SlideShare a Scribd company logo

Container Networking Meetup March 31 2016

Download as PPTX, PDF
Andrew Randall, profile picture
Andrew Randall

The document discusses Project Calico, highlighting its role in networking for containerized environments and the challenges faced in achieving efficient network configuration. It outlines key issues such as scaling, IP address limitations, and evolving orchestration platform support, while advocating for a simpler, more effective routing approach. Additionally, it emphasizes the need for proper configuration to avoid sub-optimal performance and discusses the implications of container networking on cloud-based infrastructures.

Software
1 of 25
Downloaded 112 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Project Calico is sponsored by@projectcalico Sponsored by Networking in a Containerized Data Center: the Gotchas! MICROSERVICES FOR ENTERPRISES MEETUP Andy Randall | @andrew_randall Palo Alto, March 31, 2016
Project Calico is sponsored by@projectcalico (n) North American. “an instance of publicly tricking someone or exposing them to ridicule, especially by means of an elaborate deception.”
Project Calico is sponsored by@projectcalico
Project Calico is sponsored by@projectcalico Run anywhere Simple Lightweight Standard Speed Cloud Efficient
Project Calico is sponsored by@projectcalico
Project Calico is sponsored by@projectcalico The original “container approach” to networking  All containers on a machine share the same IP address  Gotcha #1: WWW1 WWW2 80 80 Proxy 8080 8081 Still most container deployments use this method!
Project Calico is sponsored by@projectcalico World is moving to “IP per container” Container Network Interface (CNI) Container Network Model (libnetwork, 0.19) net-modules (0.26) (future: CNI?)
Project Calico is sponsored by@projectcalico We’ve solved “IP per VM” before… VM 1 VM 2 VM 3 Virtual Switch
Project Calico is sponsored by@projectcalico We’ve solved “IP per VM” before… VM 1 VM 2 VM 3 Virtual Switch VM 1 VM 2 VM 3 Virtual Switch
Project Calico is sponsored by@projectcalico Consequences for containers (gotcha #2): Scale Hundreds of servers, low churn Millions of containers, high churn
Project Calico is sponsored by@projectcalico pHost 1 Virtual Switch / encapsulation vNIC pNIC vNIC VM1 Consequences for containers (gotcha #3): Layering Packets are double encap’d! Container A Container B Container C Virtual Switch / encapsulation veth0 veth1 veth2 pHost 2 Virtual Switch / encapsulation VM2 Container D Container E Container F Virtual Switch / encapsulation pNIC vNIC vNIC veth0 veth1 veth2 Physical Switch
Project Calico is sponsored by@projectcalico Consequences for containers (gotcha #4): walled gardens Legacy App pHost 1 Virtual Switch / encapsulation vNIC pNIC vNIC VM1 Container A Container B Container C Virtual Switch / encapsulation veth0 veth1 veth2 Physical Switch
Project Calico is sponsored by@projectcalico “Any intelligent fool can make things bigger, more complex… It takes a touch of genius – and a lot of courage – to move in the opposite direction.”
Project Calico is sponsored by@projectcalico A Saner Approach: just route IP from the container pHost 1 Virtual underlay vNIC pNIC vNIC VM1 Container A Container B Container C Linux kernel routing (no encapsulation) veth0 veth1 veth2 pHost 2 Virtual Underlay VM2 Container D Container E Container F Linux kernel routing (no encapsulation) pNIC vNIC vNIC veth0 veth1 veth2 Physical Underlay
Project Calico is sponsored by@projectcalico Variant: 1 vm per host, no virtual underlay, straight-up IP pHost 1 pNIC vNIC VM1 Container A Container B Container C Linux kernel routing (no encapsulation) veth0 veth1 veth2 pHost 2 VM2 Container D Container E Container F Linux kernel routing (no encapsulation) pNIC vNIC veth0 veth1 veth2 Physical Underlay
Project Calico is sponsored by@projectcalico Results: bare metal performance from virtual networks 0 1 2 3 4 5 6 7 8 9 10 Bare metal Calico OVS+VXLAN Throughput Gbps 0 20 40 60 80 100 120 Bare metal Calico OVS+VXLAN CPU % per Gbps Source: https://www.projectcalico.org/calico-dataplane-performance/
Project Calico is sponsored by@projectcalico  Some container frameworks still assume port mapping  E.g. Marathon load balancer service (but being fixed…)  Some PaaS’s not yet supporting IP per container  But several moving to build on Kubernetes, and will likely pick it up Gotcha #5: IP per container not yet universally supported
Project Calico is sponsored by@projectcalico  You can easily get your configuration wrong and get sub- optimal performance, e.g.  select wrong Flannel back-end for your fabric  turn off AWS src-dest IP checks  get MTU size wrong for the underlay… Gotcha #6: running on public cloud
Project Calico is sponsored by@projectcalico Consequences of MTU size… 0 50 100 150 200 250 300 t2.micro m4.xlarge qperf bandwidth Bare Metal Calico
Project Calico is sponsored by@projectcalico Consequences of MTU size… 0 50 100 150 200 250 300 t2.micro m4.xlarge qperf bandwidth Bare Metal Calico (MTU=1440) Calico (MTU=8980)
Project Calico is sponsored by@projectcalico  Suppose we assign a /24 per Kubernetes node (=> 254 pods)  Run 10 VMs per server, each with a Kubernetes node  40 servers per rack  20 racks per data center  4 data centers  => now need a /15 for the rack, a /10 space for the data center, and the entire 10/8 rfc1918 range to cover 4 data centers.  … and hope your business doesn’t expand to need a 5th data center! Gotcha #7: IP addresses aren’t infinite
Project Calico is sponsored by@projectcalico  Kubernetes  CNI fairly stable  Fine-grained policy being added – will move from alpha (annotation— based) to first-class citizen API  Mesos – multiple ways to network your container  Net-modules – but only supports Mesos containerizer  Docker networking – but then not fully integrated e.g. into MesosDNS  CNI – possible future, but not here today  Roll-your-own orchestrator-network co-ordination – the approach some of our users have taken  Docker  Swarm / Docker Datacenter still early; libnetwork evolution? policy? Gotcha #8: orchestration platforms support still evolving
Project Calico is sponsored by@projectcalico  Docker libnetwork provides limited functionality / visibility to plug-ins  E.g. network name you specify as a user is NOT passed to the underlying SDN  Consequences:  Diagnostics hard to correlate  Hard to enable ”side loaded” commands referring to networks created on Docker command line (e.g. Calico advanced policy)  Hard to network between Docker virtual network domain and non- containerized workloads Gotcha #9: Docker libnetwork is “special”
Project Calico is sponsored by@projectcalico  “Can you write a function that tells me when all nodes have caught up to the global state?”  Sure… Gotcha #10: at cloud scale, nothing ever converges function is_converged() return false
Project Calico is sponsored by@projectcalico

