This blog post was authored by Jason Messer, Principal PM Lead, WDG Core Networking.
Containers have become synonymous with application modernization, and Kubernetes has become the leading solution for orchestrating containerized applications. With Windows Server version 1709, Windows now has parity with Linux for Kubernetes networking from a platform perspective. At the same time, we are looking to expand the Kubernetes ecosystem so that Windows worker nodes and services running .NET, ASP.NET, IIS, and other Windows apps can be orchestrated by Kubernetes.
Today, I’m excited to announce our partnership with Tigera to contribute towards Project Calico for Kubernetes. Calico is a community-based, free and open source solution, maintained by Tigera, that is designed to simplify, scale and secure networks and services managed by Kubernetes. It solves a major pain point for developers and DevOps teams by enabling them to manage the complexity of defining, configuring and securing networking topologies for applications and mapping those policies to the underlying fabric. Microsoft is extending Calico’s functionality to support Windows Server version 1709 by contributing code for the Calico data plane driver (Felix) so that it can manage network policy on Windows Server worker nodes.
The Felix data plane driver runs on every K8s node and is responsible for programming ACLs and routes to provide the desired connectivity and security to container endpoints and services. An orchestrator plugin for Kubernetes lets users specify their policy using Kubernetes network policy syntax; Calico then enforces that policy through the Felix data plane driver. A richer policy model is available by using Calico's own policy directly.
On Windows, the Felix data plane driver interfaces with the Windows Host Networking Service (HNS) and takes the network policy received from Calico/Kubernetes and invokes the HNS APIs to add them as ACL policies. HNS then programs the Virtual Filtering Platform (VFP) Hyper-V switch extension, roughly analogous to iptables in Linux, which enforces these policies in the Windows data path.
The result of this work is that users running mixed OS (Linux and Windows) Kubernetes clusters can now define and manage network policy in a consistent manner to secure their containerized applications and microservices. Previously, network policy enforcement for container endpoints could not be managed on Windows nodes even though the platform itself (VFP) included this capability. DevOps and admins can now associate security policies with specific endpoints and services on these mixed clusters.
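As an added illustration (not from the original post), the following Kubernetes NetworkPolicy is the kind of object an admin would apply once to a mixed cluster; the namespace, pod labels and port are assumed placeholders. Felix enforces the same manifest on Linux nodes via iptables and on Windows nodes via HNS/VFP ACL policies, which is the consistency the paragraph above describes.

```yaml
# Added example, not part of the original post. Namespace, labels and port are assumed.
# Only "frontend" pods in the same namespace may reach "web" pods on TCP/80;
# every other ingress to the selected pods is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-from-frontend
  namespace: demo
spec:
  # Pods this policy applies to (the protected endpoints)
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
```

Apply it with `kubectl apply -f` and confirm the selector matches the intended pods with `kubectl describe networkpolicy web-allow-from-frontend -n demo`. Two checks worth doing on any cluster: pods that are not selected by any NetworkPolicy remain fully reachable (Kubernetes defaults to allow), so a deny-by-default posture needs a policy with an empty `podSelector` in each namespace; and because this policy lists only `Ingress` in `policyTypes`, egress from the web pods is left unrestricted.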
Support for Calico network policy on Windows is currently at ‘beta’ level, and Microsoft and Tigera are working with a limited number of joint customers to conduct trials over the coming months, with the goal of reaching general availability in the first half of 2018.
Calico for Windows will work for both on-premises and cloud-based deployments including Microsoft’s Azure Container Service through ACS-Engine. It will also enable interoperability of Windows nodes with Tigera’s commercial secure application connectivity solution, CNX, with the limitation that hierarchical policies will not be supported by this initial release of Calico for Windows.
At this time, the Felix data plane driver on Windows is used for network policy (ACL) enforcement and not interface management or route programming. However, these features are on our product roadmap as many customers find that static route configuration or overlay-based networks are difficult to configure correctly and have performance limitations. To provide a networking solution which works for both Linux and Windows K8s cluster nodes, Microsoft has brought support for Flannel to Windows and created two CNI plugins for host-gateway and overlay networking modes, and is working with the community to upstream these contributions.
Special thanks to Nick Wood from Microsoft for writing the code for the Calico/Felix data plane driver on Windows, and Shaun Crampton from Tigera for providing consulting and assistance.