Contrail Floating IP
Communication has been discussed and tested between pods in the same or different namespace, but so far, it’s been inside of the same cluster. What about communication with devices outside of the cluster?
You may already know that in the traditional (OpenStack) Contrail environment, there are many ways for the overlay entities (typically a VM) to access the Internet. The three most frequent methods are:
Floating IP
Fabric SNAT
Logical router
The preferred Kubernetes solution is to expose any service via service
and Ingress
objects,
which you’ve read about in Chapter 3. In the Contrail Kubernetes
environment, floating IP is used in the service and ingress implementation
to expose them to what’s outside of the cluster. Later this
chapter discusses each of these two objects. But first, let’s
review the floating IP basis and look at how it works with Kubernetes.
The fabric SNAT
and logical router
are used by overlay workloads (VM and
pod) to reach the Internet but initializing communication from the
reverse direction is not possible. However floating
IP supports traffic initialized from both directions – you
can configure it to support ingress traffic, egress traffic, or both,
and the default is bi-directional. This book focuses only on floating
IP. Refer to Contrail documentation for detailed
information about the fabric SNAT and logical router: https://www.juniper.net/ documentation/en_US/contrail5.0/information-products/pathway-pages/contrail-feature-guide-pwp.html.
Floating IP and Floating IP Pool
The floating
IP, or FIP for short,
is a traditional concept that Contrail has supported since its very
early releases. Essentially, it’s an OpenStack concept to map
a VM IP, which is typically a private IP address, to a public IP (the
floating IP in this context) that is reachable from the outside of
the cluster. Internally, the one-to-one mapping is implemented by
NAT. Whenever a vRouter receives packets from outside of the cluster
destined to the floating IP, it will translate it to the VM’s
private IP and forward the packet to the VM. Similarly, it will do
the translation on the reverse direction. Eventually both VM and Internet
host can talk to each other, and both can initiate the communication.
The vRouter is a Contrail forwarding plane that resides in each compute node handling workload traffic.
Figure 1 illustrates the basic workflow of floating IP.
Here are some highlights regarding floating IP to keep in mind:
A floating IP is associated with a VM’s
port
, or a VMI (Virtual Machine Interface).A floating IP is allocated from a
FIP pool
.A floating IP pool is created based on a virtual network (
FIP-VN
).The FIP-VN will be available to outside of the cluster, by setting matching
route-target (RT)
attributes of the gateway router’s VRF table.When a gateway router sees a match with its route import policy in the RT, it will load the route into its VRF table. All remote clients connected to the VRF table will be able to communicate with the floating IP.
There is nothing new in the Contrail Kubernetes environment
regarding the floating IP concept and role. But the use of floating
IP has been extended in Kubernetes service
and ingress
object implementation, and
it plays an important role for accessing Kubernetes service
and ingress
externally.
You can check later sections in this chapter for more details.
Create FIP Pool
Let’s create a floating IP pool in a three-step process:
Create a public floating IP-VN.
Set RT (route-target) for the virtual network so it can be advertised and imported into the gateway router’s VRF table.
Create a floating IP pool based on the public floating IP-virtual network.
Again, there is nothing new here. The same steps would be required in other Contrail environments without Kubernetes. However, as you’ve learned in previous sections, with Contrail Kubernetes integration a floating IP-virtual network can now be created in Kubernetes style.
Create a Public Floating IP-Virtual Network Named vn-ns-default
# vn-ns-default.yaml apiVersion: k8s.cni.cncf.io/v1 kind: NetworkAttachmentDefinition metadata: annotations: "opencontrail.org/cidr": "101.101.101.0/24" name: vn-ns-default spec: config: '{ "cniVersion": "0.3.0", "type": "contrail-k8s-cni" }' $ kubectl apply -f vn-ns-default.yaml networkattachmentdefinition.k8s.cni.cncf.io/vn-ns-default created $ kubectl get network-attachment-definitions.k8s.cni.cncf.io NAME AGE vn-ns-default 22d
Now set the routing target.
If you need the floating IP to be reachable from the Internet through the gateway router, you’ll need to set a route target for the virtual network prefix getting imported in the gateway router’s VRF table (see Figure 2). This step is necessary whenever Internet access is required.
The UI navigation path to set the RT is: Contrail Command > Main Menu > Overlay > Virtual Networks > k8s-vn-ns-default-pod-network > Edit > Routing, Bridging and Policies.
Now let’s create a floating IP pool based on the public virtual network.
This is the final step. From the Contrail Command UI, create a floating IP pool based on the public virtual network. The UI navigation path for this setting shown in Figure 3 is: Contrail Command > Main Menu > Overlay > Floating IP > Create.
The Contrail UI also allows you to set the external flag in virtual network advanced options, so that a floating IP pool named public will automatically be created.
Floating IP Pool Scope
There are different ways you can refer to a floating IP pool in the Contrail Kubernetes environment, and correspondingly the scope of the pools will also be different. The three possible levels with descending priority are:
Object specific
Namespace level
Global level
Object Specific
This is the most specific level of scope. An object specific
floating IP pool binds itself only to the object that you specified,
it does not affect any other objects in the same namespace or cluster.
