►
From YouTube: Kube Proxy Next Gen
Description
The Kubernetes Service Proxy is a critical extension point for businesses wanting to expand the scope of cloud native applications to more sophisticated networking models, larger scale clusters and for designing better services mesh technologies. Some might even say it is "the thing" that differentiates Kubernetes networking from other container platforms. For several years, extending it has required copying and pasting code from Kubernetes, or rebuilding its extremely sophisticated caching logic piecemeal.
Kube Proxy Next Generation (KPNG) is a Kubernetes SIG Network project which decouples the dataplane (backend), from the Kubernetes specific logic of the Service Proxy, allowing for innovation in the way networks are built on Kubernetes without the need for adding more technical debt to Kubernetes core. The KPNG project supports multiple operating systems and allows users to easily plugin high performance, in-memory service proxying technologies that are entirely powered by a GRPC integration layer.
This reduces load on the APIServer and creates a service extension model for Kubernetes. KPNG project is rapidly growing and the community is engaging and passionate about its overall mission. In this session, we will showcase how KPNG is structured to tackle the pain points around current implementation of Kubernetes Service Proxy along with a demo of KPNG in different backends like nft, iptables, ipvs and how to reason about kube-proxy’s logic in any mode, using a generic model. KPNG being a nascent project, we will also talk about what lies ahead and give a sneak peek of the project roadmap.
A
B
B
This
sub
project
comes
under
sig
network
in
the
kubernetes
ecosystem,
we'll
get
into
the
details
of
cupping
in
a
bit,
but
I'll
give
you
a
peek
into
it
right
away.
Cupping
tries
to
redesign
cube
proxy
by
decoupling,
the
kubernetes
bits
and
the
networking
bits.
Cupping
interacts
with
the
cube
api
server
and
stores
the
global
state
of
the
cluster
in
memory
and
then
provides
a
local
diff
state
to
the
back
end,
implementing
the
routing
rules
of
a
service.
B
A
So
what
is
kyproxy
as
you'll
probably
know?
Q
proxy
is
one
of
the
two
kubernetes
components
that
runs
on
every
node,
the
other
one
being
the
cubelet.
It
manages
service
abstraction
within
kubernetes.
It
is
deployed
as
a
daemon
set
on
every
node
and
can
be
configured
using
a
config
map.
You
can
run
q
proxy
in
several
modes.
Iptables,
ipvs
and
user
space
user
space
mode
is
now
considered
as
legacy.
Iptables
is
the
default
mode
and
ipvs
is
the
most
recent
mode.
A
Now,
let's
take
a
closer
look
at
the
diagram
whenever
a
service
is
created
or
deleted,
there
are
changes
to
the
endpoints
resources.
These
are
persisted
in
the
api
server
and
the
information
is
synced
to
queue
proxy.
Whenever
a
client
sends
a
request
to
the
service,
say
an
nginx
service
exposed
as
cluster
ip
note
that
this
is
a
virtual
ip.
A
A
A
A
A
A
A
A
We
know
that
the
cluster
ip
is
1096
231,
184
and
on
destination
port
80.
It
says
jump
to
this
particular
service,
so
this
is
a
service
ending
in
l6n,
and
we
have
that
over
here.
So
there
are
two
entries
for
this:
let's
read
through
so
the
first
line
here
states
the
default
nginx
with
a
random
probability
of
0.5
jump
to
this
service
endpoint.
So
50
of
the
requests
end
up
going
to
this
particular
service,
endpoint
and
50
percent-
goes
to
the
second
line
over
here
and
jumps
to
this
particular
service
endpoint.
A
Let's
look
at
one
of
these.
Let's
look
at
the
service
endpoint
ending
into
th,
which
is
over
here,
so
this
line
basically
adds
the
masquerade
bit
on
the
packet.
But
let's
look
at
this
line.
This
is
what
is
of
interest
to
us,
so
it
says
the
service
endpoint
that
is
default.
Engine
x
has
to
be
routed,
that
is,
to
destination
10,
to
44
2.3
and
on
port
8000.
A
A
A
B
Q
proxy
does
the
networking
and
the
kubernetes
api
server
watch
bits
in
a
single
process.
This
causes
a
significant
load
on
the
api
server
as
the
node's
increase
in
the
cluster.
This
blog
post
from
open
ai
highlights
these
pain
points
of
q
proxy.
When
the
cluster
is
scaled
up,
it
provides
data
on
how
the
bandwidth
required
for
responses
from
api
server
grows
by
order
of
n
squared
extended
q
proxy
is
complicated
because
of
its
in
entry
implementation.
