
[k8s] Network Resources

Hayley Shim 2023. 10. 29. 00:32

Hello, this post summarizes the key points of the KubeCon 2022 session "Whose Packet Is It Anyway? Life of a Packet Through a Service Mesh" by Kevin Leimkuhler (Buoyant) and Doug Jordan (Airbnb).

What is a container?

  • Linux doesn’t have containers. It has namespaces

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

Broadly speaking, Linux currently supports the following namespaces.

  • Cgroup namespace (cgroup)
  • Network namespace (network)
  • IPC namespace (ipc)
  • PID namespace (pid)
  • UTS namespace (uts)
  • User namespace (user)
  • Mount namespace (mnt)
  • Time namespace (time)

Each container is a process that shares network resources.


How does a proxy redirect a packet?

  • The packet headers were changed by iptables


  • A proxy checks the TCP stream’s socket options
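The socket-option check described above, as an added example that is not code from the talk or from this post. It assumes the option in question is Linux's `SO_ORIGINAL_DST`, which the page does not name; `ConstructedConn`, the addresses and the ports are constructed stand-ins so the logic runs without iptables rules in place.

```python
import socket
import struct

SO_ORIGINAL_DST = 80                     # value from <linux/netfilter_ipv4.h>
SOL_IP = getattr(socket, "SOL_IP", 0)    # 0 on Linux

def parse_sockaddr_in(raw):
    """Decode the struct sockaddr_in returned by SO_ORIGINAL_DST."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    (family,) = struct.unpack_from("=H", raw, 0)     # family: host byte order
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port, addr = struct.unpack_from("!H4s", raw, 2)  # port/addr: network order
    return socket.inet_ntoa(addr), port

def original_dst(conn):
    """Return (ip, port, redirected) for an accepted TCP connection."""
    local = tuple(conn.getsockname()[:2])
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        # e.g. no conntrack entry for this flow: treat it as not rewritten
        return local[0], local[1], False
    dst = parse_sockaddr_in(raw)
    return dst[0], dst[1], dst != local

class ConstructedConn:
    """Stand-in for an accepted socket (constructed data, not a capture)."""
    def __init__(self, local, raw=None):
        self.local, self.raw = local, raw
    def getsockname(self):
        return self.local
    def getsockopt(self, level, optname, buflen):
        if self.raw is None:
            raise OSError(92, "Protocol not available")
        return self.raw

# Constructed sockaddr_in: the app dialed 10.0.0.15:9092 (Kafka's default port)
SAMPLE = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 9092)
          + socket.inet_aton("10.0.0.15") + bytes(8))

if __name__ == "__main__":
    # Proxy listener address 127.0.0.1:4140 is a constructed value
    print(original_dst(ConstructedConn(("127.0.0.1", 4140), SAMPLE)))
    print(original_dst(ConstructedConn(("127.0.0.1", 4140))))
```

When the returned destination differs from the socket's own local address, the packet header was rewritten before it reached the proxy, which is the signal worth logging when auditing whether traffic actually traverses the mesh.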

What is responsible for configuring iptables?


TCP Debugging

Kafka


tcpdump + wireshark


install tcpdump

$ apt update && apt install tcpdump


Summary

  • Linux doesn’t have containers
  • The network namespace isolates network resources
  • iptables rewrites the packet header
  • The proxy looks at the socket table
  • TCP observability is limited
  • tcpdump the pod on loopback via nsenter
  • tcpdump the proxy via host + interface
  • Ephemeral containers will save us


blog migration project

written in 2022.10.29

https://medium.com/techblog-hayleyshim/k8s-network-d23581d3986a