More Related Content

PDF
'Dockerizing' within enterprises
Harish Jayakumar
 
PDF
Microservices for Enterprises - Consistent Network & Security services for Co...
Dhananjay Sampath
 
PPTX
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Andrew Randall
 
PPTX
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Emma Gordon
 
PPTX
Onug lunch talk may 12 2015 no video
Andrew Randall
 
PDF
Clocker, Calico and Docker
Andrew Kennedy
 
PDF
Docker Networking with Project Calico
Andrew Kennedy
 
PDF
Metaswitch Project Calico
Andrew Kennedy
 
'Dockerizing' within enterprises
Harish Jayakumar
 
Microservices for Enterprises - Consistent Network & Security services for Co...
Dhananjay Sampath
 
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)
Andrew Randall
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Emma Gordon
 
Onug lunch talk may 12 2015 no video
Andrew Randall
 
Clocker, Calico and Docker
Andrew Kennedy
 
Docker Networking with Project Calico
Andrew Kennedy
 
Metaswitch Project Calico
Andrew Kennedy
 

What's hot (20)

PDF
Simplifying and Securing your OpenShift Network with Project Calico
Andrew Randall
 
PDF
How we built Packet's bare metal cloud platform
Packet
 
PDF
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Karthik Prabhakar
 
PPTX
Intro to Project Calico: a pure layer 3 approach to scale-out networking
Packet
 
PDF
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration
Fawad Khaliq
 
PDF
Let's Talk about Packet
Packet
 
PDF
Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256
Mark Church
 
PPTX
Lessons learned from global telecom operators' cloud journeys - Zeev Likworni...
Cloud Native Day Tel Aviv
 
PDF
Container security within Cisco Container Platform
Sanjeev Rampal
 
PDF
NYC Docker Meetup: Contiv networking on Docker
Sanjeev Rampal
 
PDF
Project calico - introduction
Hazzim Anaya
 
PDF
Triangle Kubernetes Meetup: Container cloud networking - Contiv for K8S & Ope...
Sanjeev Rampal
 
