-
Containers in a pod share Linux namespaces: the network namespace (same IP, same port space) and the IPC namespace are always shared; the PID namespace is shared only if the pod opts in (shareProcessNamespace); the mount namespace / root filesystem stays per container.
-
Container-to-Container comms via localhost (because they share the same network namespace, not merely the same kernel). Two containers in one pod therefore cannot both listen on the same port.
-
The 'pause' container (AKA infra container) is a container which holds the network namespace for the pod. The kubelet creates a pause container first to acquire the pod's IP address and set up the network namespace, and every other container in the pod then joins that namespace. It has one job: DON'T DIE. (If it does, the namespace and the pod IP go with it and the kubelet has to rebuild the sandbox and restart every container in the pod.)
-
kube-apiserver
| the only component that reads/writes etcd; everything else subscribes to it via long-running watches (pub-sub style) instead of polling
-
kube-scheduler (maitre d'): picks a node for each unscheduled pod using affinity/anti-affinity, nodeSelector, taints/tolerations and resource requests/limits (requests decide placement, limits are enforced at runtime). The scheduler is fully customizable / write your own; different schedulers per pod are supported (spec.schedulerName).
-
kube-controller-manager (does no work itself, only runs the control loops): namespace controller, deployment controller, replicaset controller, ... Operators are the same pattern as custom controllers.
- kubelet hooks up to the apiserver and makes containers real (talks to the container runtime over the CRI: containerd, CRI-O; historically docker/rkt). Liveness probing (your process is running, doesn't mean it's "aware"; a failing liveness probe gets the container restarted). Readiness checks (are you ready to receive traffic? a failing readiness probe pulls the pod out of Service endpoints, no restart). Reports back to the apiserver.
-
kube-proxy talks to the apiserver and makes Services real on every node (iptables aficionado; IPVS mode also exists). New pod comes in / becomes ready -> kube-proxy rewrites the rules so the Service now balances to it.
-
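Added example (not from these notes): one Pod manifest that exercises the scheduler knobs listed above (nodeSelector, affinity/anti-affinity, tolerations, requests/limits, optional custom scheduler) together with the kubelet liveness/readiness probes. The pod name, labels, node label `disktype`, taint key `dedicated`, image and probe paths are assumptions made up for illustration.

```yaml
# Added example, not from the original notes. Names/labels/paths are illustrative.
apiVersion: v1
kind: Pod
metadata:
  name: web-api
  labels:
    app: web-api
spec:
  # Hard constraint: only nodes carrying this label are candidates.
  nodeSelector:
    disktype: ssd
  affinity:
    # Soft rule: prefer a zone, but schedule elsewhere if it is full.
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 50
        preference:
          matchExpressions:
          - key: topology.kubernetes.io/zone
            operator: In
            values: ["eu-west-1a"]
    # Hard rule: never put two web-api pods on the same node
    # (anti-affinity keyed on the hostname topology domain).
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app: web-api
        topologyKey: kubernetes.io/hostname
  # Nodes tainted dedicated=web:NoSchedule repel every pod except those
  # that tolerate the taint.
  tolerations:
  - key: dedicated
    operator: Equal
    value: web
    effect: NoSchedule
  # Optional: hand this pod to a custom scheduler instead of the default one.
  # schedulerName: my-custom-scheduler
  containers:
  - name: api
    image: registry.example.com/web-api:1.4.2
    ports:
    - containerPort: 3000
    # requests drive scheduling (does the node have room?);
    # limits are enforced by cgroups at runtime.
    resources:
      requests:
        cpu: 250m
        memory: 128Mi
      limits:
        cpu: "1"
        memory: 512Mi
    # liveness: process hung? -> kubelet restarts the container
    livenessProbe:
      httpGet:
        path: /healthz
        port: 3000
      initialDelaySeconds: 10
      periodSeconds: 10
    # readiness: not ready? -> endpoint pulled from every Service,
    # kube-proxy stops sending it traffic, no restart
    readinessProbe:
      httpGet:
        path: /ready
        port: 3000
      periodSeconds: 5
      failureThreshold: 3
```

The two probes are deliberately separate endpoints: a liveness check that also fails when a downstream dependency is slow turns a dependency outage into a restart storm, whereas a readiness failure just stops traffic until the dependency is back.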
Every pod has a unique IP across the entire cluster. Every node (not every pod) gets a pod CIDR range from which its pods' IPs are allocated (network providers can change how that is done).
Network Providers: the most replaced part of Kubernetes. Functionally, every provider has to guarantee:
- All containers/pods can talk to all other containers/pods without NAT
- All nodes can talk to all containers/pods and vice-versa without NAT
- The IP that a container sees itself as is the same IP others see it as
Service
selector | app=nginx, tier=web (pods must match ALL listed labels)
port     | 80:3000 (port the ClusterIP answers on : targetPort on the pod)
type     | ClusterIP (default) / NodePort / LoadBalancer
         |   ClusterIP    \ internal to the cluster only
         |   NodePort     \ gets a ClusterIP + the same port opened on every node (AKA "Imma bring my own load balancer")
         |                  (additional iptables rule: node port 30001 -> targetPort; node ports come from the 30000-32767 range by default,
         |                   and they open on every node whether or not it runs a matching pod, so host firewalls must allow that range)
         |   LoadBalancer \ cloud specific, external to the cluster (think exposed to Internet):
         |                  kube-controller-manager (today the cloud-controller-manager)
         |                  |
         |                  talks to cloud provider APIs
         |                  |
         |                  makes load balancer
         |                  |
         |                  points it to the node port
The IP address of a Service (the ClusterIP) is an iptables target, you won't find it assigned to any interface (in IPVS mode kube-proxy does put it on a dummy interface, kube-ipvs0, so IPVS can answer for it).
---------------
|
\ kube-proxy makes it real
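Added example (not from these notes): the Service sketched above written out as a manifest, once as NodePort and once as LoadBalancer with the two settings a practitioner wants on an Internet-facing Service. The Service names, the node port number and the CIDR in `loadBalancerSourceRanges` are assumptions for illustration.

```yaml
# Added example, not from the original notes. Names, ports and CIDRs are illustrative.
apiVersion: v1
kind: Service
metadata:
  name: nginx-web
spec:
  # Only pods carrying BOTH labels become endpoints (AND semantics).
  selector:
    app: nginx
    tier: web
  ports:
  - name: http
    protocol: TCP
    port: 80          # what clients dial on the ClusterIP
    targetPort: 3000  # what the container actually listens on
    nodePort: 30001   # NodePort/LoadBalancer only; must be in the 30000-32767 default range, auto-assigned if omitted
  # ClusterIP (default): virtual IP, reachable only inside the cluster.
  # NodePort: above + port 30001 opened on every node's real IP.
  type: NodePort
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-web-public
spec:
  selector:
    app: nginx
    tier: web
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 3000
  # LoadBalancer: ClusterIP + NodePort + a cloud LB pointed at the node port.
  type: LoadBalancer
  # Restrict who may reach the LB (honoured by providers that support it;
  # treat it as defence in depth, not as your only perimeter control).
  loadBalancerSourceRanges:
  - 203.0.113.0/24
  # Local: traffic only goes to nodes that host a matching pod, which skips
  # the extra node hop and preserves the client source IP for logging.
  # Cluster (default): any node accepts and SNATs across to a pod, losing the source IP.
  externalTrafficPolicy: Local
```

Note that both objects select the same pods: a Service is just a set of kube-proxy rules over the pods matching its selector, so several Services can front one Deployment with different exposure.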
+---master----------------+ +---master----------------+ +---master----------------+
|                         | |                         | |                         |
| kube-apiserver          | | kube-apiserver          | | kube-apiserver          |
| kube-scheduler          | |                         | |                         |
|                         | |                         | | kube-controller-manager |
+-------------------------+ +-------------------------+ +-------------------------+
HA control plane: kube-apiserver is stateless (all state lives in etcd), so it runs active/active on every master behind a load balancer. kube-scheduler and kube-controller-manager run on every master too but use leader election, so only one instance of each is active at a time (the diagram shows where the leaders happen to be).
An Ingress resource is only a set of routing rules (host/path -> Service); an Ingress Controller (nginx, traefik, haproxy, ...) is what makes it real. Two common ways to get traffic to the controller:
LB ingress ---> (Node 1) ingress-controller (pod, hostPort) ---> your-app (service)
           ---> (Node 2) ingress-controller (pod, hostPort) ---> your-app (service)
Upside: no extra hop (the external LB targets the controller pods on the nodes directly). Downside: port mapping (the controller has to own fixed host ports on every node it runs on, typically as a DaemonSet).
or
LB ingress ---> ingress-controller (service, type LoadBalancer/NodePort) ---> ingress-controller (pod) ---> your-app (service)
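Added example (not from these notes): the objects behind the two topologies above. The Ingress is the controller-agnostic rule set; the Service variant implements the second drawing, the DaemonSet with hostPort the first. The `ingress` namespace, the `app: ingress-controller` label, the `nginx` ingress class, the hostname, the TLS secret name and the controller image are assumptions for illustration.

```yaml
# Added example, not from the original notes. Namespace, labels, host and images are illustrative.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: your-app
  namespace: default
spec:
  ingressClassName: nginx      # which controller should act on this object
  tls:
  - hosts: [app.example.com]
    secretName: your-app-tls   # TLS terminates at the controller pod, not at the app
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: your-app     # the Service the controller proxies to
            port:
              number: 80
---
# Topology 2: external LB -> this Service -> controller pods. One extra hop,
# but no host ports are consumed and the controller can scale like any Deployment.
apiVersion: v1
kind: Service
metadata:
  name: ingress-controller
  namespace: ingress
spec:
  type: LoadBalancer
  selector:
    app: ingress-controller
  ports:
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 443
---
# Topology 1: controller pods bound straight to host ports on every node via a
# DaemonSet; the external LB targets the nodes on 80/443 with no Service hop.
# This is the "port mapping" downside: 80 and 443 are now taken on every node
# the DaemonSet lands on, and nothing else on the host may use them.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ingress-controller
  namespace: ingress
spec:
  selector:
    matchLabels:
      app: ingress-controller
  template:
    metadata:
      labels:
        app: ingress-controller
    spec:
      containers:
      - name: controller
        image: registry.example.com/ingress-controller:1.0.0
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
```

Either way the controller pod is the TLS termination point and sees every request for every host it serves, so it deserves the same hardening attention as any other perimeter proxy.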
+--------- Kernel Namespaces -------+
| (net + ipc shared, pid opt-in;    |
|  mount/fs stays per container)    |
|                                   |
| ( Container 1 node-express-api )  |
| ( Container 2 redis-cache )       |
|                                   |
+-----------------------------------+
 \_ Sharing the network namespace is what makes it possible for
    multiple containers inside a pod to share the same IP address
    (and the same port space, so they must not collide on ports).
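Added example (not from these notes): the two-container pod from the diagram as a manifest, showing what the shared network namespace buys (localhost between containers) and what it does not (a shared filesystem, which needs a volume). The image names, ports and the `/shared` mount path are assumptions for illustration.

```yaml
# Added example, not from the original notes. Images, ports and paths are illustrative.
apiVersion: v1
kind: Pod
metadata:
  name: node-express-api
spec:
  # PID namespace is NOT shared unless you opt in. Uncomment to let the
  # containers see (and signal) each other's processes.
  # shareProcessNamespace: true
  containers:
  - name: node-express-api
    image: registry.example.com/node-express-api:2.1.0
    ports:
    - containerPort: 3000
    env:
    # Same network namespace => the cache is reachable on loopback,
    # no Service, DNS lookup or pod IP involved.
    - name: REDIS_URL
      value: redis://127.0.0.1:6379
    volumeMounts:
    - name: shared-tmp
      mountPath: /shared
  - name: redis-cache
    image: redis:7-alpine
    # Bind to loopback only: redis then never listens on the pod IP, so the
    # only client that can reach it is the api container in the same netns.
    # Without this it also answers on the pod IP and you are relying on
    # redis auth / NetworkPolicy to keep other pods out.
    args: ["--bind", "127.0.0.1", "--protected-mode", "yes"]
    volumeMounts:
    - name: shared-tmp
      mountPath: /shared
  volumes:
  # Mount namespaces are separate: files are shared only through a volume
  # mounted into both containers, not because they live in one pod.
  - name: shared-tmp
    emptyDir: {}
```

The trust boundary this draws is the pod, not the container: a compromised redis-cache container can reach anything node-express-api binds on localhost, and vice versa. Put only containers that genuinely need to be on the same loopback into one pod.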
Containers themselves are built from three kernel features:
- Namespaces (isolation: pid, net, mnt, ipc, uts, user)
- Control Groups (cgroups, the Linux way to split up resources: cpu, memory, pids)
- Union File System (overlayfs: read-only image layers + one writable layer per container)
TO DO NETWORK POLICY AFFINITY