Multus CNI ????????? Hexagonal Architecture ?????????????????????
Multus CNI ???????????? meta-plugin ?????????????????? Kubernetes ?????????????????????????????? pods ?????????????????? network interfaces (multi-homed pods) ???????????? pod ?????? network interface ??????????????? (eth0) ????????? default CNI (Calico, Flannel, Cilium) ????????? Multus ??????????????????????????? interfaces ????????????????????????????????????????????? management network, storage network, data plane network ??????????????????
Hexagonal Architecture (Ports and Adapters) ???????????? architectural pattern ?????????????????? business logic (core domain) ?????????????????? external systems (databases, APIs, message queues) ???????????? ports (interfaces) ????????? adapters (implementations) ??????????????? ????????????????????? infrastructure ?????????????????????????????????????????? business logic, testable ????????????????????? (mock adapters), ?????????????????????????????????
?????????????????? Multus CNI ????????? Hexagonal Architecture ??????????????? adapter ?????? hexagonal architecture ????????????????????????????????? dedicated network interface, ????????? traffic types (management, data, storage) ???????????? interfaces ?????????????????????, Network policies ????????????????????????????????? (adapter ???????????????????????????????????????????????????????????? network ????????????????????????), Performance ?????????????????? (dedicated bandwidth per traffic type)
??????????????????????????????????????????????????? Multus CNI
Setup Multus CNI ?????? Kubernetes
# === Multus CNI Installation ===
# 1. Install Multus CNI
kubectl apply -f https://raw.githubusercontent.com/k8snetworkplumbingwg/multus-cni/master/deployments/multus-daemonset-thick.yml
# 2. Verify installation
kubectl get pods -n kube-system | grep multus
kubectl get network-attachment-definitions
# 3. Create Network Attachment Definitions
cat > network-definitions.yaml << 'EOF'
# Management Network (for monitoring, logging)
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: mgmt-network
  namespace: default
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "type": "macvlan",
      "master": "eth1",
      "mode": "bridge",
      "ipam": {
        "type": "host-local",
        "subnet": "10.10.0.0/24",
        "rangeStart": "10.10.0.100",
        "rangeEnd": "10.10.0.200",
        "routes": [{"dst": "0.0.0.0/0"}],
        "gateway": "10.10.0.1"
      }
    }
---
# Data Network (for inter-service communication)
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: data-network
  namespace: default
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "type": "macvlan",
      "master": "eth2",
      "mode": "bridge",
      "ipam": {
        "type": "host-local",
        "subnet": "10.20.0.0/24",
        "rangeStart": "10.20.0.100",
        "rangeEnd": "10.20.0.200"
      }
    }
---
# Storage Network (for database, object storage)
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: storage-network
  namespace: default
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "type": "macvlan",
      "master": "eth3",
      "mode": "bridge",
      "ipam": {
        "type": "host-local",
        "subnet": "10.30.0.0/24",
        "rangeStart": "10.30.0.100",
        "rangeEnd": "10.30.0.200"
      }
    }
EOF
kubectl apply -f network-definitions.yaml
# 4. Deploy pod with multiple interfaces
cat > multi-homed-pod.yaml << 'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: hexagonal-app
  annotations:
    k8s.v1.cni.cncf.io/networks: |
      [
        {"name": "mgmt-network", "interface": "net1"},
        {"name": "data-network", "interface": "net2"},
        {"name": "storage-network", "interface": "net3"}
      ]
spec:
  containers:
    - name: app
      image: myregistry/hexagonal-app:latest
      ports:
        - containerPort: 8080
      env:
        - name: MGMT_INTERFACE
          value: "net1"
        - name: DATA_INTERFACE
          value: "net2"
        - name: STORAGE_INTERFACE
          value: "net3"
EOF
kubectl apply -f multi-homed-pod.yaml
# 5. Verify interfaces
kubectl exec hexagonal-app -- ip addr show
# Should show: eth0 (default), net1 (mgmt), net2 (data), net3 (storage)
echo "Multus CNI configured with 3 additional networks"
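Multus applies whatever the NetworkAttachmentDefinitions say, so the consistency checks are on you. The following Python lint is an added example, not code from the page or the Multus project: it embeds constructed copies of the three NAD config bodies and the hexagonal-app annotation from the setup above, assumes a primary pod CIDR of 10.244.0.0/16 (the value used in the design section), and reports IPAM values outside their subnet, overlapping subnets, a host master interface shared by two networks, duplicate or reserved interface names in the annotation, and a NAD that installs a 0.0.0.0/0 route, which competes with the default route the primary CNI already put on eth0.

```python
#!/usr/bin/env python3
# nad_check.py - lint Multus NetworkAttachmentDefinitions against a pod's networks annotation
import ipaddress
import json
# Constructed copies of the "config" bodies of the three NADs defined above (name -> CNI JSON).
NAD_CONFIGS = {
    "mgmt-network": '{"cniVersion":"0.3.1","type":"macvlan","master":"eth1","mode":"bridge","ipam":'
                    '{"type":"host-local","subnet":"10.10.0.0/24","rangeStart":"10.10.0.100","rangeEnd":'
                    '"10.10.0.200","routes":[{"dst":"0.0.0.0/0"}],"gateway":"10.10.0.1"}}',
    "data-network": '{"cniVersion":"0.3.1","type":"macvlan","master":"eth2","mode":"bridge","ipam":'
                    '{"type":"host-local","subnet":"10.20.0.0/24","rangeStart":"10.20.0.100","rangeEnd":"10.20.0.200"}}',
    "storage-network": '{"cniVersion":"0.3.1","type":"macvlan","master":"eth3","mode":"bridge","ipam":'
                       '{"type":"host-local","subnet":"10.30.0.0/24","rangeStart":"10.30.0.100","rangeEnd":"10.30.0.200"}}',
}
# The k8s.v1.cni.cncf.io/networks annotation of the hexagonal-app pod above.
POD_ANNOTATION = ('[{"name":"mgmt-network","interface":"net1"},{"name":"data-network","interface":"net2"},'
                  '{"name":"storage-network","interface":"net3"}]')
POD_CIDR = "10.244.0.0/16"  # primary CNI pod range; assumed, taken from the design section

def check_nads(nad_configs, annotation, pod_cidr):
    """Return a list of findings; an empty list means the attachments are consistent."""
    findings = []
    nets = {name: json.loads(cfg) for name, cfg in nad_configs.items()}
    subnets = {"primary pod network": ipaddress.ip_network(pod_cidr)}
    masters = {}
    for name, cfg in nets.items():
        ipam = cfg.get("ipam", {})
        net = ipaddress.ip_network(ipam["subnet"])
        for other, onet in subnets.items():              # every secondary subnet must be disjoint
            if net.overlaps(onet):
                findings.append(f"{name}: subnet {net} overlaps {other} {onet}")
        subnets[name] = net
        for key in ("rangeStart", "rangeEnd", "gateway"):  # IPAM values must lie inside the subnet
            if key in ipam and ipaddress.ip_address(ipam[key]) not in net:
                findings.append(f"{name}: {key} {ipam[key]} is outside {net}")
        if any(r.get("dst") == "0.0.0.0/0" for r in ipam.get("routes", [])):
            findings.append(f"{name}: installs a default route, competing with the eth0 default route")
        masters.setdefault(cfg.get("master"), []).append(name)
    for master, names in masters.items():                # one physical uplink per traffic type
        if len(names) > 1:
            findings.append(f"host interface {master} is shared by {names}: no physical separation")
    seen = set()
    for att in json.loads(annotation):
        iface = att.get("interface", "")
        if att["name"] not in nets:
            findings.append(f"annotation references unknown NAD {att['name']}")
        if iface == "eth0" or iface in seen:               # eth0 belongs to the primary CNI
            findings.append(f"interface name {iface!r} is reserved or duplicated")
        seen.add(iface)
    return findings
```

Run against the page's own definitions it reports exactly one finding, the default route on mgmt-network; everything else is consistent.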
Network Design Patterns
Network patterns ?????????????????? hexagonal architecture
#!/usr/bin/env python3
# network_design.py - Multi-Network Hexagonal Architecture
import json
import logging
from typing import Dict, List

logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("network")


class HexagonalNetworkDesign:
    """Design multi-network topology for hexagonal architecture"""

    def topology(self) -> Dict:
        return {
            "networks": {
                "default_pod_network": {
                    "cidr": "10.244.0.0/16",
                    "purpose": "Kubernetes service discovery, DNS",
                    "cni": "Calico/Flannel/Cilium (primary CNI)",
                    "interface": "eth0",
                    "traffic": ["K8s services", "DNS", "API server"],
                },
                "management_network": {
                    "cidr": "10.10.0.0/24",
                    "purpose": "Monitoring, logging, health checks",
                    "cni": "macvlan via Multus",
                    "interface": "net1",
                    "traffic": ["Prometheus metrics", "Log shipping", "Health probes"],
                },
                "data_plane_network": {
                    "cidr": "10.20.0.0/24",
                    "purpose": "Inter-service business data communication",
                    "cni": "SR-IOV / macvlan via Multus",
                    "interface": "net2",
                    "traffic": ["gRPC calls", "REST APIs", "Event streaming"],
                },
                "storage_network": {
                    "cidr": "10.30.0.0/24",
                    "purpose": "Database and storage access",
                    "cni": "macvlan via Multus",
                    "interface": "net3",
                    "traffic": ["PostgreSQL", "Redis", "S3/MinIO"],
                },
            },
            "hexagonal_mapping": {
                "core_domain": {
                    "description": "Business logic (no network dependency)",
                    "networks": [],
                },
                "inbound_adapters": {
                    "description": "HTTP controllers, gRPC servers, message consumers",
                    "networks": ["default_pod_network", "data_plane_network"],
                },
                "outbound_adapters": {
                    "description": "Database repos, API clients, message producers",
                    "networks": ["storage_network", "data_plane_network"],
                },
                "infrastructure": {
                    "description": "Logging, monitoring, config",
                    "networks": ["management_network"],
                },
            },
        }

    def security_policies(self) -> Dict:
        return {
            "network_isolation": [
                "Storage network: only database adapters can access",
                "Management network: only monitoring agents",
                "Data plane: only service-to-service communication",
                "Default: only K8s internal traffic",
            ],
            "encryption": {
                "data_plane": "mTLS via service mesh (Linkerd/Istio)",
                "storage": "TLS to database, encrypted at rest",
                "management": "TLS for metrics/logs export",
            },
        }


design = HexagonalNetworkDesign()
topo = design.topology()
print("Hexagonal Network Topology:")
for net_name, info in topo["networks"].items():
    print(f"\n  {net_name} ({info['interface']}):")
    print(f"    CIDR: {info['cidr']}")
    print(f"    Purpose: {info['purpose']}")
    print(f"    Traffic: {', '.join(info['traffic'][:2])}")
print("\nHexagonal Layer -> Network Mapping:")
for layer, info in topo["hexagonal_mapping"].items():
    nets = ', '.join(info['networks']) if info['networks'] else 'None (pure logic)'
    print(f"  {layer}: {info['description']} -> [{nets}]")
Hexagonal Architecture ?????? Kubernetes
Implement hexagonal architecture ???????????? multi-network pods
# === Hexagonal Architecture on K8s ===
# 1. Application deployment with network separation
cat > hexagonal-deployment.yaml << 'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: order-service
  labels:
    app: order-service
    architecture: hexagonal
spec:
  replicas: 3
  selector:
    matchLabels:
      app: order-service
  template:
    metadata:
      labels:
        app: order-service
      annotations:
        k8s.v1.cni.cncf.io/networks: |
          [
            {"name": "data-network", "interface": "net1"},
            {"name": "storage-network", "interface": "net2"}
          ]
    spec:
      containers:
        # Main application (hexagonal core + adapters)
        - name: order-service
          image: myregistry/order-service:latest
          ports:
            - name: http
              containerPort: 8080
            - name: grpc
              containerPort: 9090
            - name: metrics
              containerPort: 9091
          env:
            # Inbound adapter config (data network)
            - name: GRPC_LISTEN_ADDR
              value: "0.0.0.0:9090"
            - name: HTTP_LISTEN_ADDR
              value: "0.0.0.0:8080"
            # Outbound adapter config (storage network)
            - name: DATABASE_HOST
              value: "10.30.0.10"
            - name: DATABASE_PORT
              value: "5432"
            - name: REDIS_HOST
              value: "10.30.0.20"
            - name: REDIS_PORT
              value: "6379"
            # Event bus (data network)
            - name: KAFKA_BROKERS
              value: "10.20.0.50:9092,10.20.0.51:9092"
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: 1
              memory: 1Gi
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 5
---
# Database on storage network
apiVersion: apps/v1
kind: Deployment
metadata:
  name: order-db
spec:
  replicas: 1
  selector:
    matchLabels:
      app: order-db
  template:
    metadata:
      labels:
        app: order-db
      annotations:
        k8s.v1.cni.cncf.io/networks: |
          [{"name": "storage-network", "interface": "net1"}]
    spec:
      containers:
        - name: postgres
          image: postgres:16
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: orders
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: password
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: order-db-pvc
EOF
kubectl apply -f hexagonal-deployment.yaml
echo "Hexagonal deployment configured"
Testing ????????? Troubleshooting
???????????????????????????????????????????????? multi-network setup
#!/usr/bin/env python3
# network_test.py - Multi-Network Testing
import json
import logging
from typing import Dict, List

logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("test")


class MultiNetworkTester:
    def test_plan(self) -> Dict:
        return {
            "connectivity_tests": {
                "description": "??????????????? connectivity ????????? network interfaces",
                "commands": [
                    "kubectl exec order-service -- ip addr show  # Verify all interfaces",
                    "kubectl exec order-service -- ping -c 3 -I net1 10.20.0.10  # Data network",
                    "kubectl exec order-service -- ping -c 3 -I net2 10.30.0.10  # Storage network",
                    "kubectl exec order-service -- curl http://10.20.0.10:8080/health  # Service health",
                ],
            },
            "isolation_tests": {
                "description": "???????????????????????? network isolation ???????????????",
                "tests": [
                    "App pod should NOT access storage network from default interface",
                    "DB pod should NOT access data network",
                    "Management pod should NOT access storage network",
                ],
            },
            "performance_tests": {
                "description": "??????????????? bandwidth ??????????????? interface",
                "tool": "iperf3",
                "tests": [
                    "Default network: baseline bandwidth",
                    "Data network: inter-service throughput",
                    "Storage network: database throughput",
                ],
            },
            "troubleshooting": {
                "pod_no_additional_interface": [
                    "Check Multus daemonset running: kubectl get pods -n kube-system | grep multus",
                    "Check NetworkAttachmentDefinition exists: kubectl get net-attach-def",
                    "Check annotation syntax in pod spec",
                    "Check host interface exists (master field in NAD config)",
                ],
                "no_connectivity": [
                    "Check IPAM allocated IP: kubectl exec pod -- ip addr show net1",
                    "Check routing table: kubectl exec pod -- ip route",
                    "Check host network config (VLAN, bridge)",
                    "Check firewall rules on host",
                ],
            },
        }


tester = MultiNetworkTester()
plan = tester.test_plan()
print("Multi-Network Test Plan:")
for category, info in plan.items():
    if isinstance(info, dict) and "description" in info:
        print(f"\n  {category}: {info['description']}")
        if "commands" in info:
            for cmd in info["commands"][:2]:
                print(f"    $ {cmd}")
        if "tests" in info:
            for t in info["tests"][:2]:
                print(f"    - {t}")
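The connectivity check and the "pod has no additional interface" / "IPAM allocated IP" troubleshooting steps above can be automated from the JSON form of `ip addr show`. This Python snippet is an added example, not code from the page or the Multus project: it takes constructed `ip -j addr show` output for an order-service pod (net2 deliberately has only a link-local IPv6 address, modelling a failed host-local allocation) and reports every expected interface that is missing, not UP, unaddressed, or addressed outside the subnet of the NAD it should be attached to.

```python
#!/usr/bin/env python3
# iface_check.py - verify a pod's Multus interfaces from `ip -j addr show` output
import ipaddress
import json

# Expected attachments for order-service, from the deployment above: interface -> NAD subnet
# (None for eth0, whose address comes from the primary CNI).
EXPECTED = {"eth0": None, "net1": "10.20.0.0/24", "net2": "10.30.0.0/24"}

# Constructed output of `kubectl exec order-service -- ip -j addr show`; net2 never got an IPv4 lease.
IP_JSON = json.dumps([
    {"ifname": "lo", "operstate": "UNKNOWN",
     "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eth0", "operstate": "UP",
     "addr_info": [{"family": "inet", "local": "10.244.1.23", "prefixlen": 24}]},
    {"ifname": "net1", "operstate": "UP",
     "addr_info": [{"family": "inet", "local": "10.20.0.101", "prefixlen": 24}]},
    {"ifname": "net2", "operstate": "UP",
     "addr_info": [{"family": "inet6", "local": "fe80::1", "prefixlen": 64}]},
])

def check_interfaces(ip_json, expected):
    """Return {iface: problem} for each expected interface that is missing, down, or mis-addressed."""
    links = {link["ifname"]: link for link in json.loads(ip_json)}
    problems = {}
    for iface, subnet in expected.items():
        link = links.get(iface)
        if link is None:
            problems[iface] = "missing (check Multus daemonset, NAD name and annotation syntax)"
            continue
        if link.get("operstate") != "UP":
            problems[iface] = f"operstate {link.get('operstate')}"
            continue
        v4 = [a["local"] for a in link.get("addr_info", []) if a.get("family") == "inet"]
        if not v4:
            problems[iface] = "no IPv4 address (IPAM did not allocate; check the host-local range)"
        elif subnet and ipaddress.ip_address(v4[0]) not in ipaddress.ip_network(subnet):
            problems[iface] = f"{v4[0]} not in {subnet} (wrong NAD attached)"
    return problems
```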
Monitoring ????????? Security
??????????????????????????????????????????????????????????????????????????? multi-network
#!/usr/bin/env python3
# network_monitor.py - Multi-Network Monitoring
import json
import logging
from typing import Dict, List

logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("monitor")


class NetworkMonitor:
    def dashboard(self) -> Dict:
        return {
            "interfaces": {
                "eth0 (default)": {"rx_mbps": 45, "tx_mbps": 38, "errors": 0, "status": "UP"},
                "net1 (data)": {"rx_mbps": 120, "tx_mbps": 95, "errors": 0, "status": "UP"},
                "net2 (storage)": {"rx_mbps": 200, "tx_mbps": 180, "errors": 2, "status": "UP"},
                "net3 (mgmt)": {"rx_mbps": 5, "tx_mbps": 3, "errors": 0, "status": "UP"},
            },
            "pods_with_multus": {
                "total": 24,
                "healthy": 23,
                "unhealthy": 1,
                "unhealthy_pod": "order-service-abc123 (net2 interface down)",
            },
            "network_policies": {
                "total": 8,
                "enforced": 8,
                "violations_24h": 3,
                "top_violation": "order-service tried to access storage-network from eth0",
            },
            "security": {
                "mtls_coverage": "95%",
                "unencrypted_connections": 2,
                "certificate_expiry": "45 days",
            },
        }


monitor = NetworkMonitor()
dash = monitor.dashboard()
print("Multi-Network Dashboard:")
for iface, info in dash["interfaces"].items():
    print(f"  {iface}: RX={info['rx_mbps']}Mbps, TX={info['tx_mbps']}Mbps, Status={info['status']}")
pods = dash["pods_with_multus"]
print(f"\nPods: {pods['healthy']}/{pods['total']} healthy")
if pods["unhealthy"] > 0:
    print(f"  Issue: {pods['unhealthy_pod']}")
policies = dash["network_policies"]
print(f"\nNetwork Policies: {policies['enforced']} enforced, {policies['violations_24h']} violations")
sec = dash["security"]
print(f"Security: mTLS {sec['mtls_coverage']}, Certs expire in {sec['certificate_expiry']}")
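The dashboard's top violation, order-service reaching storage-network from eth0, is the kind of event a defender wants derived from flow data rather than typed into a dict. This Python check is an added example, not code from the page or the Multus project: it uses the CIDRs from the design section (primary pod CIDR 10.244.0.0/16 assumed) and the per-pod attachments from the deployment above, and runs over constructed flow records of the form `pod egress_interface dst:port`, flagging flows that cross into a network the pod has no attachment to, or that reach an attached network through an interface other than the one dedicated to it.

```python
#!/usr/bin/env python3
# flow_check.py - flag flows that reach a secondary network from the wrong interface
import ipaddress

# Network CIDRs from the design section (primary pod CIDR is an assumption).
NETWORKS = {
    "pod-network": "10.244.0.0/16",
    "data-network": "10.20.0.0/24",
    "storage-network": "10.30.0.0/24",
}
# Per-pod attachments from the deployment above: network -> interface the pod must use for it.
ATTACHMENTS = {
    "order-service": {"pod-network": "eth0", "data-network": "net1", "storage-network": "net2"},
    "order-db": {"pod-network": "eth0", "storage-network": "net1"},
}
# Constructed flow records ("pod egress_iface dst_ip:port"), as exported from conntrack or a flow log.
FLOWS = """\
order-service net2 10.30.0.10:5432
order-service eth0 10.30.0.10:5432
order-service net1 10.20.0.50:9092
order-db eth0 10.20.0.10:8080
order-service eth0 10.244.1.5:53
"""

def network_of(dst_ip):
    """Name of the network whose CIDR contains dst_ip, or None if no CIDR matches."""
    addr = ipaddress.ip_address(dst_ip)
    for name, cidr in NETWORKS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def find_violations(flows):
    """One message per flow from an unknown pod, to an unknown network, to a network the pod
    has no attachment to, or to an attached network via an interface other than its own."""
    violations = []
    for line in flows.strip().splitlines():
        pod, iface, dst = line.split()
        if pod not in ATTACHMENTS:
            violations.append(f"unknown pod {pod} sent traffic to {dst} via {iface}")
            continue
        net = network_of(dst.rsplit(":", 1)[0])
        if net is None:
            violations.append(f"{pod}: {dst} is outside every known network")
        elif net not in ATTACHMENTS[pod]:
            violations.append(f"{pod} has no attachment to {net} but reached {dst} via {iface}")
        elif ATTACHMENTS[pod][net] != iface:
            violations.append(f"{pod} tried to access {net} from {iface} (expected {ATTACHMENTS[pod][net]})")
    return violations
```

On the constructed records this yields two violations: the eth0-to-storage flow from the dashboard and order-db reaching the data network it was never attached to.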
FAQ ??????????????????????????????????????????
Q: Multus CNI ????????????????????????????????????????????? Kubernetes cluster ??????????
A: ??????????????????????????? ????????????????????????????????? single CNI (Calico, Cilium) ????????????????????? Multus ????????????????????????????????? ???????????? separate traffic types (management, data, storage) ?????? physical network ?????????????????????, Telco/NFV workloads ?????????????????????????????? SR-IOV ?????????????????? high-performance networking, Compliance ????????????????????????????????? management traffic ?????????????????? data traffic, Legacy integration pods ??????????????????????????????????????? network ????????????????????????????????????????????? (macvlan/ipvlan) ???????????????????????????????????????????????????????????????????????? ????????? Network Policies ????????? primary CNI ????????? traffic ?????????????????????????????? Multus ??????????????? complexity ??????????????? manage ???????????????????????????????????????????????????????????????
Q: Hexagonal Architecture ?????????????????? Clean Architecture ??????????????????????
A: ?????????????????????????????????????????????????????? Hexagonal Architecture (Ports and Adapters) ???????????? ?????????????????????????????????????????? ports (interfaces) ????????????????????? core domain ????????? outside world, ???????????????????????? inbound ports (????????? requests) ????????? outbound ports (????????? requests), adapters implement ports Clean Architecture (Uncle Bob) ???????????? dependency rule (dependencies ???????????????????????????), ???????????????????????? layers (Entities, Use Cases, Interface Adapters, Frameworks) ???????????????????????? Hexagonal ???????????????????????? layers ?????????????????? ????????????????????????????????????, Clean Architecture ?????? layers ?????????????????? structured ???????????? ????????????????????????????????? ?????????????????????????????????????????? ???????????????????????? ????????? business logic ?????????????????? infrastructure ???????????????????????????????????????????????????????????????
Q: SR-IOV ????????? macvlan ???????????????????????????????????????????
A: macvlan ??????????????? virtual interface ????????? physical interface, share bandwidth ????????? host, performance ?????? (near native) ?????????????????????????????? SR-IOV, ?????????????????????????????????????????????, ??????????????????????????? NIC ?????????????????? SR-IOV (Single Root I/O Virtualization) ??????????????? Virtual Functions (VF) ????????? physical NIC, ??????????????? VF ????????????????????????????????? NIC ?????????, Performance ???????????????????????? (hardware offload), ???????????? NIC ?????????????????? SR-IOV, ?????????????????????????????????????????????????????? (BIOS settings, driver config) ??????????????? macvlan ?????????????????? general use (web apps, microservices), SR-IOV ?????????????????? high-performance needs (NFV, telco, HPC, ML inference ????????????????????? low latency)
Q: Multi-network pods ??????????????????????????????????????? performance ??????????????????????
A: Overhead ????????????????????? macvlan/ipvlan near-native performance (< 1% overhead), SR-IOV hardware offload ??????????????? overhead, Memory ???????????????????????????????????????????????? interface (~1-2MB), CPU overhead ???????????????????????? ??????????????????????????? performance ????????? traffic ?????? congestion (storage traffic ????????????????????? bandwidth ????????? data traffic), Dedicated bandwidth per traffic type, QoS policies ????????? interface ????????????????????????????????????????????????????????? Pod startup ????????????????????????????????????????????? (allocate multiple interfaces), IP management ????????????????????????????????? (IPAM ?????????????????????????????? subnets), Troubleshooting ????????????????????? (???????????? debug ???????????? interfaces), Node resource ?????????????????? physical interfaces ?????????????????????