
Design And Implementation Of Multi-tenant Network Isolation Based On Kubernetes

Posted on: 2018-12-27
Degree: Master
Type: Thesis
Country: China
Candidate: F Xu
GTID: 2348330515459750
Subject: Computer Science and Technology
Abstract/Summary:
For many years, enterprises and cloud providers have used virtualization to run their workloads, and for a long time applications ran inside virtual machines. Because a virtual machine provides an entire virtualized hardware layer, it can provide resource isolation and control, but at a significantly higher cost. Containers can also provide resource isolation and restrictions, but much more cheaply, so virtual machines are increasingly being replaced by containers. As the popularity of container technology grows, many applications are being developed, deployed and managed as groups of containers to deliver the desired service to users, as evidenced by the rapid rise of Docker. Kubernetes is an open source system for managing containerized applications in multihomed hosts. It provides resource scheduling, deployment operation, service discovery, and capacity reduction for containerized applications. In this dissertation, the network model of Kubernetes is analyzed. By comparing the existing container network solutions, it is found that they are limited in multi-tenant network isolation and cannot satisfy the security demands of complex cloud environments. To solve those problems, this dissertation compares the existing container network tools in the industry and finds that the Neutron network system in the OpenStack project not only provides multi-tenant network isolation but also provides a rich API. Following the Kubernetes network plugin design pattern, this dissertation designs an independent network management module based on the Neutron network system; the design comprises the Kubernetes neutron-plugin, the independent network management module, and the network management client. The Kubernetes neutron-plugin implements the calls to the independent network management module, and the plugin is loaded when the Kubelet starts. The independent network management module manages the network resources and configures the Pod network. The network management client mainly calls the independent network management module to manage the user's network. To fit the multi-tenant network model, the application of the cluster load balancing model has been modified. This dissertation not only proposes the independent network plugin system solution but also implements it through actual development. Finally, the isolation effect and performance of the multi-tenant network are verified by experiment, showing that the solution can meet the Kubernetes platform's requirement for multi-tenant network isolation.
Keywords/Search Tags:Cloud Computing, Container, Docker, Kubernetes, Multi-tenant, Network Isolation