The document discusses Kubernetes networking concepts including pods, services, and ingress. It provides examples of how containers within pods communicate via Docker networking. It also explains how Kubernetes networking solves the problems of pod-to-pod, service-to-pod, and external-to-service communications using services, iptables, and kube-proxy. The document demonstrates creating a deployment, service, and ingress to expose an application externally via a load balancer.

1. Tvorba siete v Kubernetes
pre začiatočníkov
alebo pre tých, čo nevedia čo je iptables
Marián Kuna
mkunask@gmail.com
4. Kubernetes Meetup
October 16th 2019

3. Kto je Gedeon Majunke?
a) Postava z epizódy IX Hviezdnych Vojen - The Rise of Skywalker
b)Ministerský predseda Ugandy
c) Slovenský architekt, staviteľ Teryho Chaty

6. Pod
• A Pod is the basic execution unit of a Kubernetes application
• A Pod encapsulates an application’s container (or, in some cases,
multiple containers), storage resources, a unique network IP, and
options that govern how the container(s) should run.
• Docker is the most common container runtime used in a Kubernetes
Pod

7. Cluster Networking
There are 4 distinct networking problems to solve:
• Highly-coupled container-to-container communications
• Pod-to-Pod communications
• Kubernetes assumes that pods can communicate with other pods,
regardless of which host they land on
• Service-to-Pod communications
• External-to-Service communications

8. Linux containers
host
eth0
10.100.0.2
Container 2
veth0
172.17.0.3
veth2
Container 1
Docker0
172.17.0.1
veth1
veth0
172.17.0.2

10. Pod
• A Pod is the basic execution unit of a Kubernetes application
• A Pod encapsulates an application’s container (or, in some cases,
multiple containers), storage resources, a unique network IP, and
options that govern how the container(s) should run.

11. Docker networking
host
eth0
10.100.0.2
Container 2
veth0
172.17.0.3
Container 1
Docker0
172.17.0.1
veth0
172.17.0.2

12. Docker networking
host
eth0
10.100.0.2
Container 2Container 1
Docker0
172.17.0.1
veth0
172.17.0.2

14. Docker networking
host
eth0
10.100.0.2
Container 2Container 1
Docker0
172.17.0.1
Pause
veth0
172.17.0.2
Pod

15. Cluster Networking
There are 4 distinct networking problems to solve:
• Highly-coupled container-to-container communications
• Pod-to-Pod communications
• Kubernetes assumes that pods can communicate with other pods,
regardless of which host they land on
• Service-to-Pod communications
• External-to-Service communications

16. Kubernetes Pods
node
ens3
10.0.10.3
cni0
10.244.1.1
Pod
veth0
10.244.1.2

17. Pod networking
node
ens3
10.0.10.3
cni0
10.244.1.1
pod 1
veth0
10.244.1.2
node
ens3
10.0.11.3
Switch
pod 2
veth0
10.244.1.3
cni0
10.244.2.1
pod 1
veth0
10.244.2.2
pod 2
veth0
10.244.2.3
10.244.2.0/24 via 10.0.11.3 ens3
Routes
10.244.1.0/24 via 10.0.10.3 ens3
Routes
to: 10.244.2.2
10.0.0.0/16
default via 10.244.1.1 veth0
Routes
default via 10.244.2.1 veth0
Routes

19. apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: microcities
labels:
run: microcities
spec:
replicas: 2
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
run: microcities
spec:
containers:
- name: microcities
image: bluesnake/microcities
imagePullPolicy: Always
ports:
- name: microcities
containerPort: 8080
protocol: TCP
restartPolicy: Always
deployment.yml

20. apiVersion: v1
kind: Pod
metadata:
name: test
spec:
restartPolicy: Never
containers:
- name: test
image: alpine
command: ["/bin/sh"]
args: ["-c", "echo 'GET / HTTP/1.1rnrn' | nc 10.244.0.18 8080"]
test.yml

21. Pod networking
node
ens3
10.0.10.3
cni0
10.244.1.1
microcities1
veth0
10.244.1.2
node
ens3
10.0.11.3
Switch
test
veth0
10.244.1.3
cni0
10.244.2.1
microcities2
veth0
10.244.2.2
to: 10.244.2.2
10.0.0.0/16

