This post will highlight and explain the importance of a pluggable data plane. But in order to do so, we first need an analogy. It’s time to talk about a brick garden wall!
Imagine you have been asked to repair a brick garden wall, because one brick has cracked through in the summer sun. You have the equipment you need, so the size of the job will depend to a great extent on how easily the brick can be removed from the wall without interfering with all the ones around it. Good luck.
Now that we have that wonderful imagery in mind, let’s look at how to go about designing walls — and how they can be maintained.
About software coupling: Fixing walls and designing great walls
“Coupling” is the term used to describe the interdependence between pieces of software. Closely coupled systems are interdependent and difficult to separate; loosely coupled systems are more like building blocks designed to work together, but they come apart cleanly. So, since the bricks in our garden wall are closely coupled (in this case, by cement), attempting to remove just one creates difficult challenges.
We can think of software as being built in “walls,” too. The protocols that support the modern internet exist in a wall (i.e. stack) called the internet protocol suite. At the top of the wall are protocols such as HTTPS that allow software programs and humans to communicate with each other, and further down the stack are protocols that are not used directly by users but are critical to the functionality of the higher layers (e.g. Ethernet, TCP).
One of the protocols in the middle of the internet protocol suite wall (in the third row of bricks, to be exact) is IPv4. It has been “cracked through” for some time. It is widely accepted that IPv4 needs to be replaced, but one of the biggest reasons for the slow progress in getting the job done is that, historically, IPv4 has been closely coupled to the protocols above and below it in the network stack. We can’t just “remove the brick.”
While the challenges of IPv4 is one example that many people will be familiar with, the same principle is true in all of software engineering. A strictly defined software interface means that the software is easier to secure, maintain, improve and manage. Looking at the below graphic, we can visualize what a well designed modular software solution (the pizza store) would look like versus a poorly designed solution (the car rental store). Which one would you prefer?
So how is all of this relevant to Tigera’s Kubernetes security and observability solution, Calico?
Calico was designed with a four-tier wall from day one:
- the data model (defines the custom resources used to enable Calico);
- the Felix Calculation Graph (the “control plane” that makes the smart decisions);
- the data plane driver (a simple, minimal driver responsible for programming the data plane); and
- the data plane (responsible for forwarding packets).
Each component has not only a clearly defined role, but a clearly defined API interface to the “brick” above and below it. With Calico, it’s easy to replace a brick and get back to the rest of the weekend in the garden.
But what if the brick is not broken? What if we just want a shiny new brick?
Calico: Choosing the best bricks (standard Linux, Windows HNS, eBPF, VPP, and beyond)
When Calico arrived, it only had support for a single data plane; but the simplicity, performance and compatibility ensured that adoption grew rapidly. Support has since been extended to two additional data planes, adding great functionality. With support for a total of three data planes on offer, Calico enables you to choose the right tool for the right job:
- Linux eBPF (high performance, excellent visibility, improved traffic flow)
- Standard Linux iptables (good performance, great compatibility, wide support)
- Windows HNS (supporting workloads on Windows)
In addition, thanks to the hard work of the contributors to the Vector Packet Processing (VPP) project, there has been significant progress made on building support within Calico for a fourth data plane: VPP.
It’s a testament to Calico’s excellent design that multiple data planes have been added in a short space of time, whilst maintaining a rich network policy model.
The Future: Very shiny bricks
The world of networking is full of protocols and technologies that were going to be the next big thing, but did not deliver on their promise (TRILL, anyone?).
Calico’s support for a pluggable data plane, which was built-in from day one, ensures that Calico is always able to support the latest developments in data plane technology and move gracefully between data planes, as we all learn what the future holds.
Thanks to this support, Calico is able to use the best native control possible for its Policy Engine, and has the right data plane technology for the job — today and in the future.
Did you know you can become a certified Calico operator? Learn Kubernetes networking and security fundamentals using Calico in this free, self-paced certification course.
- Read our guide to eBPF
- Calico eBPF Data Plane Deep-Dive
- kOps adds support for Calico’s eBPF data plane
Join our mailing list
Get updates on blog posts, workshops, certification programs, new releases, and more!