关注微信公众号
第一手干货与资讯
加入官方微信群
获取免费技术支持
In the world of containers, Kubernetes has become the community standard for container orchestration and management. But there are some basic elements surrounding networking that need to be considered as applications are built to ensure that full multi-cloud capabilities can be leveraged.
The basic unit of management inside Kubernetes is not a container—It is called a pod. A pod is simply one or more containers that are deployed as a unit. Often, they are a single functional endpoint used as part of a service offering. Two examples of valid pods are:
Useful things to know about pods:
A Kubernetes service is where multiple identical pods are managed behind a load balancer. Clients connect to the IP of the load balancer instead of the individual IPs of each pod. Defining your application as a service allows Kubernetes to scale the number of pods based on the rules defined, and available resources. Defining an application as part of a service is the only way to make it available to clients outside of the Kubernetes infrastructure. Even if you never scale past one node, services is the avenue to have an external IP address assigned.
Want to learn more about Docker, Kubernetes, and Rancher? Join us for free online training Labels are key/value pairs which are assigned to objects, like pods, within Kubernetes. Labels should be meaningful and relevant. In a standard installation of Kubernetes, labels do not directly impact core operations with Kubernetes, but are used primarily for grouping and identification purposes.
Labels were mentioned in the previous section, and there are now network plugins recommended by Kubernetes that leverage labels to change some functionality at runtime. Most of the network plugins that can be used on Kubernetes are based on the Container Networking Interface (CNI) specification, which is maintained by the Cloud Native Computing Foundation. The CNI allows for the same network plugins to be used on multiple container platforms. As part of the Kubernetes Network Special Internet Group (Network SIG), a way to apply network security policies has been created that leverages labels so the correct network policies are applied at runtime, instead of the more traditional model of a network or security team that pre-assigns everything. (The world of containers is too dynamic to have that level of manual intervention.) There are several options available today that support network policies applied to namespaces and pods, including OpenContrail and Project Calico. With this new approach, Kubernetes administrators import all pre-approved policies, and developers are responsible for and have the autonomy to apply the policies as required—with all of this work being done as part of the pod definition. Sample Network Policy:
POST /apis/net.alpha.kubernetes.io/v1alpha1/namespaces/tenant-a/networkpolicys/ { "kind": "NetworkPolicy", "metadata": { "name": "pol1" }, "spec": { "allowIncoming": { "from": [ { "pods": { "segment": "frontend" } } ], "toPorts": [ { "port": 80, "protocol": "TCP" } ] }, "podSelector": { "segment": "backend" } } }
Sample Pod Configuration with Network Policy Defined:
apiVersion: v1 kind: Pod metadata: name: nginx labels: app: nginx segment: frontend spec: containers: - name: nginx image: nginx ports: - containerPort: 80
With the functionality that Kubernetes offers, developers now have the flexibility they require to fully define the application and its dependencies, and can use multiple containers in a single pod. Kubernetes will ensure that if any of the containers fail, those pods will be decommissioned and a new one will be spun up to replace it automatically. Developers can also define what port the application or service listens on, if it is part of a larger service, or just a standalone instance. With operations “out of the way,” rapid development and deployment cycles using continuous delivery and deployment methodologies can and will be the new normal. Vince Power is a Contributor at Fixate IO and Solution Architect who has a focus on cloud adoption and technology implementations using open source-based technologies. He has extensive experience with core computing and networking (IaaS), identity and access management (IAM), application platforms (PaaS), and continuous delivery.