Cloud Native Data Plane: Leverage AF_XDP for Kubernetes*

author-image

作者

 

Cloud Native Data Plane (CNDP) was created to provide a lightweight packet processing framework enabling cloud native developers to use  and other interfaces to provide better performance compared to standard Linux* networking interfaces.

AF_XDP is an address family optimized for high-performance packet processing applications such as firewalls, gateways, and load balancers. Introduced in 4.18 Linux kernel, it aims to boost to benefits of AF_XDP in cloud native environments. However, there were two challenges: ease-of-development and the need for unprivileged pods. Running pods in privileged mode can be a security risk - potentially exploited through various types of attacks - and should be avoided.

 

 

CNDP is a collection of user-space libraries designed to accelerate packet processing for cloud applications built on AF_XDP. The AF_XDP plugins for Kubernetes* is a Kubernetes device plugin and container network interface (CNI) plugin that provides AF_XDP networking to Kubernetes pods.

CNDP aims to provide better performance than standard network socket interfaces by taking advantage of platform technologies to accelerate the various libraries and algorithms. It also provides easy-to-view metrics and telemetry with examples that deploy network services on Kubernetes. Previously, CNDP applications that leveraged AF_XDP performance benefits ran in privileged pods. With the integration with AF_XDP plugins for Kubernetes, CNDP applications get the performance benefits of AF_XDP but can run unprivileged.

The integration of CNDP with AF_XDP plugins for Kubernetes enables CNDP applications to run in secure, unprivileged pods. Sub-function support - where a single netdev is sliced into subnetdevs or subfunctions - is also under development. This will improve the scalability in cloud environments because it can leverage and scale the zero copy AF_XDP interfaces for multiple workloads or containers.

See It in Action

Let’s start with a topology diagram illustrating one system running the single node Kubernetes cluster and the second system running the packet generator application. The two systems connect back-to-back with an Intel* Ethernet controller XL710 for 40-Gigabit Ethernet.

 

 

This offers all the performance of cloud native packet processing without having to grant admin privileges to each application. Check out the demo below to see how a single node Kubernetes cluster with the AF_XDP plugins for Kubernetes - the device plugin and CNI - working together with the CNDP application.

 

 

The network attachment definition and the pod spec are created to launch the CNDP application running in a pod. This packet forwarding application is available at the CNDP GitHub* repository.

Ethtool filters direct application traffic to specific queues on the networking device so that the AF_XDP socket receives traffic. These ethtool filters are programmed by the CNI. Traffic metrics received in the CNDP application are visible on the host using the Prometheus* agent exporting application metrics.

The result? You can create an unprivileged secure pod leveraging the performance benefits of AF_XDP in a Cloud Native scenario.

Get Involved

CNDP welcomes community participation. Please check out the GitHub repo and the website at cndp.io. Take the code for a test drive and try out the sample applications; contribute changes you’d like by creating pull requests in the GitHub repo. If you have questions, engage with the developers using the GitHub repository issues feature to suggest enhancements or report any bugs. You can also check out the AF_XDP plugins for Kubernetes at on GitHub. If you’re a customer using it already, please reach out and with feedback and requirements.

Check out the full presentation here.

About the Presenters:

Elza Matthew, network software engineer, has been at Intel for about six years, currently focusing on packet processing software libraries and Ethernet networking drivers.

Sushma Sitaram, network software engineer, has been at Intel for nine years, developing packet processing software, Ethernet drivers, and low-level libraries.

 

"