Rancher Network Requirements

  • Post author:
  • Post category:미분류

Kubernetes network policies are implemented by network plug-ins, not by Kubernetes itself. Simply creating a network policy resource without a network plug-in to implement it has no impact on network traffic. K3s resource profiling collects test results to determine the minimum resources required for the K3s agent, the K3s server with a workload, and the K3s server with an agent. It also includes an analysis of what has the greatest impact on K3s server and agent utilization and how to protect the cluster datastore from agent and workload disruption. This is especially important for etcd nodes, which are sensitive to network latency, because the RTT between the etcd nodes in the cluster determines the minimum time to perform validation. This section describes the system requirements for Docker, Kubernetes, and SSH. The Calico plugin implements all the features of Kubernetes network policies. In addition, Calico supports Calico network policies and provides additional functionality beyond Kubernetes network policies. Kubernetes and Calico network policies work together seamlessly, so you can choose the one that`s right for you and combine it the way you want.

An overlay network allows pods to communicate between nodes without the underlying network knowing the pods or IP addresses of the pods. Calico`s flexible modular architecture supports a variety of deployment options, allowing you to choose the best network and network policy options for your specific environment. This includes the ability to work with a variety of CNI and IPAM plugins, as well as the underlying networking options. Install Calico as a required CNI for network and/or network policies on Rancher-provided clusters. The hardware requirements for nodes with the worker role depend primarily on your workloads. The minimum to run the Kubernetes node components is 1 processor (core) and 1 GB of memory. For this reason, it is important to future-proof scopes by modifying scopes to avoid overlapping routing with other areas of the network and possible exhaustion of the cluster IP address if the default settings are not suitable. Note: Before you create this manifest, review the content and make sure that the settings for your environment are correct. For example, you might need to adjust the default IP pool CIDR address to match the CIDR address of your pod network.

The default value for Rancher is 10.42.0.0/16. Hardware requirements change based on the size of your deployments. Minimum recommendations can be found here. For external data storage, the general performance requirements are as follows: For performance reasons, we recommend that you avoid extending cluster nodes over long distances and unreliable networks. For example, nodes can be located in separate Availability Zones in the same region, in the same datacenter, or in separate nearby datacenters. The hardware requirements depend on the size of your K3s cluster. For production clusters and large clusters, we recommend that you use a high availability configuration with an external database. The following options are recommended for the external database in production: Please refer to the network plugin documentation for additional requirements (e.g.

kernel modules) For the sake of completeness, working without overlay offers the most powerful network. The packets that leave your pods are the packets that go on the wire. The Calico CNI plugin connects the pods to the host network via L3 routing without the need for an L2 bridge. This is simple and easy to understand and more effective than other common alternatives such as kubenet or flannel. Packets between pods on different nodes are encapsulated with IPIP, wrapping each original packet in an external packet that uses node IP addresses and hiding the pod IP addresses of the inner packet. This can be done very efficiently by the Linux kernel, but it still presents a little overhead that you might want to avoid if you`re running particularly network-intensive workloads. K3s is very lightweight, but has some minimum requirements, as described below. Whether you configure a K3s cluster to run in a Docker or Kubernetes configuration, each node running K3s must meet the following minimum requirements. You may need more resources to meet your needs. Important: The VXLAN port on the nodes should not be exposed to the world because it opens your cluster network that anyone can access. Run your nodes behind a firewall/security group that disables access to port 8472. Warning: Flannel relies on the Bridge CNI plugin to create an L2 network that switches traffic.

Rogue pods with NET_RAW capabilities can abuse this L2 network to launch attacks such as ARP spoofing. Therefore, as shown in Kubernetes documents, set a restricted profile that disables NET_RAW on untrusted pods.