티스토리 뷰

IT/Container&k8s

[k8s] Network Resources

Hayley Shim 2023. 10. 29. 00:32

안녕하세요, 2022 kubecon 세션 중 Whose Packet Is It Anyway? Life of a Packet Through a Service Mesh — Kevin Leimkuhler, Buoyant & Doug Jordan, Airbnb 를 참고하여 주요 내용 위주로 정리했습니다.

What is a container?

  • Linux doesn’t have containers. It has namespaces

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

현재 리눅스에서 지원하는 네임스페이스는 크게 보면 다음과 같습니다.참고

  • Cgroup 네임스페이스(cgorup)
  • 네트워크 네임스페이스(network)
  • IPC 네임스페이스(ipc)
  • PID 네임스페이스(pid)
  • UTS 네임스페이스(user)
  • 사용자 네임스페이스(uts)
  • 마운트 네임스페이스(mnt)
  • 시간 네임스페이스(time)

각 컨테이너(Container)는 네트워크 리소스를 공유하는 프로세스입니다.

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

How does a proxy redirect a packet?

  • The packet headers were changed by iptables

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

  • A proxy checks the TCP stream’s socket options

What is responsible for configuring iptables?

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

TCP Debugging

Kafka

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

tcpdump + wireshark

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

install tcpdump

$ apt update && apt install tcpdump

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

Summary

  • Linux doesn’t have containers
  • The network namespace isolates network resources
  • iptables rewrite the packet header
  • The proxy looks at the socket table
  • TCP observability is limited
  • tcpdump the pod on loopback via nsenter
  • tcpdump the proxy via host + interface
  • Ephemeral containers will save us

 

 

blog migration project

written in 2022.10.29

https://medium.com/techblog-hayleyshim/k8s-network-d23581d3986a

'IT > Container&k8s' 카테고리의 다른 글

[k8s] Kubernetes Operations (kOps) Install in AWS  (0) 2023.10.29
[k8s] OpenInfra & Cloud Native Day Korea 2022  (1) 2023.10.29
[k8s] 2022 kubecon- Security  (0) 2023.10.29
[k8s] Debugging a k8s cluster  (1) 2023.10.29
[k8s] performance  (1) 2023.10.29
공지사항
최근에 올라온 글
최근에 달린 댓글
Total
Today
Yesterday
링크
TAG more
«   2025/11   »
1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30
글 보관함