Networking

Kubernetes Networking in Thalassa Cloud

Networking in Kubernetes is a critical component that enables communication between Pods, Services, and external networks. Thalassa Cloud provides flexible networking options, allowing users to choose the best solution for their workloads.

Thalassa Cloud supports Cilium as the default CNI (Container Network Interface) or allows users to install their own CNI of choice. Networking in Kubernetes is built on two primary components:

  • Pod Networking: Enables communication between Pods within and across nodes.
  • Service Networking: Facilitates communication between workloads using stable service endpoints.

Additionally, network policies allow users to define fine-grained access controls for inter-Pod communication.

CNI Options in Thalassa Cloud

Thalassa Cloud supports two networking configurations:

1. Cilium CNI (Default Option)

Cilium is an eBPF-based CNI that provides high-performance networking and security features. It enables policy enforcement, observability, and encryption at the network level.

Default Configuration in Thalassa Cloud:

  • WireGuard encryption is enabled by default: Pod-to-Pod traffic that crosses between nodes is encrypted on the wire with WireGuard. Traffic between two Pods on the same node never leaves the host and is not encrypted, and traffic from host-network Pods is only covered if Cilium's node-to-node encryption is additionally enabled.
  • Optional kube-proxy replacement: users can enable Cilium's eBPF-based replacement for kube-proxy, which handles Service load balancing in the kernel instead of through iptables rules, for better performance and scalability.
  • Cilium Layer 7 (L7) functionality: Cilium's L7 features (HTTP-aware network policy, Ingress and Gateway API) are implemented through an Envoy proxy that Cilium manages, enabling API gateway and traffic management features.
  • No Cilium L2 announcements: external IPs for LoadBalancer Services are provisioned by the Thalassa Cloud Cloud Controller Manager (CCM) as Thalassa Cloud Load Balancers, not by Cilium's L2 announcement/L2 load balancing feature.

These settings tune Cilium for secure, scalable and high-performance networking in Thalassa Cloud.
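For reference, the following Helm values reproduce the defaults described above. This is an added example, not Thalassa Cloud's own configuration, and is mainly useful if you run Cilium yourself on a bring-your-own-CNI cluster or want to compare against a running installation; the value names assume Cilium 1.14 or later, and the API server address is a placeholder.

```yaml
# Added example: Cilium Helm values matching the defaults described on this page.
# Not Thalassa Cloud's actual configuration. Assumes Cilium >= 1.14 value names
# and a placeholder API server address.
encryption:
  enabled: true
  type: wireguard           # encrypts Pod-to-Pod traffic between nodes
  nodeEncryption: false     # set true to also cover host-network traffic
kubeProxyReplacement: true  # eBPF Service handling, kube-proxy not required
# When kube-proxy is removed, Cilium must reach the API server directly,
# because the kubernetes ClusterIP Service is no longer programmed for it.
k8sServiceHost: api.example.internal   # placeholder
k8sServicePort: 6443
l2announcements:
  enabled: false            # LoadBalancer IPs come from the cloud CCM instead
gatewayAPI:
  enabled: true             # Envoy-backed Gateway API and other L7 features
```

To verify what a cluster actually runs rather than what the values claim, the Cilium CLI's `cilium status` reports the encryption mode (it shows `Encryption: Wireguard` when WireGuard is active) and whether kube-proxy replacement is on; the values file alone does not prove enforcement.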

Key features of Cilium:

  • eBPF-based datapath for low-latency packet processing without long iptables chains.
  • Transparent load balancing for Kubernetes Services.
  • Enforcement of standard Kubernetes NetworkPolicy resources, plus Cilium's own CiliumNetworkPolicy CRDs that extend rules to L7 (for example HTTP paths and methods, or DNS names).
  • Flow-level observability (Hubble) for auditing which Pods actually talk to which, including traffic dropped by policy.

2. Custom CNI (Bring Your Own CNI)

For users who prefer full control, Thalassa Cloud allows clusters to be deployed without a pre-installed CNI, enabling users to install and configure their own networking solution.

Supported third-party CNI options include:

  • Calico

Note: If you install a custom CNI, the Cilium-specific features described above (WireGuard encryption, kube-proxy replacement, L7 functionality) are not provided by Thalassa Cloud, and NetworkPolicy enforcement is only as good as the CNI you choose. Make sure the CNI is compatible with Thalassa Cloud's networking and with the Cloud Controller Manager's load balancers.

Pod Networking

How Pod Networking Works

Each Pod in Kubernetes is assigned a unique IP address, allowing direct communication between Pods without the need for NAT (Network Address Translation). The CNI handles the underlying routing between Pods.

Network Connectivity Between Pods

  • Within the same node: Pods communicate directly through the node's virtual network; each Pod's network namespace is attached to the host and the CNI forwards between them.
  • Across different nodes: the CNI routes Pod traffic between nodes, using either encapsulation (for example VXLAN or Geneve) or native routing. With the default Cilium configuration, this inter-node traffic is what WireGuard encrypts.

Service Networking

How Service Networking Works

Kubernetes Services provide stable network identities (a name and a virtual IP) for accessing workloads, even as the underlying Pods are replaced. A Service selects a group of Pods by label selector and load-balances traffic across them.

Common Service Types:

  Service Type   Description
  ClusterIP      Default type. A virtual IP reachable only from inside the cluster.
  NodePort       Exposes the Service on a static port (30000-32767 by default) on every node's IP, in addition to a ClusterIP.
  LoadBalancer   Provisions an external load balancer (Thalassa Cloud Load Balancers via the CCM) in front of the Service.
  ExternalName   Maps the Service name to an external DNS name via a CNAME record; no selector or proxying is involved.
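The following manifests show how a Service is tied to Pods purely through labels, and how the same Pods can be exposed internally and externally. This is an added example, not code from Thalassa Cloud's documentation; the namespace, names, image and ports are assumptions, and whether the Thalassa Cloud CCM honours `loadBalancerSourceRanges` is not stated on this page.

```yaml
# Added example (not from the original page): a Deployment and two Services
# that select its Pods by the "app: api" label. Namespace, names, image and
# ports are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api            # the only link between the Services below and these Pods
    spec:
      containers:
        - name: api
          image: registry.example.com/shop/api:1.4.2   # placeholder image
          ports:
            - name: http
              containerPort: 8080
---
# ClusterIP: reachable only inside the cluster as api.shop.svc.cluster.local:80
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: shop
spec:
  type: ClusterIP
  selector:
    app: api
  ports:
    - name: http
      port: 80
      targetPort: http      # refers to the named container port above
---
# LoadBalancer: the cloud controller manager provisions an external load
# balancer and publishes its address in status.loadBalancer.ingress.
apiVersion: v1
kind: Service
metadata:
  name: api-public
  namespace: shop
spec:
  type: LoadBalancer
  selector:
    app: api
  # Local keeps the client source IP visible to the Pods (useful for logging
  # and allow-listing) at the cost of only using nodes that run an endpoint.
  externalTrafficPolicy: Local
  # Restricts which client ranges the load balancer accepts; honoured only
  # where the cloud provider's CCM supports it (assumption for Thalassa Cloud).
  loadBalancerSourceRanges:
    - 203.0.113.0/24
  ports:
    - name: http
      port: 80
      targetPort: http
```

After applying, `kubectl -n shop get endpoints api` lists the Pod IPs the selector matched; an empty list means the labels do not agree, which is the most common reason a Service resolves but nothing answers.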

Network Policies

Thalassa Cloud supports Kubernetes NetworkPolicy resources to restrict communication between Pods. A policy selects Pods by label and lists the ingress and/or egress traffic they may exchange, matched by namespace, Pod labels, IP blocks and ports. Two properties matter in practice: with no policy selecting a Pod, all traffic is allowed, and policies are additive, so the first policy that selects a Pod switches it to deny-by-default for the policy types it lists. Policies are enforced by the CNI; with the default Cilium CNI they are enforced in eBPF, while a custom CNI without policy support silently ignores them.

For more details, see Network Policies Documentation.

Summary

Thalassa Cloud Kubernetes lets users choose between Cilium as the default CNI and a custom CNI. Pod networking gives every Pod a routable IP and handles cross-node traffic (encrypted with WireGuard under the default Cilium configuration), Service networking provides stable endpoints through the ClusterIP, NodePort, LoadBalancer and ExternalName types, and NetworkPolicy resources restrict which Pods may talk to each other.

Combining these Kubernetes-native features with Cilium's eBPF datapath, L7 capabilities and flow observability gives workloads stable connectivity with least-privilege network access.