OSPF and DNS NodePort
After bootstrapping up a basic Kubernetes Lab, a dynamic routing protocol provides effective routing at all layers because each router and switch understands how to route traffic effectively
# ospfctl show rib Destination Nexthop Path Type Type Cost Uptime 192.168.0.4 192.168.2.4 Intra-Area Router 20 04:47:00 192.168.2.0/24 192.168.2.3 C Intra-Area Network 20 05:06:25 10.244.1.0/24 192.168.2.65 Type 2 ext Network 20 04:16:00 10.244.2.0/24 192.168.2.66 Type 2 ext Network 20 04:16:00 10.244.3.0/24 192.168.2.67 Type 2 ext Network 20 04:16:00
To make name resolution work, we will configure a stub zone and port forwarding for DNS
$ traceroute -n registry.default.svc.mykube.local traceroute to registry.default.svc.mykube.local (10.244.3.62), 64 hops max, 40 byte packets 1 192.168.0.7 11.875 ms 10.928 ms 11.47 ms 2 192.168.2.67 0.749 ms 0.483 ms 0.349 ms 3 10.244.3.62 0.459 ms 0.328 ms 0.383 ms
OpenBSD Router and OSPF, OSPFv3
OSPF can be run over any interface. Here we will advertise on the interface
vlan2
# /etc/ospfd.conf router-id 192.168.0.3 area 0.0.0.2 { interface vlan2 { metric 20 } }
The configuration for OSPFv3 (for IPv6) is exactly the same. OSPF an OSPFv3 prevent routes from being enabled if a MTU mismatch is detected, and ospfd(8) will log an error if this occurs.
Juniper EX
One advantage of using a dynamic routing protocol is that core switching, as well as the router on the edge can route this traffic
set protocols ospf area 0.0.0.2 interface irb.82 set protocols ospf import into-ospf set protocols ospf3 area 0.0.0.2 interface irb.82 set protocols ospf3 import into-ospf set policy-options policy-statement into-ospf term static then accept
PicOS
Even small PicOS switches from fs.com have full routing support.
set protocols ospf area 0.0.0.2 set protocols ospf network 192.168.2.0/24 area "0.0.0.2" set protocols ospf interface vlan-82 set protocols ospf6 area 0.0.0.2 set protocols ospf6 interface vlan-82 area "0.0.0.2"
Tie it all together by redistributing static routes
edit protocols static
set route 10.244.1.0/24 next-hop 192.168.2.65
set route 10.244.2.0/24 next-hop 192.168.2.66
set route 10.244.3.0/24 next-hop 192.168.2.66
set route 10.244.0.0/16 reject
set route fd00:f4:1::/64 next-hop fd00:52::41
set route fd00:f4:2::/64 next-hop fd00:52::42
set route fd00:f4:3::/64 next-hop fd00:52::43
set route fd00:f4::/32 reject
exit
exit
set protocols ospf redistribute static
set protocols ospf6 redistribute static
Notes:
-
Adding a
rejectrule is to avoid a routing loop if the locally connectednext-hopcannot be resolved va ARP or NDP.
Forwarding DNS using a NodePort Sevice
Kubernetes allows a special kind of service to be defined that only modifies forwarding rules
apiVersion: v1 kind: Service metadata: name: kube-dns-external namespace: kube-system spec: selector: k8s-app: kube-dns type: NodePort ports: - name: dns-udp port: 53 targetPort: 53 nodePort: 30053 protocol: UDP sessionAffinity: None
$ kubectl get svc --namespace kube-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 19h kube-dns-external NodePort 10.103.147.139 <none> 53:30053/UDP 19h
Unbound is now able to use any Kubernetes node to answer nameserver queries!
# unbound.conf stub-zone: name: "svc.mykube.local" stub-addr: 192.168.2.65@30053 stub-addr: 192.168.2.66@30053 stub-addr: 192.168.2.67@30053