Understanding Kubernetes Networking. Part 2: POD Network, CNI, and Flannel CNI Plug-in.

Hi Daniel, many thanks for your kind words! Correct , Flannel performs SNAT of the originating POD. Thanks again for your feedback!

@@TheLearningChannel-Tech Thanks for the response that is very helpful. I still don't understand the reason why the source needs to be translated in both Flannel and Calico cases as shown in your demonstrations. From what I can see, in both forward and revere directions the routes to the pods on the other node are symmetrically available so technically communication can happen without nat translations.

Hi @daniel qian. In both cases (Calico and Flannel) the packet capturing shows that they perform SNAT. You can see that in the Flannel video (czcams.com/video/U35C0EPSwoY/video.html). I haven't had time to research why that's the case, I'll update this post if I find the answer.
In Calico case I was running it in "ipip" mode and the Calico doc says the following:
"Note: Setting natOutgoing is recommended on any IP Pool with ipip enabled. When ipip is enabled without natOutgoing routing between Workloads and Hosts running Calico is asymmetric and may cause traffic to be filtered due to RPF checks failing." (docs.projectcalico.org/reference/resources/ippool). "
Hope this helps. Thanks again for your questions and comments!

@@TheLearningChannel-Tech Thanks for the great information again. I will do some research as well and update if I ever find anything.

Glad it was helpful!

Thanks for your feedback!

Hi Stephen, thank you for the kind words and glad you fount it useful. Thanks again!

Glad it helped

Glad you like them!

Thank you!

Glad it was helpful!

Thank you!

Glad you liked it!

Glad it was helpful!

Thank you! Cheers!

Glad it was helpful!

Glad it was helpful!

Thank you very much for kind words!

Thank you very much, glad you like them!

Hi Tracy, thanks for the update. Sorry, the issue wasn't resolved but that shouldn't prevent you from moving forward. Raw container communication is a bit involved but fortunately, CNIs (Container Network Interfaces) hide a lot of that complexity in Kubernetes. We can revisit the issue in the future if needed, I'll just need a bit of info such as the command that caused the issue. Thanks and take care, Gary.

Thank you, Ajit, much appreciated!

Glad it was helpful!

Thank you very much for the kind words and glad you found it useful!

Thank you!

Thank you very much, glad it was helpful!

Thank you! Cheers!

Many thanks for your kind feedback!

Hi, thanks for your feedback! So, you are saying Flannel 1 does not SNAT the calling POD IP? If all your worker nodes are on the same subnet, then the newer Flannel CNI might be smart enough to bypass the tunnel and take advantage of Linux's direct routing. The video was recorded last year, it is possible that the Flannel plug-in might have gone through changes. when I tested this, with all my worker nodes being on the same subnet, it still went through the tunnel as you saw in the video. Overlay networks do add to the overhead so if they can be avoided, that would be a plus. Hope this helps.

Can you provide me link for OSI tutorial please?

Hi, yes that is correct.

Hi,
There is no direct way that I know of to tie the two halves of the veth set together. Deploy a POD with replicas set to 1 and take note of the name of veth half on the node by running:
ip link show type veth
If you are experimenting with more than one number of replicas for that POD then set the number of replicas to two and record the second veth, and so on....

One question is that the source IP masquerading as the tun ip FMHO looks like NAT, if so, doesn't it break the rule NO NAT mentioned in the part 1?

@@jaxx4fun Hi, no NAT means that as far as PODs are concerned, they can connect directly to other PODs without having to worry about natting. The overlay network does that seamlessly and PODs are oblivious to that.

@VY, hello and thank you! There are two ethernet frames involved here, the outer ethernet frame embeds the POD to POD communication. The outer frame is sent through the tunnel, when it arrives on the other end, the other server is not aware that the received frame has another frame embedded within it, I think this is where the Flannel1 interface intercepts the message and delivers the last leg of the journey which is the POD that initiated the call to other side. Hope this helps. Thanks again!

