We’re excited to announce our beta launch of Kentik Kube, an industry-first solution that reveals how K8s traffic routes through an organization’s data center, cloud(s), and the internet.

With this launch, Kentik can observe the entire network — on prem, in the cloud, on physical hardware or virtual machines, and anywhere in between. Kentik Kube enables network, infrastructure, platform, and DevOps engineers to gain full visibility of network traffic within the context of their Kubernetes deployments — so they can quickly detect & solve network problems, and surface traffic volumes from pods to external services.

Kubernetes cluster running on AKS, displaying traffic and latency to the front end of an online shopping site.

Why we built Kentik Kube

Kubernetes has become the de facto standard for cloud-based applications. As companies migrate their workloads, ensuring the reliability, connectivity and performance from user applications and their clusters, to the entire infrastructure and internet is critical.

Very often, pods and services experience network delays that degrade a user’s experience. It is difficult to identify which Kubernetes services and pods are experiencing network delays. The complexity of microservices leaves engineers wondering if the network reality matches their design, who are the top requesters consuming Kubernetes services or which microservices are oversubscribed, and how the infrastructure is communicating both within itself or across the internet.

Kentik Kube use cases

We built Kentik Kube to provide visibility for cloud-managed Kubernetes clusters (AKS, EKS, and GKE) as well as on-prem, self-managed clusters using the most widely implemented network models. Teams responsible for complex networks can:

Improve network performance

• Discover which services and pods are experiencing network latency
• Identify service misconfigurations without capturing packets
• Configure alert policies to proactively find high latency impacting nodes, pods, workloads or services.

Gain end-to-end K8s visibility

• Identify all clients and requesters consuming your Kubernetes services
• Know exactly who was talking to which pod, and when.

Validate policies and security measures

• See which pods, namespaces, and services are speaking with each other to ensure configured policy is working as expected.
• Identify pods and services that are communicating with non-Kubernetes infrastructure or the internet — when they should not be.

How Kentik Kube works

Kentik Kube relies on data generated from a lightweight eBPF agent that is installed onto your Kubernetes cluster. It sends data back to the Kentik SaaS platform, allowing you to query, graph and alert on conditions in your data. This data coupled with our analytics engine, enables users to gain complete visibility and context for traffic performance inside and among Kubernetes clusters.

Mapping your network with Kentik Kube

Kentik Kube provides east-west and north-south traffic analytics inside and among Kubernetes clusters. 

Network map showing EKS clusters communicating between AWS regions.

Kentik Kube can display details so you can see if your route tables, NACLs, etc. are all configured correctly. You can drill down into a cluster to see if there are latency or other issues. Our eBPF telemetry agent deployed into these clusters lets you see the traffic between nodes and pods as well as any latency.

How to get started with Kentik Kube

Kentik Kube is now in beta. You can apply to trial the beta by clicking on the Kentik Kube section of the menu. Please share your feedback with us. We’d love to hear what you think.

We continue developing new features for the connectivity checker in order to ensure better user experience for our customers

• It’s now possible to run an ad-hoc test without creating a report first. This test can be saved as a report for later use.
• New source and destination types. You can run a test between subnets, network interfaces and instances. All of the source and destination types are searchable using their names.

• You can start a connectivity test directly from the object on the topology, with the source being automatically pre-filled.

• Direct link to the AWS console is added on under details of impacted objects for easier failed connectivity test troubleshooting.

BGP enrichment to flow-collected telemetry from a Kentik user’s network was historically made possible via public peering of a Kentik registered device to Kentik’s public BGP cluster (or leveraging the BGP table from another, BGP-peered device).

However, there are situations where devices exporting flow telemetry to Kentik cannot reach the public internet (e.g., have no public IP address for a BGP session with Kentik).

Enters Kentik’s BGP proxy, aka kbgp.

What is kbgp ? tl;dr

Kentik BGP proxy, aka kbgp has just been released in its initial beta version. It can be deployed in a private environment — upon deployment, the aforementioned devices will be able to peer with the kbgp instance which will multiplex and relay in real time, all BGP updates “as if” these devices were peering with our public BGP ingest layer.

Initial discussions took place around making kbgp a part of kproxy, Kentik's well known flow proxy. There's a variety of pros and cons, but for now, the main deciding factor was separation of concerns: the BGP and Flow proxy functions being fundamentally different, we wanted to avoid building a monolithic agent that would instantly become a single point of failure and also avoid situations where flow export could be interrupted by the BGP portion and vice versa. 

How does kbgp work ?

We are pretty proud of the design behind kbgp — a lot of engineering forethought was put into it and the early testing customers have been impressed with the polish, stability and scalability of this early version and are already starting to adopt it quickly.

Multiple Kentik registered devices can peer with a single kbgp instance, as it is highly scalable and takes care of all the multiplexing over a secure gRPC transport. Kbgp will not store BGP state to remain the least intrusive possible and will just manage state of the peering sessions established with it, as well as forward in real time, any BGP updates directly to Kentik.

• kbgp scales very well (since there’s no storing of routes) and can accept peering sessions from a lot of devices — the max # BGP sessions per kbgp agent is yet unknown, make sure not to create a single point of failure.
• The transport that was chosen back to Kentik's BGP ingest layer offers a layer of encryption over the public internet to relay the BGP updates — it is an added benefit offered by gRPC.
• A great side benefit is that it unlocks IPv6 BGP peering (and therefore BGP related enrichments to IPv6 flows) without the need of establishing a public IPv6 BGP session. All that’s needed is an internal IPv6 address to peer with from the device, and the updates will be transported by kbgp using IPv4.

What comes next / How can you gain access to it?

As any Beta software, kbgp comes with a few rough edges, but our closed-beta testers have so far been very positive about it.

Contact your Customer Success Engineer if you want to get access to the agent and deploy it on your system, our engineering team is ready to welcome your feedback to make it better !

As we build kbgp's roadmap towards a GA, more features will be added to upgrade kbgp so that you can manage it more efficiently, this will likely include things such including it as a first class citizen in Kentik Portal, reporting the health of its host and the BGP sessions it proxies ... Stay tuned !

We may in the future consolidate kproxy and kbgp into a single binary, but to avoid each function competing for resources on the host and prevent the resulting agent from becoming a single point of failure, we may very well favor a mutually exclusive switch, turning the agent into one or the other. 
Don't hesitate to let us know what your thoughts are on this.