Kubernetes 101: Kubernetes Networking (Kube-proxy, clusterIP and nodePort).

Pods wrap around containers which have namespaces with interfaces and IP addresses assigned to them.
Pods in the cluster communicate through services.

ClusterIP service:

Pods rarely communicate directly with each other; they do it through a service.
A service is an entry point to a pod or a group of pods. 
A service that is accessible from all the pods within the cluster is called a cluster IP service. 

To make an application on a pod (a web server, for example) accessible from the outside, we use a nodePort service.


A service is not only an IP address, it is an "IP:Port number" combination.

NodePort services:

As opposed to the clusterIP service, the nodePort service exposes the application running inside the pod by opening the same port on all nodes of the cluster. These ports can be accessed from the outside.
Below, the nodePort service opens port 30090 on all the nodes of the cluster.
If a request comes to a host on port 30090, it gets forwarded to the node containing the concerned pod.

The kubelet:

The kubelet watches the cluster by communicating with the kube-api server (it is the interface we use to communicate with the cluster).
If a pod needs to be created, the kubelet creates the pod by calling the container runtime (Docker, for example) and uses the CNI plugin (Flannel, Weave, ...) to configure the networking.

The kube-proxy:

All the nodes in the Kubernetes cluster run a kube-proxy service that communicates with the kube-api server to get information about the services that need to be created.
If a service needs to be created, the kube-proxy establishes the iptables forwarding rules to make the service accessible from all the pods in the cluster.
When we create a service, it gets assigned an IP address and a port. The kube-proxy uses that "ip_address:port" combination to create forwarding rules on each node using iptables.

A service is a combination of an IP ( and a port (8060).
Any traffic coming to the service ( on port (8080) is routed to the IP of the pod (, according to the forwarding rules established by the kube-proxy on each node.


Kube-proxy's default mode uses iptables for forwarding purposes.
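
The forwarding rules described above can be read back from a node's NAT table, which is also a quick way to audit which ports nodePort services have opened on every node. The Python below is an added example, not part of the original post: the `iptables-save -t nat` lines, chain suffixes and IP addresses are constructed, while KUBE-SERVICES, KUBE-NODEPORTS, KUBE-SVC-* and KUBE-SEP-* are the chain names kube-proxy uses in iptables mode.

```python
import shlex
from collections import defaultdict

# Constructed sample of `iptables-save -t nat` output from one node (not from the page).
# Chain suffixes and every IP are invented; 30090 is the nodePort the page uses.
SAMPLE = '''\
-A KUBE-SERVICES -d 10.96.12.7/32 -p tcp -m comment --comment "default/web cluster IP" -m tcp --dport 8080 -j KUBE-SVC-AAAA
-A KUBE-SERVICES -d 10.96.40.2/32 -p tcp -m comment --comment "default/db cluster IP" -m tcp --dport 5432 -j KUBE-SVC-BBBB
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/web" -m tcp --dport 30090 -j KUBE-SVC-AAAA
-A KUBE-SVC-AAAA -m comment --comment "default/web" -m statistic --mode random --probability 0.5 -j KUBE-SEP-ONE
-A KUBE-SVC-AAAA -m comment --comment "default/web" -j KUBE-SEP-TWO
-A KUBE-SVC-BBBB -m comment --comment "default/db" -j KUBE-SEP-DB
-A KUBE-SEP-ONE -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.1.5:80
-A KUBE-SEP-TWO -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.2.9:80
-A KUBE-SEP-DB -p tcp -m comment --comment "default/db" -m tcp -j DNAT --to-destination 10.244.1.8:5432
'''

def parse_rules(text):
    """Group `-A CHAIN ...` lines by chain, each rule as an {option: value} dict."""
    by_chain = defaultdict(list)
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps the quoted --comment value as one token
        if len(tok) > 2 and tok[0] == "-A":
            by_chain[tok[1]].append(
                {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")})
    return by_chain

def pods_behind(chain, by_chain, seen=()):
    """Follow -j jumps from a chain down to the DNAT targets (pod IP:port)."""
    out = []
    for opt in by_chain.get(chain, []) if chain not in seen else []:
        target = opt.get("-j", "")
        if target == "DNAT":
            out.append(opt["--to-destination"])
        elif target.startswith("KUBE-"):
            out += pods_behind(target, by_chain, seen + (chain,))
    return out

def service_map(text):
    """List each service entry point kube-proxy programmed, with its backing pods."""
    by_chain = parse_rules(text)
    found = []
    for kind, chain in (("ClusterIP", "KUBE-SERVICES"), ("NodePort", "KUBE-NODEPORTS")):
        for opt in by_chain.get(chain, []):
            if "--dport" in opt:  # skip the jump from KUBE-SERVICES into KUBE-NODEPORTS
                found.append((kind, opt.get("-d", "all nodes"), int(opt["--dport"]),
                              sorted(pods_behind(opt["-j"], by_chain))))
    return found

if __name__ == "__main__":
    print(*service_map(SAMPLE), sep="\n")
```

Every row reported as NodePort is a port reachable on each node's own address, so that list is the one to compare against the node firewall or cloud security group rules.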

