Skip to main content
Version: 1.3.0

KubeSlice Components

KubeSlice consists of the following main components deployed in one or more gateway nodes that work in conjunction to securely connect workloads across multiple Kubernetes clusters located in data centers, public clouds, or edge locations:

KubeSlice Controller

The KubeSlice Controller is installed in one of the clusters and provides a central configuration management system, for slices across multiple clusters.

We recommend that you install the KubeSlice Controller on a separate cluster.

The KubeSlice Controller provides:

A communication interface through which Slice Operators on multiple clusters can connect to it. The slice configuration that includes slice VPN gateway, service discovery with service import/export, and ingress/egress gateway related parameters are relayed to the Slice Operators on registered clusters.

Creation and management of cryptographic certificates for secure slice VPN gateways.

APIs through the API Gateway for the KubeSlice Manager to create and manage the application slices.

Slice Operator

The Slice Operator, also known as a Worker Operator is a Kubernetes Operator component that manages the life-cycle of the KubeSlice related Custom Resource Definitions (CRDs).

The Slice Operator performs the following functions:

  • Interacts with the KubeSlice controller to receive slice configuration updates.
  • Reconciliation of slice resources in the cluster KubeSlice Controller.
  • Creation of slice components required for Slice VPN Gateway connectivity and Service Discovery.
  • Auto insertion and deletion of slice components to accommodate topology changes.
  • Lifecycle management of slices, slice configurations, slice status, and slice telemetry.
  • Lifecycle management of network policies and monitoring of configuration drift to generate slice events and alerts.
  • Management of the association of slices with namespaces
  • Interaction with the KubeSlice Controller to:
    • Facilitate network policy and service discovery across the slice.
    • Import/export Istio services to/from the other clusters attached to the slice.
    • Implement Role-Based Access Control (RBAC) for managing the slice components.

Slice VPN Gateways

The Slice VPN Gateway is a slice network service component that provides a secure VPN tunnel between multiple clusters that are a part of the slice configuration.

The Slice Operator performs the following life-cycle functions for Slice VPN Gateways:

  • Interacts with the KubeSlice controller to receive configuration related to slice gateways.
  • Maintains cryptographic keys and certificates needed for secure VPN tunnels.
  • Deploys and reconciles slice VPN gateway pods.
  • Periodically monitors the status of the gateway pods.
  • Continuously interacts with Slice VPN Gateways for status, keys/certificates, and configuration changes.

KubeSlice Controller manages the VPN gateway pairs for the attached clusters, and creates the keys & configurations required for the operation.

Slice Router

A slice router is a virtual layer 3 device that sets up the routing and forwarding rules in the slice overlay network. A minimum of one slice router pod is provisioned per slice on a cluster.

The slice operator manages the life cycle of the slice router deployment and monitors its status periodically.

Slice Istio Components

KubeSlice provides the option of setting up ingress and egress gateways for a slice using Istio Service Mesh resources. Ingress/Egress gateway is not a core component of KubeSlice, it is an add-on feature that users can activate if needed. The Istio components must be installed in the cluster before the KubeSlice components are installed or they can be installed as a part of the KubeSlice installation itself.

Slice Ingress/Egress Gateways are used for internal East-West traffic (inter-cluster, egress from one cluster, and ingress into another cluster) and Slice North-South Ingress Gateway for external traffic.

Slice Gateway Edge

The Slice Gateway Edge comes into play when the configured gateway connectivity type is LoadBalancer for a cluster of a slice. A network load balancer connects the cluster to the other clusters in the slice. The Slice Gateway Edge is programmed by the Slice Operator to distribute the external traffic coming in through the Load Balancer to the right slice gateway pods. Based on its communication with the Slice Operator, it sets up NAT rules to filter the traffic, and forward to the appropriate slice gateway VPN pod.

KubeSlice DNS

The KubeSlice DNS is a DNS server that is used to resolve service names exposed on application slices.

The Slice Operator manages the DNS entries for all the services exposed on the slice overlay network(s).

When a service is exported on the slice by installing a ServiceExport object, a DNS entry is created in the KubeSlice DNS server in all the clusters that are part of the slice.

Network Service Mesh Control and Data Plane

The Network Service Mesh (NSM) component sets up the KubeSlice data plane and connects application pods to the slice overlay network. It consists of:

  • NSM Control plane daemon set
  • NSM Data plane daemon set
  • NSM admission webhook controller pod
  • NSM CRD objects that facilitate setting up the slice overlay network

NSM Kernel Forwarder

The NSM kernel forwarder is a DaemonSet that works with the NSM manager to set up the data plane for the slice overlay network within a cluster. Its functions include:

  • Inserting the NSM interfaces in the application pods and the vL3 slice router pod
  • Configuring the interfaces
  • Setting the operational state of the interfaces
  • Setting up the routing table in the pods

Spire Server and Agents

The NSM components communicate with each other over gRPC (Google version of Remote Procedure Calls) to set up and maintain the slice overlay network. Spire, a reference implementation of the SPIFFE software identity management standard, is used to establish the NSM control plane and the data plane workload identities. The Spire implementation on Kubernetes contains a server as a StatefulSet and an agent that runs on every cluster node
as a DaemonSet. The NSM pods communicate with the node local Spire agent using the Workload API to receive X.509 SVIDs (SPIFFE Verifiable Identity Document). The SVIDs and the Spire trust bundle establish workload identities for authentication and authorization. The SVIDs and the Spire trust bundle are also used in secure gRPC with Transport Layer Security (TLS) between the NSM components to ensure confidentiality and integrity.


Each slice in a cluster is associated with a QoS profile for bandwidth control across the clusters. The QoS profile is applied to the external interface of the VPN gateway nodes. NetOps pods configure and enforce the QoS profile for a slice on a cluster.