Software-defined networking (SDN) is still quite a new technology, but Project Calico is hoping to push forward a generational evolution. Today, the open-source project added support for Google’s Kubernetes container-management platform.
Calico is the brainchild of Christopher Liljenstolpe. He is the director of solutions architecture at Metaswitch, and he said the goal is to build an easy-to-use SDN system targeted at developers, and for Metaswitch to offer premium services and software on top of Calico.
(Related: Engine Yard container group launches Kubernetes packaging system)
“The SDN solutions that have more of an enterprise heritage are relatively complex and bring a lot of baggage with them,” said Liljenstolpe. “A lot of that is built around the concepts of how we used to build enterprise networks. They provide layer 2 connectivity between small numbers of servers. In the scale-out, containerized world, that baggage makes building a simple scalable network anywhere from difficult to impossible.
“For tens of thousands of servers, and hundreds of containers per server, and the fact those containers might only exist for seconds at a time, the churn and objects in-flight in these scale-out environments is a substantial orders-of-magnitude change. The legacy SDN plays are problematic.”
To that end, Liljenstolpe looked at SDN from the perspective of a developer rather than from a network administrator. “Calico said we want a simple network infrastructure. People should not spend time troubleshooting their network,” he said.
“They should be deploying. SDN needs to be Internet scalable, it needs to scale to hundreds of thousands of endpoints. It needs to be secure. We don’t make the people who write the applications think in terms of being a network engineer. We don’t make them think ‘Which layer 2 virtual network do I attach this to? These are on different trust domains, so now I need different firewall rules. Where do those get deployed?’ ”
Instead of forcing developers to answer these complex networking questions, Calico takes a different approach to managing the network. Rather than having it fully defined by hand, Calico listens to the orchestrators already running on your network, whether from Mesosphere, OpenStack, or now Kubernetes.
The information these orchestrators send out when provisioning networks and systems is then read by Calico, which writes that metadata into a distributed key-value store. From there, agents on the client machines automatically configure themselves to slot their workloads into the proper virtual networks.
“When a workload shows up and says, ‘I am a production, front-end load balancer,’ that server goes out and figures out who are all the load balancers, who are all the production workloads,” said Liljenstolpe. “And it calculates a set of ACLs to affect that workload. If an IP address changes, the local server gets that change and recalculates the ACLs.”
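The mechanism Liljenstolpe describes, modelled as an added example that is not Calico's own code: orchestrator metadata (workload labels and addresses) lands in a shared store, a per-host agent reads it, resolves label-based policy into concrete per-IP ACL entries for the workloads on its own host, and recomputes when an address changes. The `Workload`, `Policy`, `Store` and `Agent` classes, the labels, hosts and 10.0.x.y addresses, and the iptables-style rendering are all constructed for illustration.

```python
# Added example (not Calico's code): a minimal model of label-driven ACL
# computation. Orchestrator metadata lands in a shared store; an agent on each
# host reads it, finds the workloads scheduled locally, and turns label-based
# policy into per-IP ACL entries. On an IP change it simply recomputes.
# All names, labels and addresses below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Workload:
    name: str
    host: str                       # host the orchestrator scheduled it on
    ip: str
    labels: Dict[str, str] = field(default_factory=dict)


@dataclass
class Policy:
    """Allow traffic from workloads matching `src` to workloads matching `dst` on `port`."""
    src: Dict[str, str]
    dst: Dict[str, str]
    port: int


class Store:
    """Stand-in for the distributed key-value store fed by the orchestrator."""
    def __init__(self) -> None:
        self.workloads: Dict[str, Workload] = {}
        self.policies: List[Policy] = []

    def put_workload(self, w: Workload) -> None:
        self.workloads[w.name] = w

    def set_ip(self, name: str, ip: str) -> None:
        self.workloads[name].ip = ip


def matches(labels: Dict[str, str], selector: Dict[str, str]) -> bool:
    # Every key in the selector must be present with the same value.
    return all(labels.get(k) == v for k, v in selector.items())


Acl = Tuple[str, str, Optional[int]]   # (action, source CIDR, dest port or None)


class Agent:
    """Per-host agent: derives inbound ACLs only for workloads on its own host."""
    def __init__(self, host: str, store: Store) -> None:
        self.host = host
        self.store = store

    def compute_acls(self) -> Dict[str, List[Acl]]:
        acls: Dict[str, List[Acl]] = {}
        for w in self.store.workloads.values():
            if w.host != self.host:
                continue
            entries: List[Acl] = []
            for pol in self.store.policies:
                if not matches(w.labels, pol.dst):
                    continue
                # Expand the source selector into the concrete IPs that match it now.
                for src in self.store.workloads.values():
                    if src.name != w.name and matches(src.labels, pol.src):
                        entries.append(("ACCEPT", f"{src.ip}/32", pol.port))
            entries.append(("DROP", "0.0.0.0/0", None))  # default deny inbound
            acls[w.name] = entries
        return acls


def render(entries: List[Acl], chain: str) -> List[str]:
    """Render ACL entries as iptables-style lines (illustrative syntax only)."""
    out = []
    for action, src, port in entries:
        line = f"-A {chain} -s {src}"
        if port is not None:
            line += f" -p tcp --dport {port}"
        out.append(line + f" -j {action}")
    return out


def build_demo_store() -> Store:
    store = Store()
    store.put_workload(Workload("lb-1", "host-a", "10.0.1.10", {"env": "production", "role": "frontend-lb"}))
    store.put_workload(Workload("web-1", "host-a", "10.0.1.20", {"env": "production", "role": "web"}))
    store.put_workload(Workload("web-2", "host-b", "10.0.2.20", {"env": "production", "role": "web"}))
    store.put_workload(Workload("web-dev", "host-b", "10.0.2.30", {"env": "dev", "role": "web"}))
    # Only production load balancers may reach production web servers on 8080.
    store.policies.append(Policy({"env": "production", "role": "frontend-lb"},
                                 {"env": "production", "role": "web"}, 8080))
    return store


def demo() -> Tuple[Dict[str, List[Acl]], Dict[str, List[Acl]]]:
    store = build_demo_store()
    agent_a = Agent("host-a", store)
    before = agent_a.compute_acls()
    store.set_ip("lb-1", "10.0.1.99")       # orchestrator reassigns the LB's address
    after = agent_a.compute_acls()          # agent recalculates from the store
    return before, after


if __name__ == "__main__":
    _, after = demo()
    for name, entries in after.items():
        print(name)
        for line in render(entries, f"in-{name}"):
            print("  " + line)
```

The point to notice is that policy is written once in terms of labels, while the per-host agent only ever emits rules for its own workloads and only ever references concrete addresses that exist in the store at that moment; the dev web server on host-b matches no policy and therefore gets nothing but the default deny.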
Project Calico is available as open source from www.projectcalico.org.