For example, you can specify a service object web
to get floating IP from the floating IP pool pool1
, a service object dns
to get floating
IP from another floating IP pool pool2
,
etc. This gives the most granular control of where the floating IP
will be allocated from for an object – the cost is that you
need to explicitly specify it in your YAML file for every object.
Namespace Level
In a multi-tenancy environment each namespace would be associated
to a tenant, and each tenant would have a dedicated floating IP pool.
In that case, it is better to have an option to define a floating
IP pool at the NS level, so that all objects created in that namespace
will get floating IP assignment from that pool. With the namespace
level pool defined (for example, pool-ns-default
), there is no need to specify the floating IP-pool name in each
object’s YAML file any more. You can still give a different
pool name, say my-webservice-pool
in an
object webservice
. In that case, object
webservice will get the floating IP from my-webservice-pool
instead of from the namespace level pool pool-ns-default
, because the former is more specific.
Global Level
The scope of the global level pool would be the whole cluster. Objects in any namespaces can use the global floating IP pool.
You can combine all three methods to take advantage of their combined flexibility. Here’s a practical example:
Define a global pool
pool-global-default
, so any objects in a namespace that has no namespace-level or ob- ject-level pool defined, will get a floating IP from this pool.For ns
dev
, define a floating IP poolpool-dev
, so all objects created in nsdev
will by default get floating IP frompool-dev
.For ns
sales
, define a floating IP poolpool-sales
, so all objects created in nssales
will by default get floating IP frompool-sales
.For ns
test-only
, do not define any namespace-level pool, so by default objects created in it will get floating IP from thepool-global-default
.When a service
dev-webservice
in ns dev needs a floating IP frompool-sales
instead ofpool-dev
, specifyingpool-sales
indev-webservice
object YAML file will achieve this goal.
Just keep in mind the rule of thumb – the most specific scope will always prevail.
Object Floating IP Pool
Let’s first take a look at the object-specific floating IP pool:
#service-web-lb-pool-public-1.yaml apiVersion: v1 kind: Service metadata: name: service-web-lb-pool-public-1 annotations: "opencontrail.org/fip-pool": "{'domain': 'default-domain', 'project': 'k8s-ns-user-1', 'network': 'vn-public-1', 'name': 'pool-public-1'}" spec: ports: - port: 8888 targetPort: 80 selector: app: webserver type: LoadBalancer
In this example, service service-web-lb-pool-public-1
will get an floating IP from pool pool-public-1
, which is created based on virtual network vn-public-1
under current project k8s-ns-user-1
.
The corresponding Kubernetes namespace is ns-user-1
. Since object-level floating IP pool is assigned for this specific
object only, with this method each new object needs to be explicitly
assigned a floating IP pool.
NS Floating IP Pool
The next floating IP pool scope is in the namespace level. Each namespace can define its own floating IP pool. In the same way as a Kubernetes annotations object is used to give a subnet to a virtual network, it is also used to specify a floating IP pool. The YAML file looks like this:
#ns-user-1-default-pool.yaml apiVersion: v1 kind: Namespace metadata: annotations: opencontrail.org/isolation: "true" opencontrail.org/fip-pool: "{'domain': 'default-domain', 'project': 'k8s-ns-user-1', 'network': 'vn-ns-default', 'name': 'pool-ns-default'}" name: ns-user-1
Here ns-user-1
is given a namespace-level
floating IP pool named pool-ns-default
,
and the corresponding virtual network is vn-ns-default
. Once the ns-user-1
is created with this
YAML file, any new service which requires a floating IP, if not created
with the object-specific pool name in its YAML file, will get a floating
IP allocated from this pool. In practice, most namespaces (especially
those isolated namespaces) will need their own namespace default pool
so you will see this type of configuration very often in the field.
Global floating IP Pool
To specify a global level floating IP pool, you need to give
the fully-qualified pool name (domain > project > net-
work > name
) in contrail-kube-manager (KM)
Docker’s configuration file(/etc/contrail/contrail-kubernetes.conf
). This file is automatically generated by the Docker during its
bootup based on its ENV parameters, which can be found in the /etc/contrail/common_kubemanage
r.env file in the master
node:
$ cat /etc/contrail/common_kubemanager.env VROUTER_GATEWAY=10.169.25.1 CONTROLLER_NODES=10.85.188.19 KUBERNETES_API_NODES=10.85.188.19 RABBITMQ_NODE_PORT=5673 CLOUD_ORCHESTRATOR=kubernetes KUBEMANAGER_NODES=10.85.188.19 CONTRAIL_VERSION=master-latest KUBERNETES_API_SERVER=10.85.188.19 TTY=True ANALYTICS_SNMP_ENABLE=True STDIN_OPEN=True ANALYTICS_ALARM_ENABLE=True ANALYTICSDB_ENABLE=True CONTROL_NODES=10.169.25.19
As you can see, this .env
file contains
important environmental parameters about the setup. To specify a global FIP pool
, add the following line:
KUBERNETES_PUBLIC_FIP_POOL={'domain': 'default-domain','name':
'pool-global-default','network': 'vn-global-default','project': 'k8s-ns-user-1'}
It reads: the global floating IP pool is called pool-global-default
and it is defined based on a virtual
network vn-global-default
under project k8s-ns-user-1
. This indicates that the corresponding
Kubernetes namespace is ns-user-1
.
