The kube-proxy manages everything related to services.
In summary, a service has the following characteristics:
- Each service gets its own stable IP address and port.
- Clients and pods connect to the service IP address and port.
- The IP address is virtual.
- The IP address is not assigned to any network interface, and it never appears as the source or destination IP address of a packet once that packet leaves the node.
- You can't ping the service IP.
kube-proxy and iptables
When a service is created, for example with kubectl create -f service.yaml, the following happens:
- The virtual IP is allocated.
- The API server notifies the kube-proxy agent on each node that a new service has been created.
- kube-proxy creates iptables rules on that node to redirect traffic sent to the virtual IP/port to the pods behind the service.
The following figure shows a client pod trying to reach another pod (pod B) that backs a service.
- The packet destination is initially set to the IP/port of the service (172.30.0.1:80 in this example).
- The packet is handled by the iptables rules on the node.
- The iptables rules are checked for a match.
- One of the rules is: if the packet's destination IP equals 172.30.0.1 and its destination port equals 80, replace the destination IP/port with the IP/port of a pod (a target pod selected by the Service spec).
- From here on, it is exactly as if the client pod had sent the packet to pod B directly instead of through the service.
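To make the match-and-rewrite step above concrete, here is an added example that is not from the original page and not kube-proxy's own code. It is a small Python model of the three-chain walk that kube-proxy's iptables mode installs in the nat table (KUBE-SERVICES matches the service IP/protocol/port, KUBE-SVC-* picks one endpoint, KUBE-SEP-* performs the DNAT). The service address 172.30.0.1:80 is the one used on the page; the pod endpoints, chain names and the hash-based endpoint choice are constructed assumptions (real kube-proxy picks endpoints with the iptables statistic module at random). The model also shows why the service IP cannot be pinged: an ICMP packet matches no service rule and keeps its unreachable virtual destination.

```python
"""Toy model of the nat-table rules kube-proxy installs for one ClusterIP service.

Added example, not code from the page or from kube-proxy. Mirrors the chain walk
KUBE-SERVICES -> KUBE-SVC-* -> KUBE-SEP-* so the match-and-DNAT step can be
traced offline. 172.30.0.1:80 is the page's service; the pod endpoints
(10.244.x.y:8080) and the hash-based choice are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str                   # source IP (kept unchanged by the service DNAT)
    dst: str                   # destination IP
    dport: Optional[int] = None  # ICMP carries no port


@dataclass(frozen=True)
class Service:
    cluster_ip: str
    port: int
    proto: str
    endpoints: Tuple[str, ...]  # "podIP:port" targets, i.e. the KUBE-SEP chains


# Constructed service table: the page's 172.30.0.1:80 with two assumed backend pods.
SERVICES: Dict[Tuple[str, str, Optional[int]], Service] = {
    ("tcp", "172.30.0.1", 80): Service(
        cluster_ip="172.30.0.1", port=80, proto="tcp",
        endpoints=("10.244.1.5:8080", "10.244.2.7:8080"),
    ),
}


def kube_services_lookup(pkt: Packet) -> Optional[Service]:
    """KUBE-SERVICES: the rule '-d <clusterIP>/32 -p <proto> --dport <port>'.

    Matching requires protocol, destination IP and destination port together,
    so ICMP to the virtual IP (a ping) matches nothing and falls through.
    """
    return SERVICES.get((pkt.proto, pkt.dst, pkt.dport))


def kube_svc_pick(svc: Service, pkt: Packet) -> str:
    """KUBE-SVC-*: choose one KUBE-SEP endpoint.

    Real kube-proxy uses '-m statistic --mode random --probability ...';
    a deterministic hash of the source is used here (assumption) so that the
    example is reproducible.
    """
    digest = hashlib.sha256(f"{pkt.src}:{pkt.dst}:{pkt.dport}".encode()).digest()
    return svc.endpoints[digest[0] % len(svc.endpoints)]


def kube_sep_dnat(pkt: Packet, endpoint: str) -> Packet:
    """KUBE-SEP-*: '-j DNAT --to-destination <podIP>:<port>'.

    Only the destination is rewritten; the source stays the client pod,
    so from here the packet looks as if it had been sent to the pod directly.
    """
    ip, port = endpoint.rsplit(":", 1)
    return replace(pkt, dst=ip, dport=int(port))


def nat_prerouting(pkt: Packet) -> Packet:
    """Walk the chains for one packet and return it as it leaves the nat table."""
    svc = kube_services_lookup(pkt)
    if svc is None:
        return pkt  # no service rule matched: destination left untouched
    return kube_sep_dnat(pkt, kube_svc_pick(svc, pkt))


if __name__ == "__main__":
    client = "10.244.3.9"  # constructed client pod IP
    print(nat_prerouting(Packet("tcp", client, "172.30.0.1", 80)))   # rewritten to a pod
    print(nat_prerouting(Packet("tcp", client, "172.30.0.1", 443)))  # wrong port: unchanged
    print(nat_prerouting(Packet("icmp", client, "172.30.0.1")))      # ping: unchanged
```

On a real node the corresponding rules can be read with `iptables -t nat -S KUBE-SERVICES` (and the KUBE-SVC-* and KUBE-SEP-* chains it jumps to), which is the quickest way to confirm that a service's ClusterIP and port are actually wired to the expected pod endpoints.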