Platform9 Blog

SDN for Kubernetes – OpenContrail and Platform9 bring a simple a secure container networking solution for enterprises

The popularity of containers as a deployment model has risen significantly in the last few years. Kubernetes has become the container orchestration engine of choice and it is gaining wider enterprise adoption at a rapid pace. Platform9 is making this enterprise adoption easy by providing “Kubernetes as a Service” on their customers’ own private data centers as well as public clouds. Platform9 also provides features like single-sign-on (with support for SAML, ADFS, Okta, OneLogin), role-based access control, and multi-tenancy.

Continuing with this enterprise enablement for enterprises, Platform9 is pleased to announce integration with OpenContrail, a leading provider of SDN in virtualization. They are bringing the same power to container networking with their integration with Kubernetes, enabling the ability to isolate Kubernetes networks at various levels.

Together, Platform9 Managed Kubernetes and OpenContrail provide a simple and secure networking solution for enterprises.

Getting Started
First, let’s get up and running with Kubernetes. With Platform9, it’s really easy, just sign up for a free-trial. Once our team has created an environment for you, simply follow the steps below:

  1. Add a new Node, and download the agent.
  1. Install the agent.
  2. Authorize the host.

  1. Now create a cluster, select “OpenContrail” as the networking provider. Add the OpenContrail controller address and the CIDRs for service and pods.

Once you finish, attach nodes to the cluster you just created and you will have a fully functional Kubernetes with OpenContrail integrated.

I am most excited about the security features OpenContrail has introduced, and there are three levels  of isolation that can be enabled:

  1. Cluster Isolation: This is the default mode where a single cluster network is shared by all namespaces. In this case each Pod can access others regardless of namespaces.
  2. Namespace Isolation: Using a simple annotation pods in different namespaces cannot communicate with each other. Policies can be configured to allow for explicit access between specific pods.
  3. Application Isolation: Using name labels on Pods, replication controllers, or services, separate networks can be created for every Pod to isolate these services.

Contrail Web-UI showing virtual network for isolated namespace

Contrail also offers other advanced features which are absent in other solutions.

  • Load Balancing: OpenContrail implements non-proxy load-balancing based on ECMP without additional hops. Its native implementation is distributed in the OpenContrail vRouters for the elastic/virtual IP addresses used in Kubernetes Service objects. It eliminates need for kube-proxy controller that has the performance drawback(kube-proxy often re-configures and re-compiles IPtables to try to create complex NAT rules for the load balancing and sometimes needs to reroute packets to the correct server hosting the pod selected by the load balancing).
  • Network Policy: OpenContrail implements the Kubernetes network policy objects applied to pods and much more.  OpenContrail powerful SDN capability layers security at the level of multi-tenancy, virtual network isolation, and customized security groups. Furthermore it can also insert transparent service chains with stateful firewalls and other services (could be in containers, VMs or physical). With Kubernetes, you can abstract this task to OpenContrail defaults or fully control network policy to your heart’s (and CSO’s) content, ensuring security policy within and across your Kubernetes cluster.
  • Ingress Controller: Kubernetes doesn’t ship with a built-in Ingress Controller unless you run on GKE, so Ingress objects are ignored by default. OpenContrail, is the only full SDN solution so far that implements Ingress using an included HAProxy setup.

Watch a demo of the setup of Platform9 Managed Kubernetes and OpenContrail and how to isolate namespaces. We are very excited about this integration and believe it will further help enterprise adoption of Kubernetes.

Please leave comments below or email us at for feedback or questions.

Roopak Parikh

Co-founder and CTO at Platform9
Roopak envisioned the technology powering Platform9, and now leads our Engineering wizards in the quest to realize this vision. Roopak likes to work with customers in designing solutions and solving technical challenges. He also leads incubation projects within the organization and loves talking about everything from latest javascript frameworks to blockchain technologies.

Before co-founding Platform9, Roopak was a technical lead at VMware, where he helped architect and ship major vSphere products: Update Manager and vCloud Director. Before VMware, Roopak was an early engineer at an early stage Mobile computing startup.

Outside of work, Roopak is a fan of audiobooks, likes cooking, following sports, and keeping up with his kids on the soccer field.

You may also enjoy

Kubernetes On-premise: Why, and How

By Platform9

Tracing Serverless Functions with OpenTracing and Jaeger

By Platform9

The browser you are using is outdated. For the best experience please download or update your browser to one of the following: