Abstract: Today, Cloud Native applications have very simple network requirements: discoverable service endpoints with routable IP addresses. This allows Kubernetes to be deployed easily on any network, including public and private IaaS, and even across the Internet. However, as Kubernetes looks to introduce multi-tenancy, and as applications require more sophisticated access control and traffic management policies, network segmentation for isolation and traffic control will be necessary. One common approach for multi-tenant networking is to deploy a virtual network using VXLAN overlays and an SDN controller. VXLAN segmentation provides the isolation necessary for network multi-tenancy and enables policy based security and traffic management. However, building and managing overlay virtual networks is complex and introduces a number of difficult operational challenges. In this session, we introduce Romana, a new open source SDN solution that lets operators build Cloud Native Networks without the complexity of virtual network overlays. Romana networks provide multi-tenancy directly on the physical network, which makes them easier to operate and perform better than overlay virtual networks. We will also show Kubernetes with multi-tenant networks and how to apply network security policies using CNI and the new NetworkPolicy Third Party Resource in Kubernetes 1.2.

1. +
A Cloud Native SDN for Kubernetes
Juergen Brendel, Stas Kraev
Kubecon, London, March 2016

2. romana.io A cloud native SDN for Kubernetes @romanaproject
Agenda
● “Cloud native”, why does it matter?
● A better network for cloud native architectures
● New things in Kubernetes
● Demos

3. romana.io A cloud native SDN for Kubernetes @romanaproject
About us
● Team background:
– Data center networks
– Low-level traffic management
● Created L2 overlay network startup
– Bought by Cisco
● OpenStack networking
● There's got to be a better way
– Time is right

4. What is 'cloud native'?

5. romana.io A cloud native SDN for Kubernetes @romanaproject
The past: Enterprise networking
● Full control
● Applications need L2 and L3
– May need hard-wired IP addresses
– Broadcasts
● Servers are pets, not cattle: “Careful!”
– VM migration
● Complex!
– Complexity in the applications
– Because apps may do anything, network needs to support
everything!

6. romana.io A cloud native SDN for Kubernetes @romanaproject
Cloud native applications
● Automate all the things!
– Infrastructure as code
– Cattle, not pets: “Meh... just kill it.”
– Workloads come and go quickly
– Build for resiliance
● IP is all you need
– No hardcoded IP addresses, discovery
– No special network requirements
– Basic IP connectivity
● Restrictions
– Accept them and get clarity and simplicity in return

7. The problem

8. romana.io A cloud native SDN for Kubernetes @romanaproject
We have a mismatch
● Building cloud native applications…
● … on top of enterprise networking
– SDN controllers use overlay L2 domains
– VLAN, VXLAN, OVS, etc.
● Complexity and brittleness
– Lose benefits of simplicity
– Lose performance (encap, blinded hardware)
– Difficult to maintain and trouble shoot

9. romana.io A cloud native SDN for Kubernetes @romanaproject
The price you pay: Complexity
VXLAN Decap
VXLAN Decap
VXLAN Encap
VXLAN Encap
2 Top of Rack Round
Trips
East/West Traffic
Per Instance Security

10. romana.io A cloud native SDN for Kubernetes @romanaproject
The price you pay: Performance
Router
Endpoint A Endpoint B
Router
L2 overlay A
L2 overlay B
VRouter

11. romana.io A cloud native SDN for Kubernetes @romanaproject
Why do we do this to ourselves?
● We don't need any L2 features
● Except traffic segmentation
– Multi tenancy
– Tiers and policies

12. The solution

13. romana.io A cloud native SDN for Kubernetes @romanaproject
Cloud native SDNs
● Use native L3 capabilities
● No overlays
● De-emphasize IP address ranges
● Still provides segmentation, multi tenancy
● Simple, clear and scalable network setup

14. romana.io A cloud native SDN for Kubernetes @romanaproject
A truly cloud native SDN: Romana
● Project Romana
● Open source
● Apache 2.0 license
● Mostly written in Go
● Kubernetes and OpenStack