PPTX
OpenDaylight Netvirt and Neutron - Mike Kolesnik, Josh Hershberg - OpenStack ...
Cloud Native Day Tel Aviv
 
PDF
Microservices and containers networking: Contiv, an industry leading open sou...
Codemotion
 
PPT
Deploying calico on kubernetes
Anirban Sen Chowdhary
 
PDF
Overlay/Underlay - Betting on Container Networking
Lee Calcote
 
PDF
Openstack Summit: Networking and policies across Containers and VMs
Sanjeev Rampal
 
PDF
OpenStack and OpenDaylight: An Integrated IaaS for SDN/NFV
Cloud Native Day Tel Aviv
 
PPTX
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
Cloud Native Day Tel Aviv
 
PDF
Introduction to the Container Networking and Security
Cloud 66
 
Simplifying and Securing your OpenShift Network with Project Calico
Andrew Randall
 
How we built Packet's bare metal cloud platform
Packet
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Karthik Prabhakar
 
Intro to Project Calico: a pure layer 3 approach to scale-out networking
Packet
 
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration
Fawad Khaliq
 
Let's Talk about Packet
Packet
 
Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256
Mark Church
 
Lessons learned from global telecom operators' cloud journeys - Zeev Likworni...
Cloud Native Day Tel Aviv
 
Container security within Cisco Container Platform
Sanjeev Rampal
 
NYC Docker Meetup: Contiv networking on Docker
Sanjeev Rampal
 
Project calico - introduction
Hazzim Anaya
 
Triangle Kubernetes Meetup: Container cloud networking - Contiv for K8S & Ope...
Sanjeev Rampal
 
OpenDaylight Netvirt and Neutron - Mike Kolesnik, Josh Hershberg - OpenStack ...
Cloud Native Day Tel Aviv
 
Microservices and containers networking: Contiv, an industry leading open sou...
Codemotion
 
Deploying calico on kubernetes
Anirban Sen Chowdhary
 
Overlay/Underlay - Betting on Container Networking
Lee Calcote
 
Openstack Summit: Networking and policies across Containers and VMs
Sanjeev Rampal
 
OpenStack and OpenDaylight: An Integrated IaaS for SDN/NFV
Cloud Native Day Tel Aviv
 
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
Cloud Native Day Tel Aviv
 
Introduction to the Container Networking and Security
Cloud 66
 
Ad

Similar to Container Networking Meetup March 31 2016 (20)

PPTX
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Cynthia Thomas
 
PPTX
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
Guillaume Morini
 
PDF
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
Juraj Hantak
 
PPTX
Comparison of existing cni plugins for kubernetes
Adam Hamsik
 
PPTX
Docker Networking Overview
Sreenivas Makam
 
PDF
Container Networking Deep Dive
Open Networking Summit
 
PDF
Packet walks in_kubernetes-v4
InfraEngineer
 
PPTX
Kubernetes Online Training
navyatejavisualpath
 
PPTX
DockerCon US 2016 - Docker Networking deep dive
Madhu Venugopal
 
PDF
Building a sdn solution for the deployment of web application stacks in docker
Jorge Juan Mendoza
 
PDF
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
PDF
OSDC 2017 | The evolution of the Container Network Interface by Casey Callend...
NETWAYS
 
PDF
OSDC 2017 - Casey Callendrello -The evolution of the Container Network Interface
NETWAYS
 
PPTX
KubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico
KubeAcademy
 
PDF
Container network security
Daisuke Nakajima
 
PDF
Practical Design Patterns in Docker Networking
Docker, Inc.
 
PDF
KubernetesNetworkingAndImplementation-Lecture.pdf
AnkitShukla661141
 
PDF
Docker network performance in the public cloud
ContainerCamp
 
PDF
Docker network performance in the public cloud
Arjan Schaaf
 
PDF
Vbrownbag container networking for real workloads
Cisco DevNet
 
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Cynthia Thomas
 
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
Guillaume Morini
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
Juraj Hantak
 
Comparison of existing cni plugins for kubernetes
Adam Hamsik
 
Docker Networking Overview
Sreenivas Makam
 
Container Networking Deep Dive
Open Networking Summit
 
Packet walks in_kubernetes-v4
InfraEngineer
 
Kubernetes Online Training
navyatejavisualpath
 
DockerCon US 2016 - Docker Networking deep dive
Madhu Venugopal
 
Building a sdn solution for the deployment of web application stacks in docker
Jorge Juan Mendoza
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
OSDC 2017 | The evolution of the Container Network Interface by Casey Callend...
NETWAYS
 
OSDC 2017 - Casey Callendrello -The evolution of the Container Network Interface
NETWAYS
 
KubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico
KubeAcademy
 
Container network security
Daisuke Nakajima
 
Practical Design Patterns in Docker Networking
Docker, Inc.
 
