►
From YouTube: Deep-Dive: Packet-level Debugging of Bridged and Non-bridged CNI Plugins - Jay Vyas & Sedef Savas
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Deep-Dive: Packet-level Debugging of Bridged and Non-bridged CNI Plugins - Jay Vyas & Sedef Savas, VMware
Finding the fault for k8s connectivity issues can be a daunting task and require several teams (DevOps, networking) to do their own due diligence. The best way to track down a connectivity error from the perspective of a DevOps team is to deep-dive into packets’ journey through the Linux Network Stack. In this session, we will walk through the following challenges for various open-source CNI providers, in real-time with the audience: If packets from your pods aren’t reaching their destination - how would you use tcpdump to determine where in the packet’s trajectory? Do you know what destination NAT’ing is, and at which step and how it happens (via iptables or IPVS) for bridged and non-bridged CNI plugins? What about existing network policies and routes on your hardware - are there iptables rules conflicting with the rules added by kube-proxy?
https://sched.co/Zeob
A
Okay,
so
hi.
This
is
jay
and
sadef
here
from
vmware
we're
going
to
talk
about
how
these
cni
plugins
work
and
how
you
can
look
at
what's
happening
packet
to
packet,
to
understand,
if
you're
having
issues
with
cni's
or
network
policies
or
other
networking
related
stuff
in
your
pod
and
service
networks
and
kubernetes.
B
So
in
kubernetes,
networking
is
a
combination
of
many
concepts
and
it
is
important
to
know
them
to
troubleshoot
any
connectivity
problem,
so
potterpod
networking
is
provided
by
third
cni
plugins
and
since
pods
are
transient.
Kubernetes
has
an
abstraction
called
services
which
allow
us
to
reach
a
group
of
paths
using
virtual
ips
and
qproxy
is
enabling
connectivity
to
services
by
using
load
balancers
like
ip
tables
and
how
you
find
services
is
also
a
part
of
networking,
there's
kubernetes
dns
service.
That
provides
that
once
you
get
basic
port,
what
about
what
service
connectivity?
B
B
B
A
B
And
let's
go
over
some
traditional
linux
constructs
that
are
used
by
most
of
the
cni
plugins
to
provide
connectivity.
First,
one
is
linked
network
namespaces,
so
they
provide
a
separate
instance
of
kernel.
Networking
stack
like
a
different
set
of
interfaces,
routes
firewalls
to
isolate
processes.
All
parts
and
holes
are
sitting
on
different
network
namespaces.
In
this
diagram
we
have
a
single
node.
We
have
two
parts
and
you
see
all
of
them
are
sitting
on
different
network
namespaces
and
communicate
to
communicate
between
pod
network
namespace
and
not
host
network
namespace.
B
B
B
It
is
nothing
but
but
switch
and
does
layer
to
forwarding
also
when
we
want,
when
our
pods
wants
to
communicate
with
the
horse
and
hospitals
communicate
with
the
paws
rod.
Tables
comes
into
picture,
so
here
you
see,
everything
that
is
destined
to
pot
ciders
will
be
sent
to
bridge
and
bridge
knows
how
to
forward
them.
As
I
mentioned,
hosts
and
mods
are
sitting
on
different
network
name
space
and
they
have
different
route
table
rules,
as
you
can
see
here,.
B
B
B
A
Yeah
I'll
just
quickly
say:
eks
is
we're
going
to
go
over
eks
calico
and
in
a
little
bit
and
you'll
see
the
differences.
But
you
know
in
eks
you
don't
need
an
overlay
if
you're
using
their
cni,
because
the
type
control
that
they
have
over
ip
addresses
and
being
able
to
use
enis
and
stuff
other
cni's.
You
know
use
those
overlays
yeah
keep
going.
B
B
Okay,
now
we
are
going
to
briefly
mention
how
some
cni's
are
providing
networking
at
a
high
level,
so
it
is
important
to
know
underlying
constructs.
Your
cni
is
using
to
better
debug
connectivity
issues.
Let's
start
with
calico
calco
supports
multiple
data
planes
like
standard
linux,
networking
or
linux
ebpf
and
windows.
