Kubernetes deep dive

Network

Kubernetes creates a network namespace for each pod.

IP forwarding

sudo sysctl --write net.ipv4.ip_forward=1

CNI

ip a

6: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    link/ether 4a:2f:b7:2b:28:07 brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.1/24 brd 10.42.0.255 scope global cni0
       valid_lft forever preferred_lft forever
    inet6 fe80::482f:b7ff:fe2b:2807/64 scope link
       valid_lft forever preferred_lft forever

When a service is created...

╭─memo at elitebook in ~ 22-11-09 - 22:39:20
╰─○ sudo iptables -L | grep yelb-appserver
NFLOG      all  --  anywhere             anywhere             /* rule to log dropped traffic POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
REJECT     all  --  anywhere             anywhere             /* rule to REJECT traffic destined for POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable

What is this? And where is the IP of the svc in iptables?
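The two rules above are filter-table rules: each one is tied to a single pod through its comment, acts only on packets that lack the 0x10000 mark bit (the controller sets that bit on traffic it has already accepted), and either logs the packet to nflog group 100 or rejects it. Plain `iptables -L` only lists the filter table; service ClusterIPs are DNAT targets, so with kube-proxy in iptables mode they appear in the nat table (`sudo iptables -t nat -L KUBE-SERVICES -n`), which is why none of the svc IPs show up in the grep. The parser below is an added example, not from the page or from any controller's code: it turns `iptables -L` lines into structured records and summarises, per pod, whether unmarked traffic is logged and rejected. The third rule in the sample (the `yelb-ui` pod) is constructed for illustration; the first two are the page's own lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the two rules from the page's `iptables -L` excerpt plus one
# made-up REJECT rule for a second pod (yelb-ui hash is illustrative).
SAMPLE_IPTABLES_L = """\
Chain KUBE-POD-FW-EXAMPLE (1 references)
target     prot opt source               destination
NFLOG      all  --  anywhere             anywhere             /* rule to log dropped traffic POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
REJECT     all  --  anywhere             anywhere             /* rule to REJECT traffic destined for POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             /* rule to REJECT traffic destined for POD name:yelb-ui-7c9d5b6f4-abcde namespace: yelb */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
"""

# Fixed columns of `iptables -L`: target prot opt source destination, then match options.
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")
POD_RE = re.compile(r"POD name:(\S+)\s+namespace:\s*(\S+)")
MARK_RE = re.compile(r"mark match\s+(!)?\s*(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")
NFLOG_GROUP_RE = re.compile(r"nflog-group (\d+)")
REJECT_WITH_RE = re.compile(r"reject-with (\S+)")


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    destination: str
    comment: Optional[str]
    pod: Optional[str]
    namespace: Optional[str]
    mark_negated: bool          # True for "mark match ! value/mask"
    mark: Optional[int]
    mask: Optional[int]
    nflog_group: Optional[int]
    reject_with: Optional[str]


def parse_rules(text: str) -> List[Rule]:
    """Parse the rule lines of `iptables -L` output, skipping chain and column headers."""
    rules: List[Rule] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, proto, _opt, src, dst, extra = m.groups()
        comment = COMMENT_RE.search(extra)
        pod = POD_RE.search(comment.group(1)) if comment else None
        mark = MARK_RE.search(extra)
        nflog = NFLOG_GROUP_RE.search(extra)
        reject = REJECT_WITH_RE.search(extra)
        rules.append(Rule(
            target=target, proto=proto, source=src, destination=dst,
            comment=comment.group(1) if comment else None,
            pod=pod.group(1) if pod else None,
            namespace=pod.group(2) if pod else None,
            mark_negated=bool(mark and mark.group(1)),
            mark=int(mark.group(2), 16) if mark else None,
            mask=int(mark.group(3), 16) if mark else None,
            nflog_group=int(nflog.group(1)) if nflog else None,
            reject_with=reject.group(1) if reject else None,
        ))
    return rules


def summarize_by_pod(rules: List[Rule]) -> Dict[Tuple[str, str], Dict[str, bool]]:
    """For each (namespace, pod): is unmarked traffic logged, and is it rejected?"""
    summary: Dict[Tuple[str, str], Dict[str, bool]] = {}
    for r in rules:
        if r.pod is None or not r.mark_negated:
            continue
        entry = summary.setdefault((r.namespace, r.pod), {"logged": False, "rejected": False})
        if r.target == "NFLOG":
            entry["logged"] = True
        elif r.target == "REJECT":
            entry["rejected"] = True
    return summary


if __name__ == "__main__":
    for (ns, pod), flags in summarize_by_pod(parse_rules(SAMPLE_IPTABLES_L)).items():
        print(f"{ns}/{pod}: logged={flags['logged']} rejected={flags['rejected']}")
```

To run it against a real node, pipe `sudo iptables -L` (or `iptables -L -n`, which prints 0.0.0.0/0 instead of `anywhere`) into `parse_rules`. A pod that shows `rejected=True` but `logged=False` is one whose policy denies leave no trace; the NFLOG rules are what make denies observable, for example with `tcpdump -i nflog:100` or a ulogd collector bound to that group.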

ip a

veth2a30daaa@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
    link/ether 92:43:c9:f8:e6:92 brd ff:ff:ff:ff:ff:ff link-netns cni-483209c9-dd60-93df-0448-a08be95aa6f6
    inet6 fe80::9043:c9ff:fef8:e692/64 scope link
       valid_lft forever preferred_lft forever
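The two `ip a` excerpts on this page fit together: cni0 is the bridge holding the node's pod subnet (10.42.0.1/24), and each pod's veth shows `master cni0` plus a `link-netns` pointing at the network namespace Kubernetes created for that pod. The parser below is an added example (not from the page) that reads `ip a` output and builds the veth-to-pod-namespace map from exactly those two fields. The sample input reuses the page's cni0 and veth entries and adds a constructed loopback and a second veth so the grouping is visible; the second veth's MAC and namespace id are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `ip a` output, modelled on the page's excerpts. The `lo`
# entry and the second veth (veth7b1c0e55) are invented; nothing here was
# captured from a real node.
SAMPLE_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    link/ether 4a:2f:b7:2b:28:07 brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.1/24 brd 10.42.0.255 scope global cni0
       valid_lft forever preferred_lft forever
    inet6 fe80::482f:b7ff:fe2b:2807/64 scope link
       valid_lft forever preferred_lft forever
7: veth2a30daaa@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
    link/ether 92:43:c9:f8:e6:92 brd ff:ff:ff:ff:ff:ff link-netns cni-483209c9-dd60-93df-0448-a08be95aa6f6
    inet6 fe80::9043:c9ff:fef8:e692/64 scope link
       valid_lft forever preferred_lft forever
8: veth7b1c0e55@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
    link/ether 0a:58:0a:2a:00:05 brd ff:ff:ff:ff:ff:ff link-netns cni-1b2c3d4e-5f60-7a8b-9c0d-e1f2a3b4c5d6
    inet6 fe80::858:aff:fe2a:5/64 scope link
       valid_lft forever preferred_lft forever
"""

# "7: veth2a30daaa@if2: <FLAGS> rest..." -> index, name, peer ("if2"), flags, rest
HEADER_RE = re.compile(r"^(\d+): ([^:@\s]+)(?:@(\S+))?: <([^>]*)>(.*)$")


@dataclass
class Iface:
    index: int
    name: str
    flags: List[str]
    peer: Optional[str] = None        # "@if2": ifindex of the other veth end in its netns
    mtu: Optional[int] = None
    master: Optional[str] = None      # bridge this interface is a port of
    link_netns: Optional[str] = None  # netns holding the other end of the veth
    addrs: List[str] = field(default_factory=list)


def parse_ip_a(text: str) -> Dict[str, Iface]:
    """Parse `ip a` output into a name -> Iface map."""
    ifaces: Dict[str, Iface] = {}
    current: Optional[Iface] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            idx, name, peer, flags, rest = m.groups()
            current = Iface(int(idx), name, flags.split(","), peer)
            mtu = re.search(r"\bmtu (\d+)", rest)
            master = re.search(r"\bmaster (\S+)", rest)
            current.mtu = int(mtu.group(1)) if mtu else None
            current.master = master.group(1) if master else None
            ifaces[name] = current
            continue
        if current is None:
            continue
        stripped = line.strip()
        netns = re.search(r"\blink-netns (\S+)", stripped)
        if netns:
            current.link_netns = netns.group(1)
        addr = re.match(r"^inet6? (\S+)", stripped)
        if addr:
            current.addrs.append(addr.group(1))
    return ifaces


def pod_attachments(ifaces: Dict[str, Iface], bridge: str = "cni0") -> Dict[str, str]:
    """Map each veth that is a port of `bridge` to the pod netns its other end lives in."""
    return {
        i.name: i.link_netns
        for i in ifaces.values()
        if i.master == bridge and i.link_netns is not None
    }


if __name__ == "__main__":
    ifaces = parse_ip_a(SAMPLE_IP_A)
    for veth, netns in pod_attachments(ifaces).items():
        print(f"{veth} -> {netns}")
```

On a node, run `ip a > ip-a.txt` and pass the file contents to `parse_ip_a`. Every pod with its own network namespace should appear as one veth on cni0 with a `link-netns`; a workload that is missing from this map is either not attached to the CNI bridge (hostNetwork pods share the node's namespace) or on a different bridge, which is worth knowing before reasoning about which iptables rules apply to it.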

References

  • https://cloud.redhat.com/blog/kubernetes-namespaces-demystified-how-to-make-the-most-of-them
