Explanation of kube-proxy iptables and IPVS mechanisms and static Pods in Kubernetes

The article explains how kube-proxy works in iptables and IPVS modes, compares the two, describes how ipset keeps the iptables rule count down in IPVS mode, and defines static Pods in Kubernetes, which are created by the kubelet from local manifest files rather than by a controller through the API Server.

Practical DevOps Architecture

15. Explain the principle of kube-proxy in iptables mode. iptables has been the default kube-proxy mode since Kubernetes 1.2. In this mode kube-proxy is no longer in the data path (in the older userspace mode it accepted and forwarded every connection itself); its only job is to watch Service and Endpoints/EndpointSlice changes through the API Server and keep the corresponding iptables rules in sync, so the kernel routes client traffic to a backend Pod with NAT. A packet for a ClusterIP is matched in the KUBE-SERVICES chain, a backend is chosen in the Service's KUBE-SVC-* chain with the statistic match (--mode random, one endpoint per new connection, equal probabilities), and the endpoint's KUBE-SEP-* chain DNATs the packet to the Pod IP and port; conntrack then keeps the rest of the connection on that backend. Because every Service and every endpoint adds rules to linear chains, and historically each sync rewrote all of kube-proxy's rules with iptables-restore, both lookup cost and update cost grow with cluster size.

16. Explain the principle of kube-proxy in IPVS mode. IPVS mode became GA in Kubernetes 1.11. IPVS (IP Virtual Server) is the Linux kernel's transport-layer load balancer, built on Netfilter. It keeps virtual servers (Service IP:port) and their real servers (Pod IP:port) in hash tables, so looking up the backend for a packet costs the same whether the cluster has ten Services or ten thousand; that is why kube-proxy offers it as the newer, high-throughput mode. In IPVS mode kube-proxy binds each ClusterIP to a dummy interface (kube-ipvs0) so the node accepts the traffic, creates an IPVS virtual server for it, and adds the endpoints as real servers in NAT mode.

IPVS mode still needs some iptables rules (masquerading, hairpin traffic, NodePorts and so on), but it does not generate a rule per Service or per endpoint. Instead it uses ipset, a kernel facility that iptables rules can match against with -m set --match-set. An ipset is a hash of IP addresses, IP/port pairs, subnets or similar; kube-proxy puts every ClusterIP into a set such as KUBE-CLUSTER-IP and keeps a single rule that matches the whole set. Adding a Service adds an entry to the set rather than a rule to a chain, so the number of iptables rules stays small and roughly constant, and set entries can be changed without reloading the rules that use them.

17. Compare kube-proxy's IPVS and iptables modes. Both are implemented in the kernel on top of Netfilter, but they were built for different jobs: iptables is a packet filter (a firewall) whose rules are evaluated linearly down each chain, while IPVS was designed for high-performance load balancing and keeps its state in hash tables, so it scales with the number of Services and endpoints. In iptables mode the choice of backend is also limited to the random-probability split described above. Advantages of IPVS over iptables include:

1. Better scalability and performance for large clusters: constant-time lookup and no full rule rewrite on every endpoint change.

2. More load-balancing algorithms (round robin, least connection, source/destination hashing, weighted variants and others), selectable with the kube-proxy --ipvs-scheduler flag.

3. IPVS itself supports server health checking and connection retries; note that kube-proxy does not use those, and in both modes backend health still comes from readiness probes via Endpoints.

4. ipset entries can be added and removed atomically while the iptables rules that reference them stay loaded, so updates do not require reloading rules.
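To make items 15 to 17 concrete, here is an added example (not from the original article and not kube-proxy's own code) that prints, for one constructed ClusterIP Service with three endpoints, the iptables rules kube-proxy's iptables mode installs and the ipset, IPVS and iptables state its IPVS mode installs, then counts the iptables rules each mode needs. It only prints; nothing is applied to the host. The ClusterIP, the Pod addresses and the EXAMPLE chain suffix are made up (kube-proxy derives real suffixes from a hash of the Service and endpoint); the names KUBE-SERVICES, KUBE-SVC-*, KUBE-SEP-*, KUBE-MARK-MASQ, KUBE-CLUSTER-IP and kube-ipvs0 are the ones kube-proxy actually uses, although kube-proxy adds further comment and masquerade rules that are omitted here.

```shell
#!/bin/sh
# Added example: what the two kube-proxy modes program for one Service. Nothing is
# applied; the functions print what iptables-restore / ipset / ipvsadm would be fed.

# Constructed sample Service: ClusterIP 10.96.0.10:80 with three Pod endpoints on 8080.
VIP=10.96.0.10
PORT=80
ENDPOINTS="10.244.0.5:8080 10.244.1.7:8080 10.244.2.3:8080"

# iptables mode. Usage: gen_iptables_mode VIP PORT EP1 EP2 ...
# One jump from KUBE-SERVICES, one KUBE-SVC chain that picks an endpoint with the
# statistic match, and one KUBE-SEP chain per endpoint that DNATs to the Pod.
# "EXAMPLE" stands in for the hash suffix kube-proxy really uses.
gen_iptables_mode() {
  vip=$1; port=$2; shift 2
  n=$#
  echo "-A KUBE-SERVICES -d $vip/32 -p tcp -m tcp --dport $port -j KUBE-SVC-EXAMPLE"
  i=0
  for ep in "$@"; do
    i=$((i + 1))
    remaining=$((n - i + 1))
    if [ "$remaining" -gt 1 ]; then
      # Rule i takes 1/(n-i+1) of the traffic that reaches it, which gives every
      # endpoint an overall share of 1/n. Printed with 11 decimals as iptables-save shows it.
      prob=$(awk -v r="$remaining" 'BEGIN { printf "%.11f", 1 / r }')
      echo "-A KUBE-SVC-EXAMPLE -m statistic --mode random --probability $prob -j KUBE-SEP-EXAMPLE$i"
    else
      # The last endpoint takes whatever is left, so no probability match.
      echo "-A KUBE-SVC-EXAMPLE -j KUBE-SEP-EXAMPLE$i"
    fi
  done
  i=0
  for ep in "$@"; do
    i=$((i + 1))
    # Hairpin case: a Pod talking to its own Service must be masqueraded or the reply
    # would bypass NAT; then the DNAT that actually delivers the packet to the Pod.
    echo "-A KUBE-SEP-EXAMPLE$i -s ${ep%:*}/32 -j KUBE-MARK-MASQ"
    echo "-A KUBE-SEP-EXAMPLE$i -p tcp -m tcp -j DNAT --to-destination $ep"
  done
}

# IPVS mode. Usage: gen_ipvs_mode VIP PORT EP1 EP2 ...
# The ClusterIP goes into an ipset and onto the kube-ipvs0 dummy interface; a single
# iptables rule matches the whole set, and the per-endpoint state lives in IPVS.
gen_ipvs_mode() {
  vip=$1; port=$2; shift 2
  echo "ip link add kube-ipvs0 type dummy"
  echo "ip addr add $vip/32 dev kube-ipvs0"
  echo "ipset create KUBE-CLUSTER-IP hash:ip,port -exist"
  echo "ipset add KUBE-CLUSTER-IP $vip,tcp:$port -exist"
  # A second Service would add another ipset entry, not another iptables rule.
  echo "iptables -A KUBE-SERVICES -m set --match-set KUBE-CLUSTER-IP dst,dst -j ACCEPT"
  echo "ipvsadm -A -t $vip:$port -s rr"        # virtual server, round-robin scheduler
  for ep in "$@"; do
    echo "ipvsadm -a -t $vip:$port -r $ep -m"  # real server in NAT (masquerade) mode
  done
}

# Number of iptables rules each mode needs for the Service given as arguments.
iptables_mode_rule_count() { gen_iptables_mode "$@" | grep -c '^-A '; }
ipvs_mode_rule_count()     { gen_ipvs_mode "$@" | grep -c '^iptables '; }

# ENDPOINTS is intentionally unquoted so it word-splits into one argument per endpoint.
echo "# iptables mode"; gen_iptables_mode "$VIP" "$PORT" $ENDPOINTS
echo "# ipvs mode";     gen_ipvs_mode "$VIP" "$PORT" $ENDPOINTS
echo "# iptables rules needed: iptables mode=$(iptables_mode_rule_count "$VIP" "$PORT" $ENDPOINTS)" \
     "ipvs mode=$(ipvs_mode_rule_count "$VIP" "$PORT" $ENDPOINTS)"
```

Running it shows ten -A rules for three endpoints in iptables mode (one jump, three selection rules, two per endpoint) against a single set-match rule in IPVS mode; a fourth endpoint adds three more rules on the iptables side and one ipvsadm entry on the IPVS side. The 1/3, 1/2, then unconditional sequence is how kube-proxy spreads traffic evenly through a linear chain, and it is also why iptables mode can only do random selection while IPVS can run the schedulers listed in item 17.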

18. Explain what a static Pod is in Kubernetes. A static Pod is run by the kubelet of a specific node directly from a manifest file (or, less commonly, an HTTP URL) rather than from an object that a controller created through the API Server. The kubelet watches its staticPodPath (with kubeadm, /etc/kubernetes/manifests), creates a Pod for every manifest it finds, restarts its containers according to the restartPolicy, and removes the Pod only when the manifest file is removed. So that the Pod is visible to kubectl, the kubelet also registers a mirror Pod on the API Server; deleting the mirror Pod does not stop the static Pod, the kubelet simply recreates the mirror. Because no controller owns it, a static Pod cannot belong to a ReplicationController, Deployment or DaemonSet, is never rescheduled to another node, and cannot reference other API objects such as ConfigMaps, Secrets or ServiceAccounts. Liveness and readiness probes declared in the manifest are still executed by the kubelet exactly as for any other Pod; kubeadm relies on this for the control-plane components (kube-apiserver, kube-controller-manager, kube-scheduler and etcd), which are themselves static Pods. The security consequence is that a static Pod never passes through API Server authentication, RBAC or admission control (Pod Security Admission included), so write access to the manifest directory on a node is equivalent to running arbitrary, possibly privileged, containers on that node, and a planted manifest is a well-known persistence technique.
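As an added example for item 18 (not from the original article), a small POSIX shell audit of the kind a node-level incident responder runs: it resolves the kubelet's staticPodPath, lists the manifests the kubelet will turn into Pods, checks whether group or others can write the directory, and counts manifests that request host-level access. The kubelet config path and manifest directory are assumed kubeadm defaults; the helper functions and the hostPID/hostNetwork/privileged grep are this example's own, not kubelet or kubeadm functionality.

```shell
#!/bin/sh
# Added example: audit the static Pods a node's kubelet will run. Assumed kubeadm
# defaults for the kubelet config and manifest directory; helpers are this example's own.

# Resolve staticPodPath from a KubeletConfiguration file (a plain YAML scalar on its own
# line, quoted or not); fall back to the kubeadm default when absent or unreadable.
static_pod_path() {
  p=$(sed -n 's/^staticPodPath:[[:space:]]*//p' "$1" 2>/dev/null | head -n 1 | tr -d "\"'")
  printf '%s\n' "${p:-/etc/kubernetes/manifests}"
}

# Regular, non-hidden files directly inside the directory: exactly what the kubelet turns
# into Pods, with no API Server authentication, RBAC or admission control in the path.
list_static_pod_manifests() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    printf '%s\n' "$f"
  done
  return 0
}

# "ok" when only the owner can write the directory, "weak" when group or others can.
# Whoever can drop a file here runs an arbitrary, possibly privileged, container on
# this node, so the directory deserves the protection given to root's own credentials.
manifest_dir_writable_check() {
  mode=$(ls -ld "$1" | cut -c1-10)     # e.g. drwxr-xr-x
  gw=$(printf '%s' "$mode" | cut -c6)  # group write bit
  ow=$(printf '%s' "$mode" | cut -c9)  # other write bit
  case "$gw$ow" in
    *w*) echo weak ;;
    *)   echo ok ;;
  esac
}

# Manifests that request hostNetwork, hostPID or privileged mode: the usual shape of a
# static Pod planted for persistence, but also of kubeadm's control-plane Pods, so the
# count is a triage signal and the list above still has to be read.
count_host_level_manifests() {
  n=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if grep -Eq 'hostNetwork:[[:space:]]*true|hostPID:[[:space:]]*true|privileged:[[:space:]]*true' "$f"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

audit_static_pods() {
  cfg=${1:-/var/lib/kubelet/config.yaml}
  dir=$(static_pod_path "$cfg")
  if [ ! -d "$dir" ]; then
    echo "staticPodPath $dir does not exist; no static Pods on this node"
    return 0
  fi
  echo "staticPodPath: $dir (directory permissions: $(manifest_dir_writable_check "$dir"))"
  list_static_pod_manifests "$dir"
  echo "manifests requesting host-level access: $(count_host_level_manifests "$dir")"
}

# Audit the local node when run directly; KUBELET_CONFIG overrides the assumed default.
audit_static_pods "${KUBELET_CONFIG:-/var/lib/kubelet/config.yaml}"
```

From the cluster side the same Pods appear as mirror Pods, recognisable by the kubernetes.io/config.mirror annotation the kubelet sets, so a fleet-wide inventory can be built with kubectl and compared against what the node-level audit finds; a mirror Pod with no matching manifest, or a manifest with no matching mirror Pod, is worth a look either way.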

Tags: cloud native, Kubernetes, iptables, kube-proxy, IPVS, static pod
Written by Practical DevOps Architecture

Hands‑on DevOps operations using Docker, K8s, Jenkins, and Ansible—empowering ops professionals to grow together through sharing, discussion, knowledge consolidation, and continuous improvement.
