https://kubernetes.io/docs/concepts/cluster-administration/networking/
Cluster Networking
Networking is a central part of Kubernetes, but it can be challenging to understand exactly how it is expected to work.
There are 4 distinct networking problems to address:
- Highly-coupled container-to-container communications: this is solved by Pods and localhost communications.
- Pod-to-Pod communications: this is the primary focus of this document.
- Pod-to-Service communications: this is covered by services.
- External-to-Service communications: this is covered by services.
Kubernetes is all about sharing machines between applications.
Typically, sharing machines requires ensuring that two applications do not try to use the same ports.
Coordinating ports across multiple developers is very difficult to do at scale and
exposes users to cluster-level issues outside of their control.
Dynamic port allocation brings a lot of complications to the system
every application has to take ports as flags, the API servers have to know how to insert dynamic port numbers
into configuration blocks, services have to know how to find each other, etc.
Rather than deal with this, Kubernetes takes a different approach.
The Kubernetes network model
Every Pod gets its own IP address.
This means you do not need to explicitly create links between Pods and
you almost never need to deal with mapping container ports to host ports.
This creates a clean, backwards-compatible model
where Pods can be treated much like VMs or physical hosts from the perspectives of
port allocation, naming, service discovery, load balancing, application configuration, and migration.
Kubernetes imposes the following fundamental requirements on any networking
implementation (barring any intentional network segmentation policies):
- pods on a node can communicate with all pods on all nodes without NAT
- agents on a node (e.g. system daemons, kubelet) can communicate with all pods on that node
Note: For those platforms that support Pods running in the host network (e.g. Linux):
- pods in the host network of a node can communicate with all pods on all nodes without NAT
This model is not only less complex overall, but it is principally compatible with the desire for Kubernetes
to enable low-friction porting of apps from VMs to containers.
If your job previously ran in a VM, your VM had an IP and could talk to other VMs in your project.
This is the same basic model.
Kubernetes IP addresses exist at the Pod scope
containers within a Pod share their network namespaces, including their IP address and MAC address.
This means that containers within a Pod can all reach each other's ports on localhost.
This also means that containers within a Pod must coordinate port usage,
but this is no different from processes in a VM.
This is called the IP-per-pod model.
How this is implemented is a detail of the particular container runtime in use.
It is possible to request ports on the Node itself which forward to your Pod (called host ports),
but this is a very niche operation. How that forwarding is implemented is also a detail of the container runtime.
The Pod itself is blind to the existence or non-existence of host ports.
https://kubernetes.io/docs/concepts/services-networking/service/