Flannel overlay networking

Flannel is a network plugin designed for Kubernetes that solves the problem of container communication across different physical hosts.^[03.k8s集群.md] It functions by assigning a unique subnet to each host machine, creating a virtual overlay network that allows containers to see each other as if they were on the same logical network, even though they reside on different servers.^[03.k8s集群.md]

This overlay capability is essential because, without a plugin like Flannel, containers on different hosts (e.g., 172.7.21.2 and 172.7.22.2) cannot communicate directly.^[03.k8s集群.md] A functional cluster requires this cross-host connectivity, which is why Flannel is deployed to implement the Container Network Interface (CNI) specification.^[03.k8s集群.md]

Architecture

Flannel uses an etcd distributed key-value store to manage the network configuration state.^[03.k8s集群.md] It operates by monitoring this store for subnet allocations and changes.^[03.k8s集群.md]

To handle data forwarding, Flannel supports a backend driver known as host-gw.^[03.k8s集群.md] This backend creates a routing table entry on the host, instructing it to route traffic for a specific container subnet (e.g., 172.7.x.x) directly to the physical IP address of the node hosting that subnet (e.g., 10.4.7.x).^[03.k8s集群.md] This relies on the premise that the underlying physical infrastructure (the 10.4.7.x network) is already fully routable.^[03.k8s集群.md]

Traffic flow and SNAT optimization

In a standard setup, traffic leaving a container might undergo Source Network Address Translation (SNAT), causing the source IP to appear as the host's IP rather than the original container's IP.^[03.k8s集群.md] This is often managed by iptables rules (specifically in the POSTROUTING chain) using the MASQUERADE target.^[03.k8s集群.md]

To ensure transparent access where the original container IP is preserved within the cluster, these iptables rules must be optimized.^[03.k8s集群.md] This involves modifying the POSTROUTING rules to exclude traffic destined for the internal overlay network (e.g., 172.7.0.0/16) from NAT translation.^[03.k8s集群.md] Consequently, SNAT is applied only when traffic is destined for external networks, maintaining internal visibility.^[03.k8s集群.md]
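The POSTROUTING rule before and after the optimization described above, together with a small emulation of which packets the optimized rule would masquerade, as an added shell example that is not from the original page; the node subnet 172.7.21.0/24 and the pure-shell CIDR matching used to emulate iptables are assumptions for illustration.

```shell
#!/bin/sh
# Added example: SNAT rule for one Flannel node, unoptimized vs. optimized.
# Values below are assumed for illustration (this node's subnet is not on the page).
POD_CIDR="172.7.21.0/24"     # this node's Flannel subnet (assumed)
CLUSTER_CIDR="172.7.0.0/16"  # whole overlay network (from the page)

# Unoptimized rule: every packet from this node's containers is SNATed to the
# host IP, including packets to containers on other nodes.
masq_rule_unoptimized() {
    echo "iptables -t nat -A POSTROUTING -s $POD_CIDR -j MASQUERADE"
}

# Optimized rule: "! -d CLUSTER_CIDR" excludes overlay destinations, so
# cross-node container traffic keeps its real source IP and only traffic to
# external networks is masqueraded.
masq_rule_optimized() {
    echo "iptables -t nat -A POSTROUTING -s $POD_CIDR ! -d $CLUSTER_CIDR -j MASQUERADE"
}

# Convert a dotted-quad IPv4 address to an integer (POSIX sh arithmetic).
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> exit 0 if ADDR falls inside NET/BITS.
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Emulate the optimized rule for a packet SRC -> DST: prints "snat" when the
# rule matches (source in POD_CIDR, destination outside the overlay) and
# "preserve" when the original container IP is kept.
snat_decision() {
    if in_cidr "$1" "$POD_CIDR" && ! in_cidr "$2" "$CLUSTER_CIDR"; then
        echo snat
    else
        echo preserve
    fi
}

# Stand-alone run: show both rules and a few decisions.
masq_rule_unoptimized; masq_rule_optimized
snat_decision 172.7.21.2 172.7.22.2   # container to container on another node
snat_decision 172.7.21.2 8.8.8.8      # container to an external network
```

Container-to-container traffic across nodes (172.7.21.2 to 172.7.22.2) is left untouched by the optimized rule, while the same container reaching an external address is still masqueraded.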

Sources

^[03.k8s集群.md]