K3s multi-node install

Kubernetes network policies are implemented by network plugins rather than Kubernetes itself. Simply creating a network policy resource without a network plugin to implement it, will have no effect on network traffic.

The Calico plugin implements the full set of Kubernetes network policy features. In addition, Calico supports Calico network policies, providing additional features and capabilities beyond Kubernetes network policies. Kubernetes and Calico network policies work together seamlessly, so you can choose whichever is right for you, and mix and match as desired.

How Kubernetes assigns IP address to pods is determined by the IPAM (IP Address Management) plugin being used.

The Calico IPAM plugin dynamically allocates small blocks of IP addresses to nodes as required, to give efficient overall use of the available IP address space. In addition, Calico IPAM supports advanced features such as multiple IP pools, the ability to specify a specific IP address range that a namespace or pod should use, or even the specific IP address a pod should use.

The CNI (Container Network Interface) plugin being used by Kubernetes determines the details of exactly how pods are connected to the underlying network.

The Calico CNI plugin connects pods to the host networking using L3 routing, without the need for an L2 bridge. This is simple and easy to understand, and more efficient than other common alternatives such as kubenet or flannel.

An overlay network allows pods to communicate between nodes without the underlying network being aware of the pods or pod IP addresses.

Packets between pods on different nodes are encapsulated using VXLAN, wrapping each original packet in an outer packet that uses node IPs, and hiding the pod IPs of the inner packet. This can be done very efficiently by the Linux kernel, but it still represents a small overhead, which you might want to avoid if running particularly network intensive workloads.

For completeness, in contrast, operating without using an overlay provides the highest performance network. The packets that leave your pods are the packets that go on the wire.

Calico routing distributes and programs routes for pod traffic between nodes using its data store without the need for BGP. Calico routing supports unencapsulated traffic within a single subnet, as well as selective VXLAN encapsulation for clusters that span multiple subnets.

Calico stores the operational and configuration state of your cluster in a central datastore. If the datastore is unavailable, your Calico network continues operating, but cannot be updated (no new pods can be networked, no policy changes can be applied, etc.).

Calico has two datastore drivers you can choose from

• etcd - for direct connection to an etcd cluster
• Kubernetes - for connection to a Kubernetes API server

The advantages of using Kubernetes as the datastore are:

• It doesn’t require an extra datastore, so is simpler to install and manage
• You can use Kubernetes RBAC to control access to Calico resources
• You can use Kubernetes audit logging to generate audit logs of changes to Calico resources

For completeness, the advantages of using etcd as the datastore are:

• Allows you to run Calico on non-Kubernetes platforms (e.g. OpenStack)
• Allows separation of concerns between Kubernetes and Calico resources, for example allowing you to scale the datastores independently
• Allows you to run a Calico cluster that contains more than just a single Kubernetes cluster, for example, bare metal servers with Calico host protection interworking with a Kubernetes cluster or multiple Kubernetes clusters.