In distributed environments, the network is part of the application. The native container networking constructs available in Docker and Kubernetes allow organizations to start their containerization journey with relative ease. However, it is easy for organizations to miss the added value of a container networking solution and use only the primitives to set up the pipes.
Relying only on basic network capabilities means that, without enterprise-grade mechanisms for scaling, the network will eventually become a bottleneck. The good news is that developers and network engineers are not bound by the native networking constructs that come with Docker and Kubernetes.
Container networks innately solve challenges that go beyond connectivity.
- First, they are a basis for container security, managing segmentation, filtering, access controls, intrusion detection, and more.
- Second, for distributed applications, container networks provide a foundation for application performance by offering load balancing, observability, diagnostics, and troubleshooting.
- Third, they support application development by enabling multi-cluster, multi-cloud, and edge connectivity.
In this article, we explore currently available container networking solutions. These can be broadly categorized as open source, open source with an enterprise blueprint, and commercial solutions. To understand the similarities and differences between these three categories, we need to understand some basic technical features.
Container Network Interfaces and Ingress Controllers
While Kubernetes provides DNS and pod networking natively, it does not provide a network interface system by default; this functionality is provided by network plugins. These plugins are container network interfaces (CNIs) and ingress controllers. A CNI provides essential Layer 2-3 constructs, plus additional low-level features such as network policy enforcement, load balancing, network encryption, and integration with network infrastructure for multi-host, multi-cluster networks. Ingress controllers are responsible for serving incoming requests (north-south traffic), typically with a load balancer, although they may also configure additional front-end or border routers to help handle the traffic.
CNIs are a good benchmark for understanding the basic capabilities of a container network solution. Most CNIs are open source, and most enterprise-grade solutions take advantage of open source CNIs to build more advanced capabilities. As such, we note the following:
- Enterprise versions of open source container networking solutions are maintained by the original developers of the open source software.
- Commercial solutions also take advantage of open source software to build their products.
- Commercial solutions may also develop closed source CNIs and additional services.
Open Source Solutions
Open source networking solutions for container-based systems like Kubernetes provide different features and CNI implementations, which allow containers to connect to each other and to the wider network. These tools handle various aspects of networks, including but not limited to IP addressing, routing, load balancing, network policy enforcement, and service discovery.
Some of the most popular open source solutions available today include:
- Cilium: an open source project that provides networking, security, and observability for cloud-native environments such as Kubernetes clusters and other container orchestration platforms. At the core of Cilium is a new Linux kernel technology called eBPF, which enables powerful network security, visibility, and control logic to be inserted dynamically into the Linux kernel.
- Project Calico: Calico Open Source is a network and security solution for containers, virtual machines, and native host-based workloads. It supports a wide range of platforms, including Kubernetes, OpenShift, Docker EE, OpenStack, and bare metal services. Calico can use either an eBPF data plane or the Windows data plane.
- Weave Net: a cloud-native networking toolkit that creates a virtual network to connect Docker containers on multiple hosts and enables their automatic discovery.
- Antrea: a Kubernetes-native project that implements CNI and Kubernetes NetworkPolicy for network connectivity and pod workload security. Antrea extends the benefit of Open vSwitch (OVS) programmable networking to Kubernetes.
As with all open source software, these are free to use, which makes them the cheapest option available in terms of initial investment. However, additional development and upskilling of employees can quickly erode the advantage of zero start-up costs.
Open Source Enterprise Versions
Some open source software developers, notably Isovalent for Cilium and Tigera for Project Calico, also offer enterprise-level versions of their solutions.
- Isovalent Enterprise for Cilium: offers additional capabilities such as zero-trust network policies, load balancing, multi-cluster connectivity and automation, segment routing, and automatic policy creation based on network traffic. Isovalent Enterprise for Cilium has been thoroughly tested and comes with 24/7 support from the eBPF and Cilium developers.
- Calico Enterprise: the commercial product and extension of Calico Open Source. It provides the same secure application connectivity across legacy and multi-cloud environments as Calico, but adds enterprise governance and compliance capabilities for mission-critical deployments. It offers the Calico CNI network plugin, the Calico CNI IP address management plugin, overlay network modes, non-overlay network modes, and network policy enforcement.
Going for an enterprise version means getting support directly from the people who know the software best. They are more likely to understand the nuances and edge cases that may arise, leading to faster and more effective troubleshooting. Updates to enterprise features and the open source version are generally in sync, so any advances in open source quickly find their way into the enterprise version as well.
Commercial Solutions
Network engineers will see familiar names in the container networking space. It’s worth noting that some of these providers have container networking capabilities available within a broader solution.
- Arista CloudEOS and CloudVision: the software provides a consistent operating model for CNIs of container networks, on-premises private cloud, public cloud infrastructures, and bare metal environments. Some benefits of CloudEOS for Kubernetes include network operator visibility into what is happening in the container network environment, real-time analytics for the container network infrastructure, and correlation between the physical network infrastructure, virtual machine hosts, and containerized workloads.
- Juniper Contrail Networking: supported as a CNI in Kubernetes environments. Contrail integrated with Kubernetes adds additional network functionality, including multi-tenancy, network isolation, micro-segmentation with network policies, load balancing, and more.
- Cisco Intersight Kubernetes Service (IKS) is a lightweight container management platform for delivering multi-cloud, production-grade upstream Kubernetes. It simplifies the process of provisioning, securing, scaling, and managing virtualized Kubernetes clusters by providing end-to-end automation, including network integration, load balancers, native dashboards, and storage provider interfaces.
- Cisco Application Centric Infrastructure (ACI) CNI Add-on provides IP address management for pods and services, distributed routing and switching, and distributed firewalling to enforce network policies.
- VMware Container Networking with Antrea offers users signed images, binaries, and full support for Project Antrea. Container Networking with Antrea is built on Tanzu Kubernetes Grid (TKG) on vSphere and clouds, and Tanzu Kubernetes Grid Service to run on vSphere with Tanzu. Any customer with a valid license for VMware NSX-T Advanced and higher can automatically get support for VMware Container Networking with Antrea at no additional charge.
- F5 BIG-IP Container Ingress Services (CIS) integrates with container orchestration environments to dynamically create L4/L7 services on F5 BIG-IP systems and load balance network traffic across all services. By monitoring the orchestration API server, CIS can modify the BIG-IP system configuration based on changes made to containerized applications.
Compared to the enterprise versions offered by open source software developers, commercial solutions have a number of benefits, such as vendor ownership, standardized management, and broader product portfolios. If an organization already has an existing implementation from one of the providers described above, adopting that provider's container networking solution can be as simple as flipping a switch.
Final Thoughts
There is a wide range of solutions available on the market. But to truly realize the benefits of a solution, it’s important to rethink the strategy for container networks, moving from a necessary set of pain points to an enabler of secure and robust containerized applications.