Update network doc for ip-per-pod reqs #12182
Conversation
k8s-ci-robot
added
size/L
|
Thanks @thockin Looks good from my perspective. |
|
Deploy preview for kubernetes-io-master-staging ready! Built with commit 55fe4e2 https://deploy-preview-12182--kubernetes-io-master-staging.netlify.com |
| how to find each other, etc. Rather than deal with this, Kubernetes takes a | ||
| different approach. | ||
| Kubernetes is all about sharing machines between applications. Typically, | ||
| sharing machines requires ensuring that two applications on the same do not try |
There was a problem hiding this comment.
Is there a word missing? i.e. "on the same..."? machine?
|
added text about host port support lgtm |
| network (e.g. Linux supports this): | ||
|
|
||
| * pods in the host network of any node can communicate with all pods on all | ||
| nodes without NAT | ||
|
|
||
| What this means in practice is that you can not just take two computers |
There was a problem hiding this comment.
do we want to remove "editorial" style text?
| * all nodes can communicate with all containers (and vice-versa) without NAT | ||
| * the IP that a container sees itself as is the same IP that others see it as | ||
| * pods on any node can communicate with all pods on all nodes without NAT | ||
| * agents on a node can communicate with all pods on that node |
There was a problem hiding this comment.
is it worth to spend a one liner to define what we consider an agent? I did not see it mentioned in any other part of the doc. Maybe we can link to https://kubernetes.io/docs/concepts/overview/components/#kubelet like in the section above?
There was a problem hiding this comment.
Yeah, we should clarify what they are. "infrastructure agents" or something, which include networking, logging, health checking, networking; eg anything required to get and keep the cluster functional
There was a problem hiding this comment.
Will change to "agents on a node (e.g. system daemons, kubelet) can communicate with all pods on that node"
| In addition to these, for those platforms that support `Pods` running in the host | ||
| network (e.g. Linux supports this): | ||
|
|
||
| * pods in the host network of any node can communicate with all pods on all |
There was a problem hiding this comment.
@thockin hmm this is new; was this something that just came up or that should have been clarified from the start?
There was a problem hiding this comment.
no, this was always intended, and was implied by the first rule (all pods <-> all pods). Otherwise some pods are not able to reach other pods.
I think it is in e2e, too.
As much as I dislike it, some apps run hostNetwork for performance reasons. Removing this constraint would potentially break them.
| insert dynamic port numbers into configuration blocks, services have to know | ||
| how to find each other, etc. Rather than deal with this, Kubernetes takes a | ||
| different approach. | ||
| Kubernetes is all about sharing machines between applications. Typically, |
There was a problem hiding this comment.
I feel like even the rewritten version of this is still kind of explaining Kubernetes to former docker users who have been in a coma since 2015. :) No one these days is going to come into Kubernetes expecting to have to coordinate port numbers between unrelated apps, so it's just confusing to spend so much time explaining why we don't force them to.
There was a problem hiding this comment.
Man, I get asked ALL THE TIME why we don't support dynamic port mapping.
| * agents on a node can communicate with all pods on that node | ||
| * the IP that a pod sees itself as is the same IP that others see it as | ||
|
|
||
| In addition to these, for those platforms that support `Pods` running in the host |
There was a problem hiding this comment.
This isn't "in addition"; we already required that "pods on any node can communicate with all pods on all nodes without NAT", so if host network pods exist, then they are already required to be able to communicate with all pods.
Maybe just something like "Note that for platforms that support Pods running in the host network, these requirements apply to those Pods as well."
(Except see my other comment about hostNetwork pods.)
| How this is implemented is a detail of the particular container runtime in use. | ||
|
|
||
| It is possible to request ports on the `Node` itself which forward to your `Pod` | ||
| (called host-ports), but this is reduced to a very niche operation. How that |
There was a problem hiding this comment.
drop "reduced to" since that's part of the docker-vs-kubernetes comparison, which is now mostly gone
(also, I feel like the original "host ports" is better than "host-ports"?)
| * the IP that a container sees itself as is the same IP that others see it as | ||
| * pods on any node can communicate with all pods on all nodes without NAT | ||
| * agents on a node can communicate with all pods on that node | ||
| * the IP that a pod sees itself as is the same IP that others see it as |
There was a problem hiding this comment.
Hm... what if a pod has multiple IPs? In particular, what about the case of a hostNetwork pod on a node with multiple IPs?
In openshift-sdn, every node has an IP address in the cluster network CIDR in addition to its external/primary/"eth0" IP. A hostNetwork pod would list the node's primary IP as its .spec.podIP, but when it communicates with other non-hostNetwork pods, the source IP would be the node's cluster network IP, not the primary IP. Is that legit?
(If so, we probably want to treat the hostNetwork case separately here, since I think we definitely want to say that for non-hostNetwork pods, the source address of pod-to-pod traffic will always be the pod's .spec.podIP.)
There was a problem hiding this comment.
Do we even need this line? It's somewhat redundant with the "no NAT" line. I propose to remove it.
As per SIG-Network discussion, we can relax the requirement for all nodes to be able to reach all pods on those platforms that do not support hostNetwork. The current thinking on Windows support is that hostNetwork is not a requirement for Window users. As such, satisfying the old requirement is very difficult and has no practical benefit. This DOES NOT change the requirements for platforms that support hostNetwork (e.g. Linux) nor does it make hostNetwork optional for Linux nodes. This PR also removes most comparisons to Docker, as they are stale and no longer germane, and cleans up some of the text.
thockin
force-pushed
the
relax-network-reqs-nodes-to-pods
branch
from
471e507 to
55fe4e2
Compare
k8s-ci-robot
added
size/M
| insert dynamic port numbers into configuration blocks, services have to know | ||
| how to find each other, etc. Rather than deal with this, Kubernetes takes a | ||
| different approach. | ||
| Kubernetes is all about sharing machines between applications. Typically, |
There was a problem hiding this comment.
