Kubernetes multi-zone deployment with Calico

Kubernetes isn't designed for multi-tenancy, but here is a way to achieve zone-based isolation of workloads within the same Kubernetes cluster.

by Hans Emmanuel, Chief Solution Architect, Cloud Native Computing Practice, HPE Pointnext Services

As we all know, Kubernetes doesn't provide multi-tenancy out of the box. There are some workarounds for achieving multi-tenancy using different tenancy models, depending on the requirement. But the fact is that Kubernetes is not designed around a multi-tenant pattern. And when it comes to networking, the container networking interface (CNI) spec is not concerned with the network segregation of workloads, so Kubernetes CNIs are not meant to provide L2/L3 network isolation out of the box. The CNI-backed network policies are the Kubernetes object used for network-level isolation of workloads, which typically rely on firewall rules on the worker nodes.

But what if it is required to deploy worker nodes across multiple network zones, due to various concerns from application owners and other stakeholders? And in some cases – for example, to be aligned with different compliance requirements – it's mandatory to have physical and network separation of workloads.

Usually, separate Kubernetes clusters (in a cluster-as-a-service model) are used when it's pivotal to have isolation of workloads. But running and managing multiple Kubernetes clusters often causes some operational burden.

In this blog, I'll explain an approach that HPE used for one of our customers, with Calico CNI in BGP (border gateway protocol) mode, to achieve zone-based isolation of workloads within the same Kubernetes cluster.

We used HPE ProLiant DL360 Gen10 servers as the worker nodes. The diagram below shows a high-level view of the deployment topology. Here the worker nodes are deployed across different isolated network zones. Inter-zone traffic will cross the core firewall. The key point in this topology is the BGP route reflectors per zone. As shown in the diagram, worker nodes in the yellow zone are peered to the corresponding route reflectors, which ensures that the Calico-advertised routes are contained within the zone.

The datacentre is using a leaf-spine topology, and virtual routing and forwarding (VRFs) are used in the network fabric for multi-tenancy at the L3 level. Route reflectors are peered towards the corresponding VRFs in the border leaf switches. All inter-VRF (zone) traffic will cross the core FW, and only permitted traffic will pass through it.

In this topology, the worker nodes in a zone have no knowledge of the workloads running on worker nodes in other zones. Even if a workload in one zone needs to talk to a workload in another zone, it will be routed towards the core FW and only the allowed traffic will flow.

[Figure: Deployment Topology]
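The following Calico configuration is an added example of how the per-zone peering described above can be expressed; it is not configuration from the HPE deployment or the post. It assumes a node label named zone with the values yellow and blue, external route reflector addresses 10.1.0.1/10.1.0.2 (yellow) and 10.2.0.1/10.2.0.2 (blue), and a single AS number 64512, all of which are placeholders. The security-relevant piece is the BGPConfiguration: Calico's default full node-to-node mesh would let every node learn every other node's pod routes regardless of zone, so the mesh is disabled and each node is only allowed to peer with its own zone's reflectors.

```yaml
# Added example, not from the original post. All addresses, the AS number
# and the "zone" node label are assumed placeholders.
---
# Disable the default full mesh: with it enabled, nodes in different zones
# would exchange pod routes directly and the zone containment would be lost.
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  nodeToNodeMeshEnabled: false
  asNumber: 64512
  logSeverityScreen: Info
---
# Yellow zone: only nodes labelled zone=yellow peer with the yellow reflectors.
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rr-yellow-1
spec:
  peerIP: 10.1.0.1
  asNumber: 64512
  nodeSelector: zone == 'yellow'
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rr-yellow-2
spec:
  peerIP: 10.1.0.2
  asNumber: 64512
  nodeSelector: zone == 'yellow'
---
# Blue zone: same pattern, different reflectors and selector.
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rr-blue-1
spec:
  peerIP: 10.2.0.1
  asNumber: 64512
  nodeSelector: zone == 'blue'
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rr-blue-2
spec:
  peerIP: 10.2.0.2
  asNumber: 64512
  nodeSelector: zone == 'blue'
```

After labelling the nodes (for example `kubectl label node <node> zone=yellow`) and applying the file with `calicoctl apply -f`, `calicoctl node status` on a yellow node should list only the two yellow reflectors as BGP peers, and the node's routing table should carry pod routes only for other yellow-zone nodes. Seeing a blue-zone pod route on a yellow node, or a peer session to an address outside the zone, is the signal that the mesh is still enabled or a selector is wrong. The reflectors themselves are outside the cluster in this design, so the matching peer definitions on the reflector side and the per-VRF peering on the border leaf switches are configured on the network side, not in Calico.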

Conclusion: Although multi-tenancy shouldn’t be an out-of-the-box answer in Kubernetes, typically we have to lengthen it to satisfy technical expectations and safety necessities. Right here we achieved this with Calico CNI, with its intensive BGP capabilities.

Know-how providers consulting from HPE Advisory & Skilled Companies can assist you get essentially the most out of your Kubernetes multi-tenancy design and implementation. We perceive that after cloud-native workloads attain manufacturing maturity, it’s inevitable to design and implement the next stage of community safety and efficiency requirements. The World Cloud-Native Computing observe in HPE Advisory & Skilled Companies can assist you construct your enterprise-grade community design and configuration, drawing on our deep experience and expertise of cloud-native computing applied sciences.

To study extra, see our HPE Container Adoption Service answer transient.

Be taught extra about HPE Pointnext Companies and the way we assist you keep forward of what is subsequent.

Hans Emmanuel.jpgHans Emmanuel is a Chief Answer Architect in HPE’s Cloud Native Computing Follow Space, HPE Pointnext Advisory & Skilled Companies. He began his profession as a Linux server engineer again in 2010 and has since labored on a wide range of non-public cloud options and cloud-native applied sciences. Hans has labored on DevOps and growth initiatives; design and implementation of Devops/DevSecOps pipelines; and self-managed Kubernetes clusters.

Services Experts
Hewlett Packard Enterprise

twitter.com/HPE_Pointnext
linkedin.com/showcase/hpe-pointnext-services/
hpe.com/pointnext
