Hi all,
I am curious how K8s is integrated into the network at your sites (bare metal) and/or on OpenStack, and how routing etc. is organized with respect to the underlying layer?
E.g., with respect to HW firewalls/zones and/or OpenStack network security groups, how is K8s embedded at your sites?
Cheers and thanks,
Thomas
We use Calico, with typha for scalability since our cluster is quite large.
I plan to enable route-reflectors at some point to further improve scalability.
We use IPIP in CrossSubnet mode (instead of VXLAN) to reduce the packet overhead for traffic within the cluster.
This requires setting allowed address pairs in OpenStack so that Neutron will allow a node to spoof the source address as being from the pod subnet. For special large tenants like this we trunk a VLAN on all the hypervisor nodes in the cloud, so the underlying network in OpenStack is an L2 VLAN and there is only one thin encapsulation layer.
We also use PureLB as an ARP-based load balancer.
OpenStack security groups are set up by Kubespray.
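An added example (not from the thread's author or from Calico/Kubespray) of the two settings the reply above ties together: the Neutron allowed-address-pair entry that lets a node port send packets with a pod-subnet source, and the Calico IPPool with IPIP CrossSubnet mode. The pod CIDR 10.244.0.0/16 and the port IDs are placeholders.

```shell
#!/bin/sh
# Added example, not the poster's own setup. Assumed values: pod CIDR
# 10.244.0.0/16 and placeholder port IDs (real ones come from
# `openstack port list`). DRY_RUN=1 prints the commands instead of running them.
POD_CIDR="${POD_CIDR:-10.244.0.0/16}"
DRY_RUN="${DRY_RUN:-1}"

# With IPIP CrossSubnet, pod-to-pod traffic between nodes on the SAME subnet is
# routed natively, i.e. it leaves the node port with a pod IP as source.
# Neutron port security drops such packets unless the pod CIDR is an allowed
# address pair on the port. Keep the entry scoped to the pod CIDR only; a
# 0.0.0.0/0 entry would disable source-address filtering for that port entirely.
allowed_address_cmd() {
    printf 'openstack port set --allowed-address ip-address=%s %s\n' "$POD_CIDR" "$1"
}

# Apply (or, in dry run, print) the command for every node port given.
apply_allowed_addresses() {
    for port_id in "$@"; do
        cmd=$(allowed_address_cmd "$port_id")
        if [ "$DRY_RUN" = "1" ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Calico IPPool: encapsulate in IPIP only when the peer node is on a different
# subnet; cross-subnet packets then carry the node IP as source and pass port
# security without any allowed-address entry.
calico_ippool_manifest() {
    cat <<EOF
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  cidr: ${POD_CIDR}
  ipipMode: CrossSubnet
  vxlanMode: Never
  natOutgoing: true
  nodeSelector: all()
EOF
}

if [ "${1:-}" = "--demo" ]; then
    apply_allowed_addresses port-id-node-1 port-id-node-2
    calico_ippool_manifest
fi
```

Run with `--demo` to see the generated commands and manifest; apply the manifest with `calicoctl apply -f`.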