{"id":18309446,"url":"https://github.com/electrocucaracha/k8s-networkingdeepdive-demo","last_synced_at":"2025-06-23T14:32:50.366Z","repository":{"id":37050010,"uuid":"331997525","full_name":"electrocucaracha/k8s-NetworkingDeepDive-demo","owner":"electrocucaracha","description":"Didactic project for K8s Networking analysis","archived":false,"fork":false,"pushed_at":"2025-05-27T05:06:38.000Z","size":246,"stargazers_count":9,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-27T06:22:15.951Z","etag":null,"topics":["cni-plugin","ebpf","flannel","ipvs","kubernetes","networking"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/electrocucaracha.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-01-22T16:13:23.000Z","updated_at":"2025-05-27T05:06:41.000Z","dependencies_parsed_at":"2023-02-13T08:15:30.537Z","dependency_job_id":"8e6d5c20-4fd2-4bbf-a1a6-fd8e8f603d4e","html_url":"https://github.com/electrocucaracha/k8s-NetworkingDeepDive-demo","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/electrocucaracha/k8s-NetworkingDeepDive-demo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/electrocucaracha%2Fk8s-NetworkingDeepDive-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/electrocucaracha%2Fk8s-NetworkingDeepDive-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/electrocucaracha%2Fk8s-NetworkingDeepDive-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/electrocucaracha%2Fk8s-NetworkingDeepDive-demo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/electrocucaracha","download_url":"https://codeload.github.com/electrocucaracha/k8s-NetworkingDeepDive-demo/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/electrocucaracha%2Fk8s-NetworkingDeepDive-demo/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261494591,"owners_count":23167162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cni-plugin","ebpf","flannel","ipvs","kubernetes","networking"],"created_at":"2024-11-05T16:11:26.775Z","updated_at":"2025-06-23T14:32:50.343Z","avatar_url":"https://github.com/electrocucaracha.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubernetes Networking deep dive Demo\n\n\u003c!-- markdown-link-check-disable-next-line --\u003e\n\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)\n\n\u003c!-- markdown-link-check-disable-next-line --\u003e\n\n![visitors](https://visitor-badge.laobi.icu/badge?page_id=electrocucaracha.k8s-NetworkingDeepDive-demo)\n\n## Summary\n\nThis project collects instructions to discover, analyze and learn how\nKubernetes connects containers 
in different setups.\n\n### Presentations\n\n- Cloud-Native MX ([slides](https://www.slideshare.net/VictorMorales34/pod-sandbox-workflow-creation-from-dockershim)|[video](https://youtu.be/Gi_IBnyiAgw?t=2613))\n- Comunidad DevOps + Cloud Native Costarica ([slides](https://www.slideshare.net/VictorMorales34/deep-dive-networking))\n- Kubernetes Community Days GT 2021 ([slides](https://www.slideshare.net/VictorMorales34/understanding-kube-proxy-in-ipvs-mode)|[video](https://youtu.be/fT94W7kvdx4))\n- OpenInfra Days Mexico 2022 ([slides](https://www.slideshare.net/VictorMorales34/deciphering-kubernetes-networking)|[video](https://www.youtube.com/watch?v=OuuM0H_5_sI))\n\n## Virtual Machines\n\nThe [Vagrant tool][1] is used for provisioning Ubuntu Focal Virtual\nMachines. It's highly recommended to use the _setup.sh_ script\nof the [bootstrap-vagrant project][2] for installing Vagrant\ndependencies and plugins required for this project. That script\nsupports two Virtualization providers (Libvirt and VirtualBox), which\nare determined by the **PROVIDER** environment variable.\n\n```bash\ncurl -fsSL http://bit.ly/initVagrant | PROVIDER=libvirt bash\n```\n\nOnce Vagrant is installed, it's possible to provision a Virtual\nMachine using the following instructions:\n\n```bash\nvagrant up \u003cpause|ipvs|flannel|bash|ebpf\u003e\n```\n\n## Linux interfaces for virtual networking\n\nLinux has rich virtual networking capabilities that are used as a basis for\nhosting Virtual Machines and containers, as well as cloud environments.\n\n### Bonded interface\n\nThe bonding driver provides a method for aggregating multiple network interfaces\ninto a single logical \"bonded\" interface. 