15. romana.io A cloud native SDN for Kubernetes @romanaproject
A truly cloud native SDN: Romana
● Use only IP routing
– No overlays
– All workload addresses are 'real'
– Simplicity!
● Use smart addressing
– Encode tenant or segment in IP address
– Assign “virtual” addresses with host prefixes
– Massive (!) collapse of route table
● Routes are static
– No route updates, no broadcasts for new endpoint

16. romana.io A cloud native SDN for Kubernetes @romanaproject
Routing and route aggregation
Host A
eth0:
192.168.8.11
romana-gw:
10.0.0.1/16
10.0.0.5
10.0.1.7
10.0.1.19
10.0.5.3
Host B
eth0:
192.168.8.22
romana-gw:
10.1.0.1/16
10.1.3.52
10.1.9.2
Host C
eth0:
192.168.8.33
romana-gw:
10.2.0.1/16
10.2.0.16
10.2.3.81
10.2.4.6
Routes:
10.1/16 → 192.168.8.22
10.2/16 → 192.168.8.33
Routes:
10.0/16 → 192.168.8.11
10.2/16 → 192.168.8.33
Routes:
10.0/16 → 192.168.8.11
10.1/16 → 192.168.8.22

17. romana.io A cloud native SDN for Kubernetes @romanaproject
Architecture
Host A Host B Host C
Agent Agent Agent
Tenant
Topology
IPAM
Root
Kubernetes

18. romana.io A cloud native SDN for Kubernetes @romanaproject
Architecture
Host A Host B Host C
Agent Agent Agent
Tenant
Topology
IPAM
Root
OpenStack

19. Romana / Kubernetes integration

20. romana.io A cloud native SDN for Kubernetes @romanaproject
Integration points
● CNI (Container Network Interface)
– Developed last year by CoreOS
– Supported by Kubernetes since version 1.1
● Third party resources
– Develop Kubernetes extensions via external
processes
● Network Policies
– Still under development by networking SIG
– Different proposals under discussion

21. romana.io A cloud native SDN for Kubernetes @romanaproject
CNI_COMMAND (ADD | DEL)
CNI_CONTAINERID
CNI_NETNS
CNI_IFNAME
CNI_ARGS
...
CNI: Interface creation workflow
Host A
eth0:
192.168.8.11
Romana
CNI plugin
Kubelet Create interface

22. romana.io A cloud native SDN for Kubernetes @romanaproject
CNI: Interface creation workflow
Host A
eth0:
192.168.8.11
Romana
CNI plugin
Kubelet
Romana
IPAM
Romana
Tenant
Romana
Topology
Host
Tenant
Segment

23. romana.io A cloud native SDN for Kubernetes @romanaproject
CNI: Interface creation workflow
Host A
eth0:
192.168.8.11
Romana
CNI plugin
Kubelet
Romana
Agent
10.0.0.5
connectivity
policies
Romana
IPAM
Romana
Tenant
Romana
Topology
IP address

24. romana.io A cloud native SDN for Kubernetes @romanaproject
Third party resources
● Tell Kubernetes about your new resource
$ kubectl create ­f third­party­resource­definition.yml
● Start listening for events on new URLs
/apis/romana.io/demo/v1/namespaces/default/networkpolicys/
metadata:
name: network­policy.romana.io
apiVersion: extensions/v1beta1
kind: ThirdPartyResource
description: "Network policy"
versions:
­ name: demo/v1

25. romana.io A cloud native SDN for Kubernetes @romanaproject
Kubernetes network polices
● Recognized need for policies
– Grant / deny access, isolate tiers and tenants
– Basically: ACLs
– Different proposals exist
– Implementations use Kubernetes 3rd party resources
● Namespaces
– Use namespace as 'tenant'
– Add 'isolation' flag to namespace

26. romana.io A cloud native SDN for Kubernetes @romanaproject
Example network policy
POST /apis/romana.io/demo/v1/namespaces/tenant­a/networkpolicys/
{
"kind": "NetworkPolicy",
"metadata": {
"name": "pol1"
},
"spec": {
"allowIncoming": {
"from": [
{ "pods": { "segment": "frontend" } }
],
"toPorts": [
{ "port": 80, "protocol": "TCP" }
]
},
"podSelector": { "segment": "backend" }
}
}
Gets
applied to
namespace
“segments”:
Natural fit
for Romana

