triangle kubernetes meetup: container cloud networking - contiv for k8s & openshift

Container Cloud Networking- Contiv for K8S & Openshift

Triangle Kubernetes & Openshift MeetupJune 2017

Sanjeev Rampal – Cisco

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

About the speaker• Current

• Principal Engineer in Cloud Platforms and Solutions Group• Container platform engineering (Docker, Kubernetes, Openshift)• Contiv container networking development

• Previously• Cisco Intercloud architecture and operations• Long time Cisco networking guy (Built hardware routers, ASR9K, 15454)

• Twitter: @sr2357

Contiv Overview & Architecture


100% Open Source The Most Powerful Container Networking Fabric L2, L3, Overlay or ACI Rich Policy Model

DevOps IT Admin

Any NetworkingAny Platform

Any Infrastructure

Application Intent

Rich Policy

Declarative

Simple InstallGUI + CLI

Containers, VM, BM

LDAP/RBAC

Introduction to Contiv


Contiv: How everything fits togetherOperational Policy Management

Developer Operations

ApplicationScheduler

Node 1 Node 2 Node-nContiv Distributed Policy Layer

...

Contiv Elements

Contiv UI to manage/monitor policies/usage

Distributed policy enforcement for network

Integration with physical infrastructure

Integrated with popular container schedulers

Contiv Automatically Integrates and Enforces Developer and Operations Policies


Contiv Modes: Works with or without Cisco hardware

Application-Centric Infrastructure (ACI)• Containers integrated with APIC policies• Physical services integration

Nexus Standalone or Any L2/ L3 Network• Overlay or non-overlay modes• VLAN or VxLan handoff• Optional BGP interop (standard routing protocol)

Contiv Leverages Underlying Infrastructure Capabilities

Requires Cisco ACI hw

Does not require Cisco hw(any vendor ok)


Introducing Contiv 1.0What’s New:

LDAP+RBAC

All New User Experience

and Workflow

Kubernetes 1.4 Support

Docker 1.12 Support

OpenShiftIntegration

Simple Install

1

Commercially Supported Contiv will be announced shortly

Cisco Advances Services

Cisco Solutions Support

100% Open Source at contiv.github.io


Challenges

• Encap over encap (over encap) suffers performance• Obscures visibility, makes diagnostics/monitoring difficult• Harder to integrate with HW appliances

Networking In The Container World

Physical NetworkHypervisorHypervisor

Physical Network

Virtual Switching or Overlay Network

C1 Cn

Overlay Network - VXLAN


Physical Network

Hypervisor Hypervisor

Host 1 Host 2 Host 2Host 1

VM1

C1 Cn


VM2

C1 Cn



C1 Cn


VM1 VM2


Contiv Policy Management System

Node 1 Node-nNode 2

Contiv Distributed Policy Enforcement Layer

Policy Distribution

Policy Manager

Manage/Monitor Policies/Usage/Quotas

Policy Distribution Framework Integrated with Schedulers

Policy Enforcement Points

Integration with Cisco Infrastructure (Nexus/ACI/UCS)


Micro-services With Contiv

Micro-services isolated within the network of a tenant

Web Group

AppGroup

DB Group

Allow grouping of containers/pods

1

Specify policies between groups or from outside the network

2

Ability to Provide Granular Micro-service based Policies in a Scalable Way


ContivHigh-Level Architecture

Host-1

.…

Host Plug-InDistributedKV Store

Plug-In Logic

Contiv Host Agent

Host-n

Linux Host Routing/Switching

To Physical Network

ARP/DNS Responder

Service LB

Route Distribution [ BGP | RPC ]

Container Runtime(e.g., Docker)

[ K8s| Swarm | Mesos | Nomad ]

Master-DBPolicy EngineREST Server

IPAM/Resource-Mgmt HA HeartbeatDistributed

KV Store

[ Etcd | Consul ]

REST User I/F (e.g., netctl | contivctl)

API Calls to External Orchestration Systems e.g,. ACI, Schedulers

Health Monitoring

Contiv Master Cluster

.……

.…

BRKCLD-2024 11


Physical Network (Underlay Integration Options)Native Connectivity

Infra Policy: [ Bridged | Routed ]

VLAN | IP (BGP) Handoff to Access Node

APP1 APP2APP3 APP4

Host-1 Host-n

.…

Overlay Connectivity

Infra Policy: [ Overlay ] [ Bridge | Routed ]

Overlays for Inter-Container Traffic

APP1 APP2APP3 APP4

Host-1 Host-n

.…

Any Network Topology and Container Visibility Across Physical Network

Use Case:Private Cloud

Use Case:Private CloudPublic Cloud


Access-Aggregation TopologyL2+

Configuration: Ease of L2, Benefits of L3: Avoids Flooding

Access: N5k/N9k+N2k

Optional: VMware DVSL2 Network: Statically Configured with VLAN(s)Contiv Host Networking

Agg Layer: e.g., N7k/N9k SVIs Boundary

DC Core

L2 VPC Network

.…

Host-n

.….…

Host-2Host-1

ESX/Hyperversior Layer

Contiv Host Plug-Ins


Container Networking OptionsL3 Native

Leaf: N3k/N9k

Host BGP Peers with Leaf

L3 Routing on Host

Contiv Host Networking

Spine Layer: e.g., N9k

DC Core

L3 CLOS Network

.…

Host-n

V M V MV M V M

.…

V M V MV M V M

.…

Host-2

V M V M

Host-1

V M V M

Contiv Host Plug-Ins

Scalable, Distributed Layer 3 Fabric


Application Centric Infrastructure (ACI)External Network

App DBWeb

QoS

Filter

QoS

Service

QoS

Filter

ACI Fabric

APICAPIC


Benefits of Integrating Contiv with ACI

• Uniform policies for any workload• VMs | Bare-Metal | Container

• Policy automation for mix-mode workloads

• Scale: IPs, EPGs, Networks

• Performance: 40G and 100G optimized fabrics

• Telemetry/Diagnostics• Container location aware physical network


Contiv ACI IntegrationContainer

Management

Unified Policy Automation and Enforcement Across BM, VM, and Containers

Contiv Master

Contiv APIC Gateway

OVS Contiv PluginHYPERVISORHYPERVISORHYPERVISOR Container/Pod Host

Bare Metal

Services


Web

Contiv Plugin

Host-1 Host-n

DB Web DB

Container Scheduler

Contiv Plugin

Application Intent

Tenant-1:External à Web:80 àDB:Port

Tenant-2:External à Web:80 àDB:Port

2

Launching Apps across Cluster

4

DevOps Intent => ACI Policy

Policy Instantiation5

Contiv Tenant/Network Creation1

Physical Network Prep0

3

Example Workflow

Network AdminDevOps Admin

ContivNetMaster


Host-1 Host-2 Host-nCloud A

Cloud B

Demo Physical Topology


C11 (nginx) C12 (nginx)

C21 (alpine) C22 (alpine)

L7 Load balancer/ web reverse proxy

(HAProxy)

VM ‘Z’

Containers Cloud ‘A’Openshift/Kubernetes

VMs Cloud ‘B’Openstack/vSphere

Service 1“default-group”

Service 2“privileged-group”

Service 3 E.g. database VM

Demo Application


Host-1 Host-2 Host-nCloud A

Cloud B

Demo Physical Topology


Getting More Information / Getting Started

Web: http://contiv.ioLive chat: contiv.slack.com

Thank you

triangle kubernetes meetup: container cloud networking - contiv for k8s & openshift

Technology