The behavior of the bonded interface\ndepends on the mode; generally speaking, modes provide either hot standby or\nload balancing services.\n\n```text\n+-----------------------------+\n|            Server           |\n|                             |\n|      +--------------+       |\n|      |     bond0    |       |\n|      +-------+------+       |\n|              |              |\n|      +-------+------+       |\n|      |              |       |\n|   +--+---+       +--+---+   |\n|   | eth0 |       | eth1 |   |\n+---+--+---+-------+--+---+---+\n       |              |\n+======+==============+=======+\n|            switch           |\n+=============================+\n```\n\n```bash\nip link add bond1 type bond miimon 100 mode active-backup\nip link set eth0 master bond1\nip link set eth1 master bond1\n```\n\n### VLAN\n\nA VLAN, aka virtual LAN, separates broadcast domains by adding tags to network\npackets. VLANs allow network administrators to group hosts under the same switch\nor between different switches.\n\n```text\n+---------------------------------+\n|             Server              |\n|                                 |\n|   +--------+       +--------+   |\n|   | eth0.1 |       | eth0.2 |   |\n|   +----+---+       +----+---+   |\n|        |                |       |\n|        +-------+--------+       |\n|                |                |\n|             +--+---+            |\n|             | eth0 |            |\n+-------------+--+---+------------+\n                 |\n+================+================+\n|              switch             |\n+=================================+\n```\n\n```bash\nip link add link eth0 name eth0.1 type vlan id 1\nip link add link eth0 name eth0.2 type vlan id 2\n```\n\n### VXLAN\n\nVXLAN (Virtual eXtensible Local Area Network) is a tunneling protocol designed\nto solve the problem of limited VLAN IDs (4,096) in IEEE 802.1q. 
It is described\nby IETF RFC 7348.\n\n```text\n+------------+        +------------+\n|   Server   |        |   Server   |\n|            |        |            |\n|   +-----+  |        |   +-----+  |\n|   | vx0 |  |        |   | vx0 |  |\n|   +--+--+  |        |   +--+--+  |\n|      |     |        |      |     |\n|   +--+---+ |        |   +--+---+ |\n|   | eth0 | |        |   | eth0 | |\n+---+--+---+-+        +---+--+---+-+\n       |                     |\n+======+=====+        +======+=====+\n|   switch   +--------+   switch   |\n+============+        +============+\n```\n\n```bash\nip link add vx0 type vxlan id 100 local 1.1.1.1 remote 2.2.2.2 dev eth0 dstport 4789\n```\n\n### MACVLAN\n\nWith MACVLAN, you can create multiple interfaces with different Layer 2 (that\nis, Ethernet MAC) addresses on top of a single one.\n\n```bash\nip link add macvlan1 link eth0 type macvlan mode bridge\n```\n\n### IPVLAN\n\nIPVLAN is similar to MACVLAN with the difference being that the endpoints have\nthe same MAC address.\n\n```bash\nip link add ipvl0 link eth0 type ipvlan mode l2\n```\n\n### VETH\n\nThe VETH (virtual Ethernet) device is a local Ethernet tunnel. Devices are\ncreated in pairs, packets transmitted on one device in the pair are immediately\nreceived on the other device. When either device is down, the link state of the\npair is down. 
