[k8s] Network Resources
Hello. These notes summarise the main points of the KubeCon 2022 session Whose Packet Is It Anyway? Life of a Packet Through a Service Mesh by Kevin Leimkuhler (Buoyant) and Doug Jordan (Airbnb).
What is a container?
- Linux doesn’t have containers. It has namespaces

Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022
Broadly, the namespaces Linux currently supports are the following:
- Cgroup namespace (cgroup)
- Network namespace (network)
- IPC namespace (ipc)
- PID namespace (pid)
- UTS namespace (uts)
- User namespace (user)
- Mount namespace (mnt)
- Time namespace (time)
Each container is a process that shares network resources.
How does a proxy redirect a packet?
- The packet headers were changed by iptables
- A proxy checks the TCP stream’s socket options
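The point above, that the proxy learns where a connection was originally headed from the socket rather than from the rewritten packet headers, can be shown with a small transparent-proxy listener. This is an added example, not code from the talk or from any mesh proxy. It assumes Linux, that the mesh's iptables nat REDIRECT rules already send traffic to the listen port (4140 here is a placeholder), and it uses the kernel's SO_ORIGINAL_DST socket option, which hands back a struct sockaddr_in that the block decodes; the encoder exists only to build constructed test input.

```python
import socket
import struct

# Linux getsockopt option number for SO_ORIGINAL_DST (level SOL_IP); the
# Python socket module does not expose it by name, so it is defined here.
SO_ORIGINAL_DST = 80
SOL_IP = getattr(socket, "SOL_IP", 0)


def decode_sockaddr_in(raw: bytes) -> tuple:
    """Decode the struct sockaddr_in returned by SO_ORIGINAL_DST.

    Layout: sin_family (u16, host byte order), sin_port (u16, network byte
    order), sin_addr (4 bytes), then 8 bytes of sin_zero padding.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address (family=%d)" % family)
    port = struct.unpack("!H", raw[2:4])[0]
    addr = socket.inet_ntoa(raw[4:8])
    return addr, port


def encode_sockaddr_in(addr: str, port: int) -> bytes:
    """Build a sockaddr_in the way the kernel lays it out (constructed test input)."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(addr)
            + bytes(8))


def original_destination(conn: socket.socket) -> tuple:
    """Ask the kernel where this connection was going before REDIRECT rewrote it.

    Only meaningful on Linux for a socket accepted from a listener that the
    iptables nat rules point traffic at; elsewhere getsockopt raises OSError.
    """
    raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    return decode_sockaddr_in(raw)


def serve_one(listen_port: int = 4140) -> tuple:
    """Accept one redirected connection and return its original (ip, port).

    listen_port is a placeholder for whatever port the mesh redirects to.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            dst = original_destination(conn)
            print("connection from %s:%d was originally for %s:%d"
                  % (peer[0], peer[1], dst[0], dst[1]))
            return dst


if __name__ == "__main__":
    serve_one()
```

Because the rewritten header still carries the proxy's own address, a proxy that only read the packet would see every connection as addressed to itself; the socket option is what lets it forward to the real upstream, and it is also why a capture taken on the pod's loopback shows the proxy port rather than the service address.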
What is responsible for configuring iptables?
TCP Debugging
Kafka
tcpdump + wireshark
install tcpdump
$ apt update && apt install tcpdump
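The two capture positions the talk recommends (tcpdump the pod on loopback via nsenter, and tcpdump the proxy from the host on the pod's own interface) written out as an added Python helper; this is not code from the talk. It assumes a containerd node with crictl available, that `crictl inspect -o json` exposes the container's host PID under `info.pid`, that the pod's interface is named eth0, and it ships with constructed sample command output so the PID and veth resolution can be exercised offline; with `dry_run=False` it runs crictl, nsenter and ip for real (root on the node is required).

```python
import json
import re
import subprocess

# Constructed sample outputs (not captured from a real cluster) so the parsing
# can be exercised without root or a node.
SAMPLE_INSPECT = json.dumps({"status": {"id": "3a4b5c6d"}, "info": {"pid": 24117}})
SAMPLE_POD_IP_LINK = (
    "2: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue "
    "state UP mode DEFAULT group default \\    link/ether 9a:1c:00:00:00:01\n"
)
SAMPLE_HOST_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
    "2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP\n"
    "15: veth3a4b5c6d@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP\n"
)


def strip_runtime_prefix(container_id: str) -> str:
    """kubectl reports ids as 'containerd://<id>'; crictl wants the bare id."""
    return container_id.split("://", 1)[-1]


def container_pid(inspect_json: str) -> int:
    """Read the container's host PID from `crictl inspect -o json` output.

    Assumption: the runtime reports it under info.pid (containerd does).
    """
    pid = json.loads(inspect_json).get("info", {}).get("pid")
    if not isinstance(pid, int) or pid <= 0:
        raise ValueError("container has no running init process")
    return pid


def peer_ifindex(pod_ip_link: str) -> int:
    """From `ip -o link show eth0` run inside the pod netns, return the host-side
    ifindex of the veth peer (the N in 'eth0@ifN')."""
    m = re.search(r"^\d+:\s+\S+@if(\d+):", pod_ip_link, re.M)
    if not m:
        raise ValueError("no veth peer index in ip link output")
    return int(m.group(1))


def host_iface_by_index(host_ip_link: str, ifindex: int) -> str:
    """Map a host ifindex to its interface name using `ip -o link` on the node."""
    for line in host_ip_link.splitlines():
        m = re.match(r"^(\d+):\s+([^@:\s]+)", line)
        if m and int(m.group(1)) == ifindex:
            return m.group(2)
    raise LookupError("ifindex %d not present on host" % ifindex)


def in_pod_netns(pid: int, cmd: list) -> list:
    """Prefix cmd so it runs inside the network namespace of PID."""
    return ["nsenter", "-t", str(pid), "-n", "--"] + cmd


def tcpdump_cmd(iface: str, outfile: str, bpf_filter: str = "") -> list:
    """tcpdump writing a pcap for Wireshark; -U flushes each packet to disk."""
    return ["tcpdump", "-i", iface, "-U", "-w", outfile] + bpf_filter.split()


def pod_loopback_capture_cmd(pid: int, outfile: str, bpf_filter: str = "") -> list:
    """Capture 1: app <-> proxy traffic never leaves the pod's loopback."""
    return in_pod_netns(pid, tcpdump_cmd("lo", outfile, bpf_filter))


def host_veth_capture_cmd(iface: str, outfile: str, bpf_filter: str = "") -> list:
    """Capture 2: proxy <-> network traffic is visible on the pod's veth from the host."""
    return tcpdump_cmd(iface, outfile, bpf_filter)


def run(cmd: list) -> str:
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def plan_captures(container_id: str, outdir: str = "/tmp", dry_run: bool = True) -> dict:
    """Resolve the pod's PID and host veth, then return both capture commands.

    With dry_run=True (the default) nothing is executed; the constructed
    samples stand in for the crictl/ip output.
    """
    cid = strip_runtime_prefix(container_id)
    inspect = SAMPLE_INSPECT if dry_run else run(["crictl", "inspect", "-o", "json", cid])
    pid = container_pid(inspect)
    pod_links = SAMPLE_POD_IP_LINK if dry_run else run(in_pod_netns(pid, ["ip", "-o", "link", "show", "eth0"]))
    host_links = SAMPLE_HOST_IP_LINK if dry_run else run(["ip", "-o", "link"])
    veth = host_iface_by_index(host_links, peer_ifindex(pod_links))
    return {
        "pid": pid,
        "veth": veth,
        "loopback": pod_loopback_capture_cmd(pid, "%s/%s-lo.pcap" % (outdir, cid)),
        "host": host_veth_capture_cmd(veth, "%s/%s-veth.pcap" % (outdir, cid)),
    }


if __name__ == "__main__":
    import sys
    cid = sys.argv[1] if len(sys.argv) > 1 else "containerd://3a4b5c6d"
    for name, value in plan_captures(cid).items():
        print(name, value)
```

Entering the namespace with nsenter is what makes the loopback capture work without installing tcpdump in the application image; the veth mapping matters because on a busy node many veth interfaces look alike, and capturing the wrong one silently yields an empty pcap.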
Summary
- Linux doesn’t have containers
- The network namespace isolates network resources
- iptables rewrites the packet header
- The proxy looks at the socket table
- TCP observability is limited
- tcpdump the pod on loopback via nsenter
- tcpdump the proxy via host + interface
- Ephemeral containers will save us
blog migration project
written in 2022.10.29
https://medium.com/techblog-hayleyshim/k8s-network-d23581d3986a