Kubernetes Networking Model
K8s makes opinionated choices about how Pods are networked. Specifically, any networking implementation must satisfy the following requirements:
- All Pods can communicate with all other Pods without using network address translation (NAT).
- All Nodes can communicate with all Pods without NAT.
- The IP address a Pod sees for itself is the same IP address that others see it as.
Given these constraints, there are four distinct networking problems to solve:
- Container-to-Container networking
- Pod-to-Pod networking
- Pod-to-Service networking
- Internet-to-Service networking
Container to Container Networking
- In Linux, every running process belongs to a network namespace, which provides a networking stack with its own routes, firewall rules and network devices.
- A Pod is modelled as a group of containers (Docker containers in the original model) that share the same network namespace.
- Containers within a Pod therefore share one IP address and one port space, assigned through the network namespace of the Pod, and can reach each other via localhost. Two containers in the same Pod cannot bind the same port, and any container in the Pod can reach every port another container has bound on localhost, so a compromised sidecar already sits inside the application's own network boundary.
Pod to Pod Networking
From the Pod's perspective, it exists in its own network namespace. Linux network namespaces can be connected with a virtual Ethernet device pair (veth pair): a frame written to one end of the pair comes out of the other end.
We want Pods to talk to each other through the root namespace, and for this we use a network bridge in the root namespace, with the root-namespace end of each Pod's veth pair attached to it.
The bridge is a layer-2 device: it forwards frames by destination MAC address, learns which port each MAC address sits behind, and relays ARP requests and replies between its ports so that Pods can resolve each other's IP addresses to MAC addresses.
Pod-to-Pod networking within the same Node:
- Packets moving between Pods on the same Node never leave the bridge.
- The flow is as follows
- Pod1 sends a packet out of its own Ethernet device eth0, which is one end of a veth pair whose other end lives in the root namespace.
- The bridge cbr0 has veth0 (the root-namespace end of Pod1's pair) attached as one of its ports, and veth1 (Pod2's end) as another.
- Before sending, Pod1 resolves Pod2's IP address to a MAC address with ARP: the ARP request is broadcast through cbr0 to every attached veth, Pod2 answers, and the bridge learns which port each MAC address sits behind.
- Once the frame reaches the bridge, the bridge looks up the destination MAC address in its forwarding table and sends the frame out of the port veth1.
- The frame emerges from the other end of that veth pair, which is the eth0 device inside Pod2's namespace, and is delivered to Pod2.
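The same-node flow above, rebuilt with plain iproute2 as an added example (this script is not from the original notes and is not the code of any CNI plugin): two network namespaces stand in for Pods, each with an eth0 that is one end of a veth pair, and the other ends are ports on a bridge in the root namespace. The bridge name cbr0, the veth names veth0/veth1 and the Pod subnet 10.244.0.0/24 are assumed values for the demo. Run it without privileges to see the command plan; run it as root with APPLY=1 to build the topology, ping from Pod1 to Pod2, and then show the ARP entry Pod1 resolved and the MAC-to-port table the bridge learned.

```shell
#!/bin/sh
# Added example, not part of the original notes: same-node Pod networking
# with network namespaces, veth pairs and a bridge. cbr0, veth0/veth1 and
# 10.244.0.0/24 are assumed values, not facts about any cluster.
#
#   ./podnet.sh                    print the command plan (dry run)
#   sudo APPLY=1 ./podnet.sh       build it, ping Pod1 -> Pod2, show ARP and FDB
#   sudo APPLY=1 ./podnet.sh cleanup

BRIDGE=cbr0
BRIDGE_ADDR=10.244.0.1/24

# run CMD...: execute the command when APPLY=1, otherwise print it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The bridge lives in the root namespace and acts as the Pods' default gateway.
setup_bridge() {
  run ip link add "$BRIDGE" type bridge
  run ip addr add "$BRIDGE_ADDR" dev "$BRIDGE"
  run ip link set "$BRIDGE" up
}

# setup_pod NAME VETH ADDR/PREFIX
# A "Pod" here is a network namespace. Its eth0 is one end of a veth pair;
# the other end (VETH) stays in the root namespace and becomes a bridge port.
setup_pod() {
  ns=$1; veth=$2; addr=$3; peer="${ns}-eth0"
  run ip netns add "$ns"
  run ip link add "$veth" type veth peer name "$peer"
  run ip link set "$peer" netns "$ns"                      # move one end into the Pod
  run ip netns exec "$ns" ip link set "$peer" name eth0    # the Pod sees it as eth0
  run ip link set "$veth" master "$BRIDGE"                 # other end is a bridge port
  run ip link set "$veth" up
  run ip netns exec "$ns" ip addr add "$addr" dev eth0
  run ip netns exec "$ns" ip link set lo up
  run ip netns exec "$ns" ip link set eth0 up
  run ip netns exec "$ns" ip route add default via "${BRIDGE_ADDR%/*}"
}

# Pod1 -> Pod2 on the same node: eth0 -> veth0 -> cbr0 -> veth1 -> eth0.
demo() {
  setup_bridge
  setup_pod pod1 veth0 10.244.0.2/24
  setup_pod pod2 veth1 10.244.0.3/24
  run ip netns exec pod1 ping -c 2 10.244.0.3
  run ip netns exec pod1 ip neigh show 10.244.0.3   # ARP entry Pod1 resolved for Pod2
  run bridge fdb show br "$BRIDGE"                   # MACs the bridge learned, per port
}

# Deleting a namespace removes the veth end inside it, and with it the pair.
cleanup() {
  run ip netns del pod2
  run ip netns del pod1
  run ip link del "$BRIDGE"
}

case "${1:-demo}" in
  demo) demo ;;
  cleanup) cleanup ;;
  *) echo "usage: $0 [demo|cleanup]" >&2; exit 2 ;;
esac
```

After `APPLY=1`, the `ip neigh` line shows the MAC address Pod1 learned for 10.244.0.3 and `bridge fdb show` lists that MAC against port veth1, which is exactly the lookup the bridge uses to pick the outgoing veth. Everything here needs CAP_NET_ADMIN, so do it on a scratch VM rather than a node that is already running workloads.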
Pod-to-Pod networking across Nodes
- Generally, every Node in the cluster is assigned a CIDR block specifying the IP addresses available to Pods running on that Node.
- To be continued
- Create a GCP account
- Enable the Compute Engine API
- Create a firewall rule for the network tag openall
- Create an SSH key configuration for the project
- Create an SSH key pair on the local machine
- Upload the public key to the GCP project
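The lab setup steps above as a gcloud script, added here as an example (not from the original notes). The user name, key path and tag are placeholders, and 203.0.113.5/32 (a TEST-NET-3 address) stands in for the public IP of your own workstation; the tag name "openall" is the one from the notes. The script refuses to create the rule with a world-open source range unless you override it explicitly, because a rule named openall that admits 0.0.0.0/0 exposes every port of every tagged VM to the internet.

```shell
#!/bin/sh
# Added example, not part of the original notes: GCP lab setup with gcloud.
# GCP_USER, KEY, TAG and SRC_RANGE are assumed placeholders; 203.0.113.5/32
# is a documentation address standing in for your workstation's public IP.
#
#   ./gcp-lab.sh             print the command plan (dry run)
#   APPLY=1 ./gcp-lab.sh     run against the active gcloud project

GCP_USER=${GCP_USER:-alice}
KEY=${KEY:-$HOME/.ssh/gcp_lab}
TAG=${TAG:-openall}
SRC_RANGE=${SRC_RANGE:-203.0.113.5/32}

# run CMD...: execute the command when APPLY=1, otherwise print it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# ssh_keys_entry USER PUBKEY_LINE -> the "USER:KEY" form that the project's
# ssh-keys metadata expects (the whole public key line, comment included).
ssh_keys_entry() {
  printf '%s:%s\n' "$1" "$2"
}

# check_source_range RANGE: refuse a world-open range unless ALLOW_WORLD=1.
check_source_range() {
  case "$1" in
    0.0.0.0/0|::/0)
      [ "${ALLOW_WORLD:-0}" = "1" ] || {
        echo "refusing world-open source range $1 (set ALLOW_WORLD=1 to override)" >&2
        return 1
      } ;;
  esac
  return 0
}

# Ingress rule for VMs carrying the tag: all protocols, but only from SRC_RANGE.
create_firewall_rule() {
  check_source_range "$SRC_RANGE" || return 1
  run gcloud compute firewall-rules create "$TAG" --network=default --direction=INGRESS \
      --allow=tcp,udp,icmp --source-ranges="$SRC_RANGE" --target-tags="$TAG"
}

# Generate a local key pair (ssh-keygen prompts for a passphrase) and publish
# the public key as project metadata. The file becomes the ssh-keys value, so
# merge in any keys already listed by `gcloud compute project-info describe`.
upload_ssh_key() {
  run ssh-keygen -t ed25519 -f "$KEY" -C "$GCP_USER"
  if [ "${APPLY:-0}" = "1" ]; then
    ssh_keys_entry "$GCP_USER" "$(cat "$KEY.pub")" > "$KEY.gcp-metadata"
  else
    echo "# write ssh_keys_entry $GCP_USER <contents of $KEY.pub> to $KEY.gcp-metadata"
  fi
  run gcloud compute project-info add-metadata --metadata-from-file="ssh-keys=$KEY.gcp-metadata"
}

main() {
  run gcloud services enable compute.googleapis.com
  create_firewall_rule
  upload_ssh_key
}
main
```

Creating the account itself is not scriptable and is done in the console first. Narrow `--allow` further (for example `tcp:22,icmp`) once you know which ports the lab actually needs; the source-range check is the minimum, not a substitute for that.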