In this session we’re going to deep dive into the network stack behind both Kubenet and Azure CNI, to explain how each works internally, how each can be debugged, and the pros and cons of each.

  • Outbound Type: Check out the session from @RayKaohere
  • Network Plugin
  • Windows Networking
    • Great Overview
    • Details (Linux -> Windows):
      • Azure CNI Required
        • Supported in AKS Engine and an open issue exists to promote this capability to AKS. See issue #1244
      • Linux Bridge -> Host Networking Service
      • iptables -> vSwitch + Virtual Filtering Platform + Distributed Router
  • Network Policy: None/Azure/Calico
  • How iptables come into play
  • Debugging
    • ssh-jump - Creates a jump server pod in your cluster and tunnels ssh through kubernetes port-forward
    • tcpdump - Native Linux command line tool. Run on the host or in a pod. Check out the tcpdump zine from Julia Evans (@b0rk)
    • ksniff - Creates a tcpdump proxy and can stream directly to Wireshark
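As an added example (this is not code from the page, nor from the ssh-jump or ksniff projects), the three debugging workflows above done by hand with kubectl, tcpdump and nsenter. Pod, namespace, user and interface names are placeholders; the pod path assumes the container image ships tcpdump and Wireshark is installed locally, and the node path assumes root on a containerd node with crictl available.

```shell
#!/usr/bin/env bash
# Added example, not code from the page or from the ksniff/ssh-jump projects.
# Assumptions: kubectl can reach the cluster, the target image has tcpdump (or
# use the node path), wireshark is installed locally, and on the node path you
# are root on a containerd node with crictl. Names below are placeholders.
set -eu

# 1. ksniff-style: run tcpdump inside the pod's own network namespace and stream
#    the pcap over the kubectl exec tunnel (i.e. via the API server, no SSH to the
#    node needed) straight into a local Wireshark.
#    -U flushes every packet so they show up live; -w - writes pcap to stdout.
capture_from_pod() {
  pod="$1"; ns="${2:-default}"; iface="${3:-eth0}"; filter="${4:-}"
  # $filter is deliberately unquoted so a multi-word BPF filter such as
  # "port 53" reaches tcpdump as separate arguments.
  # shellcheck disable=SC2086
  kubectl exec -n "$ns" "$pod" -- tcpdump -i "$iface" -U -w - $filter \
    | wireshark -k -i -
}

# 2. Node-side: when the pod image has no tcpdump, enter the container's network
#    namespace from the node instead. Passing the bridge itself as "$iface"
#    (cbr0 for kubenet, azure0 for Azure CNI in bridge mode) captures every pod
#    on the node at once. Assumes crictl's inspect JSON exposes .info.pid
#    (containerd runtime).
capture_from_node() {
  pod="$1"; ns="${2:-default}"; iface="${3:-eth0}"; filter="${4:-}"
  cid=$(crictl ps -q --label "io.kubernetes.pod.name=$pod" \
                    --label "io.kubernetes.pod.namespace=$ns" | sed -n 1p)
  [ -n "$cid" ] || { echo "no running container for $ns/$pod" >&2; return 1; }
  pid=$(crictl inspect -o go-template --template '{{.info.pid}}' "$cid")
  # shellcheck disable=SC2086
  nsenter -t "$pid" -n -- tcpdump -i "$iface" -U -w "/tmp/${pod}.pcap" $filter
}

# 3. ssh-jump-style: port-forward to a pod running sshd, then use that pod as a
#    ProxyJump host to reach a node's private IP without exposing SSH on the
#    node. "jump" is the placeholder sshd user inside the jump pod.
ssh_via_jump_pod() {
  jump_pod="$1"; ns="$2"; node_ip="$3"; user="${4:-azureuser}"
  kubectl port-forward -n "$ns" "pod/$jump_pod" 2222:22 >/dev/null &
  pf=$!
  trap 'kill "$pf" 2>/dev/null' EXIT
  sleep 1  # give the forward a moment to bind
  ssh -J "jump@127.0.0.1:2222" "$user@$node_ip"
}

# usage: ./netdebug.sh pod <pod> [ns] [iface] [bpf filter]
#        ./netdebug.sh node <pod> [ns] [iface] [bpf filter]   (run on the node)
#        ./netdebug.sh ssh <jump-pod> <ns> <node-ip> [user]
main() {
  case "${1:-}" in
    pod)  shift; capture_from_pod "$@" ;;
    node) shift; capture_from_node "$@" ;;
    ssh)  shift; ssh_via_jump_pod "$@" ;;
    *)    echo "usage: $0 pod|node|ssh ..." >&2; return 2 ;;
  esac
}
[ "$#" -eq 0 ] || main "$@"
```

The pod path is the same idea ksniff automates; note that the capture bytes traverse the API server, so for large captures prefer the node path and copy the pcap file off afterwards. On the node, `iptables` rules are applied in the host namespace, so a capture on the pod's eth0 shows traffic before kube-proxy's DNAT, while a capture on the bridge or the node's primary NIC shows it after.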

Network Feature Status

  • IPVS vs. iptables
    • Status: No current plan
    • Notes: Transitioning from iptables to IPVS has been considered, but the known stability of iptables has won out over IPVS for the time being. Feel free to contribute to the discussion in the AKS GitHub under issue #1846
  • IPv6
    • Status: Backlog
    • Notes: IPv6 is still in alpha state in upstream Kubernetes, so it is not ready for production workloads. You can track the status under sig-networking. Microsoft has been heavily involved in its development, so I had hoped to see adoption in AKS fairly rapidly, but no dates have been shared yet.
  • Nodepool Subnet
    • Status: Public Preview
    • Notes: Allows you to choose the target subnet at the nodepool level rather than at the cluster level. Currently Azure CNI only, but Kubenet support is planned
  • Calico on Windows
    • Status: In Progress
    • Notes: Adds support for the open source Calico Kubernetes Network Policy in AKS for Windows