Network Traffic
Network traffic refers to the data flowing across the network. In the context of this document, it is useful to think of network traffic from two perspectives: traffic based on direction and traffic related to component types, system or applications. Traffic direction is either north-south traffic, which enters and leaves the cluster, or east-west traffic, which stays within the cluster.
First is a description of getting traffic into the cluster, then how traffic flows after it is in the cluster.
Ingress
Ingress is an overloaded term, so it needs to be understood in context. Sometimes the term means external access into the cluster, as in “ingress to the cluster.” The term also refers to the Kubernetes Ingress resource. In addition, it might be used to mean network ingress to a container in a Pod. Here, it’s used to refer to both general ingress into the cluster and the Kubernetes Ingress resource.
During installation, Verrazzano creates the necessary network resources to access both system components and applications. The following ingress and load balancers description is in the context of a Verrazzano installation.
LoadBalancer Services
To reach Pods from outside a cluster, an external IP address must be exposed using a LoadBalancer or NodePort service. Verrazzano creates two LoadBalancer services, one for system component traffic and another for application traffic. The specifics of how the service gets traffic into the cluster depends on the underlying Kubernetes platform. With Oracle OKE, creating a LoadBalancer type service will result in an Oracle Cloud Infrastructure load balancer being created and configured to load balance to a set of Pods.
Ingress for system components
To provide ingress to system components, Verrazzano installs a NGINX Ingress Controller, which includes a NGINX load balancer. Verrazzano also creates Kubernetes Ingress resources to configure ingress for each system component that requires ingress. An Ingress resource is used is to specify HTTP/HTTPS routes to Kubernetes services, along with an endpoint hostname and a TLS certificate. An Ingress by itself doesn’t do anything; it is just a resource. An ingress controller is needed to watch Ingress resources and reconcile them, configuring the underlying Kubernetes load balancer to handle the service routing. The NGINX Ingress Controller processes Ingress resources and configures NGINX with the ingress route information, and such.
The NGINX Ingress Controller is a LoadBalancer service, as seen here:
$ kubectl get service -n ingress-nginx
# Sample output
ingress-controller-ingress-nginx-controller LoadBalancer
Using the OKE example, traffic entering the Oracle Cloud Infrastructure load balancer is routed to the NGINX load balancer, then routed from there to the Pods belonging to the services described in the Ingress.
Ingress for applications
Verrazzano also provides ingress into applications, but uses an Istio ingress gateway, which is an Envoy proxy, instead of NGINX. Istio has a Gateway resource that provides load balancer information, such as hosts, ports, and certificates for traffic coming into the mesh. For more information, see Istio Gateway. Just as an Ingress needs a corresponding Ingress controller, the same is true for the Gateway resource, where there is a corresponding Istio ingress gateway controller. However, unlike the Ingress, the Gateway resource doesn’t have service routing information. That is handled by the Istio VirtualService resource. The combination of Gateway and VirtualService is basically a superset of Ingress, because the combination provides more features than Ingress. In summary, the Istio ingress gateway provides ingress to the cluster using information from both the Gateway and VirtualService resources.
Because Verrazzano doesn’t create any applications during installations, there is no need to create a Gateway and VirtualService at that time. However, during installation, Verrazzano does create the Istio ingress gateway, which is a LoadBalancer service, along with the Istio egress gateway, which is a ClusterIP service.
$ kubectl get service -n istio-system
# Sample output
istio-ingressgateway LoadBalancer
Again, referring to the OKE use case, this means that there will another Oracle Cloud Infrastructure load balancer created, routing traffic to the Istio ingress gateway Pod, for example, the Envoy proxy.
External DNS
When you install Verrazzano, you can optionally specify an external DNS for your domain. If you do that, Verrazzano will not only create the DNS records, using ExternalDNS, but also it will configure your host name in the Ingress resources. You can then use that host name to access the system components through the NGINX Ingress Controller.
System traffic
System traffic includes all traffic that enters and leaves system Pods.
North-south system traffic
North-south traffic includes all system traffic that enters or leaves a Kubernetes cluster.
