# Controller Architecture Diagram
A high-level view of Kube-DC controller components (excluding UI) and external dependencies.
## Networking Integration (Kube-OVN & Multus)
Below is a focused diagram showing how Kube-OVN and Multus CNI are installed and integrated via the Project NetworkAttachmentDefinition.
Referenced code:
- Scheme registration: 【F:cmd/main.go†L57-L60】
- NAD controller: 【F:internal/project/res_nad.go†L12-L27】
- Installer sequence: 【F:installer/kube-dc/templates/kube-dc/template.yaml†L94-L102】【F:installer/kube-dc/templates/kube-dc/template.yaml†L119-L127】
## EIP, FIP & ServiceLoadBalancer Networking Flows
### Detailed Network Stack Implementation
- Project VPC & Subnet provisioning (`internal/project/res_vpc.go`): Creates an OVN Virtual Private Cloud via the `OvnVpc` CR and a logical switch.
- NetworkAttachmentDefinition (`internal/project/res_nad.go`): Defines a Multus NAD with CNI config for kube-ovn, pointing at the OVS socket and the project provider.
- SNAT Rule (`internal/project/res_snat.go`): Installs an `OvnSnatRule` to translate pod-source IPs to the project gateway EIP for outbound internet.
- Default Gateway EIP (`internal/project/res_eip_default.go`): Ensures a project-scoped `EIp` CR representing the default gateway external IP, created via `NewEipDefault`.
- Floating IP (FIp) (`internal/fip/res_eip.go` & `FIpReconciler`): Syncs or creates an EIp owned by the FIp, then updates `FIp.Status.ExternalIP` after attaching the EIp to pods via OVN.
- Service LoadBalancer (`internal/service_lb/service_lb.go`, `internal/service_lb/eip_res.go`, `ServiceReconciler`): `NewSvcLbEIpRes` allocates or binds an external IP for the Service; `NewLoadBalancerRes` uses the OVN NB client to define load balancer VIP→backend mappings and injects rules into the logical router/switch.
- Extra External Subnets (`internal/project/res_vpc.go`): Adds the `ExtraExternalSubnets` field to `Vpc.Spec` when `project.Spec.EgressNetworkType` differs from the default external subnet, enabling multi-network external connectivity. 【F:internal/project/res_vpc.go†L45-L52】

  ```go
  if externalNetwork.Name != defaultExternalSubnet.Name {
      vpc.Spec.ExtraExternalSubnets = []string{externalNetwork.Name}
  }
  ```
Refer to the code for detailed behavior:
- Preamble and flag parsing: 【F:cmd/main.go†L117-L131】
- NAD CNI config: 【F:internal/project/res_nad.go†L14-L31】
- SNAT via OVN: 【F:internal/project/res_snat.go†L14-L45】
- Default EIP creation: 【F:internal/project/res_eip_default.go†L15-L42】
- FIp EIP sync: 【F:internal/fip/res_eip.go†L25-L50】
- Service LB orchestration: 【F:internal/service_lb/service_lb.go†L30-L58】【F:internal/service_lb/eip_res.go†L18-L40】
### Public vs Cloud External Networking
Kube-DC supports two external network types: public (direct public IPs) and cloud (cloud-provider-backed). The type influences EIP/FIP provisioning and SNAT rules:
```go
// ExternalNetworkType defines how external networks are treated:
type ExternalNetworkType string

const (
	ExternalNetworkTypePublic ExternalNetworkType = "public"
	ExternalNetworkTypeCloud  ExternalNetworkType = "cloud"
)

// MasterConfig defaults per resource if not overridden:
// DefaultGwNetworkType, DefaultEipNetworkType,
// DefaultFipNetworkType, DefaultSvcLbNetworkType
```
【F:api/kube-dc.com/v1/types.go†L1-L18】
### Project Egress Network Selection
The project spec may set `egressNetworkType` to choose the external subnet used for the VPC, SNAT and EIP.
```go
// GenerateProjectVpc picks externalSubnet based on project.Spec.EgressNetworkType:
externalNetwork, _ := utils.SelectBestExternalSubnet(ctx, cli, project.Spec.EgressNetworkType)
```
【F:internal/project/res_vpc.go†L55-L61】
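To make the egress selection above and the Extra External Subnets rule from the implementation list concrete, here is an added, self-contained Go example (not Kube-DC's own code): `ExternalSubnet`, `VpcSpec`, `selectEgressSubnet` and `applyExtraExternalSubnets` are hypothetical stand-ins for `utils.SelectBestExternalSubnet` and the `res_vpc.go` branch, and the `MasterConfig` fallback is modelled as the `defaultType` parameter. It goes one step beyond the page's snippet by rejecting egress types that are neither `public` nor `cloud`.

```go
package main

import "fmt"

// ExternalNetworkType mirrors the page's enum: "public" or "cloud".
type ExternalNetworkType string
const (
	ExternalNetworkTypePublic ExternalNetworkType = "public"
	ExternalNetworkTypeCloud  ExternalNetworkType = "cloud"
)

// ExternalSubnet is a constructed stand-in for a Kube-OVN external subnet tagged
// with its network type; VpcSpec keeps only the field the page shows.
type ExternalSubnet struct{ Name string; Type ExternalNetworkType }
type VpcSpec struct{ ExtraExternalSubnets []string }

// selectEgressSubnet resolves project.Spec.EgressNetworkType (defaulting to the
// MasterConfig DefaultGwNetworkType when unset) to one subnet; unknown types fail
// closed instead of landing the project on an arbitrary external network.
func selectEgressSubnet(subnets []ExternalSubnet, requested, defaultType ExternalNetworkType) (ExternalSubnet, error) {
	want := requested
	if want == "" {
		want = defaultType
	}
	if want != ExternalNetworkTypePublic && want != ExternalNetworkTypeCloud {
		return ExternalSubnet{}, fmt.Errorf("unknown egress network type %q", want)
	}
	for _, s := range subnets {
		if s.Type == want {
			return s, nil
		}
	}
	return ExternalSubnet{}, fmt.Errorf("no external subnet of type %q", want)
}

// applyExtraExternalSubnets reproduces the res_vpc.go rule quoted on the page:
// the chosen subnet is listed in Vpc.Spec only when it is not the default one.
func applyExtraExternalSubnets(spec *VpcSpec, chosen, defaultSubnet ExternalSubnet) {
	spec.ExtraExternalSubnets = nil
	if chosen.Name != defaultSubnet.Name {
		spec.ExtraExternalSubnets = []string{chosen.Name}
	}
}

func main() {
	subnets := []ExternalSubnet{{"ext-public", ExternalNetworkTypePublic}, {"ext-cloud", ExternalNetworkTypeCloud}}
	chosen, err := selectEgressSubnet(subnets, ExternalNetworkTypeCloud, ExternalNetworkTypePublic)
	var spec VpcSpec
	applyExtraExternalSubnets(&spec, chosen, subnets[0])
	fmt.Println(chosen.Name, spec.ExtraExternalSubnets, err) // ext-cloud [ext-cloud] <nil>
}
```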
### SNAT Rules for Outbound Traffic
SNAT rules ensure pod egress to internet through the gateway EIP:
```go
// NewProjectSnat creates an OvnSnatRule linking the project namespace to the gateway EIP
base.GeneratedObject = &kubeovn.OvnSnatRule{
	Spec: kubeovn.OvnSnatRuleSpec{
		OvnEip:    DefaultOvnEipName(project, externalSubnet.Name),
		Vpc:       projectNamespace,
		VpcSubnet: SubnetName(project),
	},
}
```
【F:internal/project/res_snat.go†L14-L45】
### Default Gateway EIP vs Floating IP
- **Default Gateway EIP**: A single EIp CR per project created by `NewProjectEip` when no explicit EIP exists. Used for SNAT and default outbound.
- **Floating IP (FIp)**: EIp allocated per FIp CR to attach public IPs to specific workloads.
```go
// NewProjectEip ensures default project gateway EIp exists
WithGetFunction(func(...) {
eip, err := resourcesProcessor.GetProjectGwEip()
if IsNotFound(err) {
newEip, _ := NewEipDefault(...)
base.GeneratedObject = newEip
}
})
```
【F:internal/project/res_eip_default.go†L15-L37】
```go
// SyncEip for FIp: derives EIp name from FIp and creates/gets it
// then FIpReconciler attaches exclusive ownership in OVN
```
【F:internal/fip/res_eip.go†L25-L40】
### Service LoadBalancer External IP Binding
`ServiceReconciler` uses annotations or defaults to bind an EIp to Services:
```go
// Get or create EIp for Service LB via NewSvcLbEIpRes
eipSyncer := NewSvcLbEIpRes(ctx, cli, svc, project)
eipSyncer.Sync(ctx)
// Configure OVN LB VRRP rules via NewLoadBalancerRes
lbRes := NewLoadBalancerRes(ctx, cli, svc, endpoints, eipSyncer.Found(), project)
lbRes.Sync(ctx)
```
【F:internal/service_lb/eip_res.go†L18-L40】【F:internal/service_lb/service_lb.go†L75-L98】
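As an added illustration of the VIP→backend mapping that `NewLoadBalancerRes` programs (example code, not Kube-DC's): `ServicePort`, `Endpoint` and `buildLbVips` are constructed stand-ins, and the output follows the OVN Northbound `Load_Balancer` `vips` column format for a single-protocol row (key `VIP:port`, value comma-separated `backend:targetPort`). Assumed inputs are the EIp address bound by `NewSvcLbEIpRes`, the Service ports, and per-endpoint readiness.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// ServicePort and Endpoint are constructed stand-ins for the Service port and
// EndpointSlice data the ServiceReconciler reads (not Kube-DC's own types).
type ServicePort struct{ Port, TargetPort int32 }
type Endpoint struct{ IP string; Ready bool }

// hostPort formats ip:port as OVN NB expects, bracketing IPv6 addresses.
func hostPort(ip string, port int32) string {
	if p := net.ParseIP(ip); p != nil && p.To4() == nil {
		return fmt.Sprintf("[%s]:%d", ip, port)
	}
	return fmt.Sprintf("%s:%d", ip, port)
}

// buildLbVips maps the external IP bound by NewSvcLbEIpRes and the Service ports
// onto the OVN NB Load_Balancer "vips" column for one protocol row: key
// "VIP:port", value "backend1:targetPort,backend2:targetPort". Only Ready
// endpoints with a valid IP are used, so the public VIP never forwards to a
// draining pod; a port with no ready backend keeps an empty entry.
func buildLbVips(externalIP string, ports []ServicePort, eps []Endpoint) (map[string]string, error) {
	if net.ParseIP(externalIP) == nil {
		return nil, fmt.Errorf("invalid external IP %q", externalIP)
	}
	vips := make(map[string]string, len(ports))
	for _, p := range ports {
		var backends []string
		for _, ep := range eps {
			if ep.Ready && net.ParseIP(ep.IP) != nil {
				backends = append(backends, hostPort(ep.IP, p.TargetPort))
			}
		}
		sort.Strings(backends) // deterministic output avoids needless OVN row updates
		vips[hostPort(externalIP, p.Port)] = strings.Join(backends, ",")
	}
	return vips, nil
}

func main() {
	eps := []Endpoint{{"10.16.0.7", true}, {"10.16.0.5", true}, {"10.16.0.9", false}}
	vips, err := buildLbVips("203.0.113.10", []ServicePort{{80, 8080}, {443, 8443}}, eps)
	fmt.Println(vips["203.0.113.10:80"], err) // 10.16.0.5:8080,10.16.0.7:8080 <nil>
}
```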