Kubernetes kube-proxy Modes: iptables and ipvs, Deep Dive
- Added 7. 06. 2024
- In this video, we have an in-depth discussion of Kubernetes kube-proxy and how its supported modes, iptables and ipvs, result in different load-balancing schemes. We also discuss what iptables and ipvs are, how they provide load balancing, and how to configure kube-proxy to use ipvs. Finally, we summarize the benefits of ipvs mode over iptables mode and the situations in which kube-proxy falls back to iptables.
Links:
Demo scripts: github.com/gary-RR/myCZcams_...
Timecodes
0:00 - Intro
2:35 - Quick overview of Kubernetes PODs, services, and kube-proxy and their relationship.
5:34 - Quick intro to Linux iptables.
10:07 - How load balancing works in iptables mode.
21:56 - Intro to Linux ipvs load balancing system.
27:01 - Demo: Setup an ipvs load balancer for VM-hosted service.
33:31 - Demo: How to configure Kubernetes to use ipvs during Kubernetes cluster setup.
49:50 - Demo: How to configure Kubernetes to use ipvs for an existing Kubernetes cluster.
54:18 - Summary of advantages of ipvs mode over iptables mode.
57:18 - Situations where Kubernetes falls back to iptables.
Complete playlist for these series: • Kubernetes Networking ...
My Other Videos:
► Cilium Kubernetes CNI Provider: Part 4, IP Routing Modes (Direct and Encapsulated)
► Cilium Kubernetes CNI Provider, Part 3: Cluster Mesh
► Cilium Kubernetes CNI Provider, Part 2: Security Policies and Observability Leveraging Hubble
► Cilium Kubernetes CNI Provider, Part 1: Overview of eBPF and Cilium and the Installation Process
► What is VXLAN and How It is Used as an Overlay Network in Kubernetes?
► Managing Linux Log-ins, Users, and Machines in Active Directory (AD): Part 2 - Join Linux Machines to AD
► Managing Linux Log-ins, Users, and Machines in Active Directory (AD): Part 1 - Setup AD
► Sharing Resources between Windows and Linux
► Kubernetes: Configuration as Data: Environment Variables, ConfigMaps, and Secrets
► Configuring and Managing Storage in Kubernetes
► Istio Service Mesh - Securing Kubernetes Workloads
► Istio Service Mesh - Intro
► Understanding Kubernetes Networking. Part 6: Calico Network Policies
► Understanding Kubernetes Networking. Part 5: Intro to Kubernetes Network Policies
► Understanding Kubernetes Networking. Part 4: Kubernetes Services
► Understanding Kubernetes Networking. Part 3: Calico Kubernetes CNI Provider in depth
► Understanding Kubernetes Networking. Part 2: POD Network, CNI, and Flannel CNI Plug-in
► Understanding Kubernetes Networking. Part 1: Container Networking
► Setup a Linux-Windows (Calico based) Hybrid Kubernetes Cluster to Host .NET Containers
► A Docker and Kubernetes tutorial for beginners
► Setup a "Docker-less" Multi-node Kubernetes Cluster on Ubuntu Server
► Step by Step Instructions on Setting up Multi-Node Kubernetes Cluster on CentOS
► Setup and Configure CentOS Linux Server on A Windows 10 Hypervisor
► Setup NAT (Network Address Translation) on Hyper-V
► Enable Nested Virtualization on Windows to run WSL 2 (Linux) and Hyper-V on a VM
► Setup a Multi-Node MicroK8S Cluster on Windows 10
► Detailed Windows Terminal, (WSL 2), Linux, Docker, and Kubernetes Install Guide on Windows 10
Great video! This is the best and most complete explanation of what kube-proxy is and how load balancing modes (iptables, ipvs) work in Kubernetes. Thank you for providing these exceptional courses to tech professionals!
Hi Bijan, thank you very much for the kind words. Glad it was helpful!
Absolutely the best series on K8s working principles and scenarios on the internet!
Thank you!
This is the best kubernetes series on the internet.
Thanks, glad you found them helpful.
This course is simply exceptional.... Such in-depth knowledge.. and simple explanation to cover every detail is out of this world...
Great job. Not easy to pull out such a great content with so much depth.
Real deep dive on ipvs and k8s svc. Thank you for making insightful video and share it.
Great video. Very detailed and clear explanation. Thank you
Thank you, sir! Please keep releasing new tutorials!
Thanks, Gary for this wonderful series of tech. videos. I would like to ask you to make some more in-depth discussion on api server and control manager
very useful video on IPVS :), thank you very much😍
Glad it was helpful!
great video with clear explanation and good demo
Thank you!