Networking
also
it
has
three
networking
flavors.
It
supports
pure
layer,
3
networking
where
traffic
is
not
encapsulated
for
this,
it
uses
bgp
a
route
sharing
and
underlying
network
needs
to
support
bgp
as
well
and
set
up
underlying
growth
accordingly.
Otherwise,
this
is
not
an
option.
B
B
Let's
talk
about
another
cni
called
entria,
so
calico
did
not
have
any
bridge
in
its
while
doing
networking,
but
here
we
see
a
virtual
bridge,
that's
being
used
pretty
similar
to
linux
bridges,
so
it
routes
traffic
using
multiple
file
tables
and
supports
what
windows
and
linux.
If
you
like,
look
at
the
diagram.
A
When
we
talk
about
flow
tables,
so
open
v
switch
is
the
back
end
for,
like
s
mentioned,
andrea
and
so
open
v
switch
is
based
on
these
flow
tables
and
that's
the
whole.
That's
the
whole
way
that
you
architect
a
networking
open
v-switch
compared
with
you
know
what
calico
is
doing
in
the
last
slide,
with
just
using
bgp
for
the
routing.
I
just
wanted
to
repeat.
B
Right,
yeah,
and
if,
if
you
see
the
diagram
here,
are
we
have
two
parts,
they
are
connected
to
obvious
spirit
using
read
pairs.
This
part
is
the
same
with
a
regular
linux
architecture,
but
on
the
obs
spirit
side,
we
are
seeing
a
gateway,
zero
port,
which
is
the
gateway
of
the
node
subnet
and
zero
port,
which
is
the
tunnel
part
that
is
used
for
creating
overlay
tunnels
between
nodes
and
andrea
is
also
supporting
overlay
mode.
It
supports
many
many
different
encapsulation
techniques.
B
B
So
here
we
are
going
to
show
some
examples
of
manually
and
overlay
routing,
so
here
we
are
seeing
non-overlay
which
which,
where
we
do
not
encapsulate,
packers
and
use
a
regular
layer
to
networking
like
arp
and
route
entry.
Here
we
have
two
parts
that
are
connected
via
a
switch
that
that
is
to
demonstrate
they
are
sitting
on
the
same
l2
network,
and
these
are
the
subnets
of
the
pos
inside
nodes.
B
A
A
B
B
See
that
yeah
and
so
yeah,
if,
for
example,
a
non-overlay
network
is
not
an
option
for
you,
because
you
are
sitting
on
a
different
subnets
or
you
don't
don't
have
any
control
in
the
underlying
network
and
cannot
do
layer
3,
networking
overlay
is
the
way
to
go
and
encapsulation
can
be
done
in
many
ways.
So
you
see
the
only
difference
between
this
picture
and
this
picture
is
this.
One
has
ton
ton0
interfaces
that
is
used
to
encapsulate
packets
and
you
see
there's
a
change
here
too.
B
B
A
First
yeah
so
on
the
left.
I've
said
this
before,
but
just
to
repeat
again
on
the
left
is
that's
your
that's
your
cloud
stuff
right!
That's
your
eks!
That's
your
gke!
That's
your!
If
you're,
using
something
like
a
an
nsx
or
something
like
that,
you
can
have
this
fancy
non-overlay
stuff
set
up
for
you
using
hypervisor
native
network
tooling
on
the
right
is
typically
when
you're
spinning
up
your
own
clusters,
that's
when
you're
using
a
cni
provider
that
will
kind
of
abstract
that
all
the
way
for
you
and
using
an
overlay.
B
Right
and
yeah
the
packets
will
be
sent
to
town
zero
and
there's
a
process
attached
to
this
sound
zero
interface
that
encapsulates
the
traffic.
So
it
adds
another
header
with
node
ips
on
top
of
the
pod
ips
and
sends
it
over
the
underlying
network
for
underlying
network.
It
is
simply
a
packet
that
is
destined
from
node
one
to
not
to
so.
