yongming closed 5 years ago
Thanks a lot for the quick answer. Programming network policy into a limited number of transit switches/routers seems like a good idea. If those transit VNFs are not deployed in every relevant host, where will they be placed? Is there any principle or initial design on this?
Like network policy, distributed service load balancing is another container-specific (K8S ClusterIP) scenario; it will also be programmed into those transit VNFs in the Mizar data plane, right?
I just read the wiki page (https://github.com/futurewei-cloud/mizar/wiki/Design); the information is enough to answer my question above. Thanks.
Thanks for your interest in Mizar. Releasing a networking control plane to work with the Mizar data plane and/or other popular open-source data planes like OVS is, indeed, a part of our project plan. We are currently working on it to offer a way to unify VM and container networking management, as well as low provisioning latency and high throughput for time-sensitive scenarios like serverless applications. Our next step is to release an alpha implementation of the control plane to showcase a few key techniques, including fast provisioning with a fast path, batched processing of network states (for large-scale deployment scenarios), a microservice framework design, etc.
To answer your second question, we consider containers first-class citizens throughout our design and implementation. From a networking perspective, provisioning a port for containers is the same as that for VMs. One of the scalability challenges for VPC-native containers was how to populate the network policy to other hosts where the security policy is applied (assuming that OVS is used and label-based policy is chosen). This could be addressed by Mizar, as our data plane design requires programming a limited number of transit switches/routers instead of every relevant host.