solo.io / Traffic in ambient mesh / 17 Mar 2023
From YouTube:
Traffic in ambient mesh - Part 2: Redirection using iptables and GENEVE tunnels
Description
In this video, we’ll dive deeper into how redirection using iptables and GENEVE tunnels works.
In the previous video, we talked about how the sidecar proxy is configured to intercept traffic and the role of Istio CNI, and we installed ambient mesh and briefly showed the iptables rules that are set on the cluster node. In this video we'll dive deeper into how redirection actually works and look into the iptables rules and the different interfaces that get set up by the Istio CNI plugin.

The Istio CNI plugin watches for any changes pertaining to pods and namespaces, and when it sees a namespace that's been made part of the ambient mesh, it has to configure the node to intercept traffic for those pods. As part of the node setup, the Istio CNI plugin sets up rules on the node and also creates an ipset called ztunnel-pods-ips. The purpose of this ipset is to keep track of the IP addresses of the pods that are part of the ambient mesh.

If we run the ipset list command on the node, we'll see that the ipset is created but it's empty. Now, we already have two pods running in the cluster; let's make them part of the ambient mesh by labeling the namespace with dataplane-mode=ambient. If we list the ipsets again, you'll notice that this time there are two IP addresses in the list, and these addresses match the two pods that are running in the cluster and are part of the ambient mesh. So as the pods get added or removed, the CNI plugin keeps the ipset up to date.

The IPs in this ipset are used in the rules, so let's look at an example. If we list the iptables rules again, notice the rules in the POSTROUTING and PREROUTING chains that mark the packets with the mark 100, so any packets originating from the pods that are part of the ambient mesh will be marked with the mark 100. Next, we can look at the ip rule list, and we'll notice a rule that says if the packets have the mark 100, they should be routed according to the routing table 101. So if we look at the routing table 101, we'll see that the first line in this output is telling us that the traffic should be sent to the IP address 192.168.127.2 using the istioout interface. Note that this IP is the IP address of the pistioout interface that's set up on the ztunnel, and we'll talk about this later.

Now, there are special interfaces set up on the node, so if we run the ip link show command, we'll see two interfaces that stand out: the istioin and istioout interfaces. As the names suggest, the purpose of these interfaces is to handle the inbound and outbound traffic on that node. These interfaces are connected using GENEVE tunnels to interfaces that are set up on the ztunnel pod that's running on the same node.

Let's look more closely at the istioin interface. The 192.168.126.1 address is the IP address of the istioin interface, and the .3 address is the broadcast address. Notice the geneve keyword and the 10.244.2.3 address. This line basically says that the istioin interface is connected using the GENEVE tunnel to that IP address, and that IP address is, if we go and check in the cluster, we'll see that that's the IP address of the ztunnel pod that's running on the same node.

So let's zoom out a little bit and look at the overall picture. As the pods get added to the ambient mesh, a virtual interface is created on the node and the ipset is updated with that IP address. Now, as the packets go from the pods to the node, they get marked with the mark 100 and are directed to the istioout interface using the routing table we've shown. Now, the istioout interface in turn is connected to the pistioout interface that's set up on the ztunnel pod, and that's how the packets get from the pod inside the ambient mesh through the node and then to the ztunnel pod that's running on the same node.

In the next video, we'll look at what happens at the ztunnel pod once those packets are received on the pistioout and pistioin interfaces.
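The redirection chain the video walks through (pod IP in the ipset, MARK rule in the mangle table, ip rule selecting table 101, default route out of istioout, GENEVE tunnel to the ztunnel pod) is something a node audit wants to verify end to end, because a pod whose IP is missing from the ipset gets no mark and its traffic simply bypasses ztunnel. The script below is an added example, not code from the video or from Istio: it parses the outputs of ipset list, iptables -t mangle -S, ip rule, ip route show table N and ip -d link show, and follows one pod's egress through the chain. The command outputs are constructed, not captured from a real node; the names and addresses follow the narration (ztunnel-pods-ips, table 101, istioout, 192.168.127.2, 10.244.2.3), while the mark encoding 0x100/0x100 for the narration's "mark 100", the chain name ztunnel-PREROUTING, the GENEVE VNI and the MAC/veth names are assumptions. The script reads the mark value from the rules rather than hardcoding it, so it also works when a node uses a different mark.

```python
import re

# Constructed sample outputs (not from a real node). Names and addresses follow
# the video; mark encoding, chain name, VNI, MAC and veth names are assumptions.
IPSET_LIST = """\
Name: ztunnel-pods-ips
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 360
References: 2
Number of entries: 2
Members:
10.244.2.4
10.244.2.5
"""

IPTABLES_MANGLE = """\
-P PREROUTING ACCEPT
-N ztunnel-PREROUTING
-A PREROUTING -j ztunnel-PREROUTING
-A ztunnel-PREROUTING -p tcp -m set --match-set ztunnel-pods-ips src -j MARK --set-xmark 0x100/0x100
"""

IP_RULE = """\
0:\tfrom all lookup local
101:\tfrom all fwmark 0x100/0x100 lookup 101
32766:\tfrom all lookup main
"""

# keyed by table name, as returned by 'ip route show table <name>'
ROUTES_BY_TABLE = {"101": """\
default via 192.168.127.2 dev istioout
10.244.2.3 dev veth7a1b2c3d scope link
"""}

# keyed by device name, as returned by 'ip -d link show <dev>'
LINKS_BY_DEV = {"istioout": """\
7: istioout: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN
    link/ether 36:1f:9b:0c:2d:11 brd ff:ff:ff:ff:ff:ff promiscuity 0
    geneve id 1001 remote 10.244.2.3 ttl auto dstport 6081 noudpcsum
"""}

_HEX = r"(0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?"  # value with optional /mask


def parse_ipset_members(text):
    """IPs listed after 'Members:' in 'ipset list <name>' output."""
    members, in_members = set(), False
    for line in text.splitlines():
        if line.startswith("Members:"):
            in_members = True
        elif in_members and line.strip():
            members.add(line.strip())
    return members


def parse_mark_rule(text, ipset_name):
    """(mark, mask) set by the mangle rule matching source IPs in ipset_name."""
    for line in text.splitlines():
        if f"--match-set {ipset_name} src" in line:
            m = re.search(r"--set-xmark " + _HEX, line)
            if m:
                return int(m.group(1), 16), int(m.group(2) or "0xffffffff", 16)
    return None


def table_for_mark(rule_text, mark):
    """Routing table chosen by the first 'ip rule' entry whose fwmark matches."""
    for line in rule_text.splitlines():
        m = re.search(r"fwmark " + _HEX + r" lookup (\S+)", line)
        if m:
            want, mask = int(m.group(1), 16), int(m.group(2) or "0xffffffff", 16)
            if mark & mask == want & mask:
                return m.group(3)
    return None


def default_route(route_text):
    """(next hop, device) of the default route in a routing table listing."""
    m = re.search(r"^default via (\S+) dev (\S+)", route_text, re.M)
    return (m.group(1), m.group(2)) if m else None


def geneve_remote(link_text):
    """Remote endpoint of a GENEVE device from 'ip -d link show' output."""
    m = re.search(r"\bgeneve\b.*?\bremote (\S+)", link_text)
    return m.group(1) if m else None


def trace_egress(pod_ip, ipset_text, mangle_text, rule_text, routes_by_table,
                 links_by_dev, ipset_name="ztunnel-pods-ips"):
    """Follow a packet leaving pod_ip through the node's redirection chain.

    Returns None when the pod is not in the ipset (no mark, normal routing, so
    ztunnel is bypassed). Raises ValueError when the pod is in the ipset but a
    later link of the chain is missing, which is what an audit should flag.
    """
    if pod_ip not in parse_ipset_members(ipset_text):
        return None
    marked = parse_mark_rule(mangle_text, ipset_name)
    if marked is None:
        raise ValueError(f"no MARK rule for ipset {ipset_name}")
    mark, _ = marked
    table = table_for_mark(rule_text, mark)
    if table is None:
        raise ValueError(f"no ip rule selects a table for fwmark {mark:#x}")
    route = default_route(routes_by_table.get(table, ""))
    if route is None:
        raise ValueError(f"table {table} has no default route")
    via, dev = route
    remote = geneve_remote(links_by_dev.get(dev, ""))
    if remote is None:
        raise ValueError(f"{dev} is not a GENEVE device")
    return {"mark": f"{mark:#x}", "table": table, "via": via, "dev": dev,
            "geneve_remote": remote}


def trace_sample(pod_ip):
    """Run the trace over the constructed sample outputs above."""
    return trace_egress(pod_ip, IPSET_LIST, IPTABLES_MANGLE, IP_RULE,
                        ROUTES_BY_TABLE, LINKS_BY_DEV)


if __name__ == "__main__":
    for ip in ("10.244.2.4", "10.244.2.9"):
        print(ip, "->", trace_sample(ip))
```

On a real node the five inputs come from the commands named in the video, run as root; the sample keeps them inline so the chain can be followed offline. The interesting outcome for a defender is the None case: a pod in an ambient-labeled namespace whose IP never appeared in ztunnel-pods-ips sends traffic that no mark, rule or tunnel ever touches.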