Reputation: 1982
What iptables knows about pods?
Let's say we have 2 Nodes in a cluster.
Node A has 1 replica of a pod, Node B has 2 replicas. According to this talk (YouTube video with a time tag) from Google Cloud engineers, a request which was routed to Node A might be rerouted to the Node B by iptables which is inside the Node A. I have several questions regarding this behavior:
What information
iptablesofNode Aknows about replicas of a pod outside of it? How does it know where to send the traffic?Can it be that
iptablesof theNode Breroutes this request toNode C? If so, then will the egress traffic go back to theNode B->Node A-> Client?
Upvotes: 0
Views: 187
Answers (2)
Reputation: 3684
Packets can move between nodes, services and pods before reaching the final destination.
All the intra-cluster routing (node-to-node, pod-to-pod, service-to-service, pod-to-service, service-to-pod, pod-to-node, node-to-pod, etc) in kubernetes is done by:
- CNI
- load-balancing algorithm
- kube-proxy
- iptables.
Packet route in k8s also depends on many things like load in the cluster, per-node load, affinity/anti-affinity rules, nodeSelectors, taints/tolerations, autoscaling, number of pod replicas, etc.
Intra-cluster routing is transparent to the router and ideally the user need not know about it unless there are networking issues to debug.
Doing sudo iptables -L -n -v on any k8s node shows the low-level iptables rules and chains used for packet-forwarding.
Upvotes: 0
Reputation: 54249
I think you might be mixing up two subsystems, service proxies and CNI. CNI is first, it’s a plug-in based system that sets up the routing rules across all your nodes so that the network appears flat. A pod IP will work like normal from any node. Exactly how that happens varies by plugin, Calico uses BGP between the nodes. Then there’s the service proxies, usually implemented using iptables though also somewhat pluggable. Those define the service IP -> endpoint IP (read: pod IP) load balancing. But the actual routing is handled by whatever your CNI plugin set up. There’s a lot of special modes and cases but that’s the basic overview.
Upvotes: 2
Related Questions
- Why my Kubernetes pod network traffic does not go through the iptables NAT table?
- How to block outgoing traffic to ip in IP tables in K8S
- Understanding Kubernetes networking, pods with same ip
- Kubernetes networking: is service information stored in every node's IPTable?
- iptables rules for kube-dns
- Add iptable rules by a pod inside itself and also in the worker node
- relationship between K8S iptables and the one of a container inside a pod
- Implementing iptables rules on Kubernetes nodes
- Iptables error prevents Pod starting in Kubernetes
- Kubernetes iptables - should the master node be running pods?