Pod Network
Every cluster routes and delivers packets to Pod IPs. Konvoy uses Calico to implement an overlay network. The Pod IPs are managed by Calico.
Service Network
Every cluster also routes and delivers packets to Services. Each Service gets a Virtual IP. Konvoy uses kube-proxy to implement this.
The Service IPs are managed by the Kubernetes control plane, specifically kube-controller-manager, which is given the CIDR from which to allocate Service IPs.
apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --service-cluster-ip-range=10.96.0.0/12
Calico
Calico allocates Pod IPs from a range defined in the Installation resource. For example:
apiVersion: operator.tigera.io/v1
kind: Installation
spec:
  calicoNetwork:
    ipPools:
    - blockSize: 26
      cidr: 192.168.0.0/16
Calico divides this range into blocks, allocates blocks to nodes, and records the allocation for each node in a BlockAffinity resource. For example:
apiVersion: v1
items:
- apiVersion: crd.projectcalico.org/v1
  kind: BlockAffinity
  metadata:
    name: ip-10-0-104-134.us-west-2.compute.internal-192-168-164-128-26
  spec:
    cidr: 192.168.164.128/26
    deleted: "false"
    node: ip-10-0-104-134.us-west-2.compute.internal
    state: confirmed
- apiVersion: crd.projectcalico.org/v1
  kind: BlockAffinity
  metadata:
    name: ip-10-0-129-232.us-west-2.compute.internal-192-168-134-0-26
  spec:
    cidr: 192.168.134.0/26
    deleted: "false"
    node: ip-10-0-129-232.us-west-2.compute.internal
    state: confirmed
Note that each node gets a /26 allocation, as specified by the blockSize field in the Installation resource.
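The address layout described so far can be checked mechanically, and the same block records let you attribute a Pod IP seen in a log to the node that owns it. The following is an added example, not part of the Konvoy or Calico documentation; the function names are hypothetical, and the CIDRs and node names are copied from the manifests on this page.

```python
import ipaddress

# Values taken from the manifests on this page.
POD_POOL = ipaddress.ip_network("192.168.0.0/16")
BLOCK_SIZE = 26
SERVICE_RANGE = ipaddress.ip_network("10.96.0.0/12")

# (node, cidr) pairs as they appear in the BlockAffinity resources above.
AFFINITIES = [
    ("ip-10-0-104-134.us-west-2.compute.internal", "192.168.164.128/26"),
    ("ip-10-0-129-232.us-west-2.compute.internal", "192.168.134.0/26"),
]

def pool_capacity(pool, block_size):
    """Return (number of blocks in the pool, addresses per block)."""
    return 2 ** (block_size - pool.prefixlen), 2 ** (pool.max_prefixlen - block_size)

def audit(pool, block_size, service_range, affinities):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    if pool.overlaps(service_range):
        findings.append(f"pod pool {pool} overlaps service range {service_range}")
    owners = {}
    for node, cidr in affinities:
        try:
            block = ipaddress.ip_network(cidr)  # strict mode rejects host bits
        except ValueError as exc:
            findings.append(f"{node}: invalid block {cidr}: {exc}")
            continue
        if block.prefixlen != block_size:
            findings.append(f"{node}: {block} is not a /{block_size}")
        if not block.subnet_of(pool):
            findings.append(f"{node}: {block} is outside pool {pool}")
        for other, other_node in owners.items():
            if block.overlaps(other) and other_node != node:
                findings.append(f"{block} ({node}) overlaps {other} ({other_node})")
        owners[block] = node
    return findings

def owner_of(pod_ip, affinities):
    """Map a Pod IP to the node whose block contains it, or None."""
    ip = ipaddress.ip_address(pod_ip)
    for node, cidr in affinities:
        if ip in ipaddress.ip_network(cidr):
            return node
    return None
```

With the values on this page, the pool holds 1024 blocks of 64 addresses each, and the audit returns no findings.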
The Kubernetes control plane still takes some inputs related to Pod networking and uses them, but they have no effect. For example, kube-controller-manager is given a cluster CIDR, and told to allocate CIDRs to each node:
apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --allocate-node-cidrs=true
    - --cluster-cidr=192.168.0.0/16
    - --service-cluster-ip-range=10.96.0.0/12
It does in fact do this, setting the spec.podCIDR field on each Node resource. However, these values are not used by any component. Importantly, they are not used by Calico.