Welcome!
This channel is dedicated to helping the audience learn new technologies such as Kubernetes, Linux, Docker, and Windows. I strive to provide content that is deep, analytical, and substantive. For instance, my six-part Kubernetes networking series is one of the most comprehensive anywhere on the net.
I also provide the scripts for the courses so you can set up your own environments and follow along. My goal is that my audience maximizes their learning when viewing my courses, and I respond to every comment and question.
Linkedin: www.linkedin.com/in/garsha-rostami-39a2881/
Comments
Thanks for another amazing piece of content. Do you have a GitHub repo?
Hi and thank you for your kind feedback! The scripts are stored here: github.com/gary-RR/myKZread_video_AKS_private_clusters_part1
@@TheLearningChannel-Tech ❤
I love all your videos. Extremely educational. Do you plan to release more content, please?
Hi, many thanks for your kind words! Yes, I will be adding more content later in the summer; I have just been busy. Any particular topic you are interested in? Thanks!
@@TheLearningChannel-Tech I appreciate your reply so much. Off the top of my head I am thinking intro to microservices, or bare metal and k8s, monitoring and observability, k8s on-prem, etc. I hope you know how valuable your videos are.
@@violinalauradragan7001 I'm really humbled by your kind comments. I'm planning a few Azure cloud-centric videos next, but I will return to Kubernetes and consider your great suggestions, especially an intro to microservices and monitoring. Most of my Kubernetes videos thus far (except the last one) apply to both on-prem and cloud situations, and the instructions to set up clusters from scratch apply to both VMs and bare metal. If you have any questions about any of the videos or have questions/issues with the labs, please post them and I will be more than happy to help if I can. Again, thank you very much for your very motivating, kind words! Please take care!
Just halfway through the first video and I can say the type of presentation and knowledge in here is very easy to understand and covers every basic concept. Thanks so much for making this video ❤
Glad it was helpful!
Wow, thanks for this amazing video and powerful samples... it really helped me a lot. I have one question about 25:13 in the video, between the UDP tunnel and the VTEP: is there some kind of running (user-space) process that has a UDP port and is listening so it gets packets from the other node? And if so, how does it communicate with the VTEP interface? Thank you! And is there any chance that you could cover tun, vtep, and vtun interfaces? I know it's a lot to ask, but no one can deliver the information like you. Again, I really appreciate your work! And sorry for my poor English.
Hi, thanks for your feedback. The tunnel is not a permanent construct; it is only started whenever the two sides need to communicate and is shut down once the communication is completed. I'm currently planning other topics, but if I get around to it I will consider your request. Thanks.
@@TheLearningChannel-Tech thanks!!
Very nice presentation; this should be done in university classes! Your explanations made everything clear in the networking domain. These lectures are TOP!!! Keep up the good work!
Thank you very much! Glad it was helpful!
There is something I did not quite get. At 39:46, about accessing $ProductsDBClusterIP:8080 from two containers in the products-stage namespace: you labeled the products-stage namespace, but are the two pods in the stage namespace both labeled, or just one? Thanks.
I think I got it: the condition is limited to two, both app and namespace must match at the same time.
- podSelector:
    matchLabels:
      app: products-business
  namespaceSelector:
    matchLabels:
      porducts-prod-db-access: allow
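The AND-versus-OR point in the comment above is easy to get wrong, so here is an added illustration (example code, not from the channel or the course) that evaluates a NetworkPolicy ingress rule's `from` list against constructed source pods. The policy namespace name `products-prod`, the label key spelled `products-prod-db-access`, and all pod/namespace objects are assumptions; ipBlock peers are not modelled.

```python
"""Evaluate the ``from`` peers of a Kubernetes NetworkPolicy ingress rule.

Added example for the AND-vs-OR point raised in the comment above; it is not
code from the channel or the course. Pod and namespace objects are constructed
sample data; ipBlock peers are not modelled.
"""


def matches(labels, selector):
    """matchLabels semantics: every key/value pair in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_allows(peer, src, policy_ns):
    """One list item under ``from``. Selectors inside a single item are ANDed."""
    if "namespaceSelector" in peer:
        if not matches(src["ns_labels"], peer["namespaceSelector"]):
            return False
    elif src["ns_name"] != policy_ns:
        # A podSelector with no namespaceSelector only selects pods in the
        # policy's own namespace.
        return False
    if "podSelector" in peer and not matches(src["pod_labels"], peer["podSelector"]):
        return False
    return True


def ingress_allowed(from_peers, src, policy_ns):
    """Items in the ``from`` list are ORed; a rule with no ``from`` admits every source."""
    if not from_peers:
        return True
    return any(peer_allows(peer, src, policy_ns) for peer in from_peers)


# One item carrying both selectors: the source must be a products-business pod
# AND live in a namespace labelled for DB access (what the comment describes).
COMBINED = [{
    "podSelector": {"matchLabels": {"app": "products-business"}},
    "namespaceSelector": {"matchLabels": {"products-prod-db-access": "allow"}},
}]

# The same two selectors as two list items: either condition alone is enough (OR).
SPLIT = [
    {"podSelector": {"matchLabels": {"app": "products-business"}}},
    {"namespaceSelector": {"matchLabels": {"products-prod-db-access": "allow"}}},
]

POLICY_NS = "products-prod"  # assumed name of the namespace that holds the DB policy


def sample_sources():
    """Constructed source pods; the dict keys are descriptive names only."""
    stage_ns = {"products-prod-db-access": "allow"}
    return {
        "stage_business": {"pod_labels": {"app": "products-business"},
                           "ns_labels": stage_ns, "ns_name": "products-stage"},
        "stage_other": {"pod_labels": {"app": "reports"},
                        "ns_labels": stage_ns, "ns_name": "products-stage"},
        "prod_business": {"pod_labels": {"app": "products-business"},
                          "ns_labels": {}, "ns_name": POLICY_NS},
        "other_ns_business": {"pod_labels": {"app": "products-business"},
                              "ns_labels": {}, "ns_name": "billing"},
    }


def compare():
    """Return {source name: (allowed by COMBINED, allowed by SPLIT)}."""
    return {name: (ingress_allowed(COMBINED, src, POLICY_NS),
                   ingress_allowed(SPLIT, src, POLICY_NS))
            for name, src in sample_sources().items()}


if __name__ == "__main__":
    for name, (combined, split) in compare().items():
        print(f"{name:20s} combined={combined!s:5s} split={split}")
```

Only the combined form gives the "both at the same time" behaviour the comment describes; the split form lets any pod in a labelled namespace in, and also any `products-business` pod in the policy's own namespace, which is usually not what the author of the policy intended.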
amazing video. very useful to understand the concept
This is a really great in-depth demo of k8s networking.
This video series is good. Nice work! I hope that you can make more.
Amazing explanation
Glad it was helpful!
Absolutely the best series on K8s working principles and scenarios on the internet!
Thank you!
Can you make a video on operators?
These are great videos... no one covers k8s networking deeper than you.
Most comprehensive tutorial I've ever seen, thank you mate...
Glad you liked it!
@@TheLearningChannel-Tech If you are someone who really likes learning the fundamentals of things, how can you not like it 😉
Very good, informative video! I have a question. At the 17:00 timestamp, you mentioned that the tunnel interface will masquerade the actual source IP of the pod and that the source IP in the inner IP header changes to tunl0's IP. But why is this required? Technically, even keeping the actual IP address of the source pod in the traffic and then adding the outer IP header with the source IP as kube-node1-cal's eth0 and the destination IP as the eth0 of the destination node kube-master-cal, the return traffic could still reach the pod in kube-node1-cal, as the destination node will have the BGP route towards the entire pod subnet that is used in the source node kube-node1-cal.
Hi, the reason is that these pods are not routable outside their host worker nodes. If the destination pod tries to send the response directly to the source pod, its host wouldn't know how to send it, as there are no entries in the route table to assist it, so the tunnels play the middleman role, facilitating this communication.
Thank you!! One quick question: when the UDP pipe is set up between two VMs hosting containers, how is the destination VM's IP determined? For example, when we did a curl to the hello world service IP from master to node1, node1's IP needed to be known to set up the UDP pipe. Is Calico doing some magic under the hood for this?
Hi, yes, when the source pod issues an ARP request, the Calico VTEP forwards it to the other node, where the other pod responds, similar to the VXLAN overview discussion.
@@TheLearningChannel-Tech Thanks for the response. So basically, when the ARP response comes back from the destination VTEP, the source VTEP, being a switch, will remember that a certain MAC lives on that VTEP. So after ARP, when the ping packet is sent, the source VTEP will establish the UDP pipe between the source and destination VTEPs. Does this seem like a correct understanding?
@@vipinchawria Close. Calico is a CNI provider responsible for creating pods. It knows what pod (and its IP address) is assigned to what worker node. When the source pod issues an ARP request, it basically says "I'm looking for the MAC address of the pod that has this IP address." The Calico VTEP examines the destination IP address and forwards it to the worker node that hosts that pod.
Hi, can you please do a series about eBPF? Something easy to follow.
Hi, this provides an overview of eBPF: kzread.info/dash/bejne/k4CllbFsnJWydpc.html
amazing. thank you
Wow. Amazing content. The best
All of your videos are very informative and great for learning. Can you please explain how networking works in AKS?
I am still learning from your Cilium networking videos for AWS; let me come back when I switch to Azure...
A video after a long time... thank you
Great video, thanks for your kindness and effort
Great tutorial
Can you please explain the part about how the packet is routed in the case where we get a response from the pod on master with the destination IP of the tunnel? How is the response sent from the tunnel to the respective pod on the worker node?
I'm trying to understand your question, but if you are asking how a call from a pod on master is routed to a pod on node 1, it is done exactly like the scenario I explained in the video, but is routed through the tunnel on node 1. Nothing is different.
@@TheLearningChannel-Tech Correct, but as soon as it reaches the tunnel on node 1, how does it know which pod it needs to send the response to? In the IP header which we captured on master there was no information (IP) about the pod on node 1, as it was NATed to node 1's tunnel IP address. I am trying to understand how the packet is routed from the node 1 tunnel to the pod on node 1 as the response arrives.
@@rahulsawant485 This is a call/response situation. The tunnel on the calling server masquerades the calling pod's IP address and sends the request to the other side. The pod on the other side (server) thinks the tunnel on the other side made the call and sends the response back to that tunnel. That tunnel is sitting there waiting for the results and as soon as it gets them, it simply forwards them to the pod.
Thank you. This statement, "That tunnel is sitting there waiting for the results and as soon as it gets them, it simply forwards them to the pod," makes it clear.
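To make the request/response path in the two threads above concrete, here is an added example (not code from the channel or from Calico) that builds an IP-in-IP (protocol 4) packet whose inner source has been rewritten to the tunnel address, then walks the reply back through a one-entry NAT table standing in for the kernel's conntrack. The pod, node and tunl0 addresses are invented sample values; the node names follow the thread.

```python
"""IP-in-IP (protocol 4) encapsulation with the inner source masqueraded to the
tunnel address, as the threads above describe for Calico's tunl0.

Added example, not code from the channel or from Calico. Addresses are invented
sample values and the dict ``nat`` stands in for the kernel's conntrack table.
"""
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4
HDR_FMT = "!BBHHHBBH4s4s"
HDR_LEN = struct.calcsize(HDR_FMT)  # 20 bytes, no options


def _packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack(HDR_FMT, 0x45, 0, HDR_LEN + payload_len, 0, 0, ttl, proto, 0,
                      _packed(src), _packed(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]  # fill checksum field


def parse_ipv4(data: bytes) -> dict:
    ver_ihl, _tos, total, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(HDR_FMT, data[:HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or checksum(data[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("not a valid IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": data[ihl:total]}


def icmp_echo(ident: int, seq: int, data: bytes, reply: bool = False) -> bytes:
    hdr = struct.pack("!BBHHH", 0 if reply else 8, 0, 0, ident, seq) + data
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]


def encapsulate(inner_src, inner_dst, outer_src, outer_dst, payload, inner_proto=IPPROTO_ICMP):
    """Outer header (node to node, protocol 4) wrapping an inner header (pod to pod)."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(payload)) + payload
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(frame: bytes):
    outer = parse_ipv4(frame)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IPIP")
    return outer, parse_ipv4(outer["payload"])


def pod_to_remote(pod_src, pod_dst, node_src, node_dst, tunl_src, payload, nat):
    """Sending side: the inner source becomes tunl0's address; remember who really sent it."""
    nat[pod_dst] = pod_src
    return encapsulate(tunl_src, pod_dst, node_src, node_dst, payload)


def reply_to_pod(frame, tunl_ip, nat):
    """Reply arrives addressed to tunl0; the NAT table says which local pod gets it."""
    _outer, inner = decapsulate(frame)
    if inner["dst"] != tunl_ip:
        raise ValueError("reply is not addressed to the tunnel")
    return nat[inner["src"]], inner


def round_trip():
    """Request from a pod on kube-node1-cal to a pod on kube-master-cal, and its reply."""
    pod_a, pod_b = "10.244.1.10", "10.244.0.20"      # assumed pod IPs
    node1, master = "192.168.0.11", "192.168.0.10"   # assumed node IPs
    tunl_node1 = "10.244.1.1"                         # assumed tunl0 address on node1
    nat = {}
    req = pod_to_remote(pod_a, pod_b, node1, master, tunl_node1, icmp_echo(1, 1, b"ping"), nat)
    _, inner_req = decapsulate(req)
    # The server-side pod sees the tunnel, not pod_a, as the caller and answers it.
    rep = encapsulate(inner_req["dst"], inner_req["src"], master, node1,
                      icmp_echo(1, 1, b"ping", reply=True))
    target, inner_rep = reply_to_pod(rep, tunl_node1, nat)
    return {"seen_by_server": inner_req["src"], "delivered_to": target, "reply_dst": inner_rep["dst"]}


if __name__ == "__main__":
    print(round_trip())
```

The checksum validation in `parse_ipv4` is there on purpose: anything that inspects overlay traffic (a capture filter, an IDS, a tunnel endpoint) should verify both headers rather than trusting the outer one alone.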
Greatest tutorials I have ever seen
I have a question here. We have a datacenter with a few VXLANs; one is for web load balancers and one is for production servers. Can the K8s VXLAN overlay work on top of the existing VXLAN overlays? Thank you
Hi, the VXLAN implementation is internal to Kubernetes and is used to provide connectivity among pods within the Kubernetes cluster.
This is great! For so many years every book and everyone used to refer to a switch as a layer 2 device; nobody explained it in terms of subnets. Now I am actually able to distinguish between the Data layer and the Network layer.
Hey! Great video. A quick question about the diagram at 20:40: is NAT part of the router if everything is a physical device?
Hi, yes, the NAT translation is done within the physical router. I just showed it outside the router for clarity.
@@TheLearningChannel-Tech Thanks a lot for clarification.
sudo nano /etc/yum.repos.d/kubernetes.repo no longer works
Thanks for your feedback. This video was created three years ago, before CentOS was discontinued.
I just downloaded the shell script from your GitHub repository and tried it, but the ping only works for the namespace on the same node and fails for the namespace on the other node. I am very confused. I would really appreciate it if you could help.
Make sure you follow the instructions below and change the IP addresses to match your environment:
# ------------------- Overlay setup ---------------------
# To establish the udp tunnel (make sure to run these as root (sudo -i)):
1- On "ubuntu1" run:
socat UDP:192.168.0.11:9000,bind=192.168.0.10:9000 TUN:172.16.0.100/16,tun-name=tundudp,iff-no-pi,tun-type=tun &
#***Note that I removed the "iff-up" switch from the command on "ubuntu1" because I was getting an error.
2- On "ubuntu2" run:
socat UDP:192.168.0.10:9000,bind=192.168.0.11:9000 TUN:172.16.1.100/16,tun-name=tundudp,iff-no-pi,tun-type=tun,iff-up &
3- Return to "ubuntu1" and run:
ip link set dev tundudp up
#echo "Disables reverse path filtering"
#sudo bash -c 'echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
#sudo bash -c 'echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter'
#sudo bash -c 'echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter'
#sudo bash -c 'echo 0 > /proc/sys/net/ipv4/conf/tundudp/rp_filter'
@@TheLearningChannel-Tech ubuntu1 and ubuntu2 are on the same subnet; is it necessary to set up the UDP tunnel?
Awesome, useful, really really awesome video
Great work
Thanks a lot for posting this. I have one question related to setting up network policies. We have a use case wherein multiple applications are sitting in their own namespaces and these applications are accessible through the ingress controller using ingress; we want to whitelist traffic coming to each namespace using tools like Calico. I found that although we are able to get the source IP of the client visible in the ingress controller, the application pods only receive the source IP of the ingress controller. I did manage to get the source IPs in the request headers, and it looks like I will have to try Istio for further traffic whitelisting on the basis of the headers. My question is: is this approach good, or is there a better way to achieve what I want to achieve?
So suppose I want client A to access the application in namespace X but not the application in namespace Y; how do I whitelist this at the namespace level when this client is coming from outside the cluster through the ingress controller?
Hi, which IPs are you referring to? The IP addresses of clients that are calling from outside the cluster? In that case, you'll need to leverage a firewall that sits before the external load balancer and ingress controller. This is because, as you noticed, the client IPs are NATed.
@@TheLearningChannel-Tech Yes, I want to whitelist the addresses of clients calling from outside the cluster. After using the proxy protocol feature of the ingress controller, I am able to see the actual client IPs in the ingress controller, but I am still trying to figure out how to get these IPs whitelisted in the application pods, which are reached through the ingress and are sitting in different namespaces per application.
So the intention is to filter at the namespace level, with each namespace allowing a different set of IPs to access the application it contains.
I am coming to think that Istio might be the solution here and will try that out; I don't think Calico can help here. I read about the Calico eBPF dataplane but am not sure about it.
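Since the real client address in the thread above only survives as far as the ingress controller (via the PROXY protocol the commenter enabled), the per-namespace check has to happen there. The following is an added example (not code from the channel, nor from any ingress controller) of what that check looks like: it parses a PROXY protocol v1 header, refuses connections that lack one instead of falling back to a client-supplied X-Forwarded-For, maps the HTTP Host header to a namespace and applies that namespace's allowlist. The host-to-namespace table, the allowlist CIDRs and the sample connections are all constructed for illustration.

```python
"""Per-namespace client-IP allowlisting at the ingress, using the real client
address carried by a PROXY protocol v1 header.

Added example, not code from the channel or from any ingress controller. The
ROUTES and ALLOW tables and the sample connections are constructed values.
"""
import ipaddress
import re

# "UNKNOWN" connections carry no client address, so only TCP4/TCP6 are accepted.
PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d+) (\d+)\r\n")
HOST_HDR = re.compile(rb"^Host:[ \t]*([^\r\n]+)\r\n", re.IGNORECASE | re.MULTILINE)

# Assumed: which namespace serves which Host, and which client networks each namespace admits.
ROUTES = {"x.example.com": "ns-x", "y.example.com": "ns-y"}
ALLOW = {
    "ns-x": [ipaddress.ip_network("203.0.113.0/24")],
    "ns-y": [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("2001:db8::/32")],
}


def parse_proxy_v1(stream: bytes):
    """Return (client_ip, rest_of_stream) or raise ValueError.

    When the load balancer is configured to send PROXY, a connection without the
    header did not come through it, so nothing in it can be trusted to name the
    client; in particular no X-Forwarded-For fallback is attempted.
    """
    m = PROXY_V1.match(stream)
    if not m or len(m.group(0)) > 107:  # the v1 header line is at most 107 bytes
        raise ValueError("missing or malformed PROXY v1 header")
    family, src, _dst, _sport, _dport = m.groups()
    ip = ipaddress.ip_address(src.decode("ascii"))
    if (family == b"TCP4") != (ip.version == 4):
        raise ValueError("address family does not match the address")
    return ip, stream[m.end():]


def target_namespace(request: bytes):
    """Map the Host header of the HTTP request to the namespace that serves it."""
    m = HOST_HDR.search(request)
    if not m:
        raise ValueError("no Host header")
    host = m.group(1).decode("ascii").strip().lower().split(":")[0]
    return ROUTES.get(host)


def decide(stream: bytes) -> str:
    """Allow/reject decision for one inbound connection (PROXY header + HTTP request)."""
    try:
        client_ip, request = parse_proxy_v1(stream)
        ns = target_namespace(request)
    except ValueError as exc:
        return f"reject: {exc}"
    if ns is None:
        return "reject: unknown host"
    if any(client_ip in net for net in ALLOW.get(ns, [])):
        return f"allow: {ns}"
    return f"reject: {client_ip} not allowed for {ns}"


def _request(host: bytes, extra: bytes = b"") -> bytes:
    return b"GET / HTTP/1.1\r\nHost: " + host + b"\r\n" + extra + b"\r\n"


def samples():
    """Constructed connections; the keys are descriptive names only."""
    return {
        "x_allowed": b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n" + _request(b"x.example.com"),
        "x_wrong_client": b"PROXY TCP4 198.51.100.9 10.0.0.5 51234 443\r\n" + _request(b"x.example.com"),
        "y_v6_allowed": b"PROXY TCP6 2001:db8::1 fd00::5 51234 443\r\n" + _request(b"y.example.com"),
        # Direct connection that bypassed the load balancer and forged XFF: no PROXY header.
        "forged_xff": _request(b"x.example.com", b"X-Forwarded-For: 203.0.113.7\r\n"),
        "family_mismatch": b"PROXY TCP4 2001:db8::1 10.0.0.5 1 2\r\n" + _request(b"x.example.com"),
    }


if __name__ == "__main__":
    for name, stream in samples().items():
        print(f"{name:16s} {decide(stream)}")
```

The important design choice is the hard failure in `parse_proxy_v1`: once the load balancer is trusted to prepend the client address, any connection that arrives without that prefix is by definition not from the load balancer, and the safe answer is to drop it rather than read an address out of the request headers.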
Best thing found on internet.... Kudos to the efforts 😃
thanks for such detailed video.
Glad it was helpful!
Really, it's the best Kubernetes networking explanation on the entire internet. Believe me, I've seen many, even in different languages :D
Glad it was helpful!
Being a K8s admin guy, here I found the best on K8s networking. Liking your videos very much. Thanks for this great work
Great content, very helpful, and it gave me a good bit of clarity on some things. Some bits have still gone over my head, but still great stuff.
Glad it was helpful!
You may use the following commands in Windows Terminal/PowerShell (on the Windows host). You need to create the ".kube" directory first:
cd ~\.kube\
microk8s config > config
Then use kubectl directly without the microk8s "prefix". You may also use this config to log in to the Kubernetes dashboard.
What is the content of terry.jones.conf file?
This is very well explained; the official documentation is very confusing.
Thank you ❤
This is great!
I finally understand how BGP works, thanks for explaining!
Great to hear!
Hi, could you briefly explain how packets are forwarded from the load balancer to the ingress to the services? Where do the load balancer and ingress controller run? On the master node? I basically didn't understand how IP addresses are assigned to these... Thank you!
Hi, it looks like you have skipped a lot of the presentation. I suggest you watch the discussions that start from the following URL, which introduces the ingress concept, followed by how the load balancer and the ingress are related, and finally walks through setting up an ingress controller, the load balancer and a test service: kzread.info/dash/bejne/oox5qLySnJWtpZM.html
Great presentation, thanks!
Thank you too!
Hi Gary. I am a beginner in Kubernetes. I see a lot of Kubernetes-related playlists on your channel but am a bit confused about where I need to start. Could you tell me the sequence of playlists I should watch? Thanks for all the videos.
Hi, you can start with these:
Docker and Kubernetes Intro: kzread.info/head/PLSAko72nKb8RZp3SH0KAZNCPvF71rqU7-
Kubernetes Networking Series: kzread.info/head/PLSAko72nKb8QWsfPpBlsw-kOdMBD7sra-
Thank God, I finally found interesting material for understanding networking internals. Thank you so much, Sir, for investing your time in this...