Networking

Managing networking in your Kubernetes cluster

This content is associated with a legacy version of the Replicated product. For the current Replicated product documentation, see docs.replicated.com.

Replicated uses Weave to assign IP addresses to pods and connect them across multiple hosts. Weave runs as a DaemonSet in the kube-system namespace and includes a controller to support Network Policy resource types.

Encryption

By default, Replicated configures Weave to encrypt all traffic between hosts in your cluster. As a performance optimization on a trusted network, you can disable this behavior by passing the encrypt-network=0 parameter to the kubernetes-init install script:

curl -sSL https://get.replicated.com/kubernetes-init | sudo bash -s encrypt-network=0

If Weave cannot establish an IPsec tunnel using the ESP protocol, encrypted traffic may instead be routed through a slower tunnel known as sleeve. This happens on kernel versions below Linux 4.2 or when a firewall rule blocks ESP packets.

Troubleshooting

You can determine whether Weave is making encrypted connections between hosts by running the weave status command in a Weave pod.

WEAVE_POD=$(kubectl -n kube-system get pods | grep weave-net | awk '{ print $1 }' | head -1)
kubectl -n kube-system exec $WEAVE_POD -c weave -- /home/weave/weave --local status

You can use the weave status connections command to determine whether connections between hosts are using sleeve or the fast datapath.

WEAVE_POD=$(kubectl -n kube-system get pods | grep weave-net | awk '{ print $1 }' | head -1)
kubectl -n kube-system exec $WEAVE_POD -c weave -- /home/weave/weave --local status connections
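As an added example that is not part of the original page, the following POSIX shell snippet classifies the output of weave status connections and counts the established connections that are either unencrypted or running over the slow sleeve path. The sample lines and the assumed column layout ("established [encrypted] fastdp|sleeve ...") are constructed for illustration; check them against the output of your own Weave version.

```shell
# Constructed sample of `weave status connections` output (assumed layout, not real cluster data).
SAMPLE_CONNECTIONS='-> 10.128.0.11:6783   established encrypted fastdp 7a:2b:1c:d4:e5:f6(node-b) mtu=1376
<- 10.128.0.12:6783   established encrypted sleeve 3e:4f:5a:6b:7c:8d(node-c)
-> 10.128.0.13:6783   established fastdp ee:ff:00:11:22:33(node-d) mtu=1376
-> 10.128.0.14:6783   failed      cannot connect to peer, retry: 10s'

# Read connection lines on stdin and print one line per established connection:
#   "<peer> <encrypted|PLAINTEXT> <fastdp|sleeve|unknown>"
# Failed or pending connections are skipped.
classify_connections() {
    awk '$3 == "established" {
        enc = "PLAINTEXT"; path = "unknown"
        for (i = 4; i <= NF; i++) {
            if ($i == "encrypted") enc = "encrypted"
            else if ($i == "fastdp" || $i == "sleeve") path = $i
        }
        print $2, enc, path
    }'
}

# Count established connections that are degraded: no encryption, or sleeve instead of fastdp.
# A non-zero result is what you would alert on after disabling encryption or opening ESP in a firewall.
count_degraded() {
    classify_connections | awk '$2 == "PLAINTEXT" || $3 == "sleeve" { n++ } END { print n + 0 }'
}

# Offline demonstration against the constructed sample (prints 2: one sleeve, one plaintext).
printf '%s\n' "$SAMPLE_CONNECTIONS" | count_degraded
```

Against a live cluster, pipe the second kubectl exec command above into count_degraded instead of the sample.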

NodeLocal DNSCache

Due to a bug in the conntrack Linux kernel module, it is possible to experience DNS lookup timeouts resulting in lookup delays of 5 or more seconds. This issue is described in more detail here and here. As a workaround, Kubernetes NodeLocal DNSCache can be enabled by passing the nodelocal-dnscache flag to the install scripts or by including the query parameter ?nodelocal_dnscache=1 in the install script URL.

curl -sSL https://get.replicated.com/kubernetes-init | \
    sudo bash -s nodelocal-dnscache