Securing TKG Workloads with Antrea and NSX-Part 1: Introduction

What is a Container Network Interface

Container Network Interface (CNI) is a framework for dynamically configuring networking resources in a Kubernetes cluster. CNI can integrate smoothly with the kubelet to enable the use of an overlay or underlay network to automatically configure the network between pods. Kubernetes uses CNI as an interface between network providers and Kubernetes pod networking.

There exists a wide variety of CNIs (Antrea, Calico, etc.) that can be used in a Kubernetes cluster. For more information on the supported CNIs, please read this article.

Business Challenges with Current K8s Networking Solutions

The top business challenges associated with current CNI solutions can be categorized as follows:

  • Community support lacks predefined SLAs: Enterprises benefit from collaborative engineering and receive the latest innovations from open-source projects. However, it is a challenge for any enterprise to rely solely on community support to run its operations because community support is a best effort and cannot provide a predefined service-level agreement (SLA).
  • Solution fragmentation, incompatibility, and incompleteness: Newer CNI versions may become incompatible with the Kubernetes version in use. Each CNI supports a minimum Kubernetes version, and older versions of Kubernetes are typically not supported.
  • Project viability and loss of contributors: Open-source projects can sometimes languish due to low user adoption or the loss of core contributors. One of the surefire ways to maintain project viability is through widespread user adoption.

What is Project Antrea

Antrea is a Kubernetes-native project that provides networking and security services for a Kubernetes cluster. Antrea uses Open vSwitch as the networking data plane in every Kubernetes node to provide pod-to-pod communication.

Project Antrea has active contributors from Intel, Mellanox/Nvidia, and VMware.

How does VMware Container Networking with Antrea solve these problems?

VMware Container Networking with Antrea provides the assurance of signed images and binaries with full enterprise support by VMware. Because Antrea is designed into the VMware Tanzu portfolio, there already exists an installed user base for VMware Container Networking. It also provides support for the latest conformant Kubernetes and stable releases of Antrea as it closely follows open source and the release cadence of Kubernetes.

Benefits of VMware Container Networking with Antrea

  1. Simplify Kubernetes networking with a unified networking stack across multiple managed Kubernetes providers. Antrea can be used with edge clouds, public clouds, and on-premises clouds.
  2. Antrea accelerates packet processing performance by offloading the network data plane to SmartNICs for execution. Aided by SmartNICs, Antrea provides secure, high-performance networking to support CPU-intensive use cases, such as big data and machine learning.
  3. Encrypt traffic between pods to increase container security despite running untrusted fabrics.
  4. Get comprehensive, enterprise-class support for the most stable releases of Antrea that comply with CNCF specifications.

What is Antrea NetworkPolicy?

By default, all pods in a K8s cluster can communicate with each other. Applying a NetworkPolicy to a given pod isolates it, meaning it can only send traffic to, or receive traffic from, a pod that has been explicitly selected by the policy.

Antrea implements more than just the CNI. Antrea provides NetworkPolicy enforcement that empowers admins to implement fine-grained controls over pod traffic. Kubernetes does have built-in network policies; Antrea enforces those native policies and builds on them with policies of its own. Antrea provides two CRDs for creating network policies:

ClusterNetworkPolicy which, as the name implies, operates at the Kubernetes cluster level. On the other hand, NetworkPolicy limits the scope of a policy to a Kubernetes namespace. A Kubernetes platform administrator can construct a security policy for the cluster as a whole using ClusterNetworkPolicy. A developer can think of the NetworkPolicy as a tool for securing apps in a certain namespace.
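As an added illustration (not from the post), the following manifests show the two Antrea CRDs side by side: a cluster-wide baseline that a platform administrator might apply, and a namespace-scoped policy that an application team might own. Namespace names, labels, tier and priority values are assumptions for the example, and the `crd.antrea.io/v1alpha1` API version depends on the Antrea release in use.

```yaml
# Added example (not from the post): cluster-wide baseline owned by the platform admin.
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: baseline-deny-cross-namespace
spec:
  priority: 100          # lower number = higher precedence within the tier
  tier: baseline         # evaluated after K8s NetworkPolicies, so app teams can override
  appliedTo:
    - namespaceSelector:
        matchLabels:
          env: prod      # assumed namespace label
  ingress:
    - action: Allow      # rules are evaluated in order: prod -> prod stays open
      from:
        - namespaceSelector:
            matchLabels:
              env: prod
    - action: Drop       # everything else from any other namespace is dropped
      from:
        - namespaceSelector: {}
      name: drop-other-namespaces
      enableLogging: true   # dropped flows are logged by the Antrea agent
---
# Namespace-scoped policy owned by the app team: only the frontend may reach the DB on TCP/5432.
apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: db-allow-frontend-only
  namespace: prod
spec:
  priority: 5
  tier: application
  appliedTo:
    - podSelector:
        matchLabels:
          app: db        # assumed pod label
  ingress:
    - action: Allow
      from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 5432
    - action: Drop       # explicit deny for any other ingress to the DB pods
      name: drop-all-other-ingress
      enableLogging: true
```

Applying both shows the division of responsibility the post describes: the baseline drop is cluster-wide and cannot be loosened from within a namespace, while the application rule is scoped to the prod namespace alone.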

How are Antrea and NSX better together?

Since Kubernetes platforms typically lack a graphical user interface, managing network policies can be difficult: there is no central location from which policies can be enforced and managed.

The main challenges can be summarized as follows:

  • Lack of Visibility into Network Traffic: This makes it challenging to tell whether a security policy is being applied or not.
  • Network Policies at Scale: In a large Kubernetes deployment, applications and users grow, and it is a daunting task to create policies for each application. It is also possible for network policies to conflict with each other, causing unexpected behavior.

This is where VMware NSX can add great value in a Kubernetes environment by providing consistent networking and security across VMs and containers.

Antrea can be integrated with NSX. With the help of this integration, the Network and Security Admin will be able to apply security policies to their TKG workloads and have complete insight into those workloads. This integration may offer a stable organizational structure and clear responsibility sharing between the Platform and Infrastructure teams.

VMware NSX provides visibility into K8s resources like Cluster, Namespaces, Pods, and Labels in the NSX UI in addition to managing Network Policies. Additionally, if the FlowExporter option is enabled in the Antrea configuration, you can use Antrea Netflow (IPFIX) to obtain container network observability in vRealize Network Insight and to produce firewall rules in NSX based on the information in vRealize Network Insight.

And that’s it for this post. In the next post, I will discuss a bit more about how Antrea works with NSX and how to enable integration between the two.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.
