Networking Capabilities on Cozystack

Network Architecture

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Cozystack uses a multi-layered networking stack designed for bare-metal Kubernetes clusters. The architecture combines several components, each responsible for a specific layer of the network:

Layer	Component	Purpose
External load balancing	MetalLB	Publishing services to external networks
Service load balancing	Cilium eBPF	kube-proxy replacement, in-kernel DNAT
Network policies	Cilium eBPF	Tenant isolation and security enforcement
Pod networking (CNI)	Kube-OVN	Centralized IPAM, overlay networking
VM IP passthrough	cozy-proxy	Passing through external IPs into virtual machines
VM secondary interfaces	Multus CNI	Attaching secondary L2 interfaces to virtual machines
Observability	Hubble (optional)	Network traffic visibility (disabled by default)

flowchart TD
 EXT["External Clients"]
 RTR["Upstream Router / Gateway"]
 MLB["MetalLB<br/>(L2 ARP / BGP)"]
 CIL["Cilium eBPF<br/>(Service Load Balancing + Network Policies)"]
 OVN["Kube-OVN<br/>(Pod Networking + IPAM)"]
 PODS["Pods"]

 EXT --> RTR
 RTR --> MLB
 MLB --> CIL
 CIL --> OVN
 OVN --> PODS

Cluster Network Configuration

Parameter	Default Value
Pod CIDR	10.244.0.0/16
Service CIDR	10.96.0.0/16
Join CIDR	100.64.0.0/16
Cluster domain	cozy.local
Overlay type	GENEVE
CNI	Kube-OVN
kube-proxy replacement	Cilium eBPF

Networking Stack Variants

Cozystack supports several networking stack variants to accommodate different cluster types. The variant is selected via bundles.system.variant in the platform configuration.

VPC

Mon, 01 Jan 0001 00:00:00 +0000

VPC offers a subset of dedicated subnets with networking services related to it. As the service evolves, it will provide more ways to isolate your workloads.

Service details

To function, the service requires kube-ovn and multus CNI to be present, so by default it will only work on paas-full bundle. Kube-ovn provides VPC and Subnet resources and performs isolation and networking maintenance such as DHCP. Under the hood it uses ovn virtual routers and virtual switches. Multus enables a multi-nic capability, so a pod or a VM could have two or more network interfaces.

Managed VPN Service

Mon, 01 Jan 0001 00:00:00 +0000

A Virtual Private Network (VPN) is a critical tool for ensuring secure and private communication over the internet. Managed VPN Service simplifies the deployment and management of VPN server, enabling you to establish secure connections with ease.

VPN client applications: https://shadowsocks5.github.io/en/download/clients.html

Deployment Details

The VPN Service is powered by the Outline Server, an advanced and user-friendly VPN solution. Internally known as “Shadowbox”, which simplifies the process of setting up and sharing Shadowsocks servers. It operates by launching Shadowsocks instances on demand. Furthermore, Shadowbox is compatible with standard Shadowsocks clients, providing flexibility and ease of use for your VPN requirements.

Managed Nginx-based HTTP Cache Service

Mon, 01 Jan 0001 00:00:00 +0000

The Nginx-based HTTP caching service is designed to optimize web traffic and enhance web application performance. This service combines custom-built Nginx instances with HAProxy for efficient caching and load balancing.

Deployment information

The Nginx instances include the following modules and features:

VTS module for statistics
Integration with ip2location
Integration with ip2proxy
Support for 51Degrees
Cache purge functionality

HAproxy plays a vital role in this setup by directing incoming traffic to specific Nginx instances based on a consistent hash calculated from the URL. Each Nginx instance includes a Persistent Volume Claim (PVC) for storing cached content, ensuring fast and reliable access to frequently used resources.

Managed TCP Load Balancer Service

Mon, 01 Jan 0001 00:00:00 +0000

The Managed TCP Load Balancer Service simplifies the deployment and management of load balancers. It efficiently distributes incoming TCP traffic across multiple backend servers, ensuring high availability and optimal resource utilization.

Deployment Details

Managed TCP Load Balancer Service efficiently utilizes HAProxy for load balancing purposes. HAProxy is a well-established and reliable solution for distributing incoming TCP traffic across multiple backend servers, ensuring high availability and efficient resource utilization. This deployment choice guarantees the seamless and dependable operation of your load balancing infrastructure.

Virtual Routers

Mon, 01 Jan 0001 00:00:00 +0000

Starting with version v0.27.0, Cozystack can deploy virtual routers (also known as “router appliances” or “middlebox appliances”). This feature allows you to create a virtual router based on a virtual machine instance. The virtual router can route traffic between different networks.

Creating a Virtual Router

Creating a virtual router requires a Cozystack administrator account.

Create a VM Instance
Use the standard vm-instance and virtual-machine packages to create a virtual machine instance.