to the test Pod by executing the same command in other Pods.

By performing the above steps, you can verify that the network plug-in installation was successful and ensure that network communication between Pods is functioning properly.

If you encounter any problems, you can check the relevant logs, configurations, and documents to further troubleshoot and solve the problem.

4 FAQ

During the use of Canal, you may encounter some common problems. Here are some possible problems and corresponding solutions:

Canal Pod is in a non-running state or cannot be started: 

• Check whether the network of the Kubernetes cluster is normal and ensure that the dependent components of the network plug-in (such as etcd) are running normally.
• Check the Canal Pod's logs for more details. Use the following command to view the logs:

  kubectl logs <canal-pod-name> -n kube-system

• Ensure that the Pod's resource allocation (such as CPU, memory) is sufficient to meet operating requirements.

Network communication is blocked or external services cannot be accessed:

• Check that the network policy is configured correctly to ensure that communication between Pods or with external services is allowed.
• Check the routing rules of the network plug-in to ensure that traffic is correctly forwarded to the target Pod or service.
• Make sure that the network plug-in's network isolation feature is not blocking required network traffic.

The Pod cannot obtain an IP address or is not reachable over the network:

• Check whether there is an IP address allocation problem and ensure that Canal correctly allocates IP addresses to Pods.
• Ensure that the node's network interface (such as the CNI interface) is properly configured and compatible with the network plug-in.
• Check the node's network configuration to ensure that the network plug-in can correctly manage the Pod's network connections.

Problems occurred after upgrading the Canal version:

• Before upgrading your Canal version, read the release notes and documentation carefully to learn about possible compatibility issues and configuration changes.
• Review the configuration requirements and key points for the new version and ensure that appropriate configuration changes are made as needed.
• Back up and restore critical data during the upgrade process to prevent data loss or irrecoverable damage.

Performance issues or excessive load:

• Evaluate the resource configuration of the cluster to ensure that nodes have sufficient CPU, memory, and network bandwidth.
• Adjust Canal's configuration parameters according to actual load conditions, such as the number of concurrent connections, connection timeout, etc.
• Use performance monitoring tools (such as Prometheus + Grafana) to monitor and analyze the performance indicators of the cluster, identify bottlenecks and optimize them.

5 Summary

Overall, Canal is a powerful network plug-in that provides network functions and container network isolation for Kubernetes clusters.

Its design is flexible and scalable to meet containerized application scenarios of different sizes and needs.

6 votes