Awesome stuff. The colors though - they are killing my eyes...
wow amazing contents, thanks for sharing your knowledge, really appreciate it
Many thanks! Glad you found them helpful.
I always first like and then watch. Great videos
Hi Mohamed, thank you very much, greatly appreciate your kind words!
Thanks! This is very informative
Glad it was helpful!
Awesome stuff!!
Great video!
Glad you enjoyed it
Great video. Rare to find such a detailed tutorial on an advanced topic. Would you please consider an in-depth Kubernetes security topic or series as well?
Hi and thanks for your comment!
I already have some videos on Kubernetes network security policies that you can view on this playlist: czcams.com/play/PLSAko72nKb8QOVoWZqgn4mCCpfGFZZlEI.html
I'll be adding more Kubernetes operational security videos in the future.
Great video thanks a bunch
Hi Marc, thanks very much!
Marvelous..
Great!!!!! just want to learn those things !
Hi Tracy, Thank you very much! If you have other Kubernetes topics that you would like a video on, please post. My mind reading abilities are limited, LOL!
@TheLearningChannel-Tech LOL your videos are very very helpful and comprehensive. Sure! I will share with you when I have some other topics!
@tracylee8446 Thank you, Tracy.
Thank you for the great video!
I'd have a question regarding the fall-back on iptables. Could you provide some details on why ipvs mode cannot handle eg. NodePort type service? Does this mean that the load balancing also reverts to the default used with iptables, or does ipvs still handle that part, and just uses iptables for eg. SNAT?
Thanks a lot!
Hi, thank you, and glad you found it helpful. IPVS is incapable of SNAT and masquerading; in those situations, the SNAT/masquerading rules are saved in rule tables known as "IPSET". Please note the following:
1- IPSets are indexed, so unlike regular iptables rules, they are not sequentially processed. In other words, they are a magnitude more performant than iptables rules.
2- As stated earlier, only SNAT/masquerading rules are saved in IPSet tables, so the performance hit when the service is consumed externally is really negligible.
@TheLearningChannel-Tech Thank you so much for the reply! Just for completeness, I tested it and the load balancing algorithms of ipvs work even in the fall-back cases :)
@dorle3046 Great, thanks for testing and providing feedback!
Thx
Hi, I have a question at 19:20, why src and source of DNAT are both 0.0.0.0/0?
Hi, all zeroes mean any. So that means the rule applies from any source to any destination.
at 13:26
I believe the endpoints that got saved in ETCD should be pod IPs (172.16.9.68, 172.16.9.144), correct?
Also Thank you so much for such great video from which I've learned a lot.
Hi, my apologies for the late response, your post had been flagged as spam due to the IP addresses in the content. You are right, that is a typo. Thanks for noticing it and glad you found it helpful.
Is it possible to set up different IPVS load balancing algorithms for different services?
Hi,
If you mean outside Kubernetes, the answer is yes. For Kubernetes, it is set at the cluster level, so you won't be able to change the load balancing algorithm at the service level.
I genuinely wonder how well IPVS works in production though, because very few shops will run thousands of services on a single cluster, so I'm dubious as to how reliable the integration is on the k8s side given how open source k8s is?
Hi,
IPVS has been part of Linux Kernel for quite some time now and is widely used in prod. The CNI providers such as Cilium are moving towards a newer technology called eBPF, here is a link to a video where I go into details: czcams.com/video/aLq3O3l2LF4/video.html
@TheLearningChannel-Tech thanks, gary! I've watched your cilium video, but thank you for the tip, that's very helpful.
May I know how we can block the outgoing traffic to an IP address using iptables?
Hi, this is a good resource: www.budgetvm.com/kb/ip-tables-block-ip/#:~:text=To%20block%20outgoing%20traffic%20to%20a%20specific%20IP%2C,way%2C%20you%20can%20block%20a%20range%2Fsubnet%20of%20IPs.?msclkid=f41b0ac2cf9511ec9c6debb654344409
Great Video! I have a question: will kube-proxy in iptables mode do round-robin? I think it's random
Hi Sri, round-robin is actually the only supported mode in iptables mode. The first POD is selected at random, but from then on other PODs are selected in a round-robin fashion.
Anyways, you give a detailed explanation for everything; we smoothly changed our cluster to IPVS mode following your video
and there is no latency now, thanks again
@sriteja2510 Great, thanks for the comments and feedback!
This feels like a college course. I feel like I should be paying money.
Thanks, there is a Thank you $ button below the video screen that you can use to contribute if you wish.
The great content, as usually, thanks Gary.
Thank you, Alex, much appreciated!