Outshift Logo

INSIGHTS

8 min read

Blog thumbnail
Published on 01/16/2021
Last updated on 03/21/2024

Inside Kubernetes Networking

Share

Kubernetes Networking is a core abstraction of Kubernetes. In a nutshell, the Kubernetes Networking Model guarantees that all Kubernetes Pods on a cluster are able to communicate. In addition, on top of the Kubernetes Networking Model, Kubernetes provides additional core abstractions, Kubernetes Services and Kubernetes Ingress. Using a systems modeling approach, this blog post will explore Kubernetes Networking. Here, we will develop a concise mental model to reason about Container-to-Container and Pod-to-Pod communication. Future blog posts will explore Kubernetes Services and Kubernetes Ingress. All models are wrong, but some models are useful ⎯ George Box Kubernetes Networking Model

How To Think About Networking

Without a doubt, networking is a vast and complex field that demands years of theory and practice to claim proficiency. However, here we reason about networking on a conceptual level, skipping a host of details that would be necessary if we reasoned on an implementation level. Switching Plane Figure 1. illustrates a network as a Network Graph that consists of a set of Nodes and a set of Links between the Nodes: One Node may exchange a message with another Node if and only if there exists a link between the Nodes. illustrates a network as a Network Graph A Node, the Source, exchanges a message with another Node, the Target, by placing the message in the Target’s input queue. The message exchange is represented by a Send Event, Send●M, observed at the Source, and a corresponding Receive Event, Recv●M, observed at the Target. A Node Source A Node in the network is either a Process or a Switch. Processes produce and consume messages, Switches process messages according to their Forward Information Base (FIB). Forward Information Base (FIB) Figure 2. illustrates the Forward Information Base of Switch S1 and S2. On receiving a message, each Switch consults its Forward Information Base to determine whether to deliver, forward, or discard the message. The Switch
  • matches the message’s header, that is, the source address, source port, target address, and target port with its Forward Information Base
  • performs the associated action, discarding being the default.
In the next blog post Kubernetes Services, we will extend the model of a Switch to allow for Network Address Translation.

Kubernetes Networking Model

The Kubernetes Networking Model is a descriptive networking model, that is, any network that satisfies the specification of the Kubernetes Networking Model is a Kubernetes Network. However, Kubernetes does not prescribe how to implement the Networking Model. In fact, many alternative implementations, called Network Plugins, exist today. This section describes the Kubernetes Networking Model in terms of a set of constraints on message exchange.

Constraint ● Network Addressable Entities

The Kubernetes Networking Model defines three Addressable Entities, K8s Pods, K8s Nodes, and K8s Services, where each unique entity is associated with a unique IP Address.
(K8s-Pod(E₁) ∨ K8s-Node(E₁) ∨ K8s-Service(E₁))
∧ (K8s-Pod(E₂) ∨ K8s-Node(E₂) ∨ K8s-Service(E₂)):
  addr(E₁, a) ∧ addr(E₂, a)₂
   ⟺ E₁ = E₂

However, the Networking Model does not make any further statements about these IP Addresses. For example, the Kubernetes Networking Model does not make any further statements about the IP Address Spaces these IP Addresses are drawn from.

Constraint ● Container to Container Communication

The Kubernetes Networking model requires that a Container C₁ executing in the context of a Pod P can communicate with any other Container C₂ executing in the context of P via localhost.
K8s-Pod(P) ∧ K8s-Container(C₁, P) ∧ K8s-Container(C₂, P):
 open(C₂, p)
  ⟹
   Send(e, C₁, 127.0.0.1, _, 127.0.0.1, p)
    ⟹
     Recv(e, C₂, 127.0.0.1, _, 127.0.0.1, p)

Constraint ● Pod to Pod

The Kubernetes Networking model requires that a Container C₁ executing in the context of a Pod P₁ can communicate with any other Container C₂ executing in the context of a Pod P₂ via the address of the P₂.
∧ K8s-Pod(P₁) ∧ K8s-Container(C₁, P₁)
∧ K8s-Pod(P₂) ∧ K8s-Container(C2, P₂):
 addr(P₁, sa) ∧ addr(P₁, ta) ∧ open(C₂, tp)
  ⟹
   Send(e, C₁, sa, sp, ta, tp)
    ⟹
     Recv(e, C₂, sa, sp, ta, tp)

Constraint ● Process to Pod

The Kubernetes Networking model requires that a Process, called a Daemon D, hosted on a Node N, can communicate with any Container C executing in the context of a Pod P hosted on N via the address of the P.
K8s-Node(N) ∧ K8s-Daemon(D) ∧ K8s-Pod(P) ∧ K8s-Container(C, P):
 host(N, D) ∧ host(N, P) ∧ addr(P, a) ∧ open(C, p)
  ⟹
   Send(e, D, _, _, a, p)
    ⟹
     Recv(e, C, _, _, a, p)

Kubernetes Networks as Network Graphs

Kubernetes Networks as Network Graphs This section describes the Kubernetes Networking Model in terms of a Kubernetes Network Graph, an idealized model. Figure 5. illustrates the example used in this section: A Kubernetes Cluster K₁ that consists of two Nodes. Each Node hosts two Pods. Each Pod executes two Containers, one Container listening on port 8080, one Container listening on port 9090. Additionally, each Node hosts one Daemon. Kubernetes Networking Model in terms of a Kubernetes Network Graph We can model a Kubernetes Cluster Network as a Graph with a set of Nodes and a set of Links.

