Cilium CNI Plugins for Kubernetes Cluster Networking

Introduction:
Traditional routing protocols do not fully fit the needs regarding flexibility and scalability of telecommunication providers. More modern and flexible cloud approaches replace legacy technologies. In recent years, providers have struggled to scale private networking connections within their networks. Cloud deployed applications drive the need for flexible and custom routing capabilities.
Software engineers should not have to worry about networking. While deploying applications on the network’s edge, only the network to run it on should be specified. The network connecting to the customer should automatically be configured in the background, enabling a private connection.
Cilium – a container network interface for Kubernetes – offers many abstraction abilities, including Segment Routing over IPv6 (SRv6). Using SRv6, network packets may be sent along a predefined and the most suitable path. As example, VOIP packets would be sent along segments allowing low latency. In addition, SRv6 provides an abstraction of per-tenant virtual networks allowing VPN networking.
This thesis aimed to prove if such an approach works with SRv6 and Cilium.

Approach / Technology:
An IPv6 network infrastructure simulating a provider network was set up. Multiple provider edge and multiple customer edge routers connect backbone data centers and customers’ Kubernetes environments.L3VPN connections were entirely based on SRv6, allowing multi-VRF environments.Multiple Kubernetes clusters running Cilium with SRv6 were placed in the network as provider edge. A VRF connecting pods on a provider edge cluster linking the customer network attached to the customer edge interface was provided using L3VPN. Another BGP-only scenario was implemented with a customer Kubernetes cluster routing data to another customer site network via L3VPN running on the ISP’s network.

Result:
The pods’ network was successfully routed via L3VPN from a customer Kubernetes environment to a customer router proving the functionality of the customer edge scenario.The provider edge scenario with Cilium SRv6 was not functional during the project. The reason for the not fully functional scenario is a not fully operational software.
The entire concept should be considered by telcos and enterprises running Kubernetes clusters, as they can segment and separate their cloud applications from different networks. This approach allows heavy decoupling between software engineering and providing secure as well as private networks for applications.