KubernetesNetworkingAndImplementation-Lecture.pdf
AnkitShukla661141
 
Docker network performance in the public cloud
ContainerCamp
 
Docker network performance in the public cloud
Arjan Schaaf
 
Vbrownbag container networking for real workloads
Cisco DevNet
 
Ad

More from Andrew Randall (6)

PPTX
Why Kubernetes on Azure: Tigera-Microsoft Partnership
Andrew Randall
 
PDF
State of cloud and application connectivity
Andrew Randall
 
PDF
Preview of “CIOReview - Networking Technology Special 2015”
Andrew Randall
 
PDF
A randall powerpresentations
Andrew Randall
 
PDF
Ingredients for a Successful Service Innovation Ecosystem
Andrew Randall
 
PPT
ONUG Keynote - VoIP Has Just Begun
Andrew Randall
 
Why Kubernetes on Azure: Tigera-Microsoft Partnership
Andrew Randall
 
State of cloud and application connectivity
Andrew Randall
 
Preview of “CIOReview - Networking Technology Special 2015”
Andrew Randall
 
A randall powerpresentations
Andrew Randall
 
Ingredients for a Successful Service Innovation Ecosystem
Andrew Randall
 
ONUG Keynote - VoIP Has Just Begun
Andrew Randall
 

Recently uploaded (20)

PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
System and Network Administration Chapter 2
jaramharo
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 

