In K8S, does every kube-proxy (running on every node) have the same implementation?

12/28/2019

I am new to K8S and I am trying to understand the exact role of kube-proxy running on each node in a cluster. The documentation mentions that "kube-proxy reflects services as defined in the Kubernetes API on each node and can do simple TCP, UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP forwarding across a set of backends". For this to be true, each kube-proxy will need to have complete information about all the services running in the cluster, as it is the responsibility of the kube-proxy to provide access to any service which is demanded by an application running on a pod (on that respective node). So does that mean that all the kube-proxies inside a K8S cluster (running on each node) are mirror images? If so, why is a kube-proxy present on each node instead of a centralized one for the entire cluster?

Link to K8S documentation on proxies: https://kubernetes.io/docs/concepts/cluster-administration/proxies/

-- adi
kube-proxy
kubernetes

1 Answer

12/28/2019

So does that mean that all the kube-proxies inside a K8S cluster (running on each node) are mirror images?

Yea, they are instances of the same image.

If so, why is a kube-proxy present on each node instead of a centralized one for entire cluster?

kube-proxy uses the operating system packet filtering layer if there is one and it's available, such as iptables or IPVS. Otherwise, kube-proxy forwards the traffic itself.

Kube-proxy is a k8s controller itself which watches the desired state (service & endpoints) of the cluster and makes changes on the nodes, as it manages iptables (when in iptables mode).

For this to be true, each kube-proxy will need to have complete information about all the services running in the cluster .....

There are the following flags to set the behaviour of kube-proxy:

--iptables-min-sync-period duration
The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m').
--iptables-sync-period duration     Default: 30s
The maximum interval of how often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.

IMO, decisions about the connections (forwarding, accepting) among pods on nodes should be made by node components rather than control plane components. Besides, the K8s control plane (api-server, etcd) keeps the desired state and current state of the cluster, so all of the controllers can reconcile according to their set behaviour.

-- Suresh Vishnoi
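To make the answer's point concrete, here is an added toy model of kube-proxy's reconcile loop (constructed for this page, not kube-proxy's own code): every node's kube-proxy turns the same Service/Endpoints state from the API server into the same iptables-style rules, and the chain spreads connections across backends with the 1/(n-k) probability trick that iptables mode uses. The service name, ClusterIP, pod IPs and chain names are constructed samples.

```python
"""Toy model of kube-proxy's iptables reconcile loop (constructed, not kube-proxy's code)."""
from collections import Counter
import random

# Desired state as every kube-proxy reads it from the API server (constructed sample).
SERVICES = {"web": {"cluster_ip": "10.96.0.10", "port": 80, "target_port": 8080}}
ENDPOINTS = {"web": ["10.244.1.5", "10.244.2.7", "10.244.3.9"]}

def render_rules(services, endpoints):
    """Translate Services + Endpoints into iptables-style rules.
    As in kube-proxy's iptables mode, backend k of n is matched with probability
    1/(n-k), which gives every backend an equal 1/n share of new connections."""
    rules = []
    for name, svc in sorted(services.items()):
        match = f"-A KUBE-SERVICES -d {svc['cluster_ip']}/32 -p tcp --dport {svc['port']}"
        backends = endpoints.get(name, [])
        if not backends:  # no ready pods: reject so clients fail fast instead of hanging
            rules.append(f"{match} -j REJECT")
            continue
        chain = f"KUBE-SVC-{name.upper()}"
        rules.append(f"{match} -j {chain}")
        n = len(backends)
        for k, ip in enumerate(backends):
            left = n - k
            prob = "" if left == 1 else f" -m statistic --mode random --probability {1 / left:.5f}"
            rules.append(f"-A {chain}{prob} -j DNAT --to-destination {ip}:{svc['target_port']}")
    return rules

def pick_backend(backends, rng):
    """Walk the chain the way the kernel would: rule k fires with probability 1/(n-k)."""
    n = len(backends)
    for k, ip in enumerate(backends):
        if rng.random() < 1 / (n - k):
            return ip
    return backends[-1]  # last rule has no probability match, so it always fires

def simulate(backends, connections=30000, seed=1):
    """Count how many new connections each backend receives."""
    rng = random.Random(seed)
    return Counter(pick_backend(backends, rng) for _ in range(connections))

if __name__ == "__main__":
    # Every node runs the same reconcile over the same desired state -> identical rules.
    per_node = {node: render_rules(SERVICES, ENDPOINTS) for node in ("node-a", "node-b", "node-c")}
    assert len({tuple(r) for r in per_node.values()}) == 1
    print("\n".join(per_node["node-a"]))
    print(simulate(ENDPOINTS["web"]))
```

Removing a pod IP from ENDPOINTS and re-running render_rules shows why the sync-period flags in the answer matter: until the next sync the node still carries the stale DNAT rule.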
Source: StackOverflow