How networking works in Docker
Docker creates a bridge interface, docker0, and gives it its own subnet (typically 172.17.0.0/16, the bridge itself taking 172.17.0.1).
For example, as shown by ifconfig:
docker0 Link encap:Ethernet HWaddr 02:42:d0:45:a7:3d
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
This means that containers attached to this bridge get addresses from 172.17.0.2 to 172.17.255.254 (172.17.0.1 is the bridge itself, which acts as their default gateway).
Containers on the same bridge can communicate directly with each other (same network), but they can't reach a Docker container on another host: every host uses its own private 172.17.0.0/16 and those addresses are not routed between hosts. To make a container reachable from outside, Docker lets you publish ports (-p host_port:container_port). This adds iptables rules, a DNAT rule in the nat table's DOCKER chain, so that all traffic arriving at host:port is redirected to container_ip:port. Two caveats a practitioner should keep in mind: if no host IP is given, the port is bound on 0.0.0.0, i.e. on every interface of the host (use -p 127.0.0.1:port:port to restrict it), and since the DNAT happens in PREROUTING, the traffic then traverses the FORWARD chain rather than INPUT, so host firewall rules written for INPUT do not apply to it.
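To make the bridge arithmetic and the port-publishing mechanism concrete, here is an added Python model (illustrative code, not Docker's own): it computes the container address range of a bridge, parses -p specs, emits iptables rules in the shape Docker installs for a published port, and simulates the DNAT decision for an incoming packet. The container addresses 172.17.0.2 and 172.17.0.3 and the client address 203.0.113.10 used in the usage are constructed.

```python
"""Added model of Docker bridge addressing and port publishing.
Illustrative code, not Docker's own; the container and client
addresses used below are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


def container_range(bridge: str = "172.17.0.1/16") -> tuple[str, str]:
    """First and last address a container can get on a bridge whose own
    address is `bridge` (the bridge takes the first host address)."""
    iface = ipaddress.ip_interface(bridge)
    first = iface.ip + 1
    last = iface.network.broadcast_address - 1
    return str(first), str(last)


@dataclass(frozen=True)
class PublishedPort:
    bind_ip: str        # "0.0.0.0" when -p gives no host IP (Docker's default)
    host_port: int
    container_ip: str
    container_port: int
    proto: str = "tcp"


def parse_publish(spec: str, container_ip: str, proto: str = "tcp") -> PublishedPort:
    """Parse a -p spec: 'host_port:container_port' or 'host_ip:host_port:container_port'."""
    parts = spec.split(":")
    if len(parts) == 2:
        bind_ip, host_port, container_port = "0.0.0.0", parts[0], parts[1]
    elif len(parts) == 3:
        bind_ip, host_port, container_port = parts
    else:
        raise ValueError(f"bad publish spec: {spec!r}")
    return PublishedPort(bind_ip, int(host_port), container_ip, int(container_port), proto)


def nat_rules(p: PublishedPort, bridge_if: str = "docker0") -> list[str]:
    """nat-table rules in the shape Docker installs for one published port."""
    dst = "" if p.bind_ip == "0.0.0.0" else f"-d {p.bind_ip}/32 "
    return [
        # PREROUTING jumps to DOCKER: anything not coming from the bridge and
        # aimed at host_port (optionally only on bind_ip) is rewritten to the container.
        f"-A DOCKER {dst}! -i {bridge_if} -p {p.proto} -m {p.proto} --dport {p.host_port} "
        f"-j DNAT --to-destination {p.container_ip}:{p.container_port}",
        # Hairpin case: the container talking to its own published port.
        f"-A POSTROUTING -s {p.container_ip}/32 -d {p.container_ip}/32 -p {p.proto} "
        f"-m {p.proto} --dport {p.container_port} -j MASQUERADE",
    ]


def dnat(published: list[PublishedPort], dst_ip: str, dst_port: int,
         proto: str = "tcp") -> Optional[tuple[str, int]]:
    """Simulate the DNAT decision for a packet arriving at the host for dst_ip:dst_port.
    Returns the container endpoint it is redirected to, or None if no rule matches."""
    for p in published:
        if p.proto != proto or p.host_port != dst_port:
            continue
        if p.bind_ip == "0.0.0.0" or p.bind_ip == dst_ip:
            return p.container_ip, p.container_port
    return None


def exposed_on_all_interfaces(published: list[PublishedPort]) -> list[PublishedPort]:
    """Ports reachable from every interface of the host, i.e. published without a host IP."""
    return [p for p in published if p.bind_ip == "0.0.0.0"]


if __name__ == "__main__":
    web = parse_publish("8080:80", "172.17.0.2")             # docker run -p 8080:80
    db = parse_publish("127.0.0.1:5432:5432", "172.17.0.3")  # docker run -p 127.0.0.1:5432:5432
    print(container_range())                      # ('172.17.0.2', '172.17.255.254')
    print(dnat([web, db], "203.0.113.10", 8080))  # ('172.17.0.2', 80): reachable from outside
    print(dnat([web, db], "203.0.113.10", 5432))  # None: bound to loopback only
    for rule in nat_rules(web) + nat_rules(db):
        print(rule)
```

The `exposed_on_all_interfaces` check is the one worth running over a real host's published ports: everything it returns is reachable from any network the host is attached to, regardless of INPUT-chain firewall rules.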
For example (host => pods running on it):
10.0.0.105 => pods in 10.2.13.8
10.0.1.xxx => pods in 10.2.67.15
So basically, in a Kubernetes cluster with two hosts, host1 and host2, each host gets its own CIDR from which the containers (pods) on that host take their addresses. For example:
host1 CIDR = 10.0.0.0/24, pods get IPs in 10.0.0.1 .. 10.0.0.254
host2 CIDR = 10.0.1.0/24, pods get IPs in 10.0.1.1 .. 10.0.1.254
So every pod has its own IP address within the cluster. But how does a pod in 10.0.1.* contact a pod in 10.0.0.*, when the physical network knows nothing about these ranges? Here come overlay networks:
flannel is used and is configured like this:
podCIDR: "10.2.0.0/16"; out of that range flannel gives each host a /24 subnet, for example 10.2.1.0/24 and 10.2.3.0/24,
and pods can then communicate directly by IP address across hosts: flannel either encapsulates pod traffic between hosts (VXLAN or UDP backend) or installs routes to the other hosts' subnets (host-gw backend).
Note: IP masquerading (SNAT to the host's address when a pod talks to an address outside the pod CIDR) is what allows pods to reach the internet.
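The two-host example and the flannel configuration above, as an added Python model (illustrative code, not flannel's or Kubernetes' own): it carves the cluster pod CIDR into one /24 per host, derives the per-host route table that makes cross-host pod-to-pod traffic work (host-gw style), and shows when the masquerade rule rewrites a pod's source address. The second host address 10.0.1.200, the pod addresses, the external address 203.0.113.7 and the bridge name cni0 are assumptions; the allocation is sequential for simplicity, whereas flannel leases subnets from its datastore.

```python
"""Added model of flannel-style pod networking (illustrative, not flannel's code).
The host address 10.0.1.200, the pod addresses, the external address and the
bridge name cni0 used below are constructed assumptions."""
from __future__ import annotations

import ipaddress
from ipaddress import IPv4Network


def allocate_host_subnets(pod_cidr: str, host_ips: list[str],
                          prefix: int = 24) -> dict[str, IPv4Network]:
    """Carve pod_cidr into /prefix subnets and hand one to each host.
    Sequential here for simplicity; flannel leases them from its store."""
    cluster = ipaddress.ip_network(pod_cidr)
    subnets = cluster.subnets(new_prefix=prefix)
    return {host: next(subnets) for host in host_ips}


def routes_for(host: str, alloc: dict[str, IPv4Network]) -> list[str]:
    """Route table a host needs (host-gw style): the local pod subnet goes out
    the local bridge, every other host's pod subnet is routed via that host."""
    lines = []
    for other, subnet in alloc.items():
        if other == host:
            lines.append(f"{subnet} dev cni0")
        else:
            lines.append(f"{subnet} via {other}")
    return lines


def next_hop(src_host: str, dst_pod: str, alloc: dict[str, IPv4Network]) -> str:
    """Which host must receive a packet for dst_pod sent from src_host?
    Returns 'local' when the destination pod lives on src_host itself."""
    ip = ipaddress.ip_address(dst_pod)
    for host, subnet in alloc.items():
        if ip in subnet:
            return "local" if host == src_host else host
    raise ValueError(f"{dst_pod} is not inside any host's pod subnet")


def egress_source(src_pod: str, dst: str, host_ip: str, pod_cidr: str) -> str:
    """Source address the destination sees. Pod-to-pod traffic keeps the pod IP;
    traffic leaving the pod CIDR is masqueraded to the host's own address."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(pod_cidr):
        return src_pod
    return host_ip


if __name__ == "__main__":
    alloc = allocate_host_subnets("10.2.0.0/16", ["10.0.0.105", "10.0.1.200"])
    print(alloc)  # {'10.0.0.105': IPv4Network('10.2.0.0/24'), '10.0.1.200': IPv4Network('10.2.1.0/24')}
    for line in routes_for("10.0.0.105", alloc):
        print("ip route add", line)
    print(next_hop("10.0.0.105", "10.2.1.15", alloc))                              # 10.0.1.200
    print(egress_source("10.2.0.8", "10.2.1.15", "10.0.0.105", "10.2.0.0/16"))    # 10.2.0.8
    print(egress_source("10.2.0.8", "203.0.113.7", "10.0.0.105", "10.2.0.0/16"))  # 10.0.0.105
```

The route lines are what the host-gw backend programs into each host's kernel routing table; with the VXLAN backend the same per-host subnet mapping is kept, but packets for a remote subnet are encapsulated and sent to that host's address instead of being routed natively.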