Container Networking Meetup March 31 2016

  • 1. Project Calico is sponsored by@projectcalico Sponsored by Networking in a Containerized Data Center: the Gotchas! MICROSERVICES FOR ENTERPRISES MEETUP Andy Randall | @andrew_randall Palo Alto, March 31, 2016
  • 2. Project Calico is sponsored by@projectcalico (n) North American. “an instance of publicly tricking someone or exposing them to ridicule, especially by means of an elaborate deception.”
  • 3. Project Calico is sponsored by@projectcalico
  • 4. Project Calico is sponsored by@projectcalico Run anywhere Simple Lightweight Standard Speed Cloud Efficient
  • 5. Project Calico is sponsored by@projectcalico
  • 6. Project Calico is sponsored by@projectcalico The original “container approach” to networking  All containers on a machine share the same IP address  Gotcha #1: WWW1 WWW2 80 80 Proxy 8080 8081 Still most container deployments use this method!
  • 7. Project Calico is sponsored by@projectcalico World is moving to “IP per container” Container Network Interface (CNI) Container Network Model (libnetwork, 0.19) net-modules (0.26) (future: CNI?)
  • 8. Project Calico is sponsored by@projectcalico We’ve solved “IP per VM” before… VM 1 VM 2 VM 3 Virtual Switch
  • 9. Project Calico is sponsored by@projectcalico We’ve solved “IP per VM” before… VM 1 VM 2 VM 3 Virtual Switch VM 1 VM 2 VM 3 Virtual Switch
  • 10. Project Calico is sponsored by@projectcalico Consequences for containers (gotcha #2): Scale Hundreds of servers, low churn Millions of containers, high churn
  • 11. Project Calico is sponsored by@projectcalico pHost 1 Virtual Switch / encapsulation vNIC pNIC vNIC VM1 Consequences for containers (gotcha #3): Layering Packets are double encap’d! Container A Container B Container C Virtual Switch / encapsulation veth0 veth1 veth2 pHost 2 Virtual Switch / encapsulation VM2 Container D Container E Container F Virtual Switch / encapsulation pNIC vNIC vNIC veth0 veth1 veth2 Physical Switch
  • 12. Project Calico is sponsored by@projectcalico Consequences for containers (gotcha #4): walled gardens Legacy App pHost 1 Virtual Switch / encapsulation vNIC pNIC vNIC VM1 Container A Container B Container C Virtual Switch / encapsulation veth0 veth1 veth2 Physical Switch
  • 13. Project Calico is sponsored by@projectcalico “Any intelligent fool can make things bigger, more complex… It takes a touch of genius – and a lot of courage – to move in the opposite direction.”
  • 14. Project Calico is sponsored by@projectcalico A Saner Approach: just route IP from the container pHost 1 Virtual underlay vNIC pNIC vNIC VM1 Container A Container B Container C Linux kernel routing (no encapsulation) veth0 veth1 veth2 pHost 2 Virtual Underlay VM2 Container D Container E Container F Linux kernel routing (no encapsulation) pNIC vNIC vNIC veth0 veth1 veth2 Physical Underlay
  • 15. Project Calico is sponsored by@projectcalico Variant: 1 vm per host, no virtual underlay, straight-up IP pHost 1 pNIC vNIC VM1 Container A Container B Container C Linux kernel routing (no encapsulation) veth0 veth1 veth2 pHost 2 VM2 Container D Container E Container F Linux kernel routing (no encapsulation) pNIC vNIC veth0 veth1 veth2 Physical Underlay
  • 16. Project Calico is sponsored by@projectcalico Results: bare metal performance from virtual networks 0 1 2 3 4 5 6 7 8 9 10 Bare metal Calico OVS+VXLAN Throughput Gbps 0 20 40 60 80 100 120 Bare metal Calico OVS+VXLAN CPU % per Gbps Source: https://www.projectcalico.org/calico-dataplane-performance/
  • 17. Project Calico is sponsored by@projectcalico  Some container frameworks still assume port mapping  E.g. Marathon load balancer service (but being fixed…)  Some PaaS’s not yet supporting IP per container  But several moving to build on Kubernetes, and will likely pick it up Gotcha #5: IP per container not yet universally supported
  • 18. Project Calico is sponsored by@projectcalico  You can easily get your configuration wrong and get sub- optimal performance, e.g.  select wrong Flannel back-end for your fabric  turn off AWS src-dest IP checks  get MTU size wrong for the underlay… Gotcha #6: running on public cloud
  • 19. Project Calico is sponsored by@projectcalico Consequences of MTU size… 0 50 100 150 200 250 300 t2.micro m4.xlarge qperf bandwidth Bare Metal Calico
  • 20. Project Calico is sponsored by@projectcalico Consequences of MTU size… 0 50 100 150 200 250 300 t2.micro m4.xlarge qperf bandwidth Bare Metal Calico (MTU=1440) Calico (MTU=8980)
  • 21. Project Calico is sponsored by@projectcalico  Suppose we assign a /24 per Kubernetes node (=> 254 pods)  Run 10 VMs per server, each with a Kubernetes node  40 servers per rack  20 racks per data center  4 data centers  => now need a /15 for the rack, a /10 space for the data center, and the entire 10/8 rfc1918 range to cover 4 data centers.  … and hope your business doesn’t expand to need a 5th data center! Gotcha #7: IP addresses aren’t infinite
  • 22. Project Calico is sponsored by@projectcalico  Kubernetes  CNI fairly stable  Fine-grained policy being added – will move from alpha (annotation— based) to first-class citizen API  Mesos – multiple ways to network your container  Net-modules – but only supports Mesos containerizer  Docker networking – but then not fully integrated e.g. into MesosDNS  CNI – possible future, but not here today  Roll-your-own orchestrator-network co-ordination – the approach some of our users have taken  Docker  Swarm / Docker Datacenter still early; libnetwork evolution? policy? Gotcha #8: orchestration platforms support still evolving
  • 23. Project Calico is sponsored by@projectcalico  Docker libnetwork provides limited functionality / visibility to plug-ins  E.g. network name you specify as a user is NOT passed to the underlying SDN  Consequences:  Diagnostics hard to correlate  Hard to enable ”side loaded” commands referring to networks created on Docker command line (e.g. Calico advanced policy)  Hard to network between Docker virtual network domain and non- containerized workloads Gotcha #9: Docker libnetwork is “special”
  • 24. Project Calico is sponsored by@projectcalico  “Can you write a function that tells me when all nodes have caught up to the global state?”  Sure… Gotcha #10: at cloud scale, nothing ever converges function is_converged() return false
  • 25. Project Calico is sponsored by@projectcalico

Editor's Notes

  • #13: All the containers can talk to one another Things like Kubeproxy will allow a single service VIP to access the containers inside the virtual network But some legacy apps need direct access to the containers, and there’s no on/off-ramp possible