Now with that piece of configuration placed, you can re-compose
the contrail-kube-manager
Docker container
to make the change take effect. Essentially you need to tear it down
and then bring it back up:
$ cd /etc/contrail/kubemanager/ $ docker-compose down;docker-compose up -d Stopping kubemanager_kubemanager_1 ... done Removing kubemanager_kubemanager_1 ... done Removing kubemanager_node-init_1 ... done Creating kubemanager_node-init_1 ... done Creating kubemanager_kubemanager_1 ... done
Now the global floating IP pool is specified for the cluster.
In all three scopes, floating IP is automatically allocated and associated only to service and ingress objects. If the floating IP has to be associated to a pod it has to be done manually. We’ll talk about this in the next section.
Floating IP for Pods
Once floating IP pool is created and available, a floating IP can be allocated from the floating IP pool for the pods that require one. This can be done by associating a floating IP to a VMI (VM, or pod, interface), You can manually create a floating IP out of a floating IP pool in Contrail UI, and then associate it with a pod VMI as in Figure 4 and Figure 5
Make sure the floating IP pool is shared to the project where floating IP is going to be created.
Advertising Floating IP
Once a floating IP is associated to a pod interface, it will be advertised to the MP-BGP peers, which are typically gateway routers. The following Figures, Figure 6, Figure 7, and Figure 8, show how to add and edit a BGP peer.
Input all the BGP peer information and don’t forget to associate the controller(s), which is shown next in Figure 9.
From the dropdown of peer
under Associated Peers
, select the controller(s) to peer
with this new BGP router that you are trying to add. Click save
when done. A new BGP peer with ROUTER TYPE router
will pop up.
Now we’ve added a peer BGP router as type router. For the local BGP speaker, which is with type control-node, you just need to double-check the parameters by clicking the Edit button. In this test we want to build an MP-IBGP neighborship between Contrail Controller and the gateway router, so make sure the ASN and Address Families fields match on both ends, refer to Figure 11.
Now you can check BGP neighborship status in the gateway router:
labroot@camaro> show bgp summary | match 10.169.25.19 10.169.25.19 60100 2235 2390 0 39 18:19:34 Establ
Once the neighborship is established, BGP routes will be exchanged between the two speakers, and that is when we’ll see that the floating IP assigned to the Kubernetes object is advertised by the master node (10.169.25.19) and learned in the gateway router:
labroot@camaro> show route table k8s-test.inet.0 101.101.101.2 Jul 11 01:18:31 k8s-test.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden) @ = Routing Use Only, # = Forwarding Use Only + = Active Route, - = Last Active, * = Both 101.101.101.2/32 *[BGP/170] 00:01:42, MED 200, localpref 100, from 10.169.25.19 AS path: ? validation-state: unverified, > via gr-2/3/0.32771, Push 47
The detail
version of the same command
tells more: the floating IP route is reflected from the Contrail Con-
troller, but Protocol next hop
being the
compute node (10.169.25.20
) indicates that
the floating IP is assigned to a compute node. One entity currently
running in that compute node owns the floating IP:
labroot@camaro> show route table k8s-test.inet.0 101.101.101.2 detail | match "next hop" Jul 11 01:19:18 Next hop type: Indirect, Next hop index: 0 Next hop type: Router, Next hop index: 1453 Next hop: via gr-2/3/0.32771, selected Protocol next hop: 10.169.25.20 Indirect next hop: 0x900e640 1048601 INH Session ID: 0x70f
The dynamic soft GRE configuration makes the gateway router automatically create a soft GRE tunnel interface:
labroot@camaro> show interfaces gr-2/3/0.32771 Jul 11 01:19:53 Logical interface gr-2/3/0.32771 (Index 432) (SNMP ifIndex 1703) Flags: Up Point-To-Point SNMP-Traps 0x4000 IP-Header 10.169.25.20:192.168.0.204:47:df:64:0000000800000000 Encapsulation: GRE-NULL Copy-tos-to-outer-ip-header: Off, Copy-tos-to-outer-ip-header-transit: Off Gre keepalives configured: Off, Gre keepalives adjacency state: down Input packets : 0 Output packets: 0 Protocol inet, MTU: 9142 Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0 Flags: None Protocol mpls, MTU: 9130, Maximum labels: 3 Flags: None
The IP-Header
indicates a GRE outer
IP header, so the tunnel is built from the current gateway router
whose BGP local address is 192.168.0.204
, to the remote node 10.169.25.20
, in
this case it’s one of the Contrail compute nodes. The floating
IP advertisement process is illustrated in Figure 12.