Introduction

The container network is a comprehensive networking solution designed for cloud-native applications, ensuring seamless east-west communication within clusters and efficient north-south traffic management across external networks, while providing essential networking functionalities. It consists of these core components:

  • Container Network Interfaces (CNIs) for east-west traffic management within the cluster.
  • Ingress Gateway Controller ALB for managing HTTPS ingress traffic.
  • MetalLB for handling LoadBalancer type Services.
  • Network security and encryption features that secure communication across these components.

Advantages

The container network offers the following core advantages:

  • Flexible Network Management

    With support for multiple CNIs, the container network supports overlay, underlay, and routing modes, providing the flexibility to adapt to diverse network environments. It also offers fine-grained IP allocation and robust egress management. As the founding team of Kube-OVN, we bring extensive hands-on experience in building and maintaining large-scale networks, ensuring reliable and performant connectivity.

  • Isolation, Multi-Tenant, and API Flexibility for Ingress Gateway

    With the ALB operator, multiple ALB instances can be created and managed within one cluster. Each tenant can have a dedicated group of ALB instances as its ingress gateway, ensuring effective isolation and resource management. Additionally, users can choose between the Ingress and Gateway APIs based on their preferences and operational requirements, ensuring seamless traffic management and enhanced flexibility. As the founding team of ALB, we can guarantee a robust and scalable solution.

  • Comprehensive Network Security

    Container network provides a multi-layered security framework to ensure protection across all levels. In the CNI layer, we support multiple security policy models, including NetworkPolicy and AdminNetworkPolicy, to enforce fine-grained network access controls. For secure data transmission, the network incorporates robust traffic encryption. At the Ingress Gateway layer, we provide advanced security mechanisms such as TLS termination and support for ModSecurity, offering comprehensive protection for external-facing applications. With built-in network policy enforcement, encryption, and traffic monitoring, it ensures protection against unauthorized access and maintains compliance with security standards.

Application Scenarios

The container network is particularly suitable for the following scenarios:

  • East-West Traffic Management

    Leveraging CNIs to provide efficient pod-to-pod communication within clusters, with support for both overlay and underlay network modes to meet different deployment needs.

  • North-South Traffic Control

    Using ALB as the Ingress Gateway Controller to manage external HTTPS traffic, with flexible API choices and multi-tenant isolation capabilities for different teams.

  • Load Balancer Service Exposure

    Utilizing MetalLB to provide high availability for LoadBalancer type Services, enabling reliable external access to cluster services through virtual IP addresses.

  • Network Security and Encryption

    Implementing comprehensive security through NetworkPolicy, AdminNetworkPolicy, and traffic encryption to ensure secure communication across the network infrastructure.
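
TLS termination at the ingress gateway, the north-south scenario above, as an added example that is not code from the original page or the ALB project: a kubernetes.io/tls Secret holding the server certificate and an Ingress that references it. The IngressClass name alb-example, the host name, the namespace, and the backend Service are assumptions; the Secret's certificate and key fields are placeholders for base64-encoded PEM data.

```yaml
# Added example, not from the original page or the ALB project.
# "alb-example", "team-a", "app.example.internal" and the backend Service
# "app" are placeholders; the Secret data fields must hold real base64 PEM.
apiVersion: v1
kind: Secret
metadata:
  name: app-tls
  namespace: team-a          # must be the same namespace as the Ingress
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded PEM certificate chain>
  tls.key: <base64-encoded PEM private key>
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: team-a
spec:
  ingressClassName: alb-example   # placeholder: the class served by this tenant's ALB group
  tls:
    - hosts:
        - app.example.internal
      secretName: app-tls         # certificate the gateway presents to external clients
  rules:
    - host: app.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 8080
```

With this configuration the private key is held only in the gateway's namespace-scoped Secret and the backend receives plain HTTP on the cluster network, so the east-west leg is covered by the CNI-level encryption and NetworkPolicy described elsewhere on this page rather than by the Ingress. The page names Gateway API as the alternative; the equivalent there is a Gateway listener with tls.mode Terminate and an HTTPRoute bound to it.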

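The LoadBalancer scenario above, as an added example that is not from the original page or the MetalLB project: an IPAddressPool, an L2Advertisement that announces it, and a Service of type LoadBalancer that is assigned a virtual IP from the pool. The address range 192.0.2.10-192.0.2.20 comes from the documentation address block and, like the namespace and Service names, is constructed for illustration.

```yaml
# Added example, not from the original page or the MetalLB project.
# The pool range, "team-a" namespace and "app" Service are constructed.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: team-a-pool
  namespace: metallb-system
spec:
  addresses:
    - 192.0.2.10-192.0.2.20   # deliberately small: bounds what can be exposed
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: team-a-l2
  namespace: metallb-system
spec:
  ipAddressPools:
    - team-a-pool             # announce only this pool in layer 2 mode
---
apiVersion: v1
kind: Service
metadata:
  name: app
  namespace: team-a
spec:
  type: LoadBalancer          # MetalLB assigns an address from the pool
  selector:
    app: app
  ports:
    - port: 443
      targetPort: 8443
```

The L2Advertisement is what ties this to the limitation noted below: in layer 2 mode MetalLB answers ARP (or NDP for IPv6) for the virtual IP from one node, which only works where the nodes share an L2 segment, so the same manifests on a cloud without that support produce an address that nothing outside the cluster can reach. Keeping each tenant on its own small pool also makes it straightforward to audit which external addresses a namespace is allowed to claim.
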
Usage Limitations

While the container network provides extensive functionalities, the following limitations should be noted:

  • Underlay Network Requirement

    Some underlay network capabilities, such as Kube-OVN Underlay Subnet, Egress IP, and MetalLB, require L2 support from the underlying network. These features cannot be used on public cloud providers such as AWS and GCP, or in certain virtualized environments.

With its versatile design and comprehensive feature set, the container network empowers organizations to build, scale, and manage secure, reliable, and high-performance containerized applications.