科技回声 (Tech Echo)
A tech news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

A brief guide to Kubernetes networking

90 points, by thewizl, about 2 years ago

6 comments

jmillikin, about 2 years ago

For folks interested in the Kubernetes networking model, I recommend looking elsewhere. This post appears to be content marketing wrapped in a thin shell of introductory tutorial for an approach that isn't used by non-trivial deployments.

First, if you want to do a networking tutorial, start with something simple -- an HTTP server and curl, for example. You want to be able to tcpdump the traffic to understand what's going on under the hood. The first half of the blog post is some massively complex magic -- CRDs? An operator? Just why? -- and there's no reason to run an Elasticsearch instance just to test out packet routing.

Second, you almost certainly don't want to use kube-proxy. It uses (abuses?) iptables/nftables in a way that will make your sysadmins cry tears of blood. For small deployments, every major cloud provider (AWS, Azure, GCP, etc) has a CNI plugin that lets you allocate pod IPs out of a dedicated NAT prefix. For larger or bare-metal deployments, either use IPv6 natively (if available) or 6to4 (if on an IPv4-only network). I wrote a tutorial on the 6to4 approach[0], but honestly if you have someone on staff who is familiar with the Linux kernel network configs they'll probably have a better idea of how to set it up to work with your system.

Third, you probably want to avoid getting super-magical with your DNS. Approaches like that described in the article (coredns configured to directly resolve non-namespaced Kubernetes service names) have poor performance once you get beyond toy-sized clusters, and having to hunt down all the places your code does a single-name lookup is *not* fun. Instead, configure a "normal" DNS server (or equivalent non-DNS address resolver) to read Kubernetes-announced endpoints in bulk (with caching, etc), and use hostnames like `myservice.mynamespace.mycluster.yourproddomain.com`, which lets you (1) figure out where your packets are getting routed to, and (2) provision mTLS certificates to pods that let them authenticate themselves as a given service identity. Yes, it's longer, but your future self (or future underlings) will thank you.

[0] https://john-millikin.com/stateless-kubernetes-overlay-networks-with-ipv6
Comment #35182404 (not loaded)
Comment #35185439 (not loaded)
Comment #35182677 (not loaded)
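The third point above (fully-qualified `service.namespace.cluster.domain` hostnames that double as mTLS service identities) is easy to get subtly wrong in the client. The following is an added example, not code from the thread or from any project mentioned in it: it parses the hostname form jmillikin suggests, refuses short names that would depend on resolver search-path behaviour, and checks a peer certificate's SANs against the identity implied by the hostname with an exact match only (no wildcards). The `yourproddomain.com` suffix is taken from the comment; the SPIFFE-style URI layout and the SAN lists are assumptions chosen for illustration.

```python
"""Added example (not from the thread): derive an mTLS service identity from a
fully-qualified Kubernetes service hostname and authorize a peer by its SANs."""
from dataclasses import dataclass
from typing import Iterable

# Suffix from the comment's example hostname; assumed to be your production zone.
PROD_DOMAIN = "yourproddomain.com"


@dataclass(frozen=True)
class ServiceIdentity:
    service: str
    namespace: str
    cluster: str

    def dns_name(self, domain: str = PROD_DOMAIN) -> str:
        # The long name: tells you which cluster and namespace the packets go to.
        return f"{self.service}.{self.namespace}.{self.cluster}.{domain}"

    def spiffe_id(self, domain: str = PROD_DOMAIN) -> str:
        # Assumed URI layout (SPIFFE-style); the path scheme is our own choice.
        return f"spiffe://{self.cluster}.{domain}/ns/{self.namespace}/svc/{self.service}"


def _valid_label(label: str) -> bool:
    """RFC 1123 hostname label: 1-63 ASCII alphanumerics or '-', not at the ends."""
    return (0 < len(label) <= 63
            and label.isascii()
            and label.replace("-", "").isalnum()
            and not label.startswith("-")
            and not label.endswith("-"))


def parse_service_hostname(host: str, domain: str = PROD_DOMAIN) -> ServiceIdentity:
    """Accept only service.namespace.cluster.<domain>; reject anything shorter.

    A bare 'myservice' (or 'myservice.mynamespace') resolves through the
    pod's resolv.conf search path and ndots setting, so it says nothing
    about where traffic ends up and cannot be mapped to a stable identity.
    """
    host = host.rstrip(".").lower()
    suffix = "." + domain.lower()
    if not host.endswith(suffix):
        raise ValueError(f"{host!r} is not under {domain}: refusing search-path lookup")
    labels = host[: -len(suffix)].split(".")
    if len(labels) != 3 or not all(_valid_label(lbl) for lbl in labels):
        raise ValueError(f"{host!r} must have the form service.namespace.cluster.{domain}")
    service, namespace, cluster = labels
    return ServiceIdentity(service, namespace, cluster)


def is_fully_qualified(host: str, domain: str = PROD_DOMAIN) -> bool:
    """Convenience predicate for callers that only need a yes/no answer."""
    try:
        parse_service_hostname(host, domain)
        return True
    except ValueError:
        return False


def peer_authorized(peer_sans: Iterable[str], expected: ServiceIdentity) -> bool:
    """Exact match only: wildcard SANs and certs for another namespace or
    cluster are denied, so a pod can only authenticate as its own service."""
    wanted = {expected.dns_name(), expected.spiffe_id()}
    return any(san.lower() in wanted for san in peer_sans)


if __name__ == "__main__":
    ident = parse_service_hostname("myservice.mynamespace.mycluster.yourproddomain.com")
    # Constructed SAN list standing in for what you would read off the peer cert.
    good_sans = ["spiffe://mycluster.yourproddomain.com/ns/mynamespace/svc/myservice"]
    bad_sans = ["*.mynamespace.mycluster.yourproddomain.com"]
    print(ident, peer_authorized(good_sans, ident), peer_authorized(bad_sans, ident))
```

In a real client the SAN list comes from the verified peer certificate (after normal chain validation), and the expected identity is derived from the hostname the caller asked for, so a misrouted connection to a pod in another namespace or cluster fails authorization even if that pod holds a perfectly valid certificate.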
ilovecaching, about 2 years ago

This is definitely just an ad for ergomake, there's barely any networking knowledge here at all.
Comment #35185409 (not loaded)
ianpurton, about 2 years ago

Does anyone know how they make those hand-drawn style Kubernetes diagrams?
Comment #35183738 (not loaded)
Comment #35182169 (not loaded)
Comment #35182143 (not loaded)
revskill, about 2 years ago

Wait, if the documentation failed at explaining core technologies for a 5-year-old baby to understand, it's a scam.
lifty, about 2 years ago

Question to the author. How does ergomake do multi-tenancy on K8s?
Comment #35182293 (not loaded)
Already__Taken, about 2 years ago

Honestly, I learnt a lot about k8s networking from reading how Cilium's BGP replacement for kube-proxy works. Real nice docs and some good diagrams.
Comment #35184656 (not loaded)
Comment #35184558 (not loaded)