Published on 00/00/0000
Last updated on 00/00/0000
Published on 00/00/0000
Last updated on 00/00/0000
Share
INSIGHTS
8 min read
Published on 01/16/2021
Last updated on 06/18/2024
Inside Kubernetes networking: Maintaining communication in Kubernetes network security
Share
Kubernetes Networking is a core abstraction of Kubernetes. In a nutshell, the Kubernetes Networking Model guarantees that all Kubernetes Pods on a cluster are able to communicate. In addition, on top of the Kubernetes Networking Model, Kubernetes provides additional core abstractions, Kubernetes Services and Kubernetes Ingress. Using a systems modeling approach, this blog post will explore Kubernetes Networking. Kubernetes network security functions off of its basic ability to maintain a well-organized, highly communicative network.
Here, we will develop a concise mental model to reason about Container-to-Container and Pod-to-Pod communication. Future blog posts will explore Kubernetes networking security in more detail, including Kubernetes Services and Kubernetes Ingress.
All models are wrong, but some models are useful ⎯ George Box 
How to think about networking
Without a doubt, networking is a vast and complex field that demands years of theory and practice to claim proficiency. However, here we reason about networking on a conceptual level, skipping a host of details that would be necessary if we reasoned on an implementation level. 
Figure 1. illustrates a network as a Network Graph that consists of a set of Nodes and a set of Links between the Nodes: One Node may exchange a message with another Node if and only if there exists a link between the Nodes. 
A Node, the Source, exchanges a message with another Node, the Target, by placing the message in the Target’s input queue. The message exchange is represented by a Send Event, Send●M, observed at the Source, and a corresponding Receive Event, Recv●M, observed at the Target. 
A Node in the network is either a Process or a Switch. Processes produce and consume messages, Switches process messages according to their Forward Information Base (FIB). 
Figure 2. illustrates the Forward Information Base of Switch S1 and S2. On receiving a message, each Switch consults its Forward Information Base to determine whether to deliver, forward, or discard the message. The Switch
matches the message’s header, that is, the source address, source port, target address, and target port with its Forward Information Base
- performs the associated action, discarding being the default.
Kubernetes networking model
The Kubernetes Networking Model is a descriptive networking model, that is, any network that satisfies the specification of the Kubernetes Networking Model is a Kubernetes Network. However, Kubernetes does not prescribe how to implement the Networking Model. Many alternative implementations, called Network Plugins, exist today. This section describes the Kubernetes Networking Model in terms of a set of constraints on message exchange.
Constraint ● Network addressable entities
The Kubernetes Networking Model defines three Addressable Entities, K8s Pods, K8s Nodes, and K8s Services, where each unique entity is associated with a unique IP Address.
(K8s-Pod(E₁) ∨ K8s-Node(E₁) ∨ K8s-Service(E₁))
∧ (K8s-Pod(E₂) ∨ K8s-Node(E₂) ∨ K8s-Service(E₂)):
addr(E₁, a) ∧ addr(E₂, a)₂
⟺ E₁ = E₂However, the Networking Model does not make any further statements about these IP Addresses. For example, the Kubernetes Networking Model does not make any further statements about the IP Address Spaces these IP Addresses are drawn from.
Constraint ● Container to container communication
The Kubernetes Networking model requires that a Container C₁ executing in the context of a Pod P can communicate with any other Container C₂ executing in the context of P via localhost.
K8s-Pod(P) ∧ K8s-Container(C₁, P) ∧ K8s-Container(C₂, P):
open(C₂, p)
⟹
Send(e, C₁, 127.0.0.1, _, 127.0.0.1, p)
⟹
Recv(e, C₂, 127.0.0.1, _, 127.0.0.1, p)Constraint ● Pod to pod
The Kubernetes Networking model requires that a Container C₁ executing in the context of a Pod P₁ can communicate with any other Container C₂ executing in the context of a Pod P₂ via the address of the P₂.
∧ K8s-Pod(P₁) ∧ K8s-Container(C₁, P₁)
∧ K8s-Pod(P₂) ∧ K8s-Container(C2, P₂):
addr(P₁, sa) ∧ addr(P₁, ta) ∧ open(C₂, tp)
⟹
Send(e, C₁, sa, sp, ta, tp)
⟹
Recv(e, C₂, sa, sp, ta, tp)Constraint ● Process to Pod
The Kubernetes Networking model requires that a Process, called a Daemon D, hosted on a Node N, can communicate with any Container C executing in the context of a Pod P hosted on N via the address of the P.