Ingress
The following lists the Verrazzano system components which are accessed through the NGINX Ingress Controller from a client external to the cluster:
- OpenSearch
- Keycloak
- OpenSearch Dashboards
- Grafana
- Prometheus
- Rancher
- Verrazzano Console
- Verrazzano API
Egress
The following table shows Verrazzano system components that initiate requests to a destination outside the cluster.
Component | Destination | Description |
---|---|---|
cert-manager | Let’s Encrypt | Get signed certificate. |
ExternalDNS | External DNS | Create and delete DNS entries in an external DNS. |
Fluentd | OpenSearch | Fluentd on the managed cluster calls OpenSearch on the admin cluster. |
Prometheus | Prometheus | Prometheus on the admin cluster scrapes metrics from Prometheus on the managed cluster. |
Rancher Agent | Rancher | Rancher agent on the managed cluster sends requests to Rancher on the admin cluster. |
Verrazzano Authentication Proxy | Keycloak | Calls Keycloak for authentication, which includes redirects. |
Verrazzano Platform Operator | Kubernetes API server | Multicluster agent on the managed cluster calls API server on the admin cluster. |
East-west system traffic
The following tables show Verrazzano system components that send traffic to a destination inside the cluster, with the following exceptions:
- Usage of CoreDNS: It can be assumed that any Pod in the cluster can access CoreDNS for name resolution.
- Envoy to Istiod: The Envoy proxies all make requests to the Istio control plane to get dynamic configuration, and such. This includes both the gateways and the mesh sidecar proxies. That traffic is not shown.
- Traffic within a component is not shown, for example, traffic between OpenSearch Pods.
- Prometheus scraping traffic is shown in the second table.
Component | Destination | Description |
---|---|---|
cert-manager | Kubernetes API server | Perform CRUD operations on Kubernetes resources. |
Fluentd | OpenSearch | Fluentd sends data to OpenSearch. |
Grafana | Prometheus | UI for Prometheus data. |
OpenSearch Dashboards | OpenSearch | UI for OpenSearch. |
NGINX Ingress Controller | Kubernetes API server | Perform CRUD operations on Kubernetes resources. |
Istio | Kubernetes API server | Perform CRUD operations on Kubernetes resources. |
Rancher | Kubernetes API server | Perform CRUD operations on Kubernetes resources. |
Verrazzano Authentication Proxy | Keycloak | Calls Keycloak for token authentication. |
Verrazzano Authentication Proxy | VMI components | Access UIs for OpenSearch Dashboards, Grafana, and such. |
Verrazzano Authentication Proxy | Kubernetes API server | Perform CRUD operations on Kubernetes resources. |
Verrazzano Application Operator | Kubernetes API server | Perform CRUD operations on Kubernetes resources. |
Verrazzano Monitoring Operator | Kubernetes API server | Perform CRUD operations on Kubernetes resources. |
Verrazzano Operator | Kubernetes API server | Perform CRUD operations on Kubernetes resources. |
Verrazzano Platform Operator | Kubernetes API server | Perform CRUD operations on Kubernetes resources. |
Verrazzano Platform Operator | Rancher | Register the managed cluster with Rancher. |
Prometheus scraping traffic
This table shows Prometheus traffic for each system component scrape target.
Target | Description |
---|---|
cadvisor | Kubernetes metrics. |
OpenSearch | Envoy metrics. |
Grafana | Envoy metrics. |
Istiod | Istio control plane metrics. |
Istiod | Envoy metrics. |
Istio egress gateway | Envoy metrics. |
Istio ingress gateway | Envoy metrics. |
Keycloak | Envoy metrics. |
OpenSearch Dashboards | Envoy metrics. |
MySQL | Envoy metrics. |
NGINX Ingress Controller | Envoy metrics. |
NGINX Ingress Controller | NGINX metrics. |
NGINX default back end | Envoy metrics. |
Node exporter | Node metrics. |
Prometheus | Envoy metrics. |
Prometheus | Prometheus metrics. |
Verrazzano Console | Envoy metrics. |
Verrazzano API | Envoy metrics. |
WebLogic operator | Envoy metrics. |
Webhooks
Several of the system components are controllers, and some of those have webhooks. Webhooks are called by the Kubernetes API server on a component HTTPS port to validate or mutate API payloads before they reach the API server.
