Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/cloudfoundry/cf-k8s-networking

building a cloud foundry without gorouter....
https://github.com/cloudfoundry/cf-k8s-networking

cloudfoundry eirini golang istio kubernetes kubernetes-controller metacontroller networking routing service-mesh

Last synced: 3 months ago
JSON representation

building a cloud foundry without gorouter....

Awesome Lists containing this project

README

        

cf-k8s-networking
---
Routing and networking for Cloud Foundry running on Kubernetes.

## Deploying

CF-K8s-Networking is a component of CF-for-K8s. To deploy CF-for-K8s reference
the following documentation:

* [Deploy Cloud Foundry on
Kubernetes](https://github.com/cloudfoundry/cf-for-k8s/blob/master/docs/deploy.md)
* [Deploy Cloud Foundry
Locally](https://github.com/cloudfoundry/cf-for-k8s/blob/6e4ba5cc0514481a0675ea83731449c752b1dcad/docs/deploy-local.md)

## Architecture

![Architecture Diagram of
CF-K8s-Networking](doc/assets/routecontroller-data-flow-diagram.png)

* **RouteController:** Watches the Kubernetes API for Route CRs and translates
the Route CRs into Istio Virtual Service CRs and Kubernetes Services
accordingly to enable routing to applications deployed by Cloud Foundry.

* **Istio:** CF-K8s-Networking currently depends on [Istio](https://istio.io/).
* Istio serves as both our gateway router for ingress networking, replacing
the role of the Gorouters in CF for VMs, and service mesh for (eventually)
container-to-container networking policy enforcement.
* We provide a manifest for installing our custom configuration for Istio,
[here](https://github.com/cloudfoundry/cf-for-k8s/blob/master/config/istio/istio-generated/xxx-generated-istio.yaml).
* Istio provides us with security features out of the box, such as:
* Automatic Envoy sidecar injection for system components and application workloads
* `Sidecar` Kubernetes resources that can limit egress traffic from workload `Pod`s
* Transparent mutual TLS (mTLS) everywhere
* (Eventually) app identity certificates using [SPIFFE](https://spiffe.io/) issued by Istio Citadel
* Istio should be treated as an "implementation detail" of the platform and
our reliance on it is subject to change
* Istio config is located in [cf-for-k8s](https://github.com/cloudfoundry/cf-for-k8s) and it's managed by the cf-k8s-networking team.

## Contributing
For information about how to contribute, develop against our codebase, and run
our various test suites, check out our [Contributing guidelines](CONTRIBUTING.md).