iptables

iptables rules are crucial to Kubernetes networking. They are installed and maintained by kube-proxy, a networking component that runs on every node in the Kubernetes cluster.

In Kubernetes, a Service is an abstraction that defines a logical set of Pods and a policy for accessing them. Each Service has an IP address (known as the clusterIP) and a port, both of which stay constant for the lifetime of the Service.

When a Service is created in Kubernetes, kube-proxy is notified of the new Service and installs iptables rules on each node in the cluster. These rules capture traffic destined for the Service's clusterIP and port.

So, when a request is made to the Service's clusterIP and port, these iptables rules route the traffic to one of the Service's backend Pods. This is how kube-proxy uses iptables to route network traffic in a Kubernetes cluster: it ensures that traffic is directed to the correct backend Pods.

  1. Importance of iptables: iptables is the default mode of operation for kube-proxy, which is responsible for distributing traffic across a set of Pods. For each Service, it installs iptables rules that capture traffic to the Service's clusterIP and port and redirect that traffic to one of the Service's backend sets. For each endpoint, it installs iptables rules that select a backend Pod. In iptables mode, kube-proxy therefore creates rules for every Kubernetes Service so that requests to the Service are routed (and load balanced) to the appropriate Pods.

  2. How iptables work in a Kubernetes cluster: In this mode, kube-proxy watches the cluster for changes and, for each new Service, opens a TCP port on a worker node. iptables on that worker node then sends traffic from this port to the Kubernetes Service, which is actually a chain in the iptables rules, and via this chain the traffic goes directly to the Pods that back this Service.

  3. How a request is routed to a Pod via kube-proxy: kube-proxy provides the Service-to-Pod mapping by maintaining a network routing table that maps each Service IP address to the IP addresses of the Pods belonging to that Service. When a request is made to a Service, kube-proxy uses this mapping to forward the request to one of the Service's Pods.

  4. Interaction with the Kubernetes Service object: A Service is a Kubernetes object that has a stable name and a stable IP and sits in front of a set of Pods. All requests for the Pods should go to the Service, and the Service load balances the requests over the Pods. When running in this mode, kube-proxy inserts the Service-to-Pod NAT rules into iptables. Traffic is then redirected to the respective backend Pods after the destination IP is NATed from the Service IP to the Pod IP.
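As an added example (not from the original page and not kube-proxy's own code), the following POSIX shell function emits, in iptables-restore format, the nat-table rules that kube-proxy's iptables mode installs for one ClusterIP Service: the KUBE-SERVICES rule that captures clusterIP:port (item 1), the per-Service KUBE-SVC chain that picks a backend with a probability ladder (items 2 and 3), and the per-endpoint KUBE-SEP chains that DNAT the destination to the Pod IP (item 4). The Service name MYSVC, the clusterIP 10.96.0.10 and the Pod addresses are constructed values; real kube-proxy derives chain suffixes from a hash of the Service name, whereas this script uses the name you pass as the suffix (an assumption made for readability).

```shell
#!/bin/sh
# Added example: reproduce the nat-table rules kube-proxy (iptables mode)
# installs for one ClusterIP Service, in iptables-restore format.
# All names and addresses below are constructed for illustration; nothing is
# applied to the running firewall, the rules are only printed.

# kube_svc_rules NAME CLUSTER_IP PORT POD_IP:PORT...
kube_svc_rules() {
  name=$1; vip=$2; port=$3; shift 3
  n=$#
  # Real kube-proxy derives the chain suffix from a hash of the Service name;
  # the plain name is used here as a placeholder suffix (assumption).
  svc="KUBE-SVC-$name"

  echo "*nat"
  echo ":PREROUTING ACCEPT [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  echo ":KUBE-SERVICES - [0:0]"
  echo ":$svc - [0:0]"
  i=0
  for ep in "$@"; do
    i=$((i+1))
    echo ":KUBE-SEP-$name-$i - [0:0]"
  done

  # Packets entering the node (PREROUTING) or leaving a local process
  # (OUTPUT) are checked against the Service rules first.
  echo "-A PREROUTING -j KUBE-SERVICES"
  echo "-A OUTPUT -j KUBE-SERVICES"

  # 1. Capture traffic for clusterIP:port and jump to the Service chain.
  echo "-A KUBE-SERVICES -d $vip/32 -p tcp -m comment --comment \"$name cluster IP\" -m tcp --dport $port -j $svc"

  # 2. Choose one endpoint. Rule k of n fires with probability 1/(n-k+1), so
  #    once the earlier rules have declined, every Pod is equally likely;
  #    the last rule is unconditional so no packet falls off the chain.
  i=0
  for ep in "$@"; do
    i=$((i+1))
    sep="KUBE-SEP-$name-$i"
    if [ "$i" -lt "$n" ]; then
      p=$(awk -v n="$n" -v i="$i" 'BEGIN { printf "%.10f", 1/(n-i+1) }')
      echo "-A $svc -m statistic --mode random --probability $p -j $sep"
    else
      echo "-A $svc -j $sep"
    fi
  done

  # 3. Each endpoint chain rewrites the destination to the Pod's IP:port;
  #    conntrack records the mapping, so replies are un-NATed automatically.
  i=0
  for ep in "$@"; do
    i=$((i+1))
    echo "-A KUBE-SEP-$name-$i -p tcp -m tcp -j DNAT --to-destination $ep"
  done
  echo "COMMIT"
}

# Demo with three constructed backend Pods; prints the complete rule set.
kube_svc_rules MYSVC 10.96.0.10 80 10.244.1.5:8080 10.244.2.7:8080 10.244.3.9:8080
```

The generated text can be syntax-checked on a node without touching the live tables with `iptables-restore --test`, and compared against what kube-proxy actually installed there with `iptables-save -t nat | grep KUBE-SVC`. The probability values (0.333…, 0.5, then an unconditional jump) are the ladder you will see in real KUBE-SVC chains; a chain whose probabilities do not follow this pattern, or whose KUBE-SEP rules point at addresses that are not the Service's endpoints, is worth investigating.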