Why can't I access pod externally without NodePort service

Hello,
Lecture 34 of the course explains that we can't access a pod directly from a laptop because the pod is in a different network. However, the pod network does get installed in the Linux kernel as a CNI interface. As such, why can't the pod be accessed externally using the Linux kernel's routing?
Excerpt from the deployment lab:

controlplane ~ ➜ ip route
default via 169.254.1.1 dev eth0
10.22.0.0/16 dev cni0 scope link src 10.22.0.1 <— Pod subnet
169.254.1.1 dev eth0 scope link

Which course is this? It’s not clear what lecture “Lecture 34” is either, TBH. If this is a lab: please include a link to it.

As a general point – remember that normally in production settings, you don’t access K8s directly from nodes. If you are on a node, you can do things like this:

controlplane ~ ➜  k run nginx --image nginx
pod/nginx created

controlplane ~ ➜  k get po -o wide
NAME    READY   STATUS    RESTARTS   AGE   IP          NODE           NOMINATED NODE   READINESS GATES
nginx   1/1     Running   0          12s   10.22.0.9   controlplane   <none>           <none>

controlplane ~ ➜  curl 10.22.0.9
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

So because of how the CNI routes the pod network, if you're actually running on a node, you can access a pod's ports without using a service. But in general, you'll be using a service instead, especially since pods come and go, and you usually create pods using deployments. The service will be a stable point of access, while the pod's IP is not.

Hi Rob,

My question is why we can't access the pod from outside the node without a service. The node hosting the pod has a CNI interface, and also an interface for a direct connection to the external laptop. Why can't traffic from the laptop be routed by the kernel on the node to the pods?

I agree that a service has the benefit of providing a constant IP, whereas pod IPs are ephemeral. But I do not understand the point in the lecture that we cannot access the pod because it is in a different network.

The course is CKA.

Link to lab:
https://uklabs.kodekloud.com/topic/practice-tests-deployments-2/

Assuming I understand your question, this is largely by design. The CNI is set up on a private network. An IP on the pod CIDR is accessible on any node of the cluster, because each node has an IP on its own subnet of that CIDR, and it has routes to the other subnets of the pod CIDR on a multi-node cluster. This is to allow all pods to "see" all of the other pods in the cluster.

If you're not on one of the nodes of the cluster, this will not be the case, and if there's a need to access the pod from the "outside", you'll need some other mechanism to do that. This would be a service, which can either use an exposed IP of a node to grant that access (a NodePort service, which exposes all of its selected pods on every node's exposed IP address), or a public IP using a LoadBalancer service.
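To make the routing argument in the reply above concrete, here is an added example (not code from the thread or from the course) that runs a kernel-style longest-prefix-match lookup over two routing tables: the node table copied from the lab excerpt in the question, and a constructed laptop table that is an assumption about a typical external machine. The pod IP 10.22.0.9 is the nginx pod from the first reply. On the node the pod IP matches the connected 10.22.0.0/16 route on cni0; on the laptop it matches only the default route, so the packet is handed to a gateway that, as the reply explains, has no knowledge of the cluster's private pod CIDR.

```python
# Added example, not from the thread: longest-prefix-match route lookup
# over two constructed routing tables, showing why a pod IP resolves to a
# real route on a cluster node but only to the default route elsewhere.
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network   # destination network
    dev: str                        # outgoing interface
    via: Optional[str]              # next-hop gateway, None if directly connected


def parse_ip_route(text: str) -> List[Route]:
    """Parse the subset of `ip route` output used here: '<dest|default> [via GW] dev IF ...'."""
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dest = tokens[0]
        prefix = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
                  else ipaddress.ip_network(dest, strict=False))
        via = tokens[tokens.index("via") + 1] if "via" in tokens else None
        dev = tokens[tokens.index("dev") + 1]
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Kernel-style selection: the most specific (longest prefix) matching route wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def has_specific_route(routes: List[Route], dst: str) -> bool:
    """True when dst matches something more specific than the default route."""
    best = lookup(routes, dst)
    return best is not None and best.prefix.prefixlen > 0


# Node table, copied from the lab excerpt in the question (annotation removed).
NODE_ROUTES = """
default via 169.254.1.1 dev eth0
10.22.0.0/16 dev cni0 scope link src 10.22.0.1
169.254.1.1 dev eth0 scope link
"""

# Laptop table: constructed; assumed to be a typical home or office network.
LAPTOP_ROUTES = """
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 scope link src 192.168.1.50
"""

POD_IP = "10.22.0.9"   # the nginx pod from the first reply


def describe(name: str, table: str, dst: str) -> str:
    """Explain which route a host would pick for dst and what that means for delivery."""
    routes = parse_ip_route(table)
    best = lookup(routes, dst)
    if best is None:
        return f"{name}: no route to {dst}"
    if best.prefix.prefixlen == 0:
        return (f"{name}: {dst} matches only the default route, so the packet goes "
                f"to {best.via} on {best.dev}; that gateway has no route for the "
                f"cluster's private pod CIDR (assumption) and cannot deliver it")
    hop = "directly connected" if best.via is None else f"via {best.via}"
    return f"{name}: {dst} matches {best.prefix} on {best.dev} ({hop})"


if __name__ == "__main__":
    print(describe("node", NODE_ROUTES, POD_IP))
    print(describe("laptop", LAPTOP_ROUTES, POD_IP))
```

Running it prints the node line (10.22.0.9 matches 10.22.0.0/16 on cni0, directly connected) and the laptop line (default route only). Adding a NodePort or LoadBalancer service is what gives the outside host a destination it actually has a route to: the node's own IP or a public IP.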