Skip to content

Commit

Permalink
doc(tunnel): add information about tunnels
Browse files Browse the repository at this point in the history 
* Reflow existing documentation to fit markdown standards
* Adds caveats about Azure
* Gives information about tunnel types in kube-router
  • Loading branch information
@aauren
aauren committed Oct 7, 2023
1 parent 944ab91 commit ddf857d
Show file tree
Hide file tree
Showing 3 changed files with 269 additions and 100 deletions.
102 changes: 75 additions & 27 deletions docs/dsr.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,40 +2,63 @@

## More Information

For a more detailed explanation on how to use Direct Server Return (DSR) to build a highly scalable and available ingress for Kubernetes see the following blog post:
https://cloudnativelabs.github.io/post/2017-11-01-kube-high-available-ingress/
For a more detailed explanation on how to use Direct Server Return (DSR) to build a highly scalable and available
ingress for Kubernetes see the following
[blog post](https://cloudnativelabs.github.io/post/2017-11-01-kube-high-available-ingress/)

## What is DSR?

When enabled, DSR allows the service endpoint to respond directly to the client request, bypassing the service proxy. When DSR is enabled kube-router will use LVS's tunneling mode to achieve this (more on how later).
When enabled, DSR allows the service endpoint to respond directly to the client request, bypassing the service proxy.
When DSR is enabled kube-router will use LVS's tunneling mode to achieve this (more on how later).

## Quick Start

You can enable DSR functionality on a per service basis.

Requirements:

* ClusterIP type service has an externalIP set on it or is a LoadBalancer type service
* kube-router has been started with `--service-external-ip-range` configured at least once. This option can be specified multiple times for multiple ranges. The external IPs or LoadBalancer IPs must be included in these ranges.
* kube-router must be run in service proxy mode with `--run-service-proxy` (this option is defaulted to `true` if left unspecified)
* kube-router has been started with `--service-external-ip-range` configured at least once. This option can be
specified multiple times for multiple ranges. The external IPs or LoadBalancer IPs must be included in these ranges.
* kube-router must be run in service proxy mode with `--run-service-proxy` (this option is defaulted to `true` if left
unspecified)
* If you are advertising the service outside the cluster `--advertise-external-ip` must be set
* If kube-router is deployed as a Kubernetes pod:
* `hostIPC: true` must be set for the pod
* `hostPID: true` must be set for the pod
* The container runtime socket must be mounted into the kube-router pod via a `hostPath` volume mount.
* `hostIPC: true` must be set for the pod
* `hostPID: true` must be set for the pod
* The container runtime socket must be mounted into the kube-router pod via a `hostPath` volume mount.
* A pod network that allows for IPIP encapsulated traffic. The most notable exception to this is that Azure does not
transit IPIP encapsulated packets on their network. In this scenario, the end-user may be able to get around this
issue by enabling FoU (`--overlay-encap=fou`) and full overlay networking (`--overlay-type=full`) options in
kube-router. This hasn't been well tested, but it should allow the DSR encapsulated traffic to route correctly.

To enable DSR you need to annotate service with the `kube-router.io/service.dsr=tunnel` annotation:
```

```sh
kubectl annotate service my-service "kube-router.io/service.dsr=tunnel"
```

## Things To Lookout For

* In the current implementation, **DSR will only be available to the external IPs or LoadBalancer IPs**
* **The current implementation does not support port remapping.** So you need to use same port and target port for the service.
* In order for DSR to work correctly, an `ipip` tunnel to the pod is used. This reduces the [MTU](https://en.wikipedia.org/wiki/Maximum_transmission_unit) for the packet by 20 bytes. Because of the way DSR works it is not possible for clients to use [PMTU](https://en.wikipedia.org/wiki/Path_MTU_Discovery) to discover this MTU reduction. In TCP based services, we mitigate this by using iptables to set the [TCP MSS](https://en.wikipedia.org/wiki/Maximum_segment_size) value to 20 bytes less than kube-router's primary interface MTU size. However, it is not possible to do this for UDP streams. Therefore, UDP streams that continuously use large packets may see a performance impact due to packet fragmentation. Additionally, if clients set the `DF` (Do Not Fragment) bit, services may see packet loss on UDP services.
* **The current implementation does not support port remapping.** So you need to use same port and target port for the
service.
* In order for DSR to work correctly, an `ipip` tunnel to the pod is used. This reduces the
[MTU](https://en.wikipedia.org/wiki/Maximum_transmission_unit) for the packet by 20 bytes. Because of the way DSR
works it is not possible for clients to use [PMTU](https://en.wikipedia.org/wiki/Path_MTU_Discovery) to discover this
MTU reduction. In TCP based services, we mitigate this by using iptables to set the
[TCP MSS](https://en.wikipedia.org/wiki/Maximum_segment_size) value to 20 bytes less than kube-router's primary
interface MTU size. However, it is not possible to do this for UDP streams. Therefore, UDP streams that continuously
use large packets may see a performance impact due to packet fragmentation. Additionally, if clients set the `DF`
(Do Not Fragment) bit, services may see packet loss on UDP services.

## Kubernetes Pod Examples
As mentioned previously, if kube-router is run as a Kubernetes deployment, there are a couple of things needed on the deployment. Below is an example of what is necessary to get going (this is NOT a full deployment, it is just meant to highlight the elements needed for DSR):
```