K8s-Node(N) ∧ K8s-Daemon(D) ∧ K8s-Pod(P) ∧ K8s-Container(C, P):
host(N, D) ∧ host(N, P) ∧ addr(P, a) ∧ open(C, p)
⟹
Send(e, D, _, _, a, p)
⟹
Recv(e, C, _, _, a, p)Kubernetes networks as network graphs
This section describes the Kubernetes Networking Model in terms of a Kubernetes Network Graph, an idealized model. Figure 5. illustrates the example used in this section: A Kubernetes Cluster K₁ that consists of two Nodes. Each Node hosts two Pods. Each Pod executes two Containers, one Container listening on port 8080, one Container listening on port 9090. Additionally, each Node hosts one Daemon. 
We can model a Kubernetes Cluster Network as a Graph with a set of Nodes and a set of Links.
Nodes
Every K8s Container C maps to a Network Process C
K8s-Pod(P) ∧ K8s-Container(C, P):
Process(C)Every Daemon D maps to a Network Process C
K8s-Daemon(D):
Process(D)Every K8s Pod P maps to a Network Switch P, the Pod Switch
K8s-Pod(P):
Switch(P)Every K8s Node N maps to a Network Switch N, the Node Switch
K8s-Pod(N):
Switch(N)Links
Each Container C is linked to its Pod Switch P
K8s-Pod(P) ∧ K8s-Container(C, P):
link(C, P)Each Daemon D is linked to its Node Switch N
K8s-Node(N) ∧ K8s-Daemon(D):
host(N, D)
⟹
link(D, N)Each Pod Switch P is linked to its Node Switch N
K8s-Node(N) ∧ K8s-Pod(P):
host(N, P)
⟹
link(P, N)Each Node Switch N₁ is linked to every other Node Switch N₂
K8s-Node(N₁) ∧ K8s-Node(N₂):
N₁ ≠ N₂
⟹
link(N₁, N₂)Forward information base at the pod switch
- Delivery on localhost
K8s-Pod(P) ∧ K8s-Container(C, P):
open(C, p)
⟹
[* * 127.0.0.1 p Deliver(C)] in FIB[P]- Delivery on Pod Address
K8s-Pod(P) ∧ K8s-Container(C, P):
addr(P, a) ∧ open(C, p)
⟹
[* * a p Deliver(C)] in FIB[P]- Local Forwarding Rule
K8s-Node(N) ∧ K8s-Pod(P):
host(N, P)
⟹
[* * * * Forward(N)] in FIB[P]Forward information base at the node switch
- Node to Pod Forwarding Rule
K8s-Node(N) ∧ K8s-Pod(P):
host(N, P) ∧ addr(P, a)
⟹
[* * a * Forward(P)] in FIB[N]- Node to Node Forwalding Rule
K8s-Node(N₁) ∧ K8s-Node(N₂) ∧ K8s-Pod(P):
N₁ ≠ N₂ ∧ host(N₂, P) ∧ addr(P, a)
⟹
[* * a * Forward(N₂)] in FIB[N₁]Examples of Kubernetes networking in action
This section walks through some examples and follows the Life of a Message in the Kubernetes Cluster Network K₁.
Container to container
Here, Container C₁.₁ needs to communicate with Container C₁.₂:
- C₁.₁ executes in the context of Pod P₁
- C₁.₂ executes in the context of Pod P₁
Pod to pod communication, intra node
Here, Container C₁.₁ needs to communicate with Container C₃.₁:
- C₁.₁ executes in the context of Pod P₁ which is hosted on Node N₁.
- C₃.₁ executes in the context of Pod P₃ which is hosted on Node N₁.
Pod to pod communication, inter node
Here, Container C₁.₁ needs to communicate with Container C₂.₁:
- C₁.₁ executes in the context of Pod P₁ which is hosted on Node N₁.
- C₂.₁ executes in the context of Pod P₂ which is hosted on Node N₂.
Deamon to pod communication
Here, Daemon D₁ needs to communicate with Container C₁.₁:
- D₁ is hosted on Node N₁.
- C₁.₁ executes in the context of Pod P₁ which is hosted on Node N₁.
The Kubernetes networking model
The Kubernetes Networking Model is a permissive networking model. Any network that satisfies the constraints of the Kubernetes Networking Model is a valid Kubernetes Network. Mapping the Kubernetes Networking Model to a Networking Graph enables us to reason about the network on a conceptual level, skipping a host of details that would be necessary if we reasoned on an implementation level.
To understand Kubernetes network security and Kubernetes network policy, you have to first understand the core concepts that makeup Kubernetes networking—from the inside out. Read more in our overview of Kubernetes and multi-cloud security.
Subscribe to
the Shift!
Get emerging insights on innovative technology straight to your inbox.