22. Cluster Networking
There are 4 distinct networking problems to solve:
• Highly-coupled container-to-container communications
• Pod-to-Pod communications
• Kubernetes assumes that pods can communicate with other pods,
regardless of which host they land on
• Service-to-Pod communications
• External-to-Service communications

23. apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: microcities
labels:
run: microcities
spec:
replicas: 2
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
run: microcities
spec:
containers:
- name: microcities
image: bluesnake/microcities
imagePullPolicy: Always
ports:
- name: microcities
containerPort: 8080
protocol: TCP
restartPolicy: Always
deployment.yml
kind: Service
apiVersion: v1
metadata:
name: microcities-svc
spec:
selector:
run: microcities
ports:
- port: 80
targetPort: 8080
type: ClusterIP
service.yml

25. Pods
λ kubectl apply -f deployment.yml
deployments "microcities" created
λ kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP
microcities-65944d6586-8chwt 1/1 Running 0 38m 10.244.0.18
microcities-65944d6586-hwgvz 1/1 Running 0 38m 10.244.2.11
λ kubectl apply -f service.yml
service "microcities-svc" created
λ kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
microcities-svc ClusterIP 10.96.226.20 <none> 80/TCP 4m45s

26. Services
node
ens3
10.0.10.3
cni0
10.244.1.1
microcities
veth0
10.244.1.2
node
ens3
10.0.11.3
test
veth1
10.244.1.3
cni0
10.244.2.1
Microcities
veth0
10.244.2.2
to: 10.96.226.20:80
?
?
?
?Switch
10.0.0.0/16

27. Services
node
ens3
10.0.10.3
cni0
10.244.1.1
microcities
veth0
10.244.1.2
node
ens3
10.0.11.3
test
veth1
10.244.1.3
cni0
10.244.2.1
Microcities
veth0
10.244.2.2
to: 10.96.226.20:80
Switch
kube-proxy
iptables/netfilter
10.0.0.0/16

28. What is a netfilter and iptables[tl;dr]
• netfilter is a rules-based packet processing engine. It runs in kernel
space and gets a look at every packet at various points in its life cycle.
• It matches packets against rules and when it finds a rule that matches
it takes the specified action.
• Among the many actions it can take is redirecting the packet to
another destination.
• iptables is a user space interface to netfilter

29. Services
node
ens3
10.0.10.3
cni0
10.244.1.1
microcities
veth0
10.244.1.2
node
ens3
10.0.11.3
test
veth1
10.244.1.3
cni0
10.244.2.1
Microcities
veth0
10.244.2.2
to: 10.96.226.20:80
Switch
kube-proxy
netfilter
10.96.226.20:80 > 10.244.2.2:8080
Kubernetes master
10.0.0.0/16

30. Cluster Networking
There are 4 distinct networking problems to solve:
• Highly-coupled container-to-container communications
• Pod-to-Pod communications
• Kubernetes assumes that pods can communicate with other pods,
regardless of which host they land on
• Service-to-Pod communications
• External-to-Service communications

31. External Access
node
ens3
10.0.10.3
cni0
10.244.1.1
microcities
veth0
10.244.1.2
node
ens3
10.0.11.3
test
veth1
10.244.1.3
cni0
10.244.2.1
Microcities
veth0
10.244.2.2
to: 10.96.226.20:80
Switch
gateway
destination next hop
External
Client
kube-proxy
netfilter
kube-proxy
netfilter
10.96.226.0/24 10.0.10.3

32. kind: Service
apiVersion: v1
metadata:
name: microcities-swc
spec:
selector:
run: microcities
ports:
- port: 80
targetPort: 8080
type: ClusterIP
service.yml

33. kind: Service
apiVersion: v1
metadata:
name: microcities-swc
spec:
selector:
run: microcities
ports:
- port: 80
targetPort: 8080
type: NodePort
service.yml

