Containers offer many benefits to Network Function Virtualization (NFV) and have been widely adopted by network engineering teams across wireline, cable, and mobile networks. #Sponsored
By Robert McIntyre, Nikhila Kamath
Containers offer many benefits to Network Function Virtualization (NFV) and hence have been widely adopted by network engineering teams across wireline, cable, and mobile networks. With containers come cloud-native principles like immutable infrastructure, declarative APIs, and GitOps, which enable robust, scalable network functions that can be automatically scaled and load-balanced using Kubernetes constructs.
As NFVi vendors have evolved their products to take better advantage of cloud-native capabilities – from custom operators and resource definitions to multivendor CI/CD pipelines – we are seeing exciting opportunities for NFVi workloads to benefit from advancements in the CNI and container ecosystem.
In this article, we will highlight recent advancements in container networking, many of which are driven by service providers through the Linux Foundation, the CNCF, and Kubernetes SIGs, and even our teams here at VMware by Broadcom. We’ll review how these advancements have evolved container networking to the point where providers can take a “no compromises” approach to network function workloads like 5G, vBNG, and vCMTS, at scale, without tradeoffs in latency, throughput, or manageability.
Here are some key advancements and how they address challenges for large-scale NFVi deployments:
Inline Service Mesh
Service meshes offer many benefits to network workloads, including traffic management, security, and manageability. But first-generation service meshes such as Istio and Linkerd introduced latency overhead due to the sidecar proxy model – the additional hop and associated logic required to implement retries, load balancing, and so on. This performance/usability tradeoff makes sense for enterprise and consumer applications but is problematic for latency-sensitive Network Functions (NFs) such as the 5G user plane.
To solve this, inline service meshes, such as Cilium with its Cluster Mesh capability, integrate service mesh functionality into the container network interface (CNI) layer, eliminating the additional hop and using kernel features such as eBPF, along with hardware offloads, to provide secure multi-tenancy and isolation within the cluster. The benefits include:
Network performance: In addition to reduced latency, inline service meshes offer improved performance and throughput by removing the extra network hop through the sidecar proxy. They can also leverage kernel-bypass techniques and hardware offloads more efficiently than sidecar proxies.
Simplified management: Inline meshes integrate with the CNI, obviating the need to inject and manage a sidecar proxy alongside each application container and simplifying testing, deployment, and configuration.
Security and Multi-Tenancy: Inline service meshes can leverage kernel networking features like network namespaces and eBPF to provide secure multi-tenancy and isolation between different NFVi workloads and tenants. This allows consolidating multiple VNFs on the same Kubernetes cluster while maintaining isolation.
Multi-Cluster and Multi-Cloud Support: Projects like Cilium enable the extension of inline service mesh capabilities across multiple Kubernetes clusters and public clouds. This is crucial for NFVi use cases requiring geo-distribution of workloads across edge locations.
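As an illustration of the inline approach, here is a minimal policy sketch, assuming Cilium as the CNI; the namespace and workload labels are hypothetical. Filtering is enforced in the eBPF datapath rather than by a per-pod sidecar proxy:

```yaml
# Illustrative CiliumNetworkPolicy: allow only the (hypothetical) SMF
# workload to reach the 5G user-plane pods on the PFCP port.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: upf-allow-pfcp
  namespace: core-5g            # hypothetical namespace
spec:
  endpointSelector:
    matchLabels:
      app: upf                  # hypothetical user-plane function pods
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: smf            # hypothetical session management function
      toPorts:
        - ports:
            - port: "8805"      # PFCP signaling
              protocol: UDP
```

Because the policy is enforced in the datapath, no extra hop or proxy container is added to the user-plane pods.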
Multi-Cluster Support
Kubernetes now has better multi-cluster capabilities through projects like KubeFed (Kubernetes Cluster Federation) and the Multi-Cluster Services API. Combined with IPAM plugins, these allow deploying and managing VNFs and services across multiple Kubernetes clusters, enabling geo-distribution of NFVi workloads.
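As a sketch of the multi-cluster pattern, assuming Cilium Cluster Mesh is peered between clusters (the service and namespace names are hypothetical), a Service can be marked global so that identically named Services in the peered clusters are load-balanced together:

```yaml
# Illustrative global Service: with Cilium Cluster Mesh, endpoints behind
# Services of the same name/namespace in peered clusters are merged.
apiVersion: v1
kind: Service
metadata:
  name: amf                     # hypothetical control-plane NF
  namespace: core-5g            # hypothetical namespace
  annotations:
    service.cilium.io/global: "true"
spec:
  selector:
    app: amf
  ports:
    - port: 80
      targetPort: 8080
```

The same manifest is applied in each peered cluster; traffic then fails over across clusters without application changes.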
Address Management
Running multi-cloud, and even geographically distributed, deployments is a challenge for NFVi, due largely to the complexity of managing multiple address pools at scale. CNI plugins with integrated IP Address Management (IPAM), such as Calico and Cilium, provide simplified, secure networking and network policy enforcement across clusters, independent of the overlay technology and address range. This enables secure multi-cluster NFV deployments with service chains that span multiple Kubernetes clusters.
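A minimal sketch of per-cluster address management with Calico (the pool name and CIDR are hypothetical): giving each cluster a non-overlapping pool keeps multi-cluster service chains routable.

```yaml
# Illustrative Calico IPPool: a dedicated, non-overlapping workload CIDR
# for one cluster in a geo-distributed deployment.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: cluster-east-pool       # hypothetical, one pool per cluster
spec:
  cidr: 10.48.0.0/16            # hypothetical; must not overlap other clusters
  vxlanMode: Always             # overlay choice is deployment-specific
  natOutgoing: true
  nodeSelector: all()
```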
Hardware Acceleration
The skyrocketing amount of data that telecoms are dealing with has resulted in the widespread adoption of the data processing unit (DPU). The DPU is viewed as the third pillar of the data center, alongside the central processing unit (CPU) and the graphics processing unit (GPU).
The DPU aids the CPU by taking on networking and communication workloads. It uses hardware acceleration technology and high-performance network interfaces to handle data transfers, data compression, data storage, data security, and data analytics. This frees up the CPU for other tasks.
Projects such as DPDK integration, SR-IOV device plugins, and GPU-accelerated containers enable leveraging hardware like SmartNICs, GPUs, and NPUs for high-performance data plane acceleration. This is crucial for meeting the performance needs of data-intensive NFVi workloads like vBNG, vCMTS, and vRAN.
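As a hedged sketch of how such acceleration is typically consumed in Kubernetes, a data-plane pod can request hugepages and an SR-IOV virtual function exposed by a device plugin. The image, network attachment, and SR-IOV resource name below are hypothetical and deployment-specific:

```yaml
# Illustrative DPDK-ready pod: hugepages for the poll-mode drivers plus an
# SR-IOV VF attached via a (hypothetical) Multus network attachment.
apiVersion: v1
kind: Pod
metadata:
  name: vbng-dataplane                        # hypothetical workload
  annotations:
    k8s.v1.cni.cncf.io/networks: sriov-net    # hypothetical attachment name
spec:
  containers:
    - name: dataplane
      image: registry.example.com/vbng:latest # hypothetical image
      resources:
        requests:
          memory: 2Gi
          hugepages-1Gi: 4Gi
          intel.com/sriov_netdevice: "1"      # hypothetical resource name
        limits:
          memory: 2Gi
          hugepages-1Gi: 4Gi
          intel.com/sriov_netdevice: "1"
      volumeMounts:
        - mountPath: /dev/hugepages
          name: hugepage
  volumes:
    - name: hugepage
      emptyDir:
        medium: HugePages
```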
Multi-tenancy
Although Kubernetes provides only limited multi-tenancy out of the box, it offers an extensible framework and isolation primitives, such as hierarchical namespaces and custom resources, that can be used to implement it. This work is still in its early stages, but it is a burgeoning area, with the broader community, including the Linux Foundation and Kubernetes SIGs, working on stronger native multi-tenancy capabilities.
All that said, implementing multi-tenancy with current functionality requires knowledge of Kubernetes' isolation primitives, cloud-native networking tools, and third-party multi-tenancy frameworks.
Here are some ways to get started and examples of how our customers are doing this today:
Namespaces: Kubernetes namespaces provide a way to partition resources and isolate workloads. Different tenants or Cloud Native Functions (CNF) can be deployed in separate namespaces to achieve a basic level of isolation.
RBAC (Role-Based Access Control): Kubernetes RBAC allows defining fine-grained access controls over resources like namespaces, controlling which users can perform which actions.
Resource Quotas: Resource quotas can be enforced per namespace to limit the total compute, storage, and other resources each tenant/CNF can consume, preventing resource starvation.
Network Policies: As discussed above, network policies combined with CNI plugins like Calico and Cilium enable secure network isolation between CNFs across namespaces and clusters.
Virtual Clusters/Control Planes: Projects such as vCluster provide tenant-level virtual Kubernetes control planes, achieving a higher degree of isolation.
Hierarchical Namespaces: The Hierarchical Namespace Controller (HNC) enables modeling multi-tenancy as a hierarchy of namespaces, for finer-grained segregation beyond the flat namespace model.
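A minimal sketch tying several of these primitives together for one hypothetical tenant (all names are illustrative):

```yaml
# Illustrative per-tenant baseline: a namespace, a resource quota, and a
# scoped RBAC binding for the tenant's operations group.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a                 # hypothetical tenant
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "32"           # hypothetical limits
    requests.memory: 64Gi
    pods: "100"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-a-admins
  namespace: tenant-a
subjects:
  - kind: Group
    name: tenant-a-ops           # hypothetical group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin                    # Kubernetes built-in aggregated role
  apiGroup: rbac.authorization.k8s.io
```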
As the ecosystem continues to evolve, projects like Capsule are developing comprehensive native multi-tenancy features without requiring an additional management layer or customizations, offering capabilities such as multi-tenant orchestration, self-service hierarchical namespaces, security constraints, and enhanced policy enforcement.
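A sketch of what this looks like with Capsule, assuming its v1beta2 Tenant API; the tenant and group names are hypothetical:

```yaml
# Illustrative Capsule Tenant: the declared owners can self-service
# namespaces within the tenant, up to the stated quota.
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: cnf-vendor-a             # hypothetical tenant
spec:
  owners:
    - name: vendor-a-ops         # hypothetical group
      kind: Group
  namespaceOptions:
    quota: 5                     # max namespaces the tenant may create
```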
Conclusion
All of these capabilities promise to enhance NFVi, but as always, there is risk and complexity in adopting new technologies. We recommend providers continue to observe, and ideally participate in, these projects, because early adopters can improve network service reliability and service velocity while reducing complexity and cost. It also helps to work with solution providers that understand the unique needs of service providers and have experience innovating in and contributing to community projects. They can advise on what’s worth investing in and, just as importantly, help you gauge the maturity and readiness of these technologies so you can manage the associated risks and develop strategies to mitigate them.