# Networking Architecture
This section describes the networking architecture and components used in the RCIIS DevOps project.
## Overview
The RCIIS project uses a modern Kubernetes networking stack with emphasis on security, observability, and performance.
## Container Network Interface (CNI)

### Cilium (Recommended)

Why Cilium?

- eBPF-based networking for high performance
- Built-in network policies and security
- Service mesh capabilities
- Advanced observability features

Configuration: `apps/infra/cilium/`

```yaml
# Key Cilium features enabled
operator:
  replicas: 1
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
```
### Calico (Alternative)

Use Cases:

- Legacy environment support
- Specific policy requirements
- Debugging and troubleshooting

Configuration: Available in cluster setup scripts
## Ingress and Load Balancing

### NGINX Ingress Controller

Purpose: External traffic routing and SSL termination

Configuration: `apps/infra/ingress-nginx/`

- Common values: Shared across environments
- Environment-specific: Per-environment customizations
- Features: SSL passthrough, rate limiting, authentication
### MetalLB (Local Development)

Purpose: LoadBalancer services in Kind clusters

Configuration: `apps/infra/metallb/`

```yaml
# MetalLB address pools for local development
addressPools:
  - name: default
    protocol: layer2
    addresses:
      - 172.18.255.200-172.18.255.250
```
## Service Mesh

### APISIX Gateway

Purpose: API gateway and advanced routing

Configuration: `apps/rciis/apisix/`

Features:

- Dynamic routing and load balancing
- Authentication and authorization
- Rate limiting and traffic control
- Plugin ecosystem for extensibility

Per-environment configuration:

- Local: Basic routing for development
- Testing: Full feature testing
- Staging: Production-like configuration
## Network Policies

### Security Policies

Cilium Network Policies:

- Application-level security
- Protocol-aware filtering
- Identity-based policies

Kubernetes Network Policies:

- Namespace isolation
- Pod-to-pod communication rules
- Ingress/egress traffic control

### Policy Examples

```yaml
# Example: Restrict database access
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-access
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api-server
      ports:
        - protocol: TCP
          port: 5432
```
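To see what the policy above actually permits before relying on it, the following added example (not part of the RCIIS project) evaluates the manifest against candidate connections using the NetworkPolicy semantics it exercises. The `rciis` namespace and the pod labels other than `database` and `api-server` are assumptions made for the illustration.

```python
"""Evaluate the page's database-access NetworkPolicy against candidate connections.
Models only what that example uses (podSelector, policyTypes, ingress.from.podSelector,
ingress.ports); namespaceSelector and ipBlock peers are not modelled."""

# The page's "Restrict database access" manifest as a dict (no PyYAML needed).
# The "rciis" namespace is an assumption; the page's manifest sets none.
DATABASE_ACCESS_POLICY = {
    "metadata": {"name": "database-access", "namespace": "rciis"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "database"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "api-server"}}}],
            "ports": [{"protocol": "TCP", "port": 5432}],
        }],
    },
}


def selector_matches(selector, labels):
    """matchLabels semantics: every selector key/value must be on the pod;
    an empty selector matches everything, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policy, dst_labels, dst_ns, src_labels, src_ns, port, protocol="TCP"):
    """True if the policy lets src reach dst on port/protocol. Pods the policy does
    not select are unaffected; a selected pod gets default-deny ingress and the
    connection must match an explicit rule."""
    spec = policy["spec"]
    policy_ns = policy["metadata"].get("namespace", "default")
    if dst_ns != policy_ns or not selector_matches(spec["podSelector"], dst_labels):
        return True  # policy does not apply to this pod
    if "Ingress" not in spec.get("policyTypes", []):
        return True  # policy does not govern ingress
    for rule in spec.get("ingress", []):
        ports = rule.get("ports")  # absent => any port
        if ports is not None and not any(
                p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports):
            continue
        peers = rule.get("from")  # absent => any source
        if peers is None:
            return True
        for peer in peers:
            # A bare podSelector matches only pods in the policy's own namespace.
            if "podSelector" in peer and "namespaceSelector" not in peer:
                if src_ns == policy_ns and selector_matches(peer["podSelector"], src_labels):
                    return True
    return False
```

Two things the evaluation makes visible: an `api-server` pod in another namespace is still denied because the `from` entry has no `namespaceSelector`, and with `policyTypes: [Ingress]` only, egress from the database pod remains unrestricted.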
## DNS and Service Discovery

### CoreDNS

Configuration: Standard Kubernetes DNS

Custom Zones:

- Internal service discovery
- External service resolution
- Development domain overrides

### Service Discovery Patterns

Internal Services:

Cross-namespace Communication:

- Explicit service references
- Network policy controls
- Service mesh routing
## Observability and Monitoring

### Network Monitoring

Hubble (Cilium):

- Real-time network visibility
- Service dependency mapping
- Security event monitoring

Prometheus Metrics:

- Network performance metrics
- Service mesh telemetry
- Ingress controller statistics

### Troubleshooting Tools

Network Debugging:

```bash
# Cilium connectivity test
cilium connectivity test
# Hubble flow monitoring
hubble observe --follow
# List services, ingresses and network policies in the current namespace
kubectl get svc,ingress,networkpolicy
```
## Security Considerations

### Encryption

In-Transit:

- TLS for all external communications
- mTLS for service-to-service (optional)
- Encrypted CNI traffic (Cilium)

At-Rest:

- Kubernetes secrets encryption
- SOPS for GitOps secrets
- Persistent volume encryption

### Access Control

Network Level:

- Network policies for micro-segmentation
- Ingress controller authentication
- Service mesh authorization

Application Level:

- OAuth2/OIDC integration
- API key management
- Rate limiting and DDoS protection
## Performance Optimization

### Traffic Shaping

Ingress Level:

- Connection limits
- Request rate limiting
- Bandwidth throttling

Service Mesh Level:

- Circuit breakers
- Retry policies
- Load balancing algorithms

### Caching Strategies

Edge Caching:

- CDN integration
- Ingress controller caching
- Static asset optimization

Service Caching:

- Redis for session storage
- Application-level caching
- Database query caching