As mentioned previously, if kube-router is run as a Kubernetes deployment, there are a couple of things needed on the
deployment. Below is an example of what is necessary to get going (this is NOT a full deployment, it is just meant to
highlight the elements needed for DSR):

```sh
apiVersion: apps/v1
kind: DaemonSet
metadata:
Expand Down Expand Up @@ -74,18 +97,26 @@ spec:
...
```

For an example manifest please look at the [kube-router all features manifest](../daemonset/kubeadm-kuberouter-all-features-dsr.yaml) with DSR requirements for Docker enabled.
For an example manifest please look at the
[kube-router all features manifest](../daemonset/kubeadm-kuberouter-all-features-dsr.yaml) with DSR requirements for
Docker enabled.

### DSR with containerd or cri-o

As of kube-router-1.2.X and later, kube-router's DSR mode now works with non-docker container runtimes. Officially only containerd has been tested, but this solution should work with cri-o as well.
As of kube-router-1.2.X and later, kube-router's DSR mode now works with non-docker container runtimes. Officially only
containerd has been tested, but this solution should work with cri-o as well.

Most of what was said above also applies for non-docker container runtimes, however, there are some adjustments that
you'll need to make:

Most of what was said above also applies for non-docker container runtimes, however, there are some adjustments that you'll need to make:
* You'll need to let kube-router know what container runtime socket to use via the `--runtime-endpoint` CLI parameter
* If running kube-router as a Kubernetes deployment you'll need to make sure that you expose the correct socket via `hostPath` volume mount
* If running kube-router as a Kubernetes deployment you'll need to make sure that you expose the correct socket via
`hostPath` volume mount