These 2 devices can be imagined as being connected by a network\ncable; each veth device of a pair can be attached to different virtual entities\nsuch as Open vSwitch bridges, LXC containers or Linux standard bridges.\n\n```bash\nip link add veth0 type veth peer name veth1\n```\n\n### Dummy\n\nA dummy interface is entirely virtual, like the loopback interface, for example.\nThe purpose of a dummy interface is to provide a device to route packets through\nwithout actually transmitting them.\n\n```bash\nip link add dummy1 type dummy\n```\n\n### TUN\n\nA network TUNnel (TUN) device simulates a network layer device and operates at layer 3,\ncarrying IP packets.\n\n### TAP\n\nA virtual \"tap\" device is a single point-to-point device which can be used by a\nprogram in user space or a virtual machine to send Ethernet packets on layer 2\ndirectly to the kernel or receive packets from it. A file descriptor (fd) is\nread/written during such a transmission. KVM/QEMU virtualization uses \"tap\"\ndevices to equip virtualized guest systems with a virtual and configurable\nEthernet interface, which then interacts with the fd. A tap device can on\nthe other side be attached to a virtual Linux bridge; the kernel handles the\npacket transfer as if it occurred over a virtual bridge port.\n\n### Bridge\n\nA bridge behaves like a network switch. It forwards packets between interfaces\nthat are connected to it. It's usually used for forwarding packets on routers,\non gateways, or between VMs and network namespaces on a host. 
It also supports\nSTP, VLAN filter, and multicast snooping.\n\n```text\n+-----------------------------------+\n|              Server               |\n|                                   |\n|   +----------+    +-----------+   |\n|   |    VM1   |    |  netns1   |   |\n|   |          |    |           |   |\n|   | +------+ |    | +-------+ |   |\n|   | | eth0 | |    | | veth0 | |   |\n|   +-+------+-+    +-+-------+-+   |\n|     | tap1 |        | veth1 |     |\n|     +---+--+        +---+---+     |\n|         |               |         |\n|   +-----+---------------+-----+   |\n|   |           br0             |   |\n|   +------------+--------------+   |\n|                |                  |\n|             +--+---+              |\n|             | eth0 |              |\n+-------------+--+---+--------------+\n                 |\n+================+==================+\n|              switch               |\n+===================================+\n```\n\n```bash\nip link add br0 type bridge\nip link set eth0 master br0\nip link set tap1 master br0\nip link set veth1 master br0\n```\n\n#### Aspects and properties\n\n- A \"tap\" device attached to one Linux bridge cannot be attached to another\n  Linux bridge.\n- All attached devices are switched into the promiscuous mode.\n- The bridge itself (not a tap device at a port!) can get an IP address and may\n  work as a standard Ethernet device. The host can communicate via this address\n  with other guests attached to the bridge.\n- You may attach several physical Ethernet devices (without IP !) of the host to\n  a bridge - each as a kind of \"uplink\" to other physical switches/hubs and\n  connected systems. 
With the spanning tree protocol activated, all physical\n  systems attached to the network behind each physical interface may communicate\n  with physical or virtual guests linked to the bridge by other physical\n  interfaces or virtual ports.\n- Properly configured, the bridge transfers packets directly between two specific\n  bridge ports related to the communication stream of 2 attached guests -\n  without exposing the communication to other ports and other guests. The bridge\n  may learn and update the relevant association of MAC addresses to bridge\n  ports.\n- The virtual bridge device itself - in its role as an Ethernet device - does\n  not work in promiscuous mode. However, packets arriving through one of its\n  ports for (yet) unknown addresses may be flooded to all ports.\n- You cannot bridge a Linux bridge directly by or with another Linux bridge (no\n  Linux bridge cascading). You also cannot connect a Linux bridge to another\n  Linux bridge via a \"tap\" device.\n\n## Contribution\n\nThis is an open project; several individuals contribute in different forms such as\ncoding, documenting, testing and spreading the word at events, among others.\n\n![Visualization of the codebase](./codebase-structure.svg)\n\n[1]: https://www.vagrantup.com/\n[2]: https://github.com/electrocucaracha/bootstrap-vagrant\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felectrocucaracha%2Fk8s-networkingdeepdive-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felectrocucaracha%2Fk8s-networkingdeepdive-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felectrocucaracha%2Fk8s-networkingdeepdive-demo/lists"}