github.com/kubearmor/cilium@v1.6.12/Documentation/kubernetes/intro.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

.. _k8s_intro:

************
Introduction
************

What does Cilium provide in your Kubernetes Cluster?
====================================================

The following functionality is provided as you run Cilium in your Kubernetes
cluster:

* `CNI` plugin support to provide pod_connectivity_ with
  `multi host networking`.
* Identity-based implementation of the `NetworkPolicy` resource to isolate `pod`
  to `pod` connectivity on Layer 3 and 4.
* An extension to NetworkPolicy in the form of a `CustomResourceDefinition`
  which extends policy control to add:

  * Layer 7 policy enforcement on ingress and egress for the following
    application protocols:

    * HTTP
    * Kafka

  * Egress support for CIDRs to secure access to external services
  * Enforcement for external headless services, automatically restricting
    access to the set of Kubernetes endpoints configured for the service.
* ClusterIP implementation to provide distributed load-balancing for pod to pod
  traffic.
* Fully compatible with the existing kube-proxy model
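The following policy, added here as an illustration and not taken from the Cilium project's documentation, combines three of the capabilities listed above in a single `CiliumNetworkPolicy`: identity-based L3 selection by pod label, L4 port restriction, L7 HTTP method and path enforcement, and CIDR-based egress control. The labels (``app=backend``, ``app=frontend``), namespace, port numbers, path and CIDR are constructed values for the example.

```yaml
# Added example (not from the Cilium docs): one CiliumNetworkPolicy exercising
# the L3/L4 identity-based isolation, L7 HTTP enforcement and CIDR egress
# control described above. All labels, ports, paths and the CIDR are
# constructed values, not taken from any real deployment.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: backend-api-policy        # constructed name
  namespace: default              # assumed namespace
spec:
  # L3: the policy applies to pods whose security identity carries app=backend
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  # Only pods whose identity carries app=frontend may connect, regardless of
  # which node or IP address they happen to be scheduled on.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"              # L4: only TCP/8080 is reachable
        protocol: TCP
      rules:
        http:                     # L7: only these requests pass the proxy
        - method: "GET"
          path: "/api/v1/items.*" # path is matched as an anchored regex
  egress:
  # Egress from the backend pods to an external service is limited to a
  # constructed CIDR (TEST-NET-3) on TCP/443; everything else is denied.
  - toCIDRSet:
    - cidr: 203.0.113.0/24
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Once a policy selects an endpoint with an ``egress`` section, all egress not explicitly allowed is dropped, so a real policy would also need a rule permitting traffic to the cluster's DNS service.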

.. _pod_connectivity:

Pod-to-Pod Connectivity
=======================

In Kubernetes, containers are deployed within units referred to as Pods, each of
which holds one or more containers reachable via a single IP address. With
Cilium, each Pod gets an IP address from the node prefix of the Linux node
running the Pod. See :ref:`address_management` for additional details. In the
absence of any network security policies, all Pods can reach each other.

Pod IP addresses are typically local to the Kubernetes cluster. If pods need to
reach services outside the cluster as a client, the network traffic is
automatically masqueraded as it leaves the node. You can find additional
information in the section :ref:`concepts_external_access`.

Service Load-balancing
======================

Kubernetes provides the Services abstraction, which gives the user the ability
to load balance network traffic across different pods. It allows a pod to reach
the pods backing a service through a single virtual IP address, without knowing
which pods are running that particular service.

Without Cilium, kube-proxy is installed on every node. It watches the
kube-master for services and endpoints being added or removed and applies the
necessary iptables rules, so that traffic sent to and received from pods is
routed to the node and port serving that service. For more information, see
the Kubernetes user guide for
`Services <http://kubernetes.io/docs/user-guide/services>`__.

When implementing ClusterIP, Cilium acts on the same principles as kube-proxy:
it watches for services being added or removed, but instead of enforcing them
in iptables, it updates BPF map entries on each node. For more information, see
the `Pull Request <https://github.com/cilium/cilium/pull/109>`__.

Further Reading
===============

The Kubernetes documentation contains more background on the `Kubernetes
Networking Model
<https://kubernetes.io/docs/concepts/cluster-administration/networking/>`_ and
`Kubernetes Network Plugins
<https://kubernetes.io/docs/concepts/cluster-administration/network-plugins/>`_.