Nodes

Every K8s Container C maps to a Network Process C
K8s-Pod(P) ∧ K8s-Container(C, P):
  Process(C)
Every Daemon D maps to a Network Process C
K8s-Daemon(D):
  Process(D)
Every K8s Pod P maps to a Network Switch P, the Pod Switch
K8s-Pod(P):
  Switch(P)
Every K8s Node N maps to a Network Switch N, the Node Switch
K8s-Pod(N):
  Switch(N)

Links

Each Container C is linked to its Pod Switch P
K8s-Pod(P) ∧ K8s-Container(C, P):
 link(C, P)
Each Daemon D is linked to its Node Switch N
K8s-Node(N) ∧ K8s-Daemon(D):
 host(N, D)
  ⟹
   link(D, N)
Each Pod Switch P is linked to its Node Switch N
K8s-Node(N) ∧ K8s-Pod(P):
 host(N, P)
  ⟹
   link(P, N)
Each Node Switch N₁ is linked to every other Node Switch N₂
K8s-Node(N₁) ∧ K8s-Node(N₂):
 N₁ ≠ N₂
  ⟹
   link(N₁, N₂)

Forward Information Base at the Pod Switch

Forward Information Base at the Pod Switch
  • Delivery on localhost
K8s-Pod(P) ∧ K8s-Container(C, P):
 open(C, p)
  ⟹
   [* * 127.0.0.1 p Deliver(C)] in FIB[P]
  • Delivery on Pod Address
K8s-Pod(P) ∧ K8s-Container(C, P):
 addr(P, a) ∧ open(C, p)
  ⟹
   [* * a p Deliver(C)] in FIB[P]
  • Local Forwarding Rule
K8s-Node(N) ∧ K8s-Pod(P):
 host(N, P)
  ⟹
   [* * * * Forward(N)] in FIB[P]

Forward Information Base at the Node Switch

Forward Information Base at the Pod Switch_2
  • Node to Pod Forwarding Rule
K8s-Node(N) ∧ K8s-Pod(P):
 host(N, P) ∧ addr(P, a)
  ⟹
   [* * a * Forward(P)] in FIB[N]
  • Node to Node Forwalding Rule
K8s-Node(N₁) ∧ K8s-Node(N₂) ∧ K8s-Pod(P):
 N₁ ≠ N₂ ∧ host(N₂, P) ∧ addr(P, a)
  ⟹
   [* * a * Forward(N₂)] in FIB[N₁]

Examples

This section walks through some examples and follows the Life of a Message in the Kubernetes Cluster Network K₁.

Container to Container

Here, Container C₁.₁ needs to communicate with Container C₁.₂:
  • C₁.₁ executes in the context of Pod P₁
  • C₁.₂ executes in the context of Pod P₁
Container C₁.₁ needs to communicate with Container C₁.₂

Pod to Pod Communication, Intra Node

Here, Container C₁.₁ needs to communicate with Container C₃.₁:
  • C₁.₁ executes in the context of Pod P₁ which is hosted on Node N₁.
  • C₃.₁ executes in the context of Pod P₃ which is hosted on Node N₁.
Pod to Pod Communication, Intra Node

Pod to Pod Communication, Inter Node

Here, Container C₁.₁ needs to communicate with Container C₂.₁:
  • C₁.₁ executes in the context of Pod P₁ which is hosted on Node N₁.
  • C₂.₁ executes in the context of Pod P₂ which is hosted on Node N₂.
Pod to Pod Communication, Intra Node_2

Deamon to Pod Communication

Here, Daemon D₁ needs to communicate with Container C₁.₁:
  • D₁ is hosted on Node N₁.
  • C₁.₁ executes in the context of Pod P₁ which is hosted on Node N₁.
Deamon to Pod Communication

Conclusion

The Kubernetes Networking Model is a permissive networking model, that is, any network that satisfies the constraints of the Kubernetes Networking Model is a valid Kubernetes Network. Mapping the Kubernetes Networking Model to a Networking Graph enables us to reason about the network on a conceptual level, skipping a host of details that would be necessary if we reasoned on an implementation level.
Subscribe card background
Subscribe
Subscribe to
the Shift!

Get emerging insights on emerging technology straight to your inbox.

Unlocking Multi-Cloud Security: Panoptica's Graph-Based Approach

Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.

thumbnail
I
Subscribe
Subscribe
 to
the Shift
!
Get
emerging insights
on emerging technology straight to your inbox.

The Shift keeps you at the forefront of cloud native modern applications, application security, generative AI, quantum computing, and other groundbreaking innovations that are shaping the future of technology.

Outshift Background