Friday, March 25, 2022

Kubernetes multi-zone deployment with Calico

Kubernetes isn’t designed for multi-tenancy, but here’s a way to achieve zone-based isolation of workloads within the same Kubernetes cluster.

by Hans Emmanuel, Chief Solution Architect, Cloud Native Computing Practice, HPE Pointnext Services

As we know, Kubernetes doesn’t provide multi-tenancy out of the box. There are some workarounds for achieving multi-tenancy using different tenancy models, depending on the requirement. But the fact is that Kubernetes was not designed around a multi-tenant pattern. And when it comes to networking, the container networking interface (CNI) spec is not concerned with network segregation of workloads, so Kubernetes CNIs are not intended to provide L2/L3 network isolation out of the box. CNI-backed network policies are the Kubernetes object used for network-level isolation of workloads; they are enforced by the CNI plugin as filter rules (typically iptables or eBPF) in the datapath of each worker node. In other words, a NetworkPolicy is an allow-list filter applied on top of one shared, flat pod network, not a separate network.

But what if worker nodes have to be deployed across multiple network zones, because of various concerns from application owners and other stakeholders? In some cases, for example to be aligned with different compliance requirements, it is mandatory to have physical and network separation of workloads.

Usually, separate Kubernetes clusters (in a cluster-as-a-service model) are used when isolation of workloads is pivotal. But operating and managing multiple Kubernetes clusters often brings an operational burden.

In this blog, I’ll explain an approach that HPE used for one of our customers, with Calico CNI in BGP (Border Gateway Protocol) mode, to achieve zone-based isolation of workloads within the same Kubernetes cluster.

We used HPE ProLiant DL360 Gen10 servers as the worker nodes. The diagram below shows a high-level view of the deployment topology. Here the worker nodes are deployed across different isolated network zones, and inter-zone traffic crosses the core firewall. The key point in this topology is the BGP route reflectors per zone. As shown in the diagram, worker nodes in the yellow zone are peered only to the corresponding route reflectors, which ensures that the routes Calico advertises for that zone’s pods are contained within the zone. Note that this requires disabling Calico’s default full node-to-node BGP mesh; with the mesh enabled, every node would learn every other node’s pod routes regardless of zone.

The datacentre uses a leaf-spine topology, with virtual routing and forwarding (VRF) instances in the network fabric for multi-tenancy at L3. Route reflectors are peered towards the corresponding VRFs on the border leaf switches. All inter-VRF (inter-zone) traffic crosses the core firewall, and only permitted traffic passes.

In this topology, the worker nodes in a zone hold no routes to the workloads running on worker nodes in other zones. Even when a workload in one zone needs to communicate with a workload in another zone, the traffic follows the default route towards the core firewall, and only the allowed traffic flows. Two caveats apply. First, pod traffic must be routed natively (no IP-in-IP or VXLAN encapsulation), otherwise the firewall only sees node-to-node tunnel packets and cannot filter on pod addresses. Second, this isolates the data plane only: the control plane (API server, etcd) is still shared by all zones, every worker still needs reachability to the API server through the firewall, and RBAC, namespaces and network policies are still required for isolation within a zone.
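The following Calico resources show how the per-zone peering described above can be expressed. This is an added example, not configuration from the original post or from HPE: it assumes a single private AS 64512 for iBGP, Kubernetes nodes labelled zone=yellow and zone=green (with the Kubernetes datastore, Calico mirrors node labels onto its Node resources, so nodeSelector can match them), route reflectors reachable at 10.1.0.1 and 10.2.0.1, and per-zone pod CIDRs 10.244.0.0/18 and 10.244.64.0/18. All addresses, zone names and AS numbers are hypothetical, and the route reflector and firewall side of the configuration is out of scope.

```yaml
# Added example (not from the original post). Assumptions: iBGP in private
# AS 64512; nodes labelled zone=yellow / zone=green; route reflectors at
# 10.1.0.1 (yellow) and 10.2.0.1 (green); pod CIDRs 10.244.0.0/18 (yellow)
# and 10.244.64.0/18 (green). All values are hypothetical.
---
# 1. Disable the default full node-to-node mesh so a node only learns routes
#    from the peers it is explicitly configured with.
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  nodeToNodeMeshEnabled: false
  asNumber: 64512
  logSeverityScreen: Info
---
# 2. One BGPPeer per zone, selected by node label, pointing at that zone's
#    route reflector. Yellow nodes never peer with the green reflector.
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rr-zone-yellow
spec:
  peerIP: 10.1.0.1
  asNumber: 64512
  nodeSelector: zone == 'yellow'
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rr-zone-green
spec:
  peerIP: 10.2.0.1
  asNumber: 64512
  nodeSelector: zone == 'green'
---
# 3. One IPPool per zone so each zone's pods live in a contiguous CIDR that
#    the core firewall can match on. Encapsulation is off: tunnelled traffic
#    would hide pod addresses from the firewall and defeat the per-zone rules.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: pods-zone-yellow
spec:
  cidr: 10.244.0.0/18
  blockSize: 26
  ipipMode: Never
  vxlanMode: Never
  natOutgoing: false   # keep pod source addresses visible beyond the node
  nodeSelector: zone == 'yellow'
---
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: pods-zone-green
spec:
  cidr: 10.244.64.0/18
  blockSize: 26
  ipipMode: Never
  vxlanMode: Never
  natOutgoing: false
  nodeSelector: zone == 'green'
```

Any IP pool created by the Calico installer (commonly named default-ipv4-ippool) should be disabled or deleted, otherwise pods can still be allocated addresses outside the zone pools. To check the result on a yellow node: calicoctl node status should list only 10.1.0.1 as an Established peer, and ip route should contain /26 blocks from 10.244.0.0/18 but nothing from 10.244.64.0/18; traffic to a green pod must hit the default route and therefore the firewall. The core firewall rules can then be written in terms of the two zone CIDRs.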

[Figure: Deployment Topology]


Conclusion: Though multi-tenancy is not an out-of-the-box solution in Kubernetes, sometimes we need to extend it to meet technical expectations and security requirements. Here we achieved this with Calico CNI, using its extensive BGP capabilities.

Technology services consulting from HPE Advisory & Professional Services can help you get the most out of your Kubernetes multi-tenancy design and implementation. We understand that when cloud-native workloads reach production maturity, it is inevitable to design and implement a higher level of network security and performance standards. The Global Cloud-Native Computing practice in HPE Advisory & Professional Services can help you build your enterprise-grade network design and configuration, drawing on our deep expertise and experience with cloud-native computing technologies.

To learn more, see our HPE Container Adoption Service solution brief.

Learn more about HPE Pointnext Services and how we help you stay ahead of what’s next.

Hans Emmanuel is a Chief Solution Architect in HPE’s Cloud Native Computing Practice Area, HPE Pointnext Advisory & Professional Services. He started his career as a Linux server engineer back in 2010 and has since worked on a variety of private cloud solutions and cloud-native technologies. Hans has worked on DevOps and development initiatives; design and implementation of DevOps/DevSecOps pipelines; and self-managed Kubernetes clusters.

Services Experts
Hewlett Packard Enterprise