The following components use webhooks:
- cert-manager
- Coherence Operator
- Istio
- Rancher
- Verrazzano Application Operator
- Verrazzano Platform Operator
Application traffic
Application traffic includes all traffic to and from Verrazzano applications.
North-south application traffic
After Verrazzano is installed, you can deploy applications into the Istio mesh. When doing so, you will likely need ingress into the application. As previously mentioned, this can be done with Istio using the Gateway and VirtualService resources. Verrazzano will create those resources for you when you use an IngressTrait in your ApplicationConfiguration. The Istio ingress gateway created during installation will be shared by all applications in the mesh, and the Gateway resource is bound to the Istio ingress gateway that was created during installation. This is done by the selector field in the Gateway:
selector:
istio: ingressgateway
Verrazzano creates a Gateway/VirtualService pair for each IngressTrait. Following is an example of those two resources created by Verrazzano.
Here is the Gateway; in this case both the host name and certificate were generated by Verrazzano.
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
...
name: hello-helidon-hello-helidon-appconf-gw
namespace: hello-helidon
...
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- hello-helidon-appconf.hello-helidon.1.2.3.4.nip.io
port:
name: HTTPS
number: 443
protocol: HTTPS
tls:
credentialName: hello-helidon-hello-helidon-appconf-cert-secret
mode: SIMPLE
Here is the VirtualService; notice that it refers back to the Gateway and that it contains the service routing information.
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
...
name: hello-helidon-ingress-rule-0-vs
namespace: hello-helidon
spec:
gateways:
- hello-helidon-hello-helidon-appconf-gw
hosts:
- hello-helidon-appconf.hello-helidon.1.2.3.4.nip.io
HTTP:
- match:
- uri:
prefix: /greet
route:
- destination:
host: hello-helidon
port:
number: 8080
East-west application traffic
To manage east-west traffic, each service in the mesh should be routed using a VirtualService and an optional
DestinationRule. You can still send east-west traffic without either of these resources, but you won’t get any custom
routing or load balancing. Verrazzano doesn’t configure east-west traffic. Consider bobbys-front-end
in the Bob’s Books example at
bobs-books-comp.yaml.
When deploying Bob’s Books, a VirtualService is created for bobbys-front-end
, because of the IngressTrait, but there are
no VirtualServices for the other services in the application. When bobbys-front-end
sends requests to
bobbys-helidon-stock-application
, this east-west traffic still goes to bobbys-helidon-stock-application
through
the Envoy sidecar proxies in the source and destination Pods, but there is no VirtualService representing
bobbys-helidon-stock-application
, where you could specify a canary deployment or custom load balancing. This
is something you could configure manually, but it is not configured by Verrazzano.
Proxies
Verrazzano uses network proxies in multiple places. The two proxy products are Envoy and NGINX. The following table shows which proxies are used and in which Pod they run.
