Flannel overlay network

Flannel is a network plugin designed for Kubernetes that implements an overlay network by assigning a unique subnet to each host machine^[400-devops-06-kubernetes-k8s-paas-03k8s.md]. This allows containers across different hosts to communicate as if they were on the same physical network^[400-devops-06-kubernetes-k8s-paas-03k8s.md].

Core Architecture

Flannel functions as a layer 3 network fabric. Its primary mechanism is to allocate a distinct subnet (e.g., 172.7.21.0/24) to each node in the cluster^[400-devops-06-kubernetes-k8s-paas-03k8s.md]. These per-node subnets are carved out of a larger super-network, typically configured as 172.7.0.0/16^[400-devops-06-kubernetes-k8s-paas-03k8s.md]. Because every Pod on a node takes its address from that node's subnet, a Pod's IP identifies the node hosting it, which is what makes per-node routing possible.

The system relies on a centralized data store, such as [[etcd]], to hold the network configuration and the mapping between each subnet and the IP address of the host that owns it^[400-devops-06-kubernetes-k8s-paas-03k8s.md]. The flanneld daemon on each node registers its own subnet lease there and watches the leases of the other nodes, which is how it learns the routes to its peers.

Backend Mechanisms

Flannel supports several backend types that decide how packets are carried between nodes (vxlan, which encapsulates, is the common default; host-gw, which does not). The setup described here uses the host-gw backend^[400-devops-06-kubernetes-k8s-paas-03k8s.md]. Note that host-gw is an overlay only in the addressing sense: Pod packets cross the host network unencapsulated and unencrypted, so all nodes must sit on the same layer 2 segment (the next hop is a peer's host IP, not a tunnel endpoint), and anything able to sniff the host network sees Pod traffic in the clear.

  • Host Gateway (host-gw): flanneld adds one static route per remote node on each host, pointing the remote node's Pod subnet at that node's host IP^[400-devops-06-kubernetes-k8s-paas-03k8s.md].
  • Routing Logic: when a container sends a packet to a Pod on a different node, the sending host matches the destination against those routes and forwards the packet over its underlying network (e.g., 10.4.7.x) to the target host's physical IP; the target host then hands it to the container through its local bridge^[400-devops-06-kubernetes-k8s-paas-03k8s.md]. The 172.x.x.x container network thus "rides" on top of the 10.x.x.x host network, with the hosts acting as routers rather than as tunnel endpoints^[400-devops-06-kubernetes-k8s-paas-03k8s.md].

SNAT Optimization

With the default rule that Docker installs for its bridge (MASQUERADE everything from the bridge subnet that leaves through any interface other than the bridge), Pod-to-Pod traffic across nodes is subject to Source Network Address Translation (SNAT), so the receiving container sees the traffic as originating from the sending host's IP rather than the original Pod IP^[400-devops-06-kubernetes-k8s-paas-03k8s.md].

To keep Pod-to-Pod communication inside the cluster transparent, the iptables rules can be tightened^[400-devops-06-kubernetes-k8s-paas-03k8s.md].

  • Goal: skip SNAT for traffic whose destination remains within the overlay network range (e.g., 172.7.0.0/16)^[400-devops-06-kubernetes-k8s-paas-03k8s.md].
  • Implementation: the default MASQUERADE rule is replaced or modified (typically by adding a negated destination match for 172.7.0.0/16) so that SNAT occurs only when the destination is outside the cluster network^[400-devops-06-kubernetes-k8s-paas-03k8s.md]. This ensures that application logs and network metrics reflect the true source Pod IP address^[400-devops-06-kubernetes-k8s-paas-03k8s.md], and it is also what makes any source-address-based control or audit trail inside the cluster meaningful.
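As an added example (not code from this page or from the flannel project), the following POSIX shell script models, for one node, the two decisions described in the Backend Mechanisms and SNAT Optimization sections above: the host-gw route lookup built from the subnet map, and whether the POSTROUTING MASQUERADE rule rewrites the source address, with the default Docker bridge rule beside the corrected one. The node addresses 10.4.7.21 to 10.4.7.23, the per-node subnets, the interface names eth0 and docker0, and the exact rule text are constructed assumptions that follow the page's addressing scheme.

```shell
#!/bin/sh
# Added example, not flannel's own code: a model of the host-gw routing decision
# and of the POSTROUTING SNAT rule on one node. All addresses and interface
# names below are constructed for this example.
CLUSTER_CIDR=172.7.0.0/16        # flannel "Network" (the super-network)
NODE_IP=10.4.7.21                # this node's underlay address
NODE_SUBNET=172.7.21.0/24        # this node's pod subnet, attached to docker0
# subnet leases as flannel would read them from etcd: <node-ip>=<pod-subnet>
SUBNET_MAP="10.4.7.21=172.7.21.0/24 10.4.7.22=172.7.22.0/24 10.4.7.23=172.7.23.0/24"

# ip2int A.B.C.D -> unsigned 32-bit integer, POSIX arithmetic only
ip2int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_cidr IP PREFIX/BITS -> exit status 0 when IP lies inside the prefix
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# hostgw_routes -> the static routes flanneld installs on this node: one per
# remote pod subnet, next hop the owning node's underlay IP, no encapsulation.
hostgw_routes() {
  for lease in $SUBNET_MAP; do
    nip=${lease%=*}; sub=${lease#*=}
    [ "$nip" = "$NODE_IP" ] && continue        # own subnet lives on the local bridge
    echo "ip route add $sub via $nip dev eth0"
  done
}

# hostgw_nexthop DST -> where the kernel sends a packet for DST once those
# routes exist: the local bridge, a peer node, or the node's default gateway.
hostgw_nexthop() {
  if in_cidr "$1" "$NODE_SUBNET"; then echo "local:docker0"; return 0; fi
  for lease in $SUBNET_MAP; do
    nip=${lease%=*}; sub=${lease#*=}
    if [ "$nip" != "$NODE_IP" ] && in_cidr "$1" "$sub"; then echo "via:$nip"; return 0; fi
  done
  echo "default-gateway"
}

# The nat rule in the form `iptables -t nat -S POSTROUTING` prints it.
# Default Docker bridge rule: everything from the pod subnet that leaves through
# an interface other than docker0 is masqueraded, pod-to-pod traffic included.
masq_rule_default() { echo "-A POSTROUTING -s $NODE_SUBNET ! -o docker0 -j MASQUERADE"; }
# Corrected rule: additionally exempt destinations inside the cluster network.
masq_rule_fixed()   { echo "-A POSTROUTING -s $NODE_SUBNET ! -d $CLUSTER_CIDR ! -o docker0 -j MASQUERADE"; }

# source_seen SRC DST default|fixed -> the source address the receiver observes
source_seen() {
  src=$1; dst=$2; mode=$3
  # stays on docker0: "! -o docker0" does not match, so never SNATed
  if in_cidr "$dst" "$NODE_SUBNET"; then echo "$src"; return 0; fi
  # not from the local pod subnet: the rule's "-s" does not match
  if ! in_cidr "$src" "$NODE_SUBNET"; then echo "$src"; return 0; fi
  # the corrected rule exempts cluster-internal destinations
  if [ "$mode" = fixed ] && in_cidr "$dst" "$CLUSTER_CIDR"; then echo "$src"; return 0; fi
  echo "$NODE_IP"                              # MASQUERADE to the host's address
}

# To apply on a real node (needs root; not executed here):
#   iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
#   iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
#   iptables -t nat -S POSTROUTING    # confirm the rule and its position

hostgw_routes
echo "pod 172.7.21.5 -> 172.7.22.9: next hop $(hostgw_nexthop 172.7.22.9)"
echo "  receiver sees $(source_seen 172.7.21.5 172.7.22.9 default) with the default rule"
echo "  receiver sees $(source_seen 172.7.21.5 172.7.22.9 fixed) with the corrected rule"
echo "pod 172.7.21.5 -> 8.8.8.8: next hop $(hostgw_nexthop 8.8.8.8), seen as $(source_seen 172.7.21.5 8.8.8.8 fixed)"
```

The subnet map stands in for the leases flanneld reads from etcd; with the host-gw backend the corresponding network configuration (by default stored under flannel's /coreos.com/network prefix) is a small JSON document naming the 172.7.0.0/16 Network and the host-gw backend type. The model shows why the fix matters: with the default rule a Pod on 10.4.7.22 logs 10.4.7.21 as the peer for every Pod on that node, which defeats any per-Pod audit or policy, while traffic to the Internet is still masqueraded under both rules.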

Sources

^[400-devops-06-kubernetes-k8s-paas-03k8s.md]