Submariner Multi-Cluster Connectivity in Kubernetes -  William Smith

Submariner Multi-Cluster Connectivity in Kubernetes (eBook)

The Complete Guide for Developers and Engineers
eBook Download: EPUB
2025 | 1st edition
250 pages
HiTeX Press (publisher)
978-0-00-097518-8 (ISBN)
€8.46 incl. VAT
(CHF 8.25)
eBook sales are handled by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
  • Download available immediately

'Submariner Multi-Cluster Connectivity in Kubernetes'
'Submariner Multi-Cluster Connectivity in Kubernetes' is an authoritative and comprehensive guide dedicated to mastering secure, resilient, and scalable networking across multiple Kubernetes clusters. This book meticulously covers foundational networking concepts, motivating use cases, and the growing necessity for multi-cluster architectures, offering readers a strategic perspective on the technical and business drivers that influence modern, distributed Kubernetes deployments. With an in-depth examination of Submariner's architecture, core components, and integration patterns, the book equips practitioners to address the pressing challenges of cross-cluster service discovery, overlapping network spaces, and high-availability design in cloud-native environments.
The content systematically leads readers through Submariner's installation, configuration, and operationalization, emphasizing practical guidance for real-world production use. Detailed discussions span cluster preparation, secure tunneling with IPsec and WireGuard, gateway provisioning, and automated deployment strategies, both with Operators and with Helm charts. Subsequent chapters unlock advanced operational practices such as integrating with service meshes, optimizing performance at scale, enforcing multi-cluster network policies, and implementing robust observability and CI/CD automation. Security, compliance, and hardening are thoroughly addressed, including strategies for end-to-end encryption, authentication, regulated workload auditing, and incident response.
Beyond operations and troubleshooting, the book explores the evolving Kubernetes ecosystem and the expanding role of Submariner in shaping future multi-cluster networking patterns. Readers will gain a practical understanding of emerging trends, interoperability considerations with CNIs and service meshes, and opportunities for community-driven innovation. This book is essential reading for DevOps engineers, platform architects, and security professionals seeking to unlock the full power of Kubernetes through seamless, reliable, and secure multi-cluster connectivity.

Chapter 2
Submariner Architecture and Components


Beneath Submariner’s simplicity lies a sophisticated technical machinery that redefines cluster interconnectivity. This chapter lifts the hood on Submariner’s inner workings, tracing critical data flows, its modular design, and the architectural choices enabling secure, scalable, and resilient multi-cluster networking. Discover how Submariner’s components fit together to create a seamless foundation for cross-cluster services and enterprise-grade reliability.

2.1 Submariner Core Components Deep Dive


Submariner is architected to provide secure and seamless connectivity across multiple Kubernetes clusters, overcoming network isolation inherent in multi-cluster environments. Its core functionality is built upon several foundational components: Gateway Engine, RouteAgent, GlobalNet, Service Discovery, and various supporting agents. Each of these plays a distinct yet interdependent role, collectively enabling robust inter-cluster communication.

Gateway Engine

The Gateway Engine acts as the primary entry and exit point for cross-cluster traffic. Deployed on nodes designated as gateways, this component manages traffic encapsulation, encryption, and forwarding. The Gateway Engine generally employs encapsulation protocols such as VXLAN or IP-in-IP to tunnel packets between clusters over untrusted networks, relying on the encryption layer described below for confidentiality and integrity.

Internally, the Gateway Engine maintains several critical data structures, including:

  • Peer Endpoint List: Maintains addresses and connection metadata of remote cluster gateways.
  • Encapsulation Contexts: Define VXLAN tunnel endpoints and the keys used to distinguish tenant traffic.
  • Routing Tables: Control the forwarding of pod and service CIDRs across the cluster boundaries.

The Gateway Engine leverages IPsec or WireGuard (depending on configuration) for encrypting traffic to protect data integrity and confidentiality. It integrates tightly with the underlying Kubernetes network fabric by monitoring changes to gateway nodes and cluster memberships, dynamically adjusting tunnels and routes as cluster scale fluctuates.

RouteAgent

The RouteAgent is responsible for propagating cluster routes and configuring node-level routing tables to ensure pod traffic destined for remote clusters is correctly directed toward gateway nodes. It operates on every node within a cluster, continually syncing the desired routes with the actual kernel routing table.

RouteAgent depends on the Kubernetes API to watch for relevant endpoint and service changes, thereby enabling timely updates to cluster routing state. It adds specific static routes for remote pod CIDRs, pointing these via gateway IPs discovered from the Gateway Engine. When combined with gateway encapsulation, these routing adjustments enable transparent inter-cluster pod communication without manual network configuration.

Notably, RouteAgent handles failover scenarios by detecting gateway node unavailability and rerouting traffic through alternative gateways when necessary, thus preserving connectivity resilience.
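The reconciliation and failover behaviour described above, modelled as an added Python example (not code from the book or from the Submariner project): routes for remote pod CIDRs point at the first healthy gateway, the diff against the node's routing table is applied on every pass, and a remote CIDR that overlaps the local pod CIDR is refused rather than installed. Gateway names, addresses, the CIDRs and the `kernel` dict standing in for the kernel routing table are constructed for illustration.

```python
"""Model of the RouteAgent reconciliation loop: desired routes for remote pod
CIDRs are re-derived from gateway health and diffed against the node's table."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Gateway:
    name: str
    ip: str            # node IP that remote-CIDR routes point at
    healthy: bool = True


@dataclass
class RouteReconciler:
    local_cidr: str
    remote_cidrs: dict[str, str]   # remote cluster name -> its pod CIDR (constructed)
    gateways: list[Gateway]        # in order of preference
    kernel: dict[str, str] = field(default_factory=dict)  # stands in for the kernel route table

    def active_gateway(self) -> Gateway | None:
        """First healthy gateway wins; None means there is no path to remote clusters."""
        return next((g for g in self.gateways if g.healthy), None)

    def desired_routes(self) -> dict[str, str]:
        gw = self.active_gateway()
        if gw is None:
            return {}
        local, desired = ip_network(self.local_cidr), {}
        for cidr in self.remote_cidrs.values():
            # A remote CIDR overlapping the local pod CIDR would divert local pod
            # traffic to the gateway; without GlobalNet it must not be installed.
            if not ip_network(cidr).overlaps(local):
                desired[cidr] = gw.ip
        return desired

    def reconcile(self) -> list[str]:
        """Converge the table on the desired state; returns the operations applied."""
        desired, ops = self.desired_routes(), []
        for cidr, via in list(self.kernel.items()):
            if desired.get(cidr) != via:          # stale route, or re-pointed after failover
                ops.append(f"del {cidr} via {via}")
                del self.kernel[cidr]
        for cidr, via in desired.items():
            if cidr not in self.kernel:
                ops.append(f"add {cidr} via {via}")
                self.kernel[cidr] = via
        return ops
```

Flipping `healthy` on a `Gateway` plays the role of the health check that the text says triggers failover; the next `reconcile()` call re-points every remote route at the next healthy gateway.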

GlobalNet

GlobalNet addresses the issue of overlapping IP address spaces typical in multi-cluster scenarios by allocating globally unique intermediate CIDRs. These CIDRs are used to translate pod and service IP addresses at the cluster network edge, ensuring packets are routable and unambiguous on cross-cluster links.

Internally, GlobalNet incorporates a distributed IP address management service that coordinates CIDR assignments across clusters, avoiding conflicts and ensuring scalability. The translation mechanism is implemented via IP masquerading or Network Address Translation (NAT) at the gateway nodes:

This approach allows existing cluster networks to remain unchanged while Submariner handles cross-cluster routing transparently, an essential feature for environments where CIDR reassignment is impractical.
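An added Python model (not the book's or Submariner's own code) of the GlobalNet behaviour just described: each joining cluster receives a non-overlapping block from one global pool, and the gateway translates pod addresses into that block on egress and back on ingress, so two clusters with the same pod CIDR remain distinguishable. The pool value, the 1:1 offset translation and the error cases are assumptions for illustration; the real translation at the gateway is implemented with NAT rules.

```python
"""Model of GlobalNet for IPv4: per-cluster blocks from one global pool, and the
address translation a gateway applies so overlapping pod CIDRs stay unambiguous."""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


class GlobalNetAllocator:
    def __init__(self, pool: str, block_prefixlen: int) -> None:
        self.pool = ip_network(pool)
        if not self.pool.prefixlen <= block_prefixlen <= 32:
            raise ValueError("blocks must be subnets of the pool")
        self.block_prefixlen = block_prefixlen
        self._free = self.pool.subnets(new_prefix=block_prefixlen)  # carved in order
        self.clusters: dict[str, tuple[IPv4Network, IPv4Network]] = {}  # name -> (pod CIDR, block)

    def allocate(self, cluster: str, pod_cidr: str) -> IPv4Network:
        """Idempotent: a cluster that re-registers keeps its block (stable NAT state)."""
        if cluster in self.clusters:
            return self.clusters[cluster][1]
        pod = ip_network(pod_cidr, strict=False)
        if pod.num_addresses > 2 ** (32 - self.block_prefixlen):
            raise ValueError(f"{pod} does not fit in a /{self.block_prefixlen} block")
        block = next(self._free, None)
        if block is None:
            raise RuntimeError(f"global pool exhausted; no block for {cluster}")
        self.clusters[cluster] = (pod, block)
        return block

    def to_global(self, cluster: str, pod_ip: str) -> IPv4Address:
        """Egress side: map a pod IP to the same offset inside its cluster's block.
        (The 1:1 offset mapping is an illustration; the real gateway uses NAT rules.)"""
        pod, block = self.clusters[cluster]
        ip = ip_address(pod_ip)
        if ip not in pod:
            raise ValueError(f"{ip} is outside the pod CIDR {pod} of {cluster}")
        return block[int(ip) - int(pod.network_address)]

    def from_global(self, global_ip: str) -> tuple[str, IPv4Address]:
        """Ingress side: find which cluster and pod address a global address belongs to."""
        ip = ip_address(global_ip)
        for cluster, (pod, block) in self.clusters.items():
            if ip in block:
                offset = int(ip) - int(block.network_address)
                if offset >= pod.num_addresses:
                    raise LookupError(f"{ip} maps to no pod address in {cluster}")
                return cluster, pod[offset]
        raise LookupError(f"{ip} is in no allocated global block")
```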

Service Discovery

Submariner’s Service Discovery component synchronizes Kubernetes service information across multiple clusters, enabling pods to discover and communicate with remote services seamlessly. This is accomplished through two primary mechanisms: EndpointSlices synchronization and multi-cluster DNS integration.

  • EndpointSlices Synchronization: Submariner watches EndpointSlices in local clusters and replicates them to remote clusters, updating IPs and ports while preserving service semantics. This mirrors the actual service endpoints cross-cluster, thereby enabling load balancing and fault tolerance.
  • Integrated DNS: Submariner can integrate with DNS systems (e.g., CoreDNS) to resolve multi-cluster service names to the appropriate endpoints using cluster-aware DNS records. This abstraction allows standard Kubernetes service discovery workflows to operate transparently across clusters.

Underlying this functionality is a custom resource definition (CRD) schema for multi-cluster service endpoints, representing synchronization state and metadata. Event-driven synchronization leverages Kubernetes watch APIs and controller-runtime libraries for low-latency updates.

Supporting Agents

A set of supporting agents facilitates coordination, configuration, and health monitoring across the Submariner architecture. These include:

  • Network Discovery Agent: Detects network topology changes, including IPAM updates, gateway node availability, and cluster membership.
  • Health Check Agent: Performs heartbeat checks between gateways to assess link status and trigger failover or reconfiguration.
  • Configuration Controller: Manages centralized configuration dissemination, distributing policies for encryption, route preferences, and GlobalNet CIDR allocations.

Internally, these agents communicate using gRPC or REST APIs with authentication and authorization enforced via mutual TLS, ensuring integrity and preventing unauthorized modifications.

Intercomponent Interaction and Protocols

The interplay among these components follows a modular but tightly coupled protocol architecture. The Gateway Engine and RouteAgent collaboratively maintain the network forwarding plane:

  • RouteAgent updates node routing tables, directing traffic destined for remote pod CIDRs toward gateway nodes.
  • Gateway Engine encapsulates and tunnels the traffic to remote gateways using VXLAN or IP-in-IP.

GlobalNet operates orthogonally, applying address translations transparently before the RouteAgent installs routes, maintaining unique addressing across clusters.

Service Discovery ensures that multi-cluster service endpoints are synchronized asynchronously but with strong eventual consistency, supporting resilient application failover and scaling patterns.

Messages exchanged over the control plane employ Protobuf-encoded payloads carried via secure gRPC streams. This design enables efficient event-based updates with minimal latency. For example, when a new cluster joins or an existing gateway changes its IP, these events propagate rapidly across all components, triggering incremental route recalculations and tunnel adjustments.

Real-time health monitoring protocols use periodic probes and status reporting over control channels, enabling automated detection and remediation of failures, such as gateway node crashes or network partitions.

Collectively, these protocols form a robust, scalable mesh that abstracts cluster boundaries and presents a cohesive network fabric to containerized workloads, providing both high availability and security guarantees appropriate for production multi-cloud and hybrid-cloud environments.

2.2 Control and Data Plane Separation


The architectural separation between the control plane and data plane in Submariner is a fundamental design principle that enables robust multi-cluster connectivity by dividing responsibilities into distinct operational domains. This separation facilitates scalability, modularity, resilience, and performance optimization for both signaling and packet forwarding components within the system.

The control plane in Submariner undertakes functions related to cluster discovery, endpoint signaling, topology updates, and orchestration of inter-cluster connectivity. It maintains knowledge of the network state, including active clusters, their endpoint IPs, and service availability. Control plane components exchange messages using protocols aligned with the Kubernetes control mechanisms, such as Custom Resource Definitions (CRDs) and dedicated controllers. This logical layer handles dynamic updates that reflect changes in cluster membership, network policies, and route advertisements, thereby enabling consistent, up-to-date inter-cluster routing information.

Conversely, the data plane is solely concerned with executing packet forwarding decisions based on the state established by the control plane. It manages traffic ...

Publication date (per publisher) 24.7.2025
Language English
Subject area Mathematics / Computer science, Computer science, Programming languages / tools
ISBN-10 0-00-097518-4 / 0000975184
ISBN-13 978-0-00-097518-8 / 9780000975188
EPUB (Adobe DRM)

Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook from misuse. On download, the eBook is authorised to your personal Adobe ID. You can then read the eBook only on devices that are also registered to your Adobe ID.

File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to fiction and non-fiction. The flowing text adapts dynamically to the display and font size, which also makes EPUB well suited to mobile reading devices.

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need an Adobe ID and the free Adobe Digital Editions software. We advise against using the OverDrive Media Console; experience shows that problems with Adobe DRM occur frequently with it.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need an Adobe ID and a free app.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
