KubeSlice is a set of cloud resident controller services and Kubernetes native network services that operators can use to build and manage application slices.

The application slice is the key construct of KubeSlice that allows for the creation of logical slices in a single cluster or across clusters designed to group application pods based on one or more organizing principles such as organization, department, application, compliance, and governance to name a few.

An Application Slice is an overlay infrastructure that consists of network services across multiple clusters to provide a surface area with its own L3 domain and IP address space.

This can also be described as an application-specific VPC that spans across clusters.


For example, Slices A and B above (shown to be bound in green and yellow respectively) span across 2 clusters and are connected with the respective Slice VPN Gateways. These Slices use the service export/import functions to export/import Kubernetes services and Istio virtual services for Slice-wide service discovery.

In addition, a Slice Ingress gateway can be used to export services and a Slice Egress gateway can be used for imported services. One or more application namespaces can be associated with these slices. Slice Isolation can be enabled by implementing Network Policies for these namespaces.

KubeSlice Components

KubeSlice consists of the following main components deployed in one or more gateway nodes that work in conjunction to securely connect workloads across multiple Kubernetes clusters located in data centers, public clouds or edge locations:

Network Service Mesh Control Plane and Data plane

The Network Service Mesh Control Plane enables orchestration automation of slice connectivity between the Slice Network Service Clients (Application Pods) and Slice Network Services like Slice routers.

The Data Plane components manage the slice overlay network data plane.

These components include:

  • Network Service Data Plane Daemons

  • Network Service Control Plane Daemons

  • Webhook Pods

  • Slice Network Service Registry

Slice Operator

The Slice Operator is a Kubernetes Operator component that manages the life-cycle of the KubeSlice related Custom Resource Definitions (CRDs).

The Slice Operator performs the following functions:

  • Reconciliation of slice resources in the cluster and with KubeSlice Controller

  • Creation of slice components required for Slice VPN Gateway connectivity and Service Discovery

  • Auto insertion and deletion of slice components to accommodate topology changes

  • Interaction with slice components for config and status updates

  • Lifecycle management of slices, slice configs, slice status, and slice telemetry

  • Lifecycle management of network policies and monitoring of config drift to generate slice events and alerts

  • Lifecycle management of namespace associations with slices

  • Interaction with the KubeSlice Controller to:

    • Facilitate network policy and service discovery across the slice

    • Import/export Istio services to/from the other clusters attached to the slice

    • Implement Role Based Access Control (RBAC) for managing the slice components

  • Support slice resource management using GitOps workflows and declarative management

Slice VPN Gateways

The Slice VPN Gateway is a slice network service component that provides a secure VPN tunnel between multiple clusters that are a part of the slice configuration.

The Slice Operator performs the following life-cycle functions for Slice VPN Gateways:

  • Deploys the configuration and keys or certifications for the operation of the Slice VPN Gateways

  • Interacts with KubeSlice Controller to get slice configuration details and auto inserts associated slice components like VPN Gateways and Slice Routers for the slice

  • Continuously interacts with Slice VPN Gateways for status, keys/certs, and configuration changes.

  • KubeSlice Controller manages the VPN gateway pairs for the attached clusters, creates the keys and configurations required for the operation.

Slice Router

The Slice Router is a network service component that provides a virtual Layer 3 IP forwarding functionality in the slice overlay network. A slice will have a collection of Slice Routers. Each slice in a cluster will have a collection of slice routers with a minimum of one slice router with the possibility of a redundant pair option.

The Slice Operator manages the lifecycle of a Slice Router by overseeing the deployment, configuration, continuous monitoring, and management of the Slice Router.

The Slice Router provides a full mesh network connectivity between the application pods and slice gateway pods in a cluster and across clusters.


Each slice in a cluster is associated with a QoS profile for bandwidth control. The QOS profile is applied on the tunnel interface of the VPN gateways. In addition, on the Gateway nodes the NetOp Pods enforces the QoS profiles for all slices. It uses Hierarchical Token Bucket (HTB), priority and DSCP values for slice traffic classification and bandwidth control.

Mesh DNS

Mesh DNS is a CoreDNS server that is used to resolve service names exposed on application slices.

The Slice Operator manages the DNS entries for all the services running on the slice overlay network(s).

When a service is exported on the slice by installing a ServiceExport object, the Slice Operator creates a DNS entry for the service in the Mesh DNS and a similar entry is created in the other clusters that are a part of the slice.

Slice Istio Components

KubeSlice leverages the Istio Ingress/Egress gateway resources from the Istio Service Mesh to create Slice Ingress/Egress gateways. The Istio components can be installed on the cluster before the KubeSlice components are installed or they can be installed as a part of the KubeSlice installation itself.

Slice Ingress/Egress Gateways are deployed for East-West traffic and Slice Ingress Gateway for N/S traffic (coming soon).

KubeSlice Controller

The KubeSlice Controller provides a central configuration management system for slices across multiple clusters.

The KubeSlice Controller provides:

  • Interaction with the Slice Operators across multiple clusters to manage the slice resources, slice configuration, service export/import for discovery, status, and telemetry.

  • Management of certificates for secure slice VPN gateways.

Try it Out

Introduction This guide will walk you through successfully installing and registering your cluster with KubeSlice. We have worked to make this experience as seamless as possible.

Getting Started

KubeSlice Overview KubeSlice combines network, application, Kubernetes, and deployment services in a framework to accelerate application deployment in a multi-cluster, multi-tenant environment. KubeSlice achieves this by creating logical application “slice” boundaries which allow pods and services to communicate seamlessly across clusters, clouds, edges, and data centers. Read More
Getting Started This guide will walk you through successfully installing and registering your cluster with KubeSlice. We have worked to make this experience as seamless as possible. If you have any comments, questions, or issues, feel free to contact Avesha Support. Read More