I am new to kubernetes and I am trying to understand how kubernetes networking works when we have NodePort exposing a port for the outside world.
Let's imagine we have two nodes in our kubernetes cluster, call it Node1 and Node2. We have one pod deployed on Node2.
Then we create a NodePort service for this pod. For simplicity lets assume all ports (targetPort, nodePort, port) are 3000. Now a packet comes to Node1's port 3000 (where there is no pod deployed). As far as I understand, iptables rules dictate that this packet goes to the pod on Node2. My question is what ip does the pod see when it receives the packet and how its response packet goes back to our initial client from outside world.
Packet is source NAT'd at Node1. Node1 replaces the source IP with its IP and destination IP as pod IP. Pod's reply is sent to Node1 and Node1 sends it back to client.
(In the docs pod is running on node1 and node 2 is the one receiving the packet from client.)
- Client sends packet to node2:nodePort
- node2 replaces the source IP address (SNAT) in the packet with its own IP address
- node2 replaces the destination IP on the packet with the pod IP
- packet is routed to node 1, and then to the endpoint
- the pod’s reply is routed back to node2
- the pod’s reply is sent back to the client
client
\ ^
\ \
v \
node 1 <--- node 2
| ^ SNAT
| | --->
v |
endpoint