It
knows
how
to
route
it
packet
reaches
to
not
to,
and
then
it
gets
encapsulated
sent
to
the
bridge
and
reaches
to
its
final
destination.
A
Okay,
so
here
we
go
so
the
first
thing
that
we're
going
to
do
is
I'm
going
to
hit
play
so
that,
if
I
don't
know
if
it's
playing
or
not
yeah
yeah,
so
first
thing
we're
going
to
do
is
run
art
which
so
def
mentioned
a
little
while
ago.
So
we
can
see
there
that
you
might
want
to
pause.
It
see
there
that
oh,
oh
yeah
go
ahead.
B
A
Just
keep
it
running
the
whole
time.
Don't
worry
about
it:
okay,
yeah!
So
once
it's
our
once
we
run
arp.
We
can
see
all
the
stuff
that's
locally
available.
I
think
like
the
what's.
It
called
the
the
the
local
pods
and
the
local
nodes.
So
once
the
def
hits
play
now,
we're
gonna
see
it
again:
okay,
cool
yeah,
so
and
and
that
this
isn't
a
calico
cluster,
I'm
going
to
swap
back
and
forth.
The
blue
terminal
is
android,
the
black
is
calico
and
then
there's
another
black
terminal.
A
That's
eks
as
well!
I'm
just
going
to
jump
around
and
show
you
the
commands
here
so
yeah.
So
we
do
that
and
then
we
can
see
that
there's
these
100
ips
and
there's
these
192
ips,
the
192's.
Those
are
the
nodes.
Now,
if
we
run
ipnet
ns,
we
ran
it
really
quickly,
but
you
can
see
it
again
here
right.
We
we
don't
see
it
in
eks,
which
is
interesting
I'll
leave
that
as
a
homework
assignment
to
the
viewers
here.
Why?
My
eks
cluster
didn't
show
me
any
network
name
spaces,
but.
B
A
B
A
That
so,
by
the
way
that
tcp
dump
is
tracing
one
of
those
calico
interfaces,
so
you
do
tcp
dump
dash.
I
on
one
of
the
outputs
of
like,
for
example,
the
ipa
command,
and
then
you
can
trace
the
exact
traffic
going
into
that
interface
in
into
that
pod
and
nothing
else
so,
okay,
so
we
can
see
that
that
198
is
actually
core.
Dns
makes
perfect
sense.
Coordinates
is
constantly
chatting
with
the
api
server
trying
to
figure
with
the
kubernetes
api
server,
trying
to
figure
out,
endpoints
and
stuff
like
that.
A
So
there
we
go
now
we
now
we
can
do
iptable
save
and
then
we
can
go,
look
and
see
how
that
routing
happens
right.
So
we
can
see
here,
there's
a
routing
rule,
that's
going
to
send
anything
to
164.0.1
to
this,
to
the
kubernetes
service
role
dash
mpx
right.
So
the
easiest
way
to
do
this
if
you're
not
good
at
ip
tables.
A
Like
me,
is
you
just
say:
iv
iptable
save
into
a
text
file
and
then
you
just
jump
around
and
you
can
use
star
when
you're,
on
top
of
a
word,
to
jump
from
one
chain
to
another
right
from
one
rule
to
another.
So
literally,
so
you
go
ahead
and
hit
star
and
then
it
takes
you
right
down
to
coupe
service.
And
then
you
can
see
the
comment
there.
That's
the
kubernetes
api
server
service.
Now
we're.
B
A
A
There's
a
million
other
things
use
cases
you
may
wanna
trace,
for
example,
pod
to
pod
or
whatever,
but
it's
essentially
the
same
logical
series
of
steps
that
you
can
go
through
and
it
would
be
the
same
in
andrea
as
well,
if
or
or
or
any
other
cni
provider,
because
the
coup
proxy
is
going
to
basically
have
to
do
roughly
the
same
thing
do
keep
in
mind.
There
are
different
ways
to
do:
coop,
proxy
and
there's
some
systems
may
not
use
ip
tables,
there's
ipvs
and
other
things.
A
Other
technologies
we've
gone
the
simple
route,
though
taking
those
for
granted.