B
Very
few
people
in
the
community
understand
current
cube
proxy
code
and
have
context
about
the
history
of
it.
This
tweet
is
one
such
example
where
we
wanted
to
know
why
service
boards
require
names.
Tim
hawkins
then
had
then
replied
to
us
to
fill
us
in
with
the
context
and
pr
from
2015
mapping
to
this
feature.
B
A
Cupping
to
the
rescue
we
are
finally
getting
into
the
meat
of
this
talk,
but
first
a
little
history
and
context.
Jan
2020
was
when
mikhail
gave
us
cupping
for
christmas
october.
2020
was
when
the
kept
for
cupping
was
out
in
march,
2021
jay
and
a
few
others
decided
to
start
a
working
group
for
cupping
and
since
may
2021.
Until
now
we
have
managed
to
make
quite
a
bit
of
progress,
rajas
and
I
joined
somewhere
in
this
time
frame.
A
The
cupping
team
has
managed
to
separate
nft
ip
tables
and
ipvs
back-ends
as
individual
and
vendorable
plugins.
We
also
added
github
actions
and
enable
ci
that
gates
all
rpr's.
We
have
also
added
windows
user
space
as
a
back-end.
So
far,
all
right,
brace
yourself.
Now
we
are
going
to
take
a
closer
look
at
cupping.
B
Cupping
architecture
has
two
parts
to
it.
First
is
the
front
end,
that
is
the
cupping
server,
and
this
is
responsible
for
getting
data
from
the
kubernetes
api
server
and
then
the
back
end,
which
is
responsible
for
implementing
routing
rules.
So
there
can
be
different
backends
like
ip
tables,
ipvs
and
ft,
etc.
B
B
Let
me
show
you
the
repository
of
cupping,
which
is
under
kubernetes
6
org
in
github.
This
is
where
the
different
back
ends
are
housed,
so
every
back
end
comes
with
its
own,
go
mod
and
its
own
dependencies,
and
things
like
that.
This
is
where
the
cupping
server
resides
and
here's
how
you
can
interact
with
coming.
So,
let's
take
a
look
at
this,
so
here
I
have.
B
A
kind
cluster-
this
is
a
three
node
kind
cluster,
similar
to
what
anusha
had
it's
just
that
this
is
having
cupping
instead
of
q
proxy,
and
I
got
this
kind
cluster
up
by
running
something
called
as
hack,
e2e,
dot
sh
with
ipv4
and
the
back
end
is
nft
in
in
development
mode.
So
this
is
a
script
that
we
run
in
ci
and
you
can
try
to
run
it
to
get
cupping
up
this
lives
under
the
hack
directory
in
copying
repository.
There
is
also
something
called
as
hack,
cupping,
local
up
dot
sh.
B
All
right,
so
here's
the
demon
set
of
cupping
and
as
we
can
see
there
are
two
containers.
This
is
the
one
that
is
the
server
and
and
then
there's
cupping
nft
container
over
here.
That's
listening
to
the
copying
server
and
using
it
to
write
nftable
rules,
because
that's
the
backend
that
we're
using
so
nf
tables
are
similar
to
ip
tables
and
in
nft
back
end
in
cupping.
There's
something
called
as
a
diff.
Different
object,
that's
used.
B
So
what
happens
is
that
cupping
server
sends
the
entire
state
of
the
kubernetes
network
to
the
cupping
nft
backend
through
something
called
as
a
callback
api
and
then
the
backend
recalculates,
the
new
state
of
the
network
and
then
rewrites
the
nf
table
rules.
If
they
are
necessary,
we
there's
a
great
blog
post
by
jay,
pointing
out
how
nft
implementation
works
in
keeping
and
we'll
come
back
to
it
in
some
time
all
right
cool
all
right.
So
I
have
cluster
cuppings
running.
Everything
is
fine.
Now,
let's
see
how
cupping
works.
B
B
B
So
this
is
what
cupping
server
tries
to
send
to
the
back
end,
and
this
is
the
information
that's
required
for
the
back
backend
to
create
the
routing
rules,
all
right
so
now,
so
this
is
the
current
state
of
the
cluster
right.
So
now,
let's
try
to
see
what
happens
when
we
try
to
create
a
service
for
our
nginx
server,
so
I'm
trying
to
create
a
simple
cluster
ip
service
and
once
I
create
a
service,
the
state
changes.
B
Now
I
have
a
diff
which
points
out
to
the
new
set
of
end
points
that
are
needed
for
this
service.
Let's
try
to
let's
try
to
update
this
service
and
see
how
that
that
gets
changed
real
time
all
right.
