Introduce pod-to-pod communication outline for edge docs #1655
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| +++ | ||
| title = "Multi-cluster communication in flat networks" | ||
| description = "Multi-cluster communication using pod-to-pod communication inshared network environments." | ||
mateiidavid marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| aliases = [ "multicluster_support" ] | ||
| +++ | ||
|
|
||
| Linkerd's multi-cluster functionality allows pods to connect to Kubernetes | ||
| services across cluster boundaries in a secure, and fully transparent way. In | ||
| order to be environment agnostic, the multi-cluster extension uses an | ||
| intermediary gateway in each cluster that exports a service to other clusters. | ||
|
|
||
| Environments that can be categorized as having a flat network topology may | ||
| choose to route traffic directly, instead of going through the intermediary | ||
| hop. When clusters use a shared network, pods are able to establish TCP | ||
| connections to each other, and consequently send traffic, without requiring any | ||
| `LoadBalancer`-type services or ingress gateways. Linkerd's security, | ||
| reliability and observability guarantees can be extended to environments that | ||
| use a shared network by sending traffic directly to the pods in a multi-cluster | ||
| setting. | ||
|
|
||
| {{< fig | ||
| alt="An architectural diagram comparing hierarchical network mode with the new flat network mode" | ||
| src="/uploads/2023/07/[email protected]">}} | ||
|
|
||
| Using a direct pod-to-pod communication model has a few advantages over the | ||
| gateway model, all while preserving Linkerd's model of separate failure and | ||
| security domains: | ||
|
|
||
| * Improved latency for cross-cluster calls | ||
| * Improved security, workload identity for mTLS is preserved across clusters | ||
| instead of being overridden with the gateway identity | ||
| * Reduced operational costs by lowering the amount of traffic that has to be | ||
| routed through an ingress gateway | ||
|
|
||
| ## How does it work | ||
|
|
||
| - Kubeconfig generated as part of link | ||
| - Secret, RBAC | ||
| - Controller watches for changes, reads from API server | ||
| - Service can be exported in either mode | ||
|
|
||
| ## Namespace sameness | ||
|
|
||
| - Explanation | ||
| - Link | ||
|
There was a problem hiding this comment. I think it'd be good to introduce both modes from the beginning, so users don't have to wait till way down the doc to discover about the p2p mode. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -51,6 +51,40 @@ networks](/2020/02/17/architecting-for-multicluster-kubernetes/#requirement-i-su | |
| Once these components are installed, Kubernetes `Service` resources that match | ||
| a label selector can be exported to other clusters. | ||
|
|
||
| ## Multi-cluster for flat networks | ||
|
|
||
| Linkerd's multi-cluster extension supports pod-to-pod communication in | ||
| environments that use a shared, flat network. When clusters share the same | ||
| network, pods may establish TCP connections and send traffic to each other | ||
| across cluster boundaries. In such cases, it may be preferred to avoid the | ||
| additional hop represented by the gateway intermediary. | ||
|
|
||
| {{< fig | ||
| alt="An architectural diagram comparing hierarchical network mode with the new flat network mode" | ||
| src="/uploads/2023/07/[email protected]">}} | ||
|
|
||
| Operating the multi-cluster extension in a direct pod-to-pod communication mode | ||
| may provide several advantages over routing traffic through a gateway: | ||
|
|
||
| * Improved latency, by avoiding an additional network hop | ||
| * Reduced operational costs that stem from maintaing a `LoadBalancer`-type | ||
| service for the gateway | ||
| * Finer grained multi-cluster authorization policies, cryptographic identity | ||
| can be preserved across cluster boundaries, allowing for more expressive | ||
| policies | ||
|
|
||
| Direct pod-to-pod communication does not replace gateways, as a matter of fact, | ||
| the two are not mutually exclusive. Routing configuration is expressed at the | ||
| `Service` resource level. A label selector is used to export services to other | ||
| clusters; the same label selector is shared by the two modes. Services that | ||
| want to benefit from direct pod-to-pod routing can be exported with a | ||
| `remote-discovery` mode, while services whose traffic should go through the | ||
| gateway can continue to use the default label value. | ||
|
|
||
| To read more about pod-to-pod communication, you can follow the [getting | ||
| started with flat networks in multi-cluster](<placeholder>) guide, or consult | ||
| the [multi-cluster reference page](../flat-network-multicluster). | ||
|
|
||
| ## Headless services | ||
|
|
||
| [headless-svc]: https://kubernetes.io/docs/concepts/services-networking/service/#headless-services | ||
|
|
@@ -95,6 +129,8 @@ guide](../../tasks/multicluster/) for a walkthrough. | |
| ## Further reading | ||
|
|
||
| * [Multi-cluster installation instructions](../../tasks/installing-multicluster/). | ||
| * [Multi-cluster communication in flat networks](../flat-network-multicluster) | ||
| * [Getting started with multi-cluster in flat networks](<placeholder-for-getting-started>) | ||
| * [Multi-cluster communication with StatefulSets](../../tasks/multicluster-using-statefulsets/). | ||
| * [Architecting for multi-cluster | ||
| Kubernetes](/2020/02/17/architecting-for-multicluster-kubernetes/), a blog | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just looking at this from the outside, it feels like this separate feature doc shouldn't exist, and any additional content should be rolled into the existing multicluster feature doc.