AKS Kubernetes questions

Question

Can someone please explain how POD to POD works in AKS? from the docs, I can see it uses kube proxy component to send the traffic to the desired POD.

But I have been told that I must use clusterIP service and bind all the relevant POD's together. So what is real flow? Or I missed something. below a couple of questions to be more clear.

Questions:

1. how POD to POD inside one node can talk to each other? what is the flow?
2. how POD to POD inside a cluster (different nodes) can talk to each other? what is the flow?
3. if it's possible it will be highly appreciated if you can describe the flows for #1 and #2 in the deployment of kubenet and CNI.

Thanks a lot!

Answer 1

for pod to pod communication we use services. so first we need to understand,

why we need service: what actually do service for us that, they resolve the dns name and give us the the exact ip that we need to connect a specific pod. now as you want to communicate with pod to pod you need to create a ClusterIP service.

ClusterIP: Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. This is the default ServiceType. with ClusterIP service you can't access a pod from outside the cluster for this reason we use clusterip service if we want the communication between pod to pod only.

kube-proxy is the network proxy that runs on each node in your cluster.

it maintains network rules on nodes. These network rules allow network communication to your Pods from network sessions inside or outside of your cluster. every service maintain iptables.And kube-proxy handled these ip tables for every service. so yes, kube-proxy is the most vital point for network setup in our k8s cluster.

how the network policy works in kubernetes:

• all Pods can communicate with all other Pods without using network address translation (NAT).
• all Nodes can communicate with all Pods without NAT.
• the IP that a Pod sees itself as is the same IP that others see it as.

with those point:

• Container-to-Container networking
• Pod-to-Pod networking
• Pod-to-Service networking
• Internet-to-Service networking

It handles transmission of packets between pod to pods, and also with the outside world. It acts like a network proxy and load balancer for pods running on the node by implementing load-balancing using NAT in iptables.

The kube-proxy process stands in between the Kubernetes network and the pods that are running on that particular node. It is responsible for ensuring that communication is maintained efficiently across all elements of the cluster. When a user creates a Kubernetes service object, the kube-proxy instance is responsible to translate that object into meaningful rules in the local iptables rule set on the worker node. iptables is used to translate the virtual IP assigned to the service object to all of the pod IPs mapped by the service. i hope it's clear your idea about kube proxy.

lets see a example how it's works. here i used headless service so that i can connect a specific pod.

---
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: default
spec:
  clusterIP: None
  selector:
    app: my-test
  ports:
  - port: 80
    name: rest
---

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: my-sts
spec:
  serviceName:  my-service
  replicas: 3
  selector:
    matchLabels:
      app: my-test
  template:
    metadata:
      labels:
        app: my-test
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - containerPort: 80
              name: web

---

this will create 3 pods. as : my-sts-0, my-sts-1, my-sts-2. now if we want to connect to the pod my-sts-0 just use this dns name my-sts-0.my-service.default.svc:80 . and the service will resolve the dns name and will provide the exact podip of my-sts-0. now if you need to comminucate from my-sts-1 to my-sts-0, you can just use this dns name.

The template is like my_pod_name.my_Service_Name.my_Namespace.svc.cluster-domain.example , but you can skip the cluster-domain.example part. Only Service_Name.Namespace.svc will work fine.

ref