Man, I get asked ALL THE TIME why we don't support dynamic port mapping.
| how to find each other, etc. Rather than deal with this, Kubernetes takes a | ||
| different approach. | ||
| Kubernetes is all about sharing machines between applications. Typically, | ||
| sharing machines requires ensuring that two applications on the same do not try |
| * all nodes can communicate with all containers (and vice-versa) without NAT | ||
| * the IP that a container sees itself as is the same IP that others see it as | ||
| * pods on any node can communicate with all pods on all nodes without NAT | ||
| * agents on a node can communicate with all pods on that node |
There was a problem hiding this comment.
Will change to "agents on a node (e.g. system daemons, kubelet) can communicate with all pods on that node"
| * the IP that a container sees itself as is the same IP that others see it as | ||
| * pods on any node can communicate with all pods on all nodes without NAT | ||
| * agents on a node can communicate with all pods on that node | ||
| * the IP that a pod sees itself as is the same IP that others see it as |
There was a problem hiding this comment.
Do we even need this line? It's somewhat redundant with the "no NAT" line. I propose to remove it.
| * agents on a node can communicate with all pods on that node | ||
| * the IP that a pod sees itself as is the same IP that others see it as | ||
|
|
||
| In addition to these, for those platforms that support `Pods` running in the host |
| In addition to these, for those platforms that support `Pods` running in the host | ||
| network (e.g. Linux supports this): | ||
|
|
||
| * pods in the host network of any node can communicate with all pods on all |
There was a problem hiding this comment.
no, this was always intended, and was implied by the first rule (all pods <-> all pods). Otherwise some pods are not able to reach other pods.
I think it is in e2e, too.
As much as I dislike it, some apps run hostNetwork for performance reasons. Removing this constraint would potentially break them.
| network (e.g. Linux supports this): | ||
|
|
||
| * pods in the host network of any node can communicate with all pods on all | ||
| nodes without NAT | ||
|
|
||
| What this means in practice is that you can not just take two computers |
| How this is implemented is a detail of the particular container runtime in use. | ||
|
|
||
| It is possible to request ports on the `Node` itself which forward to your `Pod` | ||
| (called host-ports), but this is reduced to a very niche operation. How that |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/lgtm |
|
@fcrisciani: changing LGTM is restricted to assignees, and only kubernetes/website repo collaborators may be assigned issues. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@chenopis Could you please take a look at the updated content. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: zparnold The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
* Update network doc for ip-per-pod reqs As per SIG-Network discussion, we can relax the requirement for all nodes to be able to reach all pods on those platforms that do not support hostNetwork. The current thinking on Windows support is that hostNetwork is not a requirement for Window users. As such, satisfying the old requirement is very difficult and has no practical benefit. This DOES NOT change the requirements for platforms that support hostNetwork (e.g. Linux) nor does it make hostNetwork optional for Linux nodes. This PR also removes most comparisons to Docker, as they are stale and no longer germane, and cleans up some of the text. * Feedback on contents
| Kubernetes imposes the following fundamental requirements on any networking | ||
| implementation (barring any intentional network segmentation policies): | ||
|
|
||
| * all containers can communicate with all other containers without NAT | ||
| * all nodes can communicate with all containers (and vice-versa) without NAT | ||
| * the IP that a container sees itself as is the same IP that others see it as |
There was a problem hiding this comment.
The classic statements about kubernetes network are removed here
https://youtu.be/90kZRyPcRZw?t=829
https://youtu.be/6v_BDHIgOY8?t=95
https://www.digitalocean.com/community/tutorials/kubernetes-networking-under-the-hood
* Update network doc for ip-per-pod reqs As per SIG-Network discussion, we can relax the requirement for all nodes to be able to reach all pods on those platforms that do not support hostNetwork. The current thinking on Windows support is that hostNetwork is not a requirement for Window users. As such, satisfying the old requirement is very difficult and has no practical benefit. This DOES NOT change the requirements for platforms that support hostNetwork (e.g. Linux) nor does it make hostNetwork optional for Linux nodes. This PR also removes most comparisons to Docker, as they are stale and no longer germane, and cleans up some of the text. * Feedback on contents
* Update network doc for ip-per-pod reqs As per SIG-Network discussion, we can relax the requirement for all nodes to be able to reach all pods on those platforms that do not support hostNetwork. The current thinking on Windows support is that hostNetwork is not a requirement for Window users. As such, satisfying the old requirement is very difficult and has no practical benefit. This DOES NOT change the requirements for platforms that support hostNetwork (e.g. Linux) nor does it make hostNetwork optional for Linux nodes. This PR also removes most comparisons to Docker, as they are stale and no longer germane, and cleans up some of the text. * Feedback on contents
As per SIG-Network discussion, we can relax the requirement for all
nodes to be able to reach all pods on those platforms that do not
support hostNetwork.
The current thinking on Windows support is that hostNetwork is not a
requirement for Window users. As such, satisfying the old requirement
is very difficult and has no practical benefit.
This DOES NOT change the requirements for platforms that support
hostNetwork (e.g. Linux) nor does it make hostNetwork optional for Linux
nodes.
This PR also removes most comparisons to Docker, as they are stale and
no longer germane, and cleans up some of the text.
@dineshgovindasamy