View Only
last person joined: 2 days ago 

Ask questions and share experiences with Juniper’s Cloud-Native Contrail Networking (CN2).
  • 1.  Contrail on Bottlerocket or other dedicated Kubernetes nodes

    Posted 05-19-2023 10:42


    We are currently in the design phase of a new to build internal cloud infrastructure and during all the design discussions someone brought up the idea to use Contrail K8S CNI to be able to do proper isolation etc. Reading through the Day One documentation this really looks like something we could use, but I have one little question.
    We have to idea to use something like Bottlerocket or an other immutable OS and install that on Bare Metal servers to create a secure base for the K8S cluster, but according to the documentation only some RHEL and Ubuntu flavors are supported. 
    - Is it possible to install Contrail in a K8S cluster based on immutable nodes.
    - Does contrail CNI work when used in conjunction with a Spine-Leaf network based on SONiC switches?

    Jan Hugo Prins


  • 2.  RE: Contrail on Bottlerocket or other dedicated Kubernetes nodes

    Posted 05-22-2023 03:23

    Hi Jan,

    The main constraint at this point with installing into other OSes is around the kernel being used and how it appears in the output of `uname -r`.  That is used to pull a pre-compiled kernel module specific to that kernel release.  If your immutable OS is based on a Centos/Debian base, then you may be OK but it is not certain.  We're looking to test other OSes in the future to get fully supported status but for now, that is mostly focused on other major platforms such as SUSE rather than specific immutable releases.  Being immutable isn't a problem in itself as far as I can tell.

    On the second question, the underlay fabric is not a constraint for Contrail (classic or CN2).  The requirements are around the provision of at least one L2 domain that is shared by all compute and controllers for data/control.  You may want to have separate fabrics (and interfaces on the compute) for storage but that's not mandatory.  Finally, if you want to terminate your overlays in order to get traffic in/out of the cluster, you would need a router that supports either MPLSoUDP, MPLSoGRE or VXLAN.  CN2 supports L2 and L3 networks in all three of those encapsulations.  CN2 also offers fabric SNAT at the vRouter, whereby you can NAT any outbound traffic to the IP address of the host from which it is being sent.  That can provide a simpler egress approach if you're prepared to expose the data/control network externally.

    Rgds, Guy

    Guy Davies