Kubernetes Networking
Kubernetes Network model
- All Pods can communicate with all other Pods without using network address translation (NAT).
- All Nodes can communicate with all Pods without NAT.
- The IP that a Pod sees itself as is the same IP that others see it as.
It’s turtles all the down
- Node
- Kube-proxy
- Container
- Container Network Interface
- Pod to Pod
- Kubernetes DNS
- Services
- External to Cluster
- Troubleshooting
- Network Policies
Kubernetes Components
Kubernetes Node
Container Network Interface
Container
Container Networking
Pod to Pod
Pod Networking Demo
Kubernetes DNS
Kubernetes DNS
kubectl exec -it dnsutils -- host -v -t a github.com
Trying "github.com.default.svc.cluster.local"
Trying "github.com.svc.cluster.local"
Trying "github.com.cluster.local"
Trying "github.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9135
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;github.com. IN A
;; ANSWER SECTION:
github.com. 30 IN A 140.82.113.4
Services
- NodePort
- ClusterIP - Default
- LoadBalancer
- ExternalName
- Headless
Service to Pod
Services Demo
External to Cluster
- Service Type Loadbalancer
- Ingress
Service Type LoadBalancer
Ingress
- Ingress Controller
- Ingress rule
Ingress Controller
- Nginx
- Google Cloud Loadbalancer
- Contour
- Kong
- Lots more https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
Ingress Controller
Ingress rule
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: basic-ingress
spec:
rules:
- http:
paths:
- path: /testpath
pathType: Prefix
backend:
service:
name: my-service
port:
number: 8080
Loadbalancer and Ingress Demo
Troubleshooting
- NetShoot image
- Remove label from service endpoint
- Check Ports match
- Check Probes
- CCCC check
Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: demo-db
spec:
podSelector:
matchLabels:
app: demo-db
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: demo
Networking and Kubernetes
References: