Kubernetes Service implementation modes

Kubernetes Service implementation modes determine how cluster-internal traffic is routed to a group of Pods, abstracting the stable network location of application components^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].

Service Rationale

The primary need for Services arises from two inherent characteristics of Pods: their IP addresses are not fixed, and groups of Pod instances typically require load balancing^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].

Core Mechanism

At a fundamental level, a Service is implemented through the collaboration of the kube-proxy component running on each node and the host's packet filtering system^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]. When a Service is created, kube-proxy detects the change via the API server and configures the node to direct traffic destined for the Service's Virtual IP (VIP) to the appropriate backend Pods^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].

Implementation Modes

There are two primary modes used by kube-proxy to implement this routing: iptables and IPVS.

iptables Mode

In this mode, kube-proxy manipulates the iptables rules on the host node^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].

  • Mechanism: kube-proxy creates an iptables rule that matches packets destined for the Service's ClusterIP and port. These packets then jump to a chain responsible for load balancing (e.g., KUBE-SVC-...), which randomly selects a target Pod (using Round Robin) and applies DNAT (Destination Network Address Translation) to forward the traffic^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].
  • Performance Limitations: As the number of Pods increases, the number of required iptables rules grows proportionally^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]. Kube-proxy must continuously refresh these rules in a control loop. In large-scale clusters with hundreds or thousands of Pods, this maintenance process can consume significant CPU resources, potentially acting as a bottleneck for the cluster^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].
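To make the chain structure above concrete, here is an added Python example (not from the source note) that parses a constructed `iptables-save -t nat` excerpt, resolves each ClusterIP to the Pod endpoints its KUBE-SVC/KUBE-SEP chains DNAT to, and flags any endpoint outside the expected Pod CIDR; the chain suffixes, addresses and the `default/web` Service are made up for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed `iptables-save -t nat` excerpt for one ClusterIP Service with three
# backends. One KUBE-SERVICES entry matches the VIP, the KUBE-SVC chain picks a
# KUBE-SEP chain, and each KUBE-SEP chain DNATs to one Pod (names/IPs are invented).
SAMPLE_IPTABLES_SAVE = """\
*nat
-A KUBE-SERVICES -d 10.96.12.34/32 -p tcp -m comment --comment "default/web:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-EXAMPLE1234567890
-A KUBE-SVC-EXAMPLE1234567890 -m comment --comment "default/web:http" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-AAAAAAAAAAAAAAAA
-A KUBE-SVC-EXAMPLE1234567890 -m comment --comment "default/web:http" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BBBBBBBBBBBBBBBB
-A KUBE-SVC-EXAMPLE1234567890 -m comment --comment "default/web:http" -j KUBE-SEP-CCCCCCCCCCCCCCCC
-A KUBE-SEP-AAAAAAAAAAAAAAAA -p tcp -m comment --comment "default/web:http" -m tcp -j DNAT --to-destination 10.244.1.5:8080
-A KUBE-SEP-BBBBBBBBBBBBBBBB -p tcp -m comment --comment "default/web:http" -m tcp -j DNAT --to-destination 10.244.2.7:8080
-A KUBE-SEP-CCCCCCCCCCCCCCCC -p tcp -m comment --comment "default/web:http" -m tcp -j DNAT --to-destination 192.0.2.9:8080
COMMIT
"""

SVC_RE = re.compile(r'^-A KUBE-SERVICES -d (\S+?)/32 -p (\w+) .*--dport (\d+) -j (KUBE-SVC-\w+)$')
JUMP_RE = re.compile(r'^-A (KUBE-SVC-\w+) .*-j (KUBE-SEP-\w+)$')
DNAT_RE = re.compile(r'^-A (KUBE-SEP-\w+) .*-j DNAT --to-destination (\S+)$')


def resolve_services(dump):
    """Map each VIP (ip, proto, port) to the DNAT targets reachable through its chains.
    Note the growth pattern: each extra Pod adds one KUBE-SVC jump and one KUBE-SEP chain."""
    vip_to_chain, chain_to_seps, sep_to_dst = {}, defaultdict(list), {}
    for line in dump.splitlines():
        if m := SVC_RE.match(line):
            vip_to_chain[(m[1], m[2], int(m[3]))] = m[4]
        elif m := JUMP_RE.match(line):
            chain_to_seps[m[1]].append(m[2])
        elif m := DNAT_RE.match(line):
            sep_to_dst[m[1]] = m[2]
    return {vip: [sep_to_dst.get(s) for s in chain_to_seps[chain]]
            for vip, chain in vip_to_chain.items()}


def endpoints_outside(dump, pod_cidr):
    """Return (vip, endpoint) pairs whose DNAT target is not inside the expected Pod CIDR,
    a cheap check that a Service VIP only forwards into the cluster's Pod network."""
    net = ipaddress.ip_network(pod_cidr)
    return [(vip, ep) for vip, eps in resolve_services(dump).items()
            for ep in eps if ipaddress.ip_address(ep.rsplit(":", 1)[0]) not in net]


if __name__ == "__main__":
    for vip, eps in resolve_services(SAMPLE_IPTABLES_SAVE).items():
        print(f"{vip[0]}:{vip[2]}/{vip[1]} -> {eps}")
    print("outside Pod CIDR:", endpoints_outside(SAMPLE_IPTABLES_SAVE, "10.244.0.0/16"))
```

On a real node the same functions can be fed the output of `iptables-save -t nat`; in IPVS mode these KUBE-SVC/KUBE-SEP chains are largely absent and `ipvsadm -Ln` shows the virtual servers instead.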

IPVS Mode

To overcome the scaling limitations of iptables, Kubernetes supports IPVS (IP Virtual Server) mode^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].

  • Mechanism: When a Service is created, kube-proxy creates a virtual network interface (typically named kube-ipvs0) and assigns the Service's VIP to it^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]. It then uses the kernel's IPVS module to set up virtual servers for the VIP, using a load balancing scheduler such as round-robin (rr)^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].
  • Advantages: While IPVS also relies on Netfilter (like iptables), it moves the packet processing logic into kernel space^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]. This avoids the overhead of traversing and refreshing a large number of userspace iptables rules, significantly reducing maintenance costs and improving performance in large-scale environments^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].
  • Interaction with iptables: IPVS handles the core load balancing and proxying, but auxiliary functions such as packet filtering and SNAT (Source Network Address Translation) are still managed by a smaller, fixed set of iptables rules^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].

Related

  • [[ClusterIP]]
  • [[kube-proxy]]
  • [[Endpoints]]
  • Ingress

Sources

  • 400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md