So
let
me
just
change
the
port
or
to
maybe
8081
and
before
I
enter
that
I'll.
Just
make
space
for
the
new
div
that
will
be
formed.
B
B
There
are
other
utilities
which
are
similar
to
node
log
there's
something
called
as
global
log,
so
I
can
say
cupping
global
log
and
all
right,
it
is
cupping
hyphen
global
log-
and
this
gives
me
the
the
state
of
kubernetes
networking
from
a
controlled
plane
perspective
and
not
from
a
node
perspective.
So
this
has
endpoint
services
as
well
as
parts
of
kubernetes
that
are
that
are
relevant
right.
B
So
what
this
does
is
that
this
gives
us
this
gives
a
sense
of
debugging
on
at
a
node
level
as
whereas
at
at
a
global
kubernetes
control,
plane
level.
So
this
will
help
in
something
like
bug
reports
wherein,
if
someone
tries
to
add
a
service-
and
you
know
or
implement
service
proxy
and
and
can
then
grab
the
state
at
the
global
level
and
also
at
the
node
level
and
then
try
to
see
what
sort
of
things
are
changing
and
how
things
are
getting
communicated
so
on
and
so
forth.
B
So
this
is
sort
of
the
flexibility
flexibility,
that's
given
by
cupping
and
then
through
through
these
diffs
diff
states,
a
particular
backend
is
able
to
write
its
own
networking
rules.
So
in
this
case,
nf
tables
rules
will
be
written.
If
we
had
to
use
iptables
backhand,
it
had
to
write
iptables
rules
so
on
and
so
forth.
So
this
is
how
the
decoupling
works
in
copying
from
from
the
kubernetes
control
plane
to
the
to
the
to
the
back
end,
that's
responsible
for
the
networking
aspect,
all
right.
B
Okay!
So
now
that
we
have
some
context
on
how
cupping
works
and
how
how
it
tries
to
decouple
and
and
the
architecture
of
cupping,
let's
see
how
we
can
get
involved
in
cupping
right.
So
this
is
a
mirror
from
one
of
our
pairing
sessions.
So
I'm
not
trying
to
scare
you
off
it's
just
a
tool
that
we
use
to
learn
things
around
cube
proxy
and
cupping,
and
things
like
that.
B
So
with
this
sub
project,
one
of
our
main
goals
is
to
make
you
proxy
for
to
work
and
easy
to
understand,
so
that
we
can
make
your
proxy
extensible
from
a
command
line
and
a
back-end
perspective,
and
we
want
to
do
it
through
cupping.
So
we
want
to
learn
as
much
as
we
can
about
kubernetes
service
networking
and
also
build
an
upstream
community
around
it.
A
A
The
cup
split,
that
is
the
control
plane
and
uses
plane
split,
makes
it
possible
to
develop
separate
data
planes
or
back-ends
without
forking
off
of
cube
proxy.
The
cni's
no
longer
have
to
sync
with
the
q
proxy
code.
They
are
free
to
implement
their
own
back-end,
while
still
using
the
cupping
server,
as
is
the
kubernetes.
Api
server
is
hugely
benefited
with
cupping
reducing
the
number
of
watch
requests.
A
B
B
We
got
the
initial
implementation
for
ipvs
from
ricardo
and
then
lars
also
helped
with
ipvs
and
ip
tables.
Implementation
hanuman
is
now
driving
the
ip
ipvs.
A
backend
of
cupping
and
naya
is
helping
out
with
ipvs
as
well.
Neha
is
also
the
founding
member
of
the
cupping
ci
with
friedrich,
and
we
got
valuable
inputs
from
antonio
as
well
when
it
comes
to
cis
packs
of
cupping.
B
So
this
is
this:
is
the
team
that's
behind
cupping?
And
it's
it's
a
it's
a
hard
project.
Your
first
comment
may
take
weeks
or
months,
especially
if
you're
new,
to
cube
proxy
or
to
kubernetes
networking.
However,
we
will
pair
with
people
wanting
to
join
and
make
an
impact.
We
pair
we
pay
program
every
wednesday
and
friday
at
our
meetings
and
also
informally
at
other
times
as
well.
So
please
don't
hesitate
to
join
us
or
ask
us
questions
when
meetings
or
on
entry
or
live
stream.
B
That
happens
every
wednesday,
but
be
ready
for
a
lot
of
debugging
and
be
ready
to
take
up
complex
problems
when
it
comes
to
cupping
feel
free
to
join
us
on
slack
as
well
on
kubernetes
slack
on
sig
network
kpng
channel
all
right.
So
thanks
for
listening
to
us
and
hope
to
see
you
all
in
the
next
coming
meeting.