Here is an example kube-router daemonset manifest with just the changes needed to enable DSR with containerd (this is not a full manifest, it is just meant to highlight differences):
```
Here is an example kube-router daemonset manifest with just the changes needed to enable DSR with containerd (this is
not a full manifest, it is just meant to highlight differences):

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
Expand Down Expand Up @@ -115,11 +146,28 @@ spec:

In order to facilitate troubleshooting it is worth while to explain how kube-router accomplishes DSR functionality.

1. kube-router adds iptables rules to the `mangle` table which marks incoming packets destined for DSR based services with a unique FW mark. This mark is then used in later stages to identify the packet and route it correctly. Additionally, for TCP streams, there are rules that enable [TCP MSS](https://en.wikipedia.org/wiki/Maximum_segment_size) since the packets will change MTU when traversing an ipip tunnel later on.
2. kube-router adds the marks to an `ip rule` (see: [ip-rule(8)](https://man7.org/linux/man-pages/man8/ip-rule.8.html)). This ip rule then forces the incoming DSR service packets to use a specific routing table.
3. kube-router adds a new `ip route` table (at the time of this writing the table number is `78`) which forces the packet to route to the host even though there are no interfaces on the host that carry the DSR IP address
4. kube-router adds an IPVS server configured for the custom FW mark. When packets arrive on the localhost interface because of the above `ip rule` and `ip route`, IPVS will intercept them based on their unique FW mark.
5. When pods selected by the DSR service become ready, kube-router adds endpoints configured for tunnel mode to the above IPVS server. Each endpoint is configured in tunnel mode (as opposed to masquerade mode), which then encapsulates the incoming packet in an ipip packet. It is at this point that the pod's destination IP is placed on the ipip packet header so that a packet can be routed to the pod via the kube-bridge on either this host or the destination host.
6. kube-router then finds the targeted pod and enters it's local network namespace. Once inside the pod's linux network namespace, it sets up two new interfaces called `kube-dummy-if` and `ipip`. `kube-dummy-if` is configured with the externalIP address of the service.
7. When the ipip packet arrives inside the pod, the original source packet with the externalIP is then extracted from the ipip packet via the `ipip` interface and is accepted to the listening application via the `kube-dummy-if` interface.
8. When the application sends its response back to the client, it responds to the client's public IP address (since that is what it saw on the request's IP header) and the packet is returned directly to the client (as opposed to traversing the Kubernetes internal network and potentially making multiple intermediate hops)
1. kube-router adds iptables rules to the `mangle` table which marks incoming packets destined for DSR based services
with a unique FW mark. This mark is then used in later stages to identify the packet and route it correctly.
Additionally, for TCP streams, there are rules that enable
[TCP MSS](https://en.wikipedia.org/wiki/Maximum_segment_size) since the packets will change MTU when traversing an
ipip tunnel later on.
2. kube-router adds the marks to an `ip rule` (see: [ip-rule(8)](https://man7.org/linux/man-pages/man8/ip-rule.8.html)).
This ip rule then forces the incoming DSR service packets to use a specific routing table.
3. kube-router adds a new `ip route` table (at the time of this writing the table number is `78`) which forces the
packet to route to the host even though there are no interfaces on the host that carry the DSR IP address
4. kube-router adds an IPVS server configured for the custom FW mark. When packets arrive on the localhost interface
because of the above `ip rule` and `ip route`, IPVS will intercept them based on their unique FW mark.
5. When pods selected by the DSR service become ready, kube-router adds endpoints configured for tunnel mode to the
above IPVS server. Each endpoint is configured in tunnel mode (as opposed to masquerade mode), which then
encapsulates the incoming packet in an ipip packet. It is at this point that the pod's destination IP is placed on
the ipip packet header so that a packet can be routed to the pod via the kube-bridge on either this host or the
destination host.
6. kube-router then finds the targeted pod and enters it's local network namespace. Once inside the pod's linux network
namespace, it sets up two new interfaces called `kube-dummy-if` and `ipip`. `kube-dummy-if` is configured with the
externalIP address of the service.
7. When the ipip packet arrives inside the pod, the original source packet with the externalIP is then extracted from
the ipip packet via the `ipip` interface and is accepted to the listening application via the `kube-dummy-if`
interface.
8. When the application sends its response back to the client, it responds to the client's public IP address (since
that is what it saw on the request's IP header) and the packet is returned directly to the client (as opposed to
traversing the Kubernetes internal network and potentially making multiple intermediate hops)
39 changes: 39 additions & 0 deletions docs/tunnels.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
# Tunnels in kube-router

There are several situations in which kube-router will use tunnels in order to perform certain forms of overlay /
underlay routing within the cluster. To accomplish this, kube-router makes use of
[IPIP](https://en.wikipedia.org/wiki/IP_in_IP) overlay tunnels that are built into the Linux kernel and instrumented
with iproute2.

## Scenarios for Tunnelling

By default, kube-router enables the option `--enable-overlay` which will perform overlay networking based upon the
`--overlay-type` setting (by default set to `subnet`). So out of the box, kube-router will create a tunnel for
pod-to-pod traffic any time it comes across a kube-router enabled node that is not within the subnet of it's primary
interface.

Additionally, if `--overlay-type` is set to `full` kube-router will create an tunnel for all pod-to-pod traffic and
attempt to transit any pod traffic in the cluster via an IPIP overlay network between nodes.

Finally, kube-router also uses tunnels for DSR ([Direct Server Return](dsr.md)). In this case, the inbound traffic is
encapsulated in an IPIP packet by IPVS after it reaches the node and before it is set to the pod for processing. This
allows the return IP address of the sender to be preserved at the pod level so that it can be sent directly back to the
requestor (rather than being routed in a synchronous fashion).

## Encapsulation Types

* IPIP (IP in IP) - This is the default method of encapsulation that kube-router uses
* FoU (Foo over UDP) - This is an optional type of IPIP encapsulation that kube-router uses if the user enables it

### FoU Details

Specifically, kube-router uses GUE
([Generic UDP Encapsulation](https://developers.redhat.com/blog/2019/05/17/an-introduction-to-linux-virtual-interfaces-tunnels#gue))
in order to support both IPv4 and IPv6 FoU tunnels. This option can be enabled via the kube-router parameter
`--overlay-encap=fou`. Optionally, the user can also specify a desired port for this traffic via the
`--overlay-encap-port` parameter (by default set to `5555`).

## IPIP with Azure

Unfortunately, Azure doesn't allow IPIP encapsulation on their network. So users that want to use an overlay network
will need to enable `fou` support in order to deploy kube-router in an Azure environment.
Loading

0 comments on commit ddf857d

Please sign in to comment.