Alright. I will set up the environment to play around with it. Thanks again for the detailed explanation this is by far the best one I have seen.

Thank you, glad you found it useful.

Hi,
Flannel listens on UDP port 8472 for VXLAN traffic. The official assigned port for VXLAN is "4789" but Flannel for some reason uses port "8472". Please make sure that UDO port "8472" is open if you have enabled the firewall and also make sure both VMs can ping each other as VXLAN relies on L3 connectivity.
#To view which UDP ports are open, please run:
netstat -lntu
#To monitor VXLAN traffic you can install "tshark" and run the following command, watch the video on how to run it and waht to look for:
sudo tshark -V --color -i eth0 -d udp.port=8472,vxlan -f "port 8472"
Good luck.

@Avinash Reddy, thank you for feedback! I just tested Part 1 and it is working for me. Do you get any specific errors? Could you try again please? Thank you!

No, a CNI plug-in is required to set up the POD network. Kube-proxy's job is to set up a ClusterIP for service and program the iptables to route the call through the POD network (setup by CNI) to a POD. So in short, a CNI plug-in is needed for your cluster to function.

Hi,
No, Flannel1 and two in two different subnets as shown on the screen (one is in 192.168.0.x and the other in 192.168.1.x). Flannel1 and 2 are the VTEPs.

@@TheLearningChannel-Tech I saw flann;el1 and flannel2 MAC address inside UDP as payload in your capture. How does Flannel1 finds the MAC address of Flanel2 as ARP can not be used because they are being in different subnets? Much appreciated!!

@vuhoanghiep1993, thank you for your kind words. You can follow this page to set up your VS code remote SSH: code.visualstudio.com/docs/remote/ssh-tutorial. Hope that helps.

Forgot to mention that the remote VS ssh link I provided is useful when you want to access the remote machine also, for instance if you have scripts on that machine. If that's not required, you can ssh to that machine as the first line of code in VS, for example "ssh gary@10.0.0.144". In both cases the ssh server must be running on the remote. Let me know if you further questions. Cheers!

@Peng Du, thank you for the feedback!
The route I'm showing is for when a POD on one node talks to another POD on the same node, that is the communication goes through the bridge. Sorry if that caused confusion. I apologize if I misunderstood your post, if that's the case, please repost. Thank you!

Hi, which episode are you referring to? All CNIs provide the same basic functionality but differ in implementation. So, if you just want to set up a cluster, any CNI would work.

@@TheLearningChannel-Tech Thank you for replying. I am referring to Episode 2 of the series where you demonstrate how Flannel uses VXLAN for POD to POD communication across nodes. When I install cluster I see Calico as CNI Plugin. In order to see flannel , can I change to Flannel and then revert back to Calico?

@@453nabeel You'll have to uninstall Calico and then install Flannel. There is no way to swap CNIs.

@@TheLearningChannel-Tech is there any guide that shows how to remove Calico and install flannel? Because after testing flannel I will revert back to Calico by again installing it

I'm not quite sure what you are asking. Simply put, a Kubernetes service is simply a load balancer. When the client and servers are on the same Kubernetes cluster when a client calls the ClusterIP of the service, one of the PODs behind the service is randomly selected by Kubernetes and answers the call. Makes sense?
If you want to better understand Kubernetes services, watch this: czcams.com/video/BZk2HUKsxAQ/video.html
Hope this helps.

@@TheLearningChannel-Tech I will tell all my requirements as I want to deploy a three tier project that is mern stack I have connected backend with mongodb as my frontend is react and backend is nodejs I have to follow the previous reply that you have suggest I am Right

Basically you are telling that backend as a nodeport and frontend as load balancer as service type

@@yalappahero5912 No, I think it would be best if you watched the Kubernetes service I linked in the previous post. ClusterIP is the load balancer as I explained earlier and is used by clients that are inside the cluster and want to communicate with another pod (service) inside the cluster. Clients outside the cluster can communicate with a service inside a cluster through NodePort. NodePort internally calls the services ClusterIP.