27. romana.io A cloud native SDN for Kubernetes @romanaproject
Network policy workflow
Kubernetes master
Kubernetes API
3rd
party resource
type definition
kubectl

28. romana.io A cloud native SDN for Kubernetes @romanaproject
Network policy workflow
Kubernetes master
Kubernetes API
URLs
New URLs for this
resource type, per
namespace

29. romana.io A cloud native SDN for Kubernetes @romanaproject
Host
Romana
Agent
iptables
Host
Romana
Agent
iptables
Network policy workflow
Kubernetes master
Romana
K8S listener
Kubernetes API
Host
Romana
Agent
New Romana
policy definition
URLs
Events
streamed
through GET
request
Some client
POST /…..
{ new policy }
iptables

30. Demo

31. romana.io A cloud native SDN for Kubernetes @romanaproject
Conclusion
● Cloud native architectures simplify things
● Need a cloud native SDN to enjoy benefits
● Romana:
– Cloud native without compromises
– Native network performance
– Mostly static config: Solid network
– Very easy to work with and understand
● Easy to try:
– Simple installers for Kubernetes and OpenStack

32. romana.io A cloud native SDN for Kubernetes @romanaproject
Thank you!
● Romana Links
– http://romana.io - Project home
– http://romana.io/blog - Blog
– https://github.com/romana/romana - Sources
● Contact
– @romanaproject - Twitter
– info@romana.io - Email
– https://romana.slack.com/ - Slack channel
● Kubernetes links
– http://bit.ly/1RMVkrr - CNI spec

33. Appendix: Romana technical notes

34. romana.io A cloud native SDN for Kubernetes @romanaproject
Semantic and topological addressing
3
1
3
0
2
9
2
8
2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0
1
9
1
8
1
7
1
6
1
5
1
4
1
3
1
2
1
1
1
0
9 8 7 6 5 4 3 2 1 0
0 0 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 1 1
10
Network prefix bits
The network prefix.
In this example, we
are using the 10/8
address space.
6
Host ID Segment ID
We currently
store tenant ID in
upper bits of
segment ID.
4 67
Endpoint ID
Widths are configurable, don't have to use byte boundaries.

35. romana.io A cloud native SDN for Kubernetes @romanaproject
Segment and tenant bits
3
1
3
0
2
9
2
8
2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0
1
9
1
8
1
7
1
6
1
5
1
4
1
3
1
2
1
1
1
0
9 8 7 6 5 4 3 2 1 0
0 0 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 1 1
10
Network prefix bits
6
Host ID Segment ID
4 67
Endpoint ID
Encode the
tenant ID

36. romana.io A cloud native SDN for Kubernetes @romanaproject
Romana: Traffic segmentation
● Tenant traffic separated:
– Tenants don't get whole CIDR prefix or L2 domain
– But fully isolated from other tenants' traffic
● Tenants can define segments:
– Like tiers, provide isolation and policies
● Use segment and tenant bits in IP addresses:
– Apply policies (iptables) based on that
– Segments can stretch across hosts

37. romana.io A cloud native SDN for Kubernetes @romanaproject
Host BHost A
Allowing traffic within tenant
10.0.0.5 10.1.0.12
iptables:
check src/dst addrs
“tenant/segment bits
must match”
Src: 10.0.0.5
Dst: 10.1.0.12
Same
tenant/segment bits

38. romana.io A cloud native SDN for Kubernetes @romanaproject
Host BHost A
Isolating tenant traffic: Default
10.0.0.5 10.1.128.9
iptables:
check src/dst addrs
“tenant/segment bits
must match”
Src: 10.0.0.5
Dst: 10.1.128.9
Different
tenant/segment bits
Different
tenant

39. romana.io A cloud native SDN for Kubernetes @romanaproject
Host BHost A
Apply network policy between
segments (full isolation as default)
10.0.0.5 10.1.1.9
iptables:
Does policy chain
exist?
Otherwise: DROP
Src: 10.0.0.5
Dst: 10.1.1.9
Same tenant,
different segment
policy-chain:
From segment 0?
Protocol TCP?
To port 80?