Kubernetes networking model

The Kubernetes network model is based on several key concepts; the characteristics of pods are the most important to understand first:

  • Every pod in the cluster has its own unique, cluster-wide IP.
  • The pod IP is shared among all its containers, allowing containers within a pod to reach each other’s ports on localhost.
  • Pods communicate with other pods (on the same node or different nodes) using pod IPs without NAT.
  • The service API provides a stable IP address or hostname for a service implemented by one or more pods.
  • The gateway API allows services to be accessible to clients outside the cluster.
  • Network policies define isolation, controlling traffic between pods or between pods and external clients.
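
The isolation rule in the last bullet has precise semantics: a pod is isolated for ingress as soon as any NetworkPolicy in its namespace selects it, and from then on only traffic matched by some rule of some selecting policy is admitted. Because pod IPs are routed without NAT, policies are the only thing standing between two pods. The following is an added example (not code from the Kubernetes project) that models those semantics on a constructed cluster: the pods, namespace labels, IPs and the three policies (a namespace-wide default deny plus two narrow allow rules) are sample data.

```python
"""Pod-to-pod ingress isolation under Kubernetes NetworkPolicy semantics.
Added example for this chapter, not Kubernetes code; all data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Pod:
    name: str
    namespace: str
    ip: str                 # cluster-wide pod IP, assigned by the network plugin
    labels: Dict[str, str] = field(default_factory=dict)

@dataclass
class Peer:
    """One entry of an ingress rule's `from` list (matchLabels only)."""
    pod_selector: Optional[Dict[str, str]] = None
    namespace_selector: Optional[Dict[str, str]] = None

@dataclass
class IngressRule:
    peers: List[Peer] = field(default_factory=list)   # empty `from` = any source
    ports: List[int] = field(default_factory=list)    # empty `ports` = any port

@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: Dict[str, str]                      # {} selects every pod in the namespace
    ingress: List[IngressRule] = field(default_factory=list)  # no rules = deny all ingress
    policy_types: List[str] = field(default_factory=lambda: ["Ingress"])


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """matchLabels: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer: Peer, src: Pod, policy_ns: str,
                 ns_labels: Dict[str, Dict[str, str]]) -> bool:
    """Does the source pod match one `from` entry of a rule?"""
    if peer.namespace_selector is None:
        if peer.pod_selector is None:
            return False  # an empty peer matches nothing
        # podSelector alone is scoped to the policy's own namespace
        return src.namespace == policy_ns and selector_matches(peer.pod_selector, src.labels)
    if not selector_matches(peer.namespace_selector, ns_labels.get(src.namespace, {})):
        return False
    # namespaceSelector plus podSelector: both must match
    return peer.pod_selector is None or selector_matches(peer.pod_selector, src.labels)

def ingress_allowed(src: Pod, dst: Pod, port: int, policies: List[NetworkPolicy],
                    ns_labels: Dict[str, Dict[str, str]]) -> bool:
    """True if src -> dst:port is permitted by the ingress policies selecting dst."""
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and "Ingress" in p.policy_types
                 and selector_matches(p.pod_selector, dst.labels)]
    if not selecting:
        return True  # destination is not isolated: default allow
    for policy in selecting:  # policies are additive: any matching rule allows
        for rule in policy.ingress:
            port_ok = not rule.ports or port in rule.ports
            src_ok = not rule.peers or any(
                peer_matches(pe, src, policy.namespace, ns_labels) for pe in rule.peers)
            if port_ok and src_ok:
                return True
    return False


# --- constructed sample cluster ---
NS_LABELS = {"shop": {"kubernetes.io/metadata.name": "shop"}, "monitoring": {"team": "sre"}}
FRONTEND = Pod("frontend", "shop", "10.244.1.10", {"app": "frontend"})
API = Pod("api", "shop", "10.244.2.20", {"app": "api"})
DEBUG = Pod("debug", "shop", "10.244.2.21", {"app": "debug"})
PROM = Pod("prometheus", "monitoring", "10.244.1.30", {"app": "prometheus"})

POLICIES = [
    # isolate every pod in "shop" for ingress; with no rules, nothing gets in
    NetworkPolicy("default-deny-ingress", "shop", pod_selector={}),
    # re-open api:8080, but only for frontend pods in the same namespace
    NetworkPolicy("allow-frontend-to-api", "shop", pod_selector={"app": "api"},
                  ingress=[IngressRule(peers=[Peer(pod_selector={"app": "frontend"})],
                                       ports=[8080])]),
    # let pods in namespaces labelled team=sre scrape api:9090
    NetworkPolicy("allow-sre-scrape", "shop", pod_selector={"app": "api"},
                  ingress=[IngressRule(peers=[Peer(namespace_selector={"team": "sre"})],
                                       ports=[9090])]),
]

def evaluate_flows() -> Dict[str, bool]:
    """Evaluate a handful of flows against the sample policies."""
    flows = {
        "frontend->api:8080": (FRONTEND, API, 8080),
        "frontend->api:443": (FRONTEND, API, 443),
        "debug->api:8080": (DEBUG, API, 8080),
        "prometheus->api:9090": (PROM, API, 9090),
        "prometheus->api:8080": (PROM, API, 8080),
        "debug->frontend:80": (DEBUG, FRONTEND, 80),
        "frontend->prometheus:9090": (FRONTEND, PROM, 9090),
    }
    return {n: ingress_allowed(s, d, p, POLICIES, NS_LABELS) for n, (s, d, p) in flows.items()}

if __name__ == "__main__":
    for flow, allowed in evaluate_flows().items():
        print(f"{flow:28} {'ALLOW' if allowed else 'DENY'}")
```

Two outcomes are worth noting. The `debug` pod is blocked from both `api` and `frontend` even though the only policy selecting `frontend` is the default deny: an empty `ingress` list is a deny-all, not an allow-all. And `prometheus` reaches `api:9090` but not `api:8080`, because a `podSelector` without a `namespaceSelector` only ever matches pods in the policy's own namespace. Traffic to the `monitoring` namespace, which has no policies, stays wide open.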

Cluster networking

As described in the Kubernetes cluster networking documentation, four distinct networking problems presented in diagram 1.1 and listed below are addressed in the Kubernetes networking model:

  • Highly coupled container-to-container communications: Containers within the same pod use localhost (via loopback) to communicate with each other.
  • Pod-to-pod communications: Pods use their IPs to communicate with each other without NAT.
  • Pod-to-service communications: Pods find services by DNS name.
  • External-to-service communications: Services (with types ClusterIP, NodePort, LoadBalancer, or ExternalName), Ingress, or Gateway can be used for communication with external clients.
Diagram 1.1: Kubernetes networking model (Mermaid architecture-beta source)

```mermaid
architecture-beta
    group k8s(carbon:kubernetes)[Kubernetes cluster]

    group worker1(carbon:kubernetes-worker-node)[Worker node 1] in k8s
    group worker2(carbon:kubernetes-worker-node)[Worker node 2] in k8s

    group pod1(carbon:kubernetes-pod)[Pod 1] in worker1
    group pod2(carbon:kubernetes-pod)[Pod 2] in worker2

    service container11(carbon:container-runtime)[Container 11] in pod1
    service container12(carbon:container-runtime)[Container 12] in pod1
    service container21(carbon:container-runtime)[Container 21] in pod2

    service service1(carbon:ibm-cloud-kubernetes-service)[Service] in k8s

    service user1(carbon:user)[User]

    service1:R --> L:container11
    container11:T <--> B:container12
    container11:R <--> L:container21
    user1:R --> L:service1
```

IP Management

In a Kubernetes cluster, IP addresses are assigned to different resources by the following components:

  • The network plugin assigns IP addresses to pods.
  • The kube-apiserver assigns IP addresses to services.
  • The kubelet assigns IP addresses to nodes.
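
Because three different components hand out addresses, the ranges they draw from have to be planned together: the pod CIDR (from which the network plugin assigns pod IPs, usually via a per-node podCIDR), the service CIDR (from which the kube-apiserver assigns ClusterIPs) and the node addresses must not overlap, or routing becomes ambiguous. The following added example (not Kubernetes code) checks such a plan with the standard `ipaddress` module and tells which allocator a given address belongs to; all CIDRs, node names and addresses are constructed samples.

```python
"""Sanity-check the address plan behind Kubernetes IP assignment.
Added example for this chapter, not Kubernetes code; all values are constructed."""
import ipaddress
from typing import Dict, List


def check_address_plan(cluster_pod_cidr: str, service_cidr: str,
                       node_pod_cidrs: Dict[str, str], node_ips: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    pod_net = ipaddress.ip_network(cluster_pod_cidr)
    svc_net = ipaddress.ip_network(service_cidr)
    # Pod and service ranges must be disjoint: an address that is both a
    # ClusterIP and a pod IP cannot be routed unambiguously.
    if pod_net.overlaps(svc_net):
        problems.append(f"pod CIDR {pod_net} overlaps service CIDR {svc_net}")
    seen = []
    for node, cidr in node_pod_cidrs.items():
        net = ipaddress.ip_network(cidr)
        # Each node's podCIDR must lie inside the cluster pod CIDR ...
        if not net.subnet_of(pod_net):
            problems.append(f"{node}: podCIDR {net} lies outside {pod_net}")
        # ... and must not collide with another node's range.
        for other_node, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{node}: podCIDR {net} overlaps {other_node} ({other_net})")
        seen.append((node, net))
    for node, ip in node_ips.items():
        addr = ipaddress.ip_address(ip)
        if addr in pod_net or addr in svc_net:
            problems.append(f"{node}: node IP {addr} is inside a pod or service range")
    return problems


def owner_of(ip: str, cluster_pod_cidr: str, service_cidr: str,
             node_pod_cidrs: Dict[str, str]) -> str:
    """Name the allocator an address belongs to: pod@<node>, service, or node/external."""
    addr = ipaddress.ip_address(ip)
    for node, cidr in node_pod_cidrs.items():
        if addr in ipaddress.ip_network(cidr):
            return f"pod@{node}"
    if addr in ipaddress.ip_network(cluster_pod_cidr):
        return "pod@unassigned-range"   # pod range not yet handed to any node
    if addr in ipaddress.ip_network(service_cidr):
        return "service"
    return "node/external"


# --- constructed sample plans ---
GOOD_PLAN = dict(cluster_pod_cidr="10.244.0.0/16", service_cidr="10.96.0.0/12",
                 node_pod_cidrs={"worker-1": "10.244.1.0/24", "worker-2": "10.244.2.0/24"},
                 node_ips={"worker-1": "192.168.10.11", "worker-2": "192.168.10.12"})
BAD_PLAN = dict(cluster_pod_cidr="10.244.0.0/16",
                service_cidr="10.240.0.0/12",                 # overlaps the pod CIDR
                node_pod_cidrs={"worker-1": "10.244.1.0/24",
                                "worker-2": "10.244.1.0/24",  # duplicate of worker-1
                                "worker-3": "10.250.0.0/24"}, # outside the pod CIDR
                node_ips={"worker-1": "192.168.10.11",
                          "worker-3": "10.244.5.5"})          # node IP inside pod range

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_address_plan(**plan) or "ok")
    print(owner_of("10.244.2.7", "10.244.0.0/16", "10.96.0.0/12", GOOD_PLAN["node_pod_cidrs"]))
```

Run against a live cluster, the inputs would come from the pod CIDR and service CIDR configured on the control plane, `spec.podCIDR` on each node object, and the node addresses reported in node status; the check itself is the same.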

Implementation of the Networking Model

The Kubernetes networking model is implemented by the container runtime on each node. In most cases, Container Network Interface (CNI) plugins are used to manage network and security features. Kubernetes supports multiple networking add-ons. In this book, we focus on three implementations, which are described in detail in the next chapter.