Why doesn't the Kubernetes networking model ask for the service cluster IP range to be opened on the firewall?

10/22/2019

The only requirement in the Kubernetes networking docs is to open the firewall between pods. How does pod-to-service connectivity work, as the service cluster IP range and pod CIDRs are different?

-- user6317694
kubernetes
project-calico

1 Answer

10/22/2019

Services have a virtual IP assigned. When a Pod communicates with a Service, the kube-proxy on the local node replaces the virtual IP with the IP of one of the pods that represents the service.

An example: Pod-A on Node-A wants to send a request to Service-B. Service-B is, for example, implemented by the pods with label app=b, in this example Pod-D and Pod-E on Node-C and Node-E. When Pod-A sends the request, the target IP is changed from a virtual IP to the IP of Pod-D or Pod-E by kube-proxy, and the request is routed to one of the pods that represents Service-B.

Layout:
Service-B with selector: app=b

Pod-D with label: app=b
Pod-E with label: app=b

Pod-A should address the Service virtual IP, since pods come and go when new versions are deployed. But the virtual IP is translated to a pod with the implementation of the Service.

-- Jonas
Source: StackOverflow
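As an added illustration (not code from the question, the answer, or kube-proxy itself), here is a small Python model of the translation the answer describes: kube-proxy on the sending node rewrites the Service's virtual IP to one backing Pod IP before the packet leaves the node, so the destination that crosses the inter-node firewall is always inside the Pod CIDR. All IPs, ranges and the round-robin choice are constructed assumptions.

```python
import ipaddress
import itertools
from dataclasses import dataclass

# Constructed Pod range for this example; real clusters choose their own.
POD_CIDR = ipaddress.ip_network("10.244.0.0/16")

@dataclass
class Pod:
    name: str
    node: str
    ip: str
    labels: dict

@dataclass
class Service:
    name: str
    cluster_ip: str  # virtual IP from the (separate) service cluster IP range
    selector: dict

# The layout from the answer, with constructed IPs.
PODS = [
    Pod("Pod-A", "Node-A", "10.244.1.10", {"app": "a"}),
    Pod("Pod-D", "Node-C", "10.244.3.20", {"app": "b"}),
    Pod("Pod-E", "Node-E", "10.244.5.30", {"app": "b"}),
]
SERVICE_B = Service("Service-B", "10.96.0.50", {"app": "b"})

def endpoints(service, pods):
    """Pods whose labels match the selector: the Service's backends."""
    return [p for p in pods if all(p.labels.get(k) == v for k, v in service.selector.items())]

class KubeProxy:
    """Node-local DNAT: ClusterIP -> one backend Pod IP (round robin here)."""
    def __init__(self, services, pods):
        self._backends = {s.cluster_ip: itertools.cycle(endpoints(s, pods) or [None])
                          for s in services}

    def translate(self, dst_ip):
        """Rewrite a ClusterIP destination before the packet leaves the node."""
        if dst_ip not in self._backends:
            return dst_ip  # already a Pod IP: passed through untouched
        backend = next(self._backends[dst_ip])
        return backend.ip if backend else None  # None: no endpoints, connection refused

def node_firewall_allows(dst_ip):
    """Inter-node rule from the docs: only Pod-CIDR destinations are opened."""
    return ipaddress.ip_address(dst_ip) in POD_CIDR

def send_from_pod_a(proxy, dst_ip):
    """Address that actually leaves Node-A for dst_ip, and whether the firewall passes it."""
    wire_dst = proxy.translate(dst_ip)
    return wire_dst, wire_dst is not None and node_firewall_allows(wire_dst)
```

The Service's virtual IP never appears on the wire between nodes, which is why the docs only ask for the Pod CIDRs to be opened.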