Siddharth Mehta's Blog
Understanding Kubernetes Traffic Flow: A Deep Dive into iptables, kube-proxy, and conntrack

Understanding Kubernetes Traffic Flow: A Deep Dive into iptables, kube-proxy, and conntrack

Siddharth Mehta's photo
Siddharth Mehta
·

4 min read

Kubernetes networking can seem daunting, but understanding the interaction between iptables, kube-proxy, and conntrack makes it manageable. This article explains how traffic flows from a user to a Pod, the role of iptables chains like KUBE-SERVICES and KUBE-SEP, and how different Kubernetes service types (ClusterIP, NodePort, and LoadBalancer) handle traffic.

Let’s dive in and break it down step by step

Role of iptables in Kubernetes Networking

iptables is a Linux firewall utility used by kube-proxy to manage packet flow at the kernel level. It rewrites packet destinations (DNAT) and sources (SNAT) to route traffic properly.

Key iptables chains used by Kubernetes in the nat table:

  • PREROUTING: Handles packets before routing decisions.

  • KUBE-SERVICES: Main chain defining Kubernetes Services.

  • KUBE-SEP: Handles traffic to backend Pods (Service Endpoints).

  • KUBE-MARK-MASQ: Marks packets for Source NAT (SNAT).

  • POSTROUTING: Processes packets leaving the node.

Now lets Understand the Traffic Flow for Kubernetes Services

ClusterIP Service

A ClusterIP Service exposes an internal virtual IP (e.g., 10.96.0.1) for communication within the cluster.

Example Flow: User to Pod via ClusterIP

1. User Sends Request

User sends traffic to the ClusterIP (10.96.0.1) and port (8080).

2. Packet Enters PREROUTING Chain

The packet is matched to the Service IP in the PREROUTING chain:

-A PREROUTING -d 10.96.0.1/32 -p tcp --dport 8080 -j KUBE-SERVICES

3. Routing in KUBE-SERVICES Chain

The KUBE-SERVICES chain determines the backend Pods for the Service. For example:

-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp --dport 8080 -j KUBE-SEP-12345

4. Routing in KUBE-SEP Chain

The KUBE-SEP chain DNATs (Destination NAT) the packet to the Pod’s IP (10.244.1.5) and port (8080):

-A KUBE-SEP-12345 -j DNAT --to-destination 10.244.1.5:8080

5. Conntrack Ensures Session Consistency

The conntrack module tracks connections so packets from the same session consistently follow the same path.

6. Pod Receives Packet and Responds

The Pod processes the request and sends a response.

SNAT ensures the response appears to come from the ClusterIP (10.96.0.1).

NodePort Service

A NodePort Service exposes a Service on a specific port (e.g., 30080) across all cluster nodes.

Example Flow: User to Pod via NodePort

1. User Sends Request

External users send traffic to the Node’s IP (192.168.1.10) and NodePort (30080).

2. Packet Matches PREROUTING Chain

The PREROUTING chain matches the NodePort and redirects traffic to KUBE-SERVICES:

-A PREROUTING -p tcp --dport 30080 -j KUBE-SERVICES

3. Routing in KUBE-SERVICES

The Service’s rule sends traffic to a backend Pod via the KUBE-SEP chain.

4. Pod Processes Request and Responds

The Pod’s response is SNAT-ed to appear as if it came from the Node’s IP and NodePort.

LoadBalancer Service

A LoadBalancer Service relies on the cloud provider to expose an external IP. Traffic flow is similar to NodePort, with an extra layer for cloud integration.

Example Flow: User to Pod via LoadBalancer

1. User Sends Request

External users access the LoadBalancer IP (203.0.113.5).

2. Cloud Provider Routes to NodePort

The cloud provider forwards the request to a cluster Node’s IP and NodePort.

Beyond this point, the flow is identical to NodePort.

How kube-proxy Fits In

kube-proxy manages iptables rules to route Service traffic to Pods. Its responsibilities include:

  1. Watching Kubernetes API for Service and Endpoint changes.

  2. Updating iptables Rules to reflect new or removed Services.

  3. Implementing Load Balancing across backend Pods.

Example: kube-proxy iptables Rules

# Rule to match ClusterIP and forward to Service chain

-A PREROUTING -d 10.96.0.1/32 -j KUBE-SERVICES

# Rule in KUBE-SERVICES to direct traffic to a Pod

-A KUBE-SERVICES -d 10.96.0.1/32 -j KUBE-SEP-12345

# Rule in KUBE-SEP to DNAT to Pod IP

-A KUBE-SEP-12345 -j DNAT --to-destination 10.244.1.5:8080

How conntrack Works

conntrack is a Linux kernel feature that tracks network connections. It ensures:

  • Session Consistency: Once a path is established, all packets for the same connection follow it.

  • Efficient NAT Handling: Repeated DNAT and SNAT operations are avoided for established connections.

Inspect active connections using:

conntrack -L

If troubleshooting issues, flush entries with:

conntrack -F

Packet Flow Summary

1. Ingress

User traffic arrives at the cluster (via ClusterIP, NodePort, or LoadBalancer).

The packet is processed by iptables rules created by kube-proxy.

2. Load Balancing

KUBE-SERVICES selects a backend Pod using kube-proxy's iptables rules.

3. DNAT

Traffic is DNAT-ed to the selected Pod’s IP by the KUBE-SEP chain.

4. Pod Processing

The Pod processes the request and sends a response.

5. Egress

Response packets are SNAT-ed to maintain session consistency.

Debugging kubernetes networking


1. Check iptables Rules

iptables -t nat -L -n

2. Inspect conntrack

conntrack -L

3. Verify Services

kubectl get svc

4. Test NodePort Access

curl <Node-IP>:<NodePort>

Conclusion

Mastering Kubernetes traffic flow involves understanding the intricate workings of iptables, kube-proxy, and conntrack. Regardless of whether you're using ClusterIP, NodePort, or LoadBalancer, the core principles remain consistent. By grasping these foundational concepts, you can enhance your ability to troubleshoot and optimize Kubernetes networking, ensuring efficient and reliable communication within your cluster.

#kubernetes-iptables#traffic-kubernetesKubernetes-networkingKuberneteskube-proxyiptablesconntrackkubernetes architecture