How Do Pods Get Their IPs? Inside Kubernetes Networking with Flannel and CNI

Background Concepts

Kubernetes requires every pod to have its own IP address for communication. Beginners often know about CNI plugins but not how they are invoked.

Container Networking

Containers on the Same Host

Containers on the same node communicate via a Linux Bridge using veth pairs: one end resides in the container's network namespace, the other connects to the host bridge, which also has an IP address acting as a gateway.

Containers on Different Hosts

Cross‑node communication uses packet encapsulation. Flannel employs VXLAN to wrap original packets in UDP, sending them to the destination node where they are decapsulated and routed to the target pod.

Node IPAM Controller

When the nodeipam flag is passed to kube-controller-manager via --controllers, each node receives a dedicated subnet (podCIDR) from the cluster CIDR, ensuring unique pod IPs. Changing a node's podCIDR requires deregistering and re‑registering the node.

Kubelet, Container Runtime, and CNI Interaction

When a pod is scheduled, kubelet invokes the container runtime (e.g., containerd) to create the container, then calls the CNI plugin to configure networking. The network provider installs a CNI plugin on each node, and the CRI plugin uses it during pod startup.

CRI and CNI Overview

CRI (Container Runtime Interface) lets kubelet use different container runtimes. CNI (Container Network Interface) provides a plugin framework for configuring pod networks.

CNI Configuration Paths

Default CNI config files reside in /etc/cni/net.d/<config-file> and plugins in /opt/cni/bin. For containerd, the CNI paths are set under [plugins."io.containerd.grpc.v1.cri".cni].

Flannel Setup

Flannel’s daemon (flanneld) creates a VXLAN device, fetches network metadata from the API server, and monitors pod updates. It generates a configuration file at /etc/cni/net.d/10-flannel.conflist and assigns routes so pods can reach each other via IP.

Flannel CNI Plugin

Flannel’s CNI plugin reads the subnet information from /run/flannel/subnet.env and invokes the Bridge CNI plugin.

Bridge CNI Plugin

The Bridge plugin creates a Linux bridge (e.g., cni0) and a veth pair for each pod, connecting the container namespace to the bridge. It then calls the host‑local IPAM plugin to allocate IP addresses.

Host‑Local IPAM Plugin

This plugin returns the allocated IP and stores it under /var/lib/cni/networks/<network-name=cni0>/<ip>.

Summary

Kube‑controller‑manager assigns a unique podCIDR to each node; the node IPAM controller allocates pod IPs from these subnets. The combined operation of kubelet, container runtime, CRI, and CNI plugins (Flannel, Bridge, host‑local IPAM) ensures every pod receives a unique IP address across the cluster.