Continuing from the previous article, "Virtual Cloud Network Series | Introduction to Antrea's Application to VMware Solution Functions (1)", in this post I would like to briefly discuss why Antrea is the main Container Network Interface (CNI) supported by VMware, what its related components are, and how it differs from competing solutions. In recent years, with the development of Kubernetes, Container Network Interface projects have blossomed, from the early Flannel / Weave / OVN to today's mainstream Calico / Cilium; VMware's own NSBU also developed NCP (NSX Container Platform), and each has its strengths. At present, VMware/Tanzu mainly adopts Antrea for commercial support. What are the advantages of Antrea? Here is a simple explanation.
First, let's take a look at the architecture of Antrea, and discuss several key points:
1. Antrea uses Open vSwitch as the core network component
In the architecture diagram above, you can see a large OVS (Open vSwitch) label on each Kubernetes Node. This is the main difference between Antrea and other solutions: Antrea uses Open vSwitch as its underlying core component. Open vSwitch is a long-established, stable and programmable open source solution with the following characteristics:
- The solution is mature. Open vSwitch was fully commercialized as early as Nicira, the predecessor of NSX, and is now a built-in module of the Linux kernel.
- As the core component of open source SDN (Software Defined Networking), developers can easily use Open vSwitch (via OVSDB / OpenFlow) to enable the variety of security and network functions enterprises require, going far beyond what the native Kubernetes foundation defines.
- It runs on both Linux and Windows operating systems, so it is fully portable. When customers want to deploy Kubernetes clusters on different public and private clouds and different operating systems, Antrea can easily support them.
2. Antrea has a controller/agent control-plane and forwarding-plane design
Also in the picture above, you can see an Antrea Agent on each Kubernetes Node. The main job of the Antrea Agent is to receive instructions from the Kubernetes API Server and the Antrea Controller, translate the related network and security requirements, and then implement them through the local OVS: for example, connecting Pods across nodes through Geneve tunnels, enforcing each Pod's own Network Policy, and so on.
In addition, since an important function of Antrea is to perform advanced security control between Pods, a component is required to:
- Collect the status of Pods/Namespaces/Services through the Kubernetes API.
- Provide an API for external systems to call when configuring advanced security policies.
- Distribute the advanced security policy to the Antrea Agents on the Kubernetes Nodes that need it, so that each Agent can program its local OVS to enforce the policy.
Therefore, when Antrea is deployed, in addition to the Antrea Agent on each K8S node, a Controller Pod is also installed on the Master Node. The figure below shows a Kubernetes cluster with one Master Node and three Worker Nodes that I built in the lab. After Antrea is installed, each Node has an Antrea Agent (four in total), plus one antrea-controller Pod, which is responsible for the advanced security control and the external system interfaces discussed above.
If you are interested in the detailed relationships between the Antrea and Kubernetes components, refer to the following picture, which shows the complete relationships between each Antrea component, each Kubernetes component, and even external systems:
That is a brief overview of the architecture. If you want to know more about the details, you can refer to the following articles:
In this post on the architecture, I mainly want to emphasize the following points:
- By adopting Open vSwitch's mature technology as its core, Antrea can easily run across operating systems and can even be brought up quickly on different public and private cloud platforms.
- At the same time, thanks to the extensive experience accumulated in Open vSwitch, the Antrea project can quickly apply the functions Open vSwitch already supports, respond to enterprise needs, and realize new functions through existing Open vSwitch mechanisms in a short time.
- With the Antrea Controller design, it is possible to implement a far more complex security policy mechanism than the traditional Network Policy, while easily allowing external systems (such as NSX, which we will discuss later, or the well-known open source maintenance tool Octant) to configure policies and look up information.
Although the different Container Network Interface solutions each have their own advantages and disadvantages, Antrea, with the characteristics mentioned above (mature components, complete functions, easy development, and easy integration with external systems), has become VMware's first choice for supporting container solutions. In particular, VMware itself has invested a large development team and related experience in maintaining the Open vSwitch open source project, so it is natural for it to continue the development and maintenance of Antrea.
That's it for now; in the next article I will discuss with you how to install Antrea.
Content source | Public account: VMware China R&D Center
About the author: Colin Jao (Rao Kangli), a senior technical consultant at VMware, is mainly responsible for the VMware NSX product line and is currently committed to the introduction and promotion of network virtualization, distributed security protection technology and new application delivery solutions.