Submariner is a tool built to connect overlay networks of different Kubernetes clusters. While most testing is performed against Kubernetes clusters that have enabled Flannel/Calico/Canal/Weave/OpenShiftSDN, Submariner should be compatible with any CNI cluster network provider, as it utilizes off-the-shelf components to establish encrypted tunnels between each Kubernetes cluster.
Note that Submariner is in the pre-alpha stage, and should not be used for production purposes. While we welcome usage and experimentation, it is quite possible that you could run into bugs.
The network path of Submariner varies depending on the origin/destination of the IP traffic. In all cases, traffic between two clusters will
transit between the leader elected (in each cluster) gateway nodes, through
ip xfrm rules. Each gateway node has a running Charon daemon
which will perform IPsec keying and policy management.
When the source Pod is on a worker node that is not the elected gateway node, the traffic destined for the remote cluster will transit
through the submariner VXLAN tunnel (
vx-submariner) to the local cluster gateway node. On the gateway node, traffic is encapsulated in an
IPsec tunnel and forwarded to the remote cluster. Once the traffic reaches the destination gateway node, it is routed in one of two ways,
depending on the destination CIDR. If the destination CIDR is a Pod network, the traffic is routed via CNI-programmed network. If the
destination CIDR is a Service network, then traffic is routed through the facility configured via kube-proxy on the destination gateway
Submariner supports deployment via an Operator as well as Helm Charts. The Operator can be deployed directly or via the
subctl CLI helper
subctl greatly simplifies the deployment of Submariner, and is therefore the recommended deployment method.
Submariner provides the
subctl CLI utility to simplify the deployment and maintenance of Submariner across your clusters.
subctl docs on Submariner's website.
See the Helm section on Submariner's website.
When running in OpenShift, Submariner needs to grant the appropriate security context for the service accounts (SAs):
oc adm policy add-scc-to-user privileged system:serviceaccount:submariner:submariner-routeagent oc adm policy add-scc-to-user privileged system:serviceaccount:submariner:submariner-engine
：Code submit frequency
：React/respond to issue & PR etc.
：Well-balanced team members and collaboration
：Recent popularity of project
：Star counts, download counts etc.