Demystifying Kubernetes Networking: From Pods to the Internet

Kubernetes Basics

Kubernetes is built for running distributed clusters, making networking a core component. Understanding the Kubernetes networking model helps you correctly run, monitor, and troubleshoot applications.

Kubernetes API Server

The API server (kube-apiserver) provides the gateway to the etcd data store and maintains the desired state of the cluster.

Controllers

Controllers continuously observe the API server state and act to reconcile the current state with the desired state. Example pseudo‑code:

while true:
    X = currentState()
    Y = desiredState()
    if X == Y:
        return  # Do nothing
    else:
        do(tasks to get to Y)

Pods

A Pod is the smallest deployable unit in Kubernetes, encapsulating one or more containers, storage, and a unique IP address that is shared among the containers.

Nodes

Nodes are the machines (bare‑metal or virtual) that run the Kubernetes workload.

Kubernetes Networking Model

Kubernetes imposes three fundamental networking requirements:

All Pods can communicate with all other Pods without NAT.

All Nodes can communicate with all Pods without NAT.

Pod IPs are seen consistently by every other Pod.

These requirements lead to four networking problems:

Container‑to‑container networking

Pod‑to‑Pod networking

Pod‑to‑Service networking

Internet‑to‑Service networking

Container‑to‑Container Communication

Linux places each process in a network namespace, providing an isolated network stack. You can create a namespace with: $ ip netns add ns1 Namespaces are visible under /var/run/netns and can be listed with ip netns.

Pod‑to‑Pod Communication

Same‑Node Pods

Each Pod gets its own network namespace and a virtual Ethernet (veth) pair that connects the namespace to the root namespace. A Linux bridge (cbr0) links the veth interfaces, allowing Pods on the same node to exchange traffic.

Cross‑Node Pods

Each node receives a CIDR block for the Pods it hosts. Traffic destined for a Pod IP is routed to the appropriate node, which then forwards it to the target Pod via its bridge and veth pair.

Pod‑to‑Service Communication

Services provide a stable virtual IP that abstracts a set of Pods. Kubernetes uses netfilter with iptables (or IPVS) to perform load‑balancing and address translation.

netfilter and iptables

iptables rules, managed by kube‑proxy, rewrite Service IPs to selected Pod IPs and handle return‑path rewriting so Pods see the Service IP as the source.

IPVS

IPVS implements transport‑layer load balancing in the kernel, offering higher performance and scalability compared to iptables.

DNS

Kubernetes runs a DNS service (kubedns or CoreDNS) that maps Service names to their virtual IPs, allowing Pods to discover Services via DNS names.

Internet ↔ Service Communication

Egress (Pod → Internet)

Pods’ traffic is NAT‑translated at the node level so that the external Internet sees the node’s IP. iptables performs source NAT before packets leave the node.

Ingress (Internet → Kubernetes)

Two common approaches:

LoadBalancer services provision cloud load balancers that forward traffic to node ports, where iptables/kube‑proxy route it to the correct Pods.

Ingress controllers (e.g., AWS ALB Ingress) provide HTTP/HTTPS routing based on URL paths, creating underlying load balancers and target groups for Services.

Summary

This guide establishes a foundation for understanding the Kubernetes networking model and how it supports common networking tasks such as pod communication, service load‑balancing, and external traffic handling.

Network Terminology

Layer 2 (Data Link)

Provides node‑to‑node data transfer and defines protocols for establishing and terminating connections.

Layer 4 (Transport)

Implements reliable data exchange using TCP.

Layer 7 (Application)

Handles HTTP and other application‑level protocols.

NAT

Network Address Translation maps one address space to another, typically translating private IPs to a public IP.

SNAT

Source NAT modifies the source address of packets.

DNAT

Destination NAT modifies the destination address of packets.

Network Namespace

Isolates a full network stack (routes, firewall rules, devices) per set of processes.

veth Pair

Virtual Ethernet devices that act as a tunnel between two network namespaces.

Network Bridge

Aggregates multiple network segments into a single logical network.

CIDR

Classless Inter‑Domain Routing defines IP address allocation and routing.

CNI

Container Network Interface provides a standard API for configuring container networking.

VIP

Virtual IP addresses are software‑defined and not tied to a physical interface.

netfilter

Linux framework for packet filtering, NAT, and other packet processing.

iptables

Utility to configure netfilter rules for packet filtering and NAT.

conntrack

Tracks connections to ensure consistent NAT and firewall behavior.

IPVS

Implements transport‑layer load balancing within the Linux kernel.

DNS

Distributed system that maps domain names to IP addresses.