So,
okay,
now
next,
looking
at
the
andrea
thing,
so
we
can
see
here
the
route.
The
output
was
a
little
different
and
I
jumped
over
to
eks,
but
you
can
see
now
in
eks.
All
the
gateways
are
zero:
zero,
zero,
zero!
Now
back
to
andrea,
you
can
see
the
output.
Is
this?
The
entry
gateways
are
zero:
zero,
zero
intro
gw
zero.
Let's
just
keep
going.
I
think
we're
going
to
show
it
again
later.
So
f,
it's
not
a
big
deal
so.
B
A
Anyways,
so
here
we
are
now
and
what
we're
going
to
try
to
do
is
we're
going
to
try
to
make
in
we're
back
on
our
calico
cluster,
where
I'm
going
to
make
a
damon
set.
So
that
means
I'm
going
to
have
an
engine
x,
pawn
in
every
node
right
and
I'm
going
to
save
the
iptables
rules
and
we're
going
to
show
you
what
like
vanilla
routing
you
just
get
for
free
that
you
have
to
kind
of
start
you
that.
A
Rules
that
we
use
as
a
baseline,
that
get
created
after
you
create
a
pod
okay.
These
are
just
these
are
just
generic
they're,
just
being
created
for
us
by
calico.
The
thing
to
note
here
is
that
they're
all
named
they're
all
being
added
to
the
dash
a
kali
dash
tw
dash
calek418e,
that's
the
interface
name,
ignore
the
comment.
The
name
inside
the
comment
is
a
calico
specific
thing
to
do
comparison
between
between
which
version
of
the
iptables
rules
was
being
written.
So
it's
a
cni
specific
thing
they
need.
A
A
So
we're
definitely
going
to
see
it.
And
now,
let's
see
what
the
difference
is
between
our
last
policies
and
our
new
policies,
so
we
just
get
diff
and
now
you
can
see.
We've
got
a
few
a
few
different
lines
here
and
we
can
see
that
there
are
some
network
policy,
stanzas
return
of
policy,
accepted,
drop
of
no
policies,
past
packet,
etc,
etc.
Right
so
those
are
going
to
get
applied
after
the
pre-routing
stage
and
I'll
show.
A
B
A
Okay,
so
let's
see
here
yeah
here
it
is
so
this
is
so
that
just
so,
if
you've
never
seen
these
before
you
see
these
decimals,
this
is
how
load
balancing
is
done
from
the
coupe
proxy
level.
That's
how
it
decides
exactly
which
pod
is
going
to
get
traffic
from
a
service
right,
because
obviously
you
may
have
10
different
pods
behind
the
service
and
these
clusters.
A
I've
scaled
up
the
amount
of
core
dns
replicas,
so
that
we
have
plenty
of
examples
of
that
again
now
we
jump
over
the
andrea
here
in
blue
and
we've
got
okay,
namespaces,
okay,
so
yeah.
So
we
show
the
namespaces
and
then
we
delete
everything
and
then
after
we
deleted
this
stuff,
we
just
go
ahead
and
recreate
it.
I'm
not
going
to
do
the
whole
diff
thing.
A
A
If
we
look
at
table
number
90.,
so
you
executing
to
the
andrea
containers
directly,
if
you
want
to
see
this
stuff
and
you
can
run
ovs,
ofctl
flows,
br
int
and
that's
essentially,
the
equivalent
of
like
looking
through
ip
tables
and
open
v
switch.
It's
like
the
same.
It's
the
equivalent
kind
of
operation
right.
You
can
look
at
those
individual
flows,
and
so
now
we've
created
the
daemon
set
and
we've
created
the
network
policy.
A
And
once
you
look
at
the
network
once
once
you
look
at
the
network
policy,
you
can
see.
We
briefly
showed
you
there's
a
couple,
there's
an
extra
row
in
there
and
that
row
shows
the
reg
one,
the
packet's
getting
marked
for
getting
dropped
and
whatnot
out
of
that
flow
table.
So
that's
how
you
can
see
those
policies
being
applied
in
andrea
and
I
think
that's
it.
We
made
it
thank.