[k8s] Network Resources

Hayley Shim
techblog-hayleyshim
3 min read · Oct 29, 2022


Hello. This is a summary of the main points of the 2022 KubeCon session Whose Packet Is It Anyway? Life of a Packet Through a Service Mesh — Kevin Leimkuhler, Buoyant & Doug Jordan, Airbnb.

What is a container?

  • Linux doesn’t have containers. It has namespaces
Whose Packet Is It Anyways?, Kevin Leimkuhler & Douglas Jordan KubeCon NA 2022

Broadly, the namespaces Linux currently supports are the following (reference):

  • Cgroup namespace (cgroup)
  • Network namespace (network)
  • IPC namespace (ipc)
  • PID namespace (pid)
  • UTS namespace (uts)
  • User namespace (user)
  • Mount namespace (mnt)
  • Time namespace (time)

Each container is a process that shares network resources.


How does a proxy redirect a packet?

  • The packet headers were changed by iptables
  • A proxy checks the TCP stream’s socket options

What is responsible for configuring iptables?


TCP Debugging

Kafka


tcpdump + wireshark


install tcpdump

$ apt update && apt install tcpdump

Summary

  • Linux doesn’t have containers
  • The network namespace isolates network resources
  • iptables rewrite the packet header
  • The proxy looks at the socket table
  • TCP observability is limited
  • tcpdump the pod on loopback via nsenter
  • tcpdump the proxy via host + interface
  • Ephemeral containers will save us
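As an added example (not code from the talk or this post), a small shell helper for the procedure in the summary above: resolve a pod's container PID with crictl, enter its network namespace with nsenter, and either tcpdump the loopback interface or list the nat REDIRECT rules that steer traffic into the proxy. A containerd node with crictl, root on that node, and the sample rule lines below are assumptions.

```shell
#!/bin/sh
# Added example: capture pod traffic and inspect proxy redirects from the node,
# without modifying the pod image. Assumes crictl (containerd) and root on the node.
set -eu

# Host PID of the first container in a pod (pod/namespace names are the caller's).
pod_pid() {
  ns="$1"; pod="$2"
  pod_id=$(crictl pods --namespace "$ns" --name "$pod" -q | head -n 1)
  [ -n "$pod_id" ] || { echo "pod not found: $ns/$pod" >&2; return 1; }
  cid=$(crictl ps --pod "$pod_id" -q | head -n 1)
  crictl inspect --output go-template --template '{{.info.pid}}' "$cid"
}

# Print the ports that `iptables -t nat -S` output (on stdin) REDIRECTs to.
# Only the proxy's in-pod rules rewrite the destination; the app never sees it.
redirect_ports() {
  awk '/-j REDIRECT/ { for (i = 1; i <= NF; i++) if ($i == "--to-ports") print $(i+1) }'
}

# tcpdump the app<->sidecar hop: inside the pod netns it is loopback traffic.
#   capture_pod_loopback <namespace> <pod> <out.pcap> [bpf filter]
capture_pod_loopback() {
  pid=$(pod_pid "$1" "$2")
  nsenter -t "$pid" -n -- tcpdump -i lo -w "$3" "${4:-tcp}"
}

# Show which ports the pod's nat table redirects into the proxy.
#   show_pod_redirects <namespace> <pod>
show_pod_redirects() {
  pid=$(pod_pid "$1" "$2")
  nsenter -t "$pid" -n -- iptables -t nat -S | redirect_ports
}

# Constructed sample of nat rules in the shape a sidecar injector installs
# (chain names and ports are illustrative, not from any specific mesh).
SAMPLE_NAT_RULES='-A PREROUTING -p tcp -j REDIRECT --to-ports 4143
-A OUTPUT -p tcp --dport 53 -j RETURN
-A OUTPUT -p tcp -j REDIRECT --to-ports 4140'

# Offline demo of the parser on the constructed sample; returns "4143" and "4140".
demo_redirect_ports() {
  printf '%s\n' "$SAMPLE_NAT_RULES" | redirect_ports
}
```

Open the resulting pcap in Wireshark; because the capture happens inside the pod's network namespace, the loopback packets carry the post-REDIRECT destination port, which is why the proxy must consult the socket's options to learn the original destination.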

