Kubernetes Networking: CNI, Service Mesh, Ingress, Network Policy และ Multi-Cluster
Kubernetes networking is the foundation of container orchestration. The CNI (Container Network Interface) plugin provides pod-to-pod connectivity; a service mesh adds observability, security and traffic management between services; Ingress handles external traffic entering the cluster; Network Policy controls pod-to-pod communication; and multi-cluster networking connects several clusters together.
The Kubernetes network model imposes four fundamental requirements: 1) every pod can communicate with every other pod, on any node, without NAT; 2) agents on a node (kubelet, system daemons) can communicate with every pod on that node; 3) a pod sees itself with the same IP that other pods see it with; 4) Services expose pods behind a stable virtual IP and DNS name (implemented by kube-proxy or by a CNI that replaces it). Every CNI plugin must satisfy these requirements, but the implementations differ (overlay vs native routing, iptables vs eBPF), which is where the differences in performance, features and complexity come from.
CNI (Container Network Interface)
| CNI Plugin | Technology | Key Feature |
|---|---|---|
| Calico | BGP routing, eBPF | Network Policy (most complete), BGP peering, optional eBPF dataplane |
| Cilium | eBPF | eBPF-native (can replace kube-proxy and most iptables use), network policy including L7, observability (Hubble) |
| Flannel | VXLAN overlay | Simple, lightweight, good for small clusters (no network policy enforcement) |
| Weave Net | VXLAN, encryption | Easy setup, built-in encryption, mesh networking (the project was archived in 2024 after Weaveworks shut down; avoid for new clusters) |
| AWS VPC CNI | AWS ENI | Native VPC networking (pods get VPC IPs from ENI secondary addresses), default on EKS |
| Azure CNI | Azure VNET | Native VNET integration (pods get VNET IPs), the AKS-native option |
| Antrea | Open vSwitch | VMware-backed, OVS dataplane, Windows support |
Calico vs Cilium
| Feature | Calico | Cilium |
|---|---|---|
| Dataplane | iptables (default) or eBPF | eBPF (native; can replace kube-proxy and most iptables use) |
| Network Policy | Kubernetes + Calico-specific (NetworkPolicy, GlobalNetworkPolicy; most mature L3/L4 policy) | Kubernetes + Cilium-specific (CiliumNetworkPolicy with L7 HTTP/DNS/Kafka rules) |
| Routing | BGP (can peer with physical routers), or IPIP/VXLAN overlay | VXLAN/Geneve overlay or native routing |
| Observability | Basic (flow logs) | Hubble (rich flow visibility, service map, dropped-flow metrics) |
| Service Mesh | No (use Istio/Linkerd separately) | Cilium Service Mesh (built-in, sidecar-free) |
| Performance | Good (eBPF mode = excellent) | Excellent (eBPF-native from the start) |
| Maturity | Very mature (one of the earliest K8s CNIs) | Mature (CNCF graduated, growing fast) |
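The rows above map onto a handful of Helm values. The file below is an added example, not from the original article or the Cilium project: it turns on the eBPF kube-proxy replacement, native routing, WireGuard encryption and Hubble. It assumes the Cilium Helm chart 1.14 or newer and a cluster bootstrapped without kube-proxy; the API server address and the pod CIDR are placeholders you must replace.

```yaml
# Added example (not from the original article): Cilium Helm values enabling
# the features the comparison table lists. Assumes chart 1.14+ and a cluster
# installed with --skip-phases=addon/kube-proxy (or equivalent).
kubeProxyReplacement: true           # eBPF service load balancing, no kube-proxy/iptables
k8sServiceHost: 10.0.0.10            # placeholder: API server VIP reachable without kube-proxy
k8sServicePort: 6443

routingMode: native                  # native routing instead of VXLAN/Geneve overlay
ipv4NativeRoutingCIDR: 10.244.0.0/16 # placeholder: pod CIDR that is routable without encapsulation
autoDirectNodeRoutes: true           # nodes on one L2 segment install direct pod routes

encryption:
  enabled: true
  type: wireguard                    # transparent node-to-node encryption of pod traffic

hubble:
  enabled: true                      # flow visibility
  relay:
    enabled: true                    # cluster-wide API for the hubble CLI / UI
  ui:
    enabled: true
  metrics:
    enabled:                         # Prometheus metrics; "drop" shows policy denials
      - dns
      - drop
      - tcp
      - flow
      - icmp
```

Install with `helm install cilium cilium/cilium -n kube-system -f values.yaml`, then `cilium status` should report KubeProxyReplacement and Encryption as enabled, and `hubble observe --verdict DROPPED` lists flows rejected by policy, which is the first thing to watch after rolling out a default deny.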
Kubernetes Services
| Service Type | How | Use Case |
|---|---|---|
| ClusterIP | Internal virtual IP only (reachable within the cluster) | Inter-service communication (default type) |
| NodePort | Expose on every node's IP at a static port (30000-32767 by default) | Development, simple external access (exposes the port on all nodes, including ones not running the pods) |
| LoadBalancer | Provision a cloud load balancer (AWS ELB/NLB, GCP LB) in front of a NodePort | Production external access in cloud environments; one LB per Service, so restrict sources with `loadBalancerSourceRanges` and prefer an Ingress/Gateway for HTTP |
| ExternalName | CNAME alias to an external DNS name | Reference external services by a K8s Service name |
| Headless | No ClusterIP (`clusterIP: None`) → DNS returns the pod IPs directly | StatefulSets, service discovery without a proxy |
Ingress
| Feature | Details |
|---|---|
| What it is | L7 load balancer that routes external HTTP/HTTPS traffic to Services inside the cluster |
| Routing | Host-based (api.example.com → api service) + path-based (/api → api, /web → web) |
| TLS Termination | TLS is terminated at the ingress using a certificate read from a Secret; traffic to backend pods is plain HTTP unless the controller re-encrypts or a service mesh adds mTLS |
| Ingress Controller | The implementation that actually does the work (ingress-nginx, Traefik, HAProxy, AWS ALB, Istio Gateway); an Ingress object does nothing until a controller matching its `ingressClassName` picks it up |
| Gateway API | Successor to Ingress (more expressive, role-oriented: GatewayClass/Gateway for the platform team, HTTPRoute for application teams, multi-tenant by design); the Ingress API itself is feature-frozen |
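To make the routing and TLS rows concrete, here is the same host/path layout with TLS termination written twice, first as an Ingress and then as Gateway API resources. This is an added example and not from the original article; the hostname, Service names, the TLS Secret name and the GatewayClass name are assumptions, and the Secret `shop-example-com-tls` must already exist (for instance created by cert-manager).

```yaml
# Added example (not from the original article). Host + path routing with TLS
# termination. Hostnames, Service names, Secret and GatewayClass are assumed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: shop
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # ingress-nginx: redirect HTTP to HTTPS
spec:
  ingressClassName: nginx
  tls:
  - hosts: [shop.example.com]
    secretName: shop-example-com-tls   # TLS ends here; traffic to the pods below is plain HTTP
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api
            port:
              number: 8080
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
---
# Gateway API: the Gateway (listener, certificate; owned by the platform team)
# and the HTTPRoute (routing rules; owned by the application team) are
# separate objects, which is the role separation the table refers to.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shop-gw
  namespace: shop
spec:
  gatewayClassName: envoy            # assumed GatewayClass, e.g. installed by Envoy Gateway
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: shop.example.com
    tls:
      mode: Terminate
      certificateRefs:
      - name: shop-example-com-tls
    allowedRoutes:
      namespaces:
        from: Same                   # only HTTPRoutes in this namespace may attach
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: shop
  namespace: shop
spec:
  parentRefs:
  - name: shop-gw
  hostnames: [shop.example.com]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /api
    backendRefs:
    - name: api
      port: 8080
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: web
      port: 80
```

`allowedRoutes.namespaces.from: Same` is the part worth noticing: without it a route in another namespace could attach to this listener and hijack the hostname, which is exactly the multi-tenancy problem the Ingress API has no answer to.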
Ingress Controllers
| Controller | Feature | Best For |
|---|---|---|
| ingress-nginx (NGINX) | Most widely deployed, stable, well-documented | General purpose, most clusters |
| Traefik | Auto-discovery, Let's Encrypt integration, middleware | Dynamic environments, auto-TLS |
| HAProxy | High performance, advanced LB features | High-traffic production |
| AWS Load Balancer Controller | Native AWS ALB provisioning | EKS clusters (AWS-native) |
| Istio Gateway | Full service mesh integration | Istio service mesh environments |
| Envoy Gateway | Gateway API native, Envoy-based | Modern Gateway API implementations |
Network Policy
| Feature | Details |
|---|---|
| What it is | Firewall rules for pods: control ingress/egress traffic between pods, namespaces and external CIDRs |
| Default | No policy selecting a pod = allow all. Once any policy selects a pod for a direction (Ingress or Egress), only traffic matched by some policy is allowed in that direction; policies are additive and have no deny rules |
| Selectors | Select pods by label (app=web), by namespace (namespaceSelector), or by IP block (CIDR). A podSelector and namespaceSelector inside the same `from`/`to` entry are ANDed; separate entries are ORed |
| Ingress Rules | Control who may send traffic TO the selected pods |
| Egress Rules | Control where the selected pods may send traffic TO |
| Default Deny | A policy with `podSelector: {}`, `policyTypes: [Ingress, Egress]` and no rules denies all traffic to and from every pod in the namespace; then add allow policies (and remember DNS egress, or Service lookups break) |
| L3/L4 Only | Standard K8s policy = labels/IP + port/protocol. L7 rules (HTTP path, method) need a CNI extension: Cilium (CiliumNetworkPolicy) or Calico's application-layer policy |
| CNI Required | The API server accepts NetworkPolicy objects whatever the CNI; only a CNI that implements them enforces anything (Flannel does NOT, Calico/Cilium do). With an unsupporting CNI a policy is silently a no-op, so always test a deny rule after applying it |
Service Mesh
| Feature | Istio | Linkerd | Cilium Service Mesh |
|---|---|---|---|
| Architecture | Sidecar (Envoy proxy per pod), or sidecar-less ambient mode (per-node ztunnel plus optional waypoint proxies) | Sidecar (lightweight Rust proxy, linkerd2-proxy) | Sidecar-free (eBPF in the kernel, a per-node Envoy only where L7 handling is needed) |
| mTLS | Automatic mutual TLS with SPIFFE workload identities | Automatic mTLS (zero-config) | WireGuard or IPsec transparent encryption between nodes; this encrypts the wire but does not by itself authenticate workload identity, SPIFFE-based mutual authentication is available as an optional (beta) feature |
| Observability | Rich (Kiali dashboard, distributed tracing) | Good (Viz dashboard, golden metrics) | Hubble (eBPF-based flow visibility) |
| Traffic Management | Advanced (canary, A/B, fault injection, circuit breaking) | Basic (traffic split, retries, timeouts) | Growing (L7 traffic management through Gateway API) |
| Complexity | High (many CRDs, Envoy config) | Low (lightweight, simple) | Medium (eBPF knowledge helpful) |
| Performance | Overhead from the sidecar (latency + memory per pod) | Lower overhead (Rust proxy) | Lowest (no sidecar, kernel-level) |
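The security value of a mesh is identity, not just encryption. The manifests below are an added example, not from the original article or the Istio project: they enforce mTLS for the whole mesh and then allow only the `frontend` service account to call GET /api/ on the api workload, authorising by SPIFFE principal instead of IP. The namespace, labels, service-account name and paths are assumptions.

```yaml
# Added example (not from the original article). Assumes Istio is installed
# with istio-system as the root namespace; names and paths are placeholders.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system           # root namespace -> mesh-wide default
spec:
  mtls:
    mode: STRICT                    # plaintext from non-mesh clients is rejected
---
# Identity-based authorization on the api pods. Once an ALLOW policy selects
# a workload, every request not matched by a rule is denied (HTTP 403
# "RBAC: access denied" from the proxy).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: api
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity of the caller, proven by its mTLS client certificate
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
```

With STRICT mode a `curl` from a pod outside the mesh gets a connection reset, and a mesh pod running under a different service account gets 403 even though it is on the same network. That is the property NetworkPolicy cannot give you: the rule follows the workload's identity, not its IP.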
Multi-Cluster Networking
| Solution | How | Use Case |
|---|---|---|
| Cilium Cluster Mesh | eBPF-based pod-to-pod across clusters (clusters need non-overlapping pod CIDRs and mutual reachability of nodes) | Multi-cluster service discovery, global services, cross-cluster network policy |
| Istio Multi-Cluster | Mesh federation between clusters (shared or separate control planes, east-west gateways) | Cross-cluster traffic management, mTLS with one trust domain |
| Submariner | L3 connectivity between cluster networks over IPsec/WireGuard tunnels terminated on gateway nodes | Hybrid cloud, cross-cluster pod networking |
| Skupper | Application-layer virtual network (mTLS-connected message routers) | Multi-cloud, hybrid connectivity without VPN or flat L3 |
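Once the clusters are meshed, a Service becomes cross-cluster through annotations rather than new objects. The manifest below is an added example, not from the original article or the Cilium project; it assumes an established Cilium Cluster Mesh and a Service with the same name and namespace applied in every member cluster. The namespace, labels and port are assumptions.

```yaml
# Added example (not from the original article). Apply the same manifest in
# each cluster of a Cilium Cluster Mesh; names and port are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: shop
  annotations:
    service.cilium.io/global: "true"     # load balance across all clusters in the mesh
    service.cilium.io/shared: "true"     # export this cluster's backends to the others
    service.cilium.io/affinity: "local"  # prefer local backends, fail over to remote ones
spec:
  selector:
    app: api
  ports:
  - name: http
    port: 8080
    targetPort: 8080
```

Clients keep using `api.shop.svc.cluster.local`; the eBPF datapath picks backends from every cluster whose Service is marked shared. Because pod traffic now crosses cluster boundaries, the NetworkPolicy that guards `app: api` must be written with that in mind: Cilium policies can restrict sources by cluster with the `io.cilium.k8s.policy.cluster` label, and a default deny applied in one cluster does not apply in the other.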
Closing thoughts: Kubernetes Networking = Connect, Secure, Observe
- CNI: Calico (BGP, mature policy), Cilium (eBPF-native, Hubble), Flannel (simple, no policy), cloud-native (VPC/VNET)
- Services: ClusterIP (internal), NodePort (dev), LoadBalancer (production), Headless (stateful)
- Ingress: L7 routing (host/path), TLS termination: ingress-nginx (popular), Traefik (auto-TLS), Gateway API (successor to Ingress)
- Network Policy: pod firewall (label selectors, ingress/egress, default deny), requires a CNI that enforces it
- Service Mesh: Istio (feature-rich, sidecar or ambient), Linkerd (lightweight), Cilium (sidecar-free eBPF)
- Multi-Cluster: Cilium Cluster Mesh, Istio multi-cluster, Submariner, Skupper
- Key: the K8s networking stack = CNI (connectivity) + Network Policy (security) + Ingress/Gateway (external access) + Service Mesh (identity, mTLS, observability)