caseydavenport / k8s-policy-agent

Calico network policy agent for Kubernetes
Apache License 2.0

calico and isolation at kubernetes services. #2

Open dp-farm opened 8 years ago

dp-farm commented 8 years ago

Hi Casey,

I am trying to use calico in kubernetes and want to enable service isolation.

i.e. service 'A' cannot talk to service 'B' but service 'C' pods can talk to service 'B'.

Now service IPs (cluster IPs) are not assigned by calico so I guess calico policies will work at the pod layer. But how does the pod see the client IP? kube-proxy will open a new connection to the backend pod (service 'B' pods) with the source IP of the minion node itself.

So when packets arrive at pods of service 'B' they will have the source IP of the minion node (kube-proxy) itself. How will calico do policy enforcement without seeing the source IP?

thanks Devesh

caseydavenport commented 8 years ago

@dp-farm

When using Calico for NetworkPolicy it is recommended to use the iptables mode of the kube-proxy for a few reasons.

1) As you point out, using the userspace proxy obscures the source address, so policy doesn't work anymore.

2) It is much faster and more efficient than the userspace proxy.

The iptables proxy is the default mode in > v1.2 I believe.

For network policy, I'd recommend checking out this: http://kubernetes.io/docs/user-guide/networkpolicies/

Calico is one of the few network implementations that support that API.
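
The service isolation asked about in the opening post, expressed with the NetworkPolicy API that the reply links to. This is an added example for this thread, not code from the issue or from the project; the pod labels (app: a, app: b, app: c) and the namespace are assumptions, and it uses the current networking.k8s.io/v1 API rather than the beta API of the thread's era. Policy selects pods and matches on the pod source address that Calico sees after kube-proxy's DNAT, which is why the iptables proxy matters: with the userspace proxy every connection arrives from the node and the podSelector in the ingress rule never matches. The hairpin case reported later in the thread, a pod reaching itself through its own cluster IP, is masqueraded to the node address even in iptables mode and so is also not matched by a pod selector.

```yaml
# Default deny: once a pod is selected by any policy, only the listed
# ingress sources are allowed. Selecting app=b and listing no rules
# closes service B to everything, including service A's pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: b-default-deny
  namespace: demo          # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: b               # assumed label on service B's pods
  policyTypes:
    - Ingress
---
# Allow only service C's pods to reach service B's pods on the port the
# Service forwards to. The match is on the pod source address, so the
# connection must arrive with the client pod's IP intact (iptables
# proxy, non-hairpin path); the userspace proxy's node-sourced
# connections would be dropped by the default deny above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: b-allow-from-c
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: b
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: c       # assumed label on service C's pods
      ports:
        - protocol: TCP
          port: 80         # assumed targetPort of service B
```

Note that the policy is evaluated at the backend pod, after DNAT, so the cluster IP itself never appears in a rule; there is no way in this API to write a rule "from service A", only "from the pods behind service A".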

dp-farm commented 8 years ago

oh ok, thanks. I was playing with vagrant coreos guestbook demo (https://github.com/projectcalico/calico-containers/blob/master/docs/cni/kubernetes/vagrant-coreos/guestbook.md).

And I see two kinds of results, that lead me to ask this question --->

If I try to access frontend pods from frontend pods, I see a few times this kind of trace where the source IP is changing to the minion IP -->

23:37:16.443651 IP 192.168.0.67.44934 > 10.100.0.142.http: Flags [S], seq 3495141044, win 29200, options [mss 1460,sackOK,TS val 1189792 ecr 0,nop,wscale 7], length 0
23:37:16.443689 IP k8s-node-01.44934 > 192.168.0.67.http: Flags [S], seq 3495141044, win 29200, options [mss 1460,sackOK,TS val 1189792 ecr 0,nop,wscale 7], length 0
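
A way to read a trace like the one above and tell whether kube-proxy kept the pod source address. This is an added example for this thread, not Calico or kube-proxy code. The idea: a SYN captured on the node with `tcpdump -i any` shows up once before and once after the iptables NAT chains, with the same source port and TCP sequence number but possibly different addresses; correlating the two copies shows which side was rewritten. The first trace is the one posted above; the second is a constructed trace of the ordinary DNAT-only case where a pod reaches another pod's service and keeps its own address.

```python
"""Correlate tcpdump SYN lines to see whether kube-proxy rewrote the
source address before the packet reached the backend pod.

Added example for this thread; not Calico or kube-proxy code.
"""
import re
from collections import OrderedDict

# Matches tcpdump's default TCP line format: timestamp, IP src.port > dst.port, flags, seq.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)"
)

# Trace posted in the issue: a frontend pod dials its own service VIP.
HAIRPIN_TRACE = """\
23:37:16.443651 IP 192.168.0.67.44934 > 10.100.0.142.http: Flags [S], seq 3495141044, win 29200, options [mss 1460,sackOK,TS val 1189792 ecr 0,nop,wscale 7], length 0
23:37:16.443689 IP k8s-node-01.44934 > 192.168.0.67.http: Flags [S], seq 3495141044, win 29200, options [mss 1460,sackOK,TS val 1189792 ecr 0,nop,wscale 7], length 0"""

# Constructed trace (not from the issue) of the ordinary iptables-proxy
# case: only the destination is rewritten, the pod source survives.
DNAT_ONLY_TRACE = """\
23:40:01.000100 IP 192.168.0.67.50002 > 10.100.0.142.http: Flags [S], seq 1000, win 29200, options [mss 1460], length 0
23:40:01.000150 IP 192.168.0.67.50002 > 192.168.0.80.http: Flags [S], seq 1000, win 29200, options [mss 1460], length 0"""


def parse_lines(text):
    """Return the pure SYN packets (flags exactly 'S') as dicts, in capture order."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("flags") == "S":
            packets.append(m.groupdict())
    return packets


def find_rewrites(packets):
    """Group SYNs by (sport, seq) and report groups whose endpoints changed.

    Two copies of the same SYN with different addresses mean a NAT rule
    fired between the two capture points.
    """
    groups = OrderedDict()
    for p in packets:
        groups.setdefault((p["sport"], p["seq"]), []).append(p)

    rewrites = []
    for (sport, seq), pkts in groups.items():
        if len(pkts) < 2:
            continue
        first, last = pkts[0], pkts[-1]
        before = (first["src"], first["dst"])
        after = (last["src"], last["dst"])
        if before == after:
            continue
        rewrites.append({
            "sport": sport,
            "seq": seq,
            "before": before,
            "after": after,
            "snat": first["src"] != last["src"],   # client address lost
            "dnat": first["dst"] != last["dst"],   # VIP mapped to a backend
            # Hairpin: the VIP was DNAT'ed back to the pod that sent the SYN.
            "hairpin": last["dst"] == first["src"],
        })
    return rewrites


def source_preserved(text):
    """True when no connection in the capture lost its pod source address."""
    return not any(r["snat"] for r in find_rewrites(parse_lines(text)))


if __name__ == "__main__":
    for name, trace in (("hairpin", HAIRPIN_TRACE), ("dnat-only", DNAT_ONLY_TRACE)):
        for r in find_rewrites(parse_lines(trace)):
            tags = [t for t, on in (("SNAT", r["snat"]), ("DNAT", r["dnat"]),
                                    ("hairpin", r["hairpin"])) if on]
            print(name, r["before"], "->", r["after"], " ".join(tags))
```

On the posted trace the script reports both SNAT and DNAT with the hairpin flag set: the destination after rewrite is the sending pod itself, which is the case where a pod-selecting policy cannot see the real client. On the constructed trace only DNAT fires and the source address is preserved, which is the condition NetworkPolicy relies on.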

dp-farm commented 8 years ago

But this may be happening when a pod ends up talking to itself using its own service cluster IP. Maybe this is a bug or intentional behaviour in the iptables implementation of kube-proxy. Thanks for your clarification.

Along the same lines I have one more question. Can calico support behaviour similar to the kubernetes cluster IP, where the same non-routable IP from calico is assigned to a load-balancing entity (similar to kube-proxy)?

This way we can support the calico firewall at the service IP layer itself. I have a use-case for this in a mesos environment where calico can help with firewalling at the load-balancing layer itself.