1. Docker Networking Fundamentals
Unlike traditional virtualization, where each VM gets its own virtual NICs attached to a virtual switch, containers share the host's kernel and are isolated only by network namespaces (each namespace has its own interfaces, routing table and firewall rules). Docker manages this via network drivers.
Docker Bridge Mode (Default)
The default network driver. Containers attached to the same bridge network can communicate with each other (on a user-defined bridge, also by name through Docker's embedded DNS). Outbound traffic is masqueraded (NAT) through the host, and inbound traffic reaches a container only on ports explicitly published with -p.
Host Mode
Removes network isolation: the container shares the host's network namespace directly, so it sees every host interface and can bind any host port, including services bound to localhost. High performance, but port conflicts are common and host-mode containers bypass bridge-level segmentation entirely.
Overlay Mode
Used for multi-host networking (Docker Swarm). It encapsulates traffic (usually VXLAN), allowing containers on different hosts to communicate as if they were on the same L2 link. Encapsulation is not encryption: the VXLAN frames cross the host network in cleartext unless the overlay is created with encryption enabled.
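The segmentation that bridge networks give you is easiest to see in a Compose file. The following is an added example, not from the original page: a web tier and a database tier on two separate user-defined bridge networks, so the database is reachable only from the api service. The service names, image tags and port numbers are illustrative assumptions.

```yaml
# Added example (not part of the original page). Two user-defined bridge
# networks segment the web tier from the database tier. Service names,
# images and ports are illustrative assumptions.
services:
  web:
    image: nginx:1.27            # assumed image tag
    networks:
      - frontend
    ports:
      - "8080:80"                # published through host NAT; only this port is reachable from outside
  api:
    image: example/api:1.0       # placeholder image name
    networks:
      - frontend                 # reachable from web
      - backend                  # the only service that bridges into the db tier
  db:
    image: postgres:16
    networks:
      - backend                  # db is reachable only from containers on "backend" (i.e. api)
    # no "ports:" entry: the database is never published on the host

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true               # no NAT gateway: containers on this network cannot reach the Internet
```

Each user-defined bridge gets its own Linux bridge and subnet, and Docker's iptables rules block forwarding between bridges, so web cannot open a connection to db at all. Marking backend as internal also removes the default route, which limits what a compromised database container could call out to.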
2. The Kubernetes Networking Model
Kubernetes imposes a set of fundamental requirements on any network implementation (the "flat network model"):
- Pods can communicate with all other pods on any other node without NAT.
- Agents on a node (e.g., system daemons, kubelet) can communicate with all pods on that node.
CNI (Container Network Interface)
K8s doesn't implement pod networking itself; it delegates it to plugins through CNI. Popular implementations include:
- Calico: Uses a pure Layer 3 approach, distributing pod routes with BGP. Good for scalable, standard IP routing.
- Cilium: Uses eBPF (extended Berkeley Packet Filter) for high-performance connectivity, visibility, and security enforced in the kernel.
- Flannel: A simpler overlay network (typically VXLAN) often used in smaller clusters. On its own it does not enforce NetworkPolicy, so it is usually paired with Calico (Canal) when policies are needed.
3. Securing Traffic with Network Policies
By default, all pods in a K8s cluster can talk to each other (they are "non-isolated"). Network Policies are K8s resources that restrict traffic at the IP/port level (Layer 3/4) by selecting pods with labels. Once any policy selects a pod, only the traffic some policy explicitly allows is admitted; policies are additive, and they are enforced by the CNI plugin, not by Kubernetes itself.
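The usual pattern is a namespace-wide default deny followed by narrow allow rules. The manifests below are an added example, not from the original page; the namespace name, pod labels and port numbers are illustrative assumptions, and the kube-dns label is the common kubeadm/CoreDNS convention that should be verified in the target cluster.

```yaml
# Added example (not part of the original page). Namespace, labels and ports
# are illustrative assumptions.
# 1) Default deny: an empty podSelector selects every pod in "shop", making
#    them all isolated for Ingress and Egress; with no rules listed, nothing is allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2) Allow-list: policies are additive, so this one re-opens only what the
#    database pods need: TCP/5432 from pods labelled app=api in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 5432
---
# 3) DNS egress: a default-deny Egress policy also blocks name resolution,
#    so allow every pod to reach the cluster DNS pods in kube-system.
#    (k8s-app=kube-dns is the usual kubeadm/CoreDNS label; verify it in your cluster.)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two checks worth making after applying these: confirm the CNI plugin actually enforces NetworkPolicy (Flannel alone does not, in which case the objects are accepted by the API server but have no effect), and confirm that the api pods themselves have an Egress rule to db, since the default deny blocks their outbound side too.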
4. Ingress Controllers (North-South Traffic)
While NodePort and LoadBalancer Services expose individual ports, an Ingress manages external (north-south) access to Services, typically HTTP/HTTPS. It provides load balancing, TLS termination, and name-based virtual hosting. An Ingress object does nothing on its own; an Ingress controller running in the cluster watches these objects and configures the actual proxy.
Common controllers: NGINX Ingress, Traefik, Istio Gateway.