New "Network Devices" feature for OCI containers

Antonio Ojea

Jun 19, 2025, 9:35:47 AM
to kubernetes-sig-node, kubernetes-sig-network

Dear SIG Network and Node communities,

Today, runc has officially merged support for the new "Network Devices" feature of the OCI specification. This allows for the direct and declarative handling of Linux network devices within containers, with support also in crun and youki runtimes.

This specification took a considerable amount of time to finalize due to the complexity of the problem and the emphasis on a clear separation of concerns. The discussions spanned over 180 comments and involved two KubeCon face-to-face meetings with the OCI community, finally receiving approval at KubeCon London this year (yeah, I'm great at doing selfies :) ).

[Image: oci_meeting.jpg]

During the review of KEP-3698 Multi-Network and KEP-4477 KNI (Kubernetes Networking Interface), important discussions were triggered that clearly revealed the problems caused by the lack of good APIs and technologies to address these needs effectively. This resulted in inefficiencies and the creation of complex, unscalable compensation layers for handling scenarios that require the use of multiple network interfaces in Pods.

One of the key reasons for this was the compartmentalization of the problem, a kind of application of Conway's law. Networking teams traditionally use the CNI hook in the runtime to configure "everything network" related. This serializes the network configuration during Pod creation, leading to problems like Pod startup latency or hard-to-troubleshoot Pod creation failures, especially when the CNI hook had to communicate with the API server to retrieve information. This new feature allows for building a more scalable pattern where the RunPodSandbox hook primarily focuses on creating the network namespace, and the complexities of network configuration (such as IPAM and DNS configuration) can be handled in a pre-Pod-creation phase, similar to DRA NodePrepareResources or within an init container.

To help you understand and experiment with this feature, I have prepared a codelab.

I encourage you to review the codelab and the existing integration tests in runc, experiment with the feature and provide feedback.

Thanks to all the people who helped to get this feature done. It is truly inspiring how the Kubernetes ecosystem spans multiple communities, and how individuals wear multiple hats to contribute to the greater good of OSS software.

Special thanks to the Open Container Initiative community, and the runc, crun, and youki maintainers: Akihiro Suda, Alexander Kanevskiy, Giuseppe Scrivano, Kir Kolyshkin, Mike Brown, Mrunal Patel, Phil Estes, Rodrigo Campos, Samuel Karp, Toru Komatsu.

My apologies if I inadvertently missed anyone.
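As an added illustration (not part of the announcement above, nor code from runc or the OCI project), the declarative pattern described in the message boils down to a `linux.netDevices` object in the container's config.json, keyed by the host interface name with an optional `name` for the interface inside the container. The helper below builds that object from a host-to-container name mapping and applies the interface-name limits the kernel enforces (IFNAMSIZ, no `/` or whitespace); the requirement that the config declare a network namespace is this example's own sanity check, since the device is moved into that namespace, and the sample config is constructed.

```python
import re
from typing import Dict, Optional

# Linux IFNAMSIZ is 16 bytes including the NUL terminator: 15 usable chars.
IFNAMSIZ = 16
_NAME_RE = re.compile(r"^[^\s/]+$")


def valid_ifname(name: str) -> bool:
    """Interface-name rules the kernel applies when creating or renaming."""
    if not name or name in (".", ".."):
        return False
    if len(name.encode()) >= IFNAMSIZ:
        return False
    return _NAME_RE.match(name) is not None


def build_net_devices(mapping: Dict[str, Optional[str]]) -> Dict[str, dict]:
    """Return the OCI `linux.netDevices` object for a host->container mapping.

    A value of None keeps the host name inside the container (no `name` key).
    Container-side names must be unique or the second move would fail.
    """
    devices: Dict[str, dict] = {}
    seen = set()
    for host, ctr in mapping.items():
        if not valid_ifname(host):
            raise ValueError(f"invalid host interface name: {host!r}")
        entry: dict = {}
        final = host
        if ctr is not None:
            if not valid_ifname(ctr):
                raise ValueError(f"invalid container interface name: {ctr!r}")
            entry["name"] = ctr
            final = ctr
        if final in seen:
            raise ValueError(f"duplicate container-side name: {final!r}")
        seen.add(final)
        devices[host] = entry
    return devices


def add_net_devices(config: dict, mapping: Dict[str, Optional[str]]) -> dict:
    """Attach `linux.netDevices` to an OCI config, requiring a network namespace
    (an assumption of this example: the device is moved into that namespace)."""
    linux = config.setdefault("linux", {})
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}
    if "network" not in ns_types:
        raise ValueError("config declares no network namespace for the container")
    linux["netDevices"] = build_net_devices(mapping)
    return config


# Constructed sample: a minimal config with a dedicated network namespace.
SAMPLE_CONFIG = {"ociVersion": "1.2.1", "linux": {"namespaces": [{"type": "network"}]}}
```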