34. External Access
node
ens3
10.0.10.3
cni0
10.244.1.1
microcities
veth0
10.244.1.2
node
ens3
10.0.11.3
test
veth1
10.244.1.3
cni0
10.244.2.1
Microcities
veth0
10.244.2.2
Switch
gateway External
Client
kube-proxy
netfilter
kube-proxy
netfilter
listen: 10.0.10.3: 32601
10.96.226.20:80 > 10.244.2.2:8080
Kubernetes master
10.0.0.3: 32601 > 10.96.226.20:80

35. External Access
node
ens3
10.0.10.3
cni0
10.244.1.1
microcities
veth0
10.244.1.2
node
ens3
10.0.11.3
test
veth1
10.244.1.3
cni0
10.244.2.1
Microcities
veth0
10.244.2.2
Switch
gateway
kube-proxy
netfilter
kube-proxy
netfilter
listen: 10.0.10.3: 32601
10.96.226.20:80 > 10.244.2.2:8080
10.0.0.3: 32601 > 10.96.226.20:80
External
Client
Loadbalancer
LB public IP
10.0.10.2: 32601
10.011.3: 32601

36. kind: Service
apiVersion: v1
metadata:
name: microcities-swc
spec:
selector:
run: microcities
ports:
- port: 80
targetPort: 8080
type: LoadBalancer
service.yml

37. apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: microcities-ing
annotations:
kubernetes.io/ingress.class: 'nginx'
ingress.kubernetes.io/add-base-url: 'true'
ingress.kubernetes.io/rewrite-target: /
nginx.org/hsts-max-age: '0'
nginx.org/hsts-include-subdomains: '0'
spec:
tls:
- secretName: tls-secret
rules:
- http:
paths:
- path: /meetup/microcities
backend:
serviceName: microcities-svc
servicePort: 80
ingress.yml

38. Ingress
node
ens3
10.0.10.3
cni0
10.244.1.1
microcities
veth0
10.244.1.2
node
ens3
10.0.11.3
Ingress CTRL
veth1
10.244.1.6
cni0
10.244.2.1
Microcities
veth0
10.244.2.2
netfilter
kube-proxy
listen: 10.0.10.3:30021
10.0.0.3: 30021 > ingress_svc_ClusterIP
ingress_svc_ClusterIP > 10.244.1.6:80
kube-proxy
netfilter
Ingress
*/meetup/microcities > microcities_svc_ClusterIP
gateway External
Client
<LBpublicIP>/meetup/microcities
10. 0.10.3:30021/*
10.0.11.3:30021/*
Loadbalancer
Ingress CTRL
veth1
10.244.2.5
microcities_svc_ClusterIP > 10.244.1.2:8080

40. apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: microcities
labels:
run: microcities
spec:
replicas: 2
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
run: microcities
spec:
containers:
- name: microcities
image: bluesnake/microcities
imagePullPolicy: Always
ports:
- name: microcities
containerPort: 8080
protocol: TCP
restartPolicy: Always
deployment.yml
kind: Service
apiVersion: v1
metadata:
name: microcities-svc
spec:
selector:
run: microcities
ports:
- port: 80
targetPort: 8080
type: ClusterIP
service.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: microcities-ing
annotations:
kubernetes.io/ingress.class: 'nginx'
ingress.kubernetes.io/add-base-url: 'true'
ingress.kubernetes.io/rewrite-target: /
nginx.org/hsts-max-age: '0'
nginx.org/hsts-include-subdomains: '0'
spec:
tls:
- secretName: tls-secret
rules:
- http:
paths:
- path: /meetup/microcities
backend:
serviceName: microcities-svc
servicePort: 80
ingress.yml

41. Pods
$ kubectl apply -f ingress.yml --namespace=meetup
$ kubectl get ingress –-namespace=meetup
NAME HOSTS ADDRESS PORTS AGE
microcities-ing * 80, 443 5m32s
http://132.145.10.92/meetup/microcities

42. References
• https://kubernetes.io/docs/concepts/cluster-administration/networking/
• https://medium.com/google-cloud/understanding-kubernetes-networking-pods-7117dd28727
• https://medium.com/@ApsOps/an-illustrated-guide-to-kubernetes-networking-part-1-d1ede3322727
• https://developer.ibm.com/recipes/tutorials/networking-your-docker-containers-using-docker0-bridge/
• https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md
• https://kubernetes.io/docs/concepts/services-networking/service/