The Kuryr project offers an interesting approach to network cloud native workloads, by enabling container orchestration engines to consume network services from OpenStack Neutron.With pod-in-VM support, Kuryr-Kubernetes enables a whole slew of new hybrid workloads, like bare metal or in-VM pods accessing services that run on VMs, multiple COEs (e.g. Docker Swarm to Kubernetes), and more. Unified networking simplifies deployment, configuration and provides single pane of glass into management and troubleshooting. Let’s dive into Kuryr Kubernetes and learn how different open source technologies can complement each other in order to enable number of complicated deployment scenarios.

1. Kuryr-Kubernetes
Adding Pods to your Datacenter Networking
Irena Berezovsky @irenab
Antoni Segura Puimedon @celebdor

2. Cloud Native Workloads and Networking
12 Factor Application
Containers are the primary workload
encapsulation mechanism
Microservices
Automation and self-healing is a key principal of a
cloud native application

3. Kubernetes
Overview
Cluster is a groups of
nodes running
Kubernetes
Node is physical server or
virtual machine
managed by K8S
Master Node runs Control
Plane

4. K8s Data Model
Pod - basic scheduled
unit
Service - abstraction of
logical set of pods and
policy to access them
Namespace - virtual cluster

5. Kuryr-Kubernetes Project motivation
Hard to connect VMs, bare metal and nested containers
No unified networking infrastructure
Overlay2 for Pods running in VMs
Performance, latency, SLA, management penalties
Need for a smooth transition to the Cloud Native
Applications
Ability to transition workloads to microservices at your own pace

6. Kuryr-Kubernetes Project Mission
Neutron, unified, community sourced networking for
Pods & VMs
OpenStack vendor support experience in the
Container space
Get Neutron users faster into container workloads
VMs and Pods on the same Neutron network
Enable both L2 and L3 connectivity between OS VMs and K8s
Pods

7. Bare Metal Use
Case
Centralized Kuryr Controller
Kuryr Controller maps
K8s Pods into Neutron
ports
K8s Services into
Neutron Load
Balancers
Kuryr CNI on each Worker
node performs Pod
binding

8. Pod in VM Use
Case
Security
Easier node allocation
Single overlay
VM and Pods as targetable
network resources
Can use either Neutron
trunk ports or macvlan
based VM port
allocation

9. Mixed Use Case
Connect to existing
services in VMs
Legacy applications
alongside
microservices
VM NFVs
Use existing cloud for
Kubernetes workloads

10. Supported functionality
Pods networking
Kubernetes native networking
Pods as Neutron ports on the cluster
Neutron network
Single tenant
Full connectivity enabled by default
Kubernetes ClusterIP Services

11. Kuryr-Kubernetes Architecture

13. Kuryr Controller
Secure connection to the Neutron API Server
Keystone as Authorization service
Watches Kubernetes API resources with a service account
Stevedore Plugin based Network resources translation
Handlers: Receive Kubernetes resource events and patch them
Drivers: Used by handlers to allocate Neutron resources, allowing multiple
implementations and vendors.

14. Kuryr Controller ServiceAccount
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kuryrctl
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kuryrctl-global
subjects:
- kind: User
name: kuryrctl
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: kuryrctl
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion:
rbac.authorization.k8s.io/v1beta1
metadata:
name: kuryrctl
rules: - apiGroups:
- ""
verbs:
- get
- list
- watch
resources:
- deployments
- endpoints
- ingress
- nodes
- pods
- policies
- services
- apiGroups:
- ""
verbs:
- update
- patch
resources:
- endpoints
- ingress
- pods
- policies
- nodes
- services
- services/status

15. Kuryr CNI Driver
Kuryr CNI driver only
communicates with
Kubernetes API
Kubelet already has
connection to K8s API
Performs local binding of
the neutron port
Supports CNI versioned
output (0.3.0)
Watches Pod resources for
Controller-driven vif
"annotations": {
"openstack.org/kuryr-vif": {
"active": true,
"address": "fa:16:3e:6c:1f:ff",
"bridge_name": "br-int",
"has_traffic_filtering": true,
"id": "ba8f8d4b-1dfb-4aaf-8ab2-80c25711da3f",
"network": {
"bridge": "br-int",
"id": "a10c5bf4-99b2-4b0d-82b1-2a2639dda4de",
"label": "private",
"mtu": 1450,
"multi_host": false,
"should_provide_bridge": false,
"should_provide_vlan": false,
"subnets": {[{
"cidr": "10.0.0.0/26",
"dns": [],
"gateway": "10.0.0.1",
"ips": [{
"address": "10.0.0.8"}],
"routes": []
}]}
},
"plugin": "ovs",
"port_profile": {
"interface_id": "ba8f8d4b-1dfb-4aaf-8ab2-80c25711da3f"
},
"preserve_on_delete": false,
"vif_name": "tapba8f8d4b-1d"
}
}

16. Controller - CNI baremetal pod creation

17. Controller - CNI
pod-in-VM creation
● Uses trunk ports to provide
Neutron ports to containers
● Uses VLAN segmentation so
Pod communication still goes
to the vSwitch
● Plugging is just creating a
VLAN device
● Polling for neutron trunk agent
to build the infra

18. Kubernetes
Services
Cluster IP translates to
Neutron VIP
Service endpoints translate
to Pool Members
Uses Neutron Lbaas v2
Planned addition of Octavia
driver

19. Cluster service creation flow

20. Scaling Kuryr
● Generic resource
Pooling
○ VIF
○ Load Balancers*
● Stevedore pluggability
to choose pooling
behavior
● Pre-allocates Neutron
resources in batch
operations

21. Demo: Guestbook
2-tier
3 services
PHP frontend, Redis backend

22. Features
LoadBalancer Kubernetes Service Type
Resource Management
Ingress support
Policy support
Multi-Tenancy, Multiple Networks support
Management CLI
What’s Next

23. Join us
Project launchpad
https://launchpad.net/kuryr-kubernetes
Repository
https://github.com/openstack/kuryr-kubernetes
IRC
Weekly meeting #openstack-meeting-4 Mondays 14:00 UTC
#openstack-kuryr at Freenode

24. Resources
Documentation
https://docs.openstack.org/developer/kuryr-kubernetes
Getting started
https://ltomasbo.wordpress.com/2017/01/29/side-by-side-and-nested-kubernetes-and-
openstack-deployment-with-kuryr/
https://ltomasbo.wordpress.com/2017/05/19/openshift-with-kuryr-on-top-of-openstack-
vms-step-by-step-set-up/
Demo

25. Backup

26. Kubernetes
Overview
Cluster is a groups of
nodes running
Kubernetes
Node is physical server or
virtual machine
managed by K8S
Master Node runs Control
Plane