Networking
Networks are isolated using network namespaces
See listening ports

```shell
netstat -npa
```
Local Networking
Show local interfaces

```shell
ip link
```
Network Namespaces
List namespaces:

```shell
ip netns
```

Add two namespaces:

```shell
ip netns add fox
ip netns add bear
```

Run a command within a namespace (both forms are equivalent):

```shell
ip netns exec fox ip link
ip -n fox link
```
Bridges, Virtual networks, and NATs
Namespaced networks are connected through virtual interface pairs (veth).
You must enable ip_forward for the host to route traffic between the namespaces and the outside world.

Permanent change:

```shell
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
```

Temporary change:

```shell
echo 1 > /proc/sys/net/ipv4/ip_forward
```
Add a namespaced interface to our virtual network (which is really just a bridge interface on the host)

```shell
VNET_CIDR=192.168.202.0/24
# Create a bridge named vnet-animals and mark the interface as up
ip link add vnet-animals type bridge
ip link set dev vnet-animals up
# Allow our host to act as a NAT for the virtual network
iptables -t nat -A POSTROUTING -s "$VNET_CIDR" -j MASQUERADE
# Give our host an IP on the bridge (becomes the gateway for the namespaced interfaces)
ip addr add 192.168.202.1/24 dev vnet-animals
# Create an interface pair and attach one side to the namespace, the other to the bridge
ip link add veth-fox type veth peer name veth-fox-br
ip link set veth-fox netns fox
ip link set veth-fox-br master vnet-animals
ip link set veth-fox-br up
# Give the namespaced side an IP address and mark it as up
ip -n fox addr add 192.168.202.11/24 dev veth-fox
ip -n fox link set veth-fox up
# The /24 is already reachable through the connected route the address above created;
# add a default route via the host for full internet access:
ip netns exec fox ip route add default via 192.168.202.1
# Repeat with another namespace...
ip link add veth-bear type veth peer name veth-bear-br
ip link set veth-bear netns bear
ip link set veth-bear-br master vnet-animals
ip link set veth-bear-br up
ip -n bear addr add 192.168.202.12/24 dev veth-bear
ip -n bear link set veth-bear up
ip netns exec bear ip route add default via 192.168.202.1
```

Allow inbound traffic reaching the host on port 80 to be forwarded to a namespaced interface

```shell
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.202.11:80
```
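The per-namespace steps above repeat for every namespace, which is how device names drift (the notes originally mixed up veth-fox-br and veth-animals). Added example, not from the original notes: the same procedure wrapped in POSIX sh functions, assuming a /24 VNET_CIDR and the hypothetical DRY_RUN switch that prints the commands instead of running them, so the plan can be checked without root.

```shell
#!/bin/sh
# Added example, not from the original notes: the per-namespace steps above
# wrapped in functions so device names cannot drift. Assumes a /24 VNET_CIDR.
# DRY_RUN=1 prints the commands instead of running them (no root needed).
BRIDGE=${BRIDGE:-vnet-animals}
VNET_CIDR=${VNET_CIDR:-192.168.202.0/24}
GATEWAY=${VNET_CIDR%.*}.1          # first host of the /24 is the host-side gateway

# run CMD...: execute, or just print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ns_ip INDEX: address INDEX inside VNET_CIDR, e.g. ns_ip 11 -> 192.168.202.11/24
ns_ip() {
    plen=${VNET_CIDR#*/}
    [ "$plen" = 24 ] || { echo "ns_ip: only /24 networks supported" >&2; return 1; }
    printf '%s.%s/%s\n' "${VNET_CIDR%.*}" "$1" "$plen"
}

# setup_bridge: host side - bridge, gateway address, forwarding, masquerade
setup_bridge() {
    run ip link add "$BRIDGE" type bridge
    run ip link set dev "$BRIDGE" up
    run ip addr add "$(ns_ip 1)" dev "$BRIDGE"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$VNET_CIDR" -j MASQUERADE
}

# attach_ns NAME INDEX: namespace NAME, veth pair veth-NAME / veth-NAME-br,
# bridge end plugged into BRIDGE, namespaced end addressed and default-routed
attach_ns() {
    name=$1; idx=$2
    run ip netns add "$name"
    run ip link add "veth-$name" type veth peer name "veth-$name-br"
    run ip link set "veth-$name" netns "$name"
    run ip link set "veth-$name-br" master "$BRIDGE"
    run ip link set "veth-$name-br" up               # the bridge port must be up as well
    run ip -n "$name" addr add "$(ns_ip "$idx")" dev "veth-$name"
    run ip -n "$name" link set lo up
    run ip -n "$name" link set "veth-$name" up
    run ip -n "$name" route add default via "$GATEWAY"
}

# detach_ns NAME: deleting the namespace also destroys its veth pair
detach_ns() { run ip netns del "$1"; }

# Usage: sh thisfile.sh apply   (as root; DRY_RUN=1 to preview)
case "${1:-}" in apply) setup_bridge; attach_ns fox 11; attach_ns bear 12 ;; esac
```

Run it with `DRY_RUN=1 sh thisfile.sh apply` first and compare the printed commands against the manual sequence above before applying as root.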
todo! Define how to config podCIDR, serviceCIDR, nodeCIDRs!
Getting the CIDRs of

pods

```shell
kubectl get node -o json | jq -r '.items[] | ( .metadata.name + "=" + .spec.podCIDR )'
```

services (kube-apiserver)

```shell
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep cluster-ip-range
```

What type of Proxy?

```shell
kubectl logs -n kube-system kube-proxy-8nmt7 | grep -i proxy
```