Usage | Proxy | Pod | Namespace | Description |
---|---|---|---|---|
System ingress | NGINX | ingress-controller-ingress-nginx-controller-* |
ingress-nginx |
Provides external access to Verrazzano system components. |
Verrazzano authentication proxy | NGINX | verrazzano-authproxy-* |
verrazzano-system |
Verrazzano authentication proxy server for Kubernetes API and SSO. |
Application ingress | Envoy | istio-ingressgateway-* |
istio-system |
Provides external access to Verrazzano applications. |
Application egress | Envoy | istio-egressgateway-* |
istio-system |
Provides control of application egress traffic. |
Istio mesh sidecar | Envoy | ingress-controller-ingress-nginx-controller-* |
ingress-nginx |
NGINX Ingress Controller in the Istio mesh. |
Istio mesh sidecar | Envoy | ingress-controller-ingress-nginx-defaultbackend-* |
ingress-nginx |
NGINX default backend in the Istio mesh. |
Istio mesh sidecar | Envoy | fluentd-* |
verrazzano-system |
Fluentd in the Istio mesh. |
Istio mesh sidecar | Envoy | keycloak-* |
keycloak |
Keycloak in the Istio mesh. |
Istio mesh sidecar | Envoy | mysql-* |
keycloak |
MySQL used by Keycloak in the Istio mesh. |
Istio mesh sidecar | Envoy | verrazzano-api-* |
verrazzano-system |
Verrazzano API in the Istio mesh. |
Istio mesh sidecar | Envoy | verrazzano-console-* |
verrazzano-system |
Verrazzano Console in the Istio mesh. |
Istio mesh sidecar | Envoy | vmi-system-es-master-* |
verrazzano-system |
OpenSearch in the Istio mesh. |
Istio mesh sidecar | Envoy | vmi-system-es-data-* |
verrazzano-system |
OpenSearch in the Istio mesh. |
Istio mesh sidecar | Envoy | vmi-system-es-ingest-* |
verrazzano-system |
OpenSearch in the Istio mesh. |
Istio mesh sidecar | Envoy | vmi-system-kibana-* |
verrazzano-system |
OpenSearch Dashboards in the Istio mesh. |
Istio mesh sidecar | Envoy | vmi-system-prometheus-* |
verrazzano-system |
Prometheus in the Istio mesh. |
Istio mesh sidecar | Envoy | vmi-system-grafana-* |
verrazzano-system |
Grafana in the Istio mesh. |
Istio mesh sidecar | Envoy | weblogic-operator-* |
verrazzano-system |
WebLogic operator in the Istio mesh. |
Multicluster
Some Verrazzano components send traffic between Kubernetes clusters. Those components are the Verrazzano agent, Verrazzano authentication proxy, and Prometheus.
Multicluster egress
The following table shows Verrazzano system components that initiate requests between the admin and managed clusters. All of these requests go through the NGINX Ingress Controller on the respective destination cluster.
Source Cluster | Source Component | Destination Cluster | Destination Component | Description |
---|---|---|---|---|
Admin | Prometheus | Managed | Prometheus | Scape metrics on managed clusters. |
Admin | Verrazzano Console | Managed | Verrazzano Authentication Proxy | Admin cluster proxy sends Kubernetes API requests to managed cluster proxy. |
Managed | Fluentd | Admin | OpenSearch | Fluentd sends logs to OpenSearch. |
Managed | Rancher Agent | Admin | Rancher | Rancher Agent sends requests Rancher. |
Managed | Verrazzano Authentication Proxy | Admin | Keycloak | Proxy sends requests to Keycloak. |
Managed | Verrazzano Agent | Admin | Kubernetes API server | Agent, in the platform operator, sends requests Kubernetes API server. |
Verrazzano agent
In the multicluster topology, the Verrazzano platform operator has an agent thread running on the managed cluster that sends requests to the Kubernetes API server on the admin cluster. The URL for the admin cluster Kubernetes API server is registered on the managed cluster by the user.
Verrazzano authentication proxy
In a multicluster topology, the Verrazzano authentication proxy runs on both the admin and managed clusters.
On the admin cluster, the authentication proxy connects to in-cluster Keycloak, using the Keycloak Service.
On the managed cluster, the authentication proxy connects to Keycloak on the admin cluster through the NGINX Ingress
Controller running on the admin cluster.
For SSO, the authentication proxy also needs to send requests to Keycloak, either in-cluster or through the cluster ingress. When a request comes into the authentication proxy without an authentication header, the proxy sends a request to Keycloak through the NGINX Ingress Controller, so the request exits the cluster. Otherwise, if the authentication proxy is on the admin cluster, then the request is sent directly to Keycloak within the cluster. If the authentication proxy is on the managed cluster, then it must send requests to Keycloak on the admin cluster.
Prometheus
A single Prometheus service in the cluster, scrapes metrics from Pods in system components and applications. It also scrapes Pods in the Istio mesh using HTTPS, and outside the mesh using HTTP. In the multicluster case, the Prometheus on the admin cluster, scrapes metrics from Prometheus on the managed cluster, through the NGINX Ingress Controller on the managed cluster.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.