K8s Networking Demystified

Learn pod networking, VXLAN tunneling, and kube-proxy through mental models

Pod Network Isolation

Every pod in Kubernetes gets its own network namespace — a completely isolated network stack. The pod can't see the host's eth0, other pods' interfaces, or any physical network details. It only sees its own eth0 and lo.

Key Insight: Pods Live in Their Own Network World

When a container inside a pod runs ip addr, it sees only two interfaces: eth0 (with a pod IP like 10.42.0.5) and lo. The physical NIC, the bridge, other pods — all invisible. This is Linux network namespaces at work.

What Each Perspective Sees

$ ip addr   # run on the node

  Interface    Address               Role
  eth0         inet 192.168.1.100    Physical NIC
  cni0         inet 10.42.0.1        Pod bridge
  flannel.1    inet 10.42.0.0        VXLAN tunnel
  veth1234     inet (none)           Pair → Pod A eth0
  veth5678     inet (none)           Pair → Pod B eth0

The Building Blocks

The pod sees only eth0 (connected via veth pair to the host bridge). It cannot see the host eth0 or other pods' interfaces.

How a Pod Connects to the Node

  Pod network namespace
    eth0 (10.42.0.5)
        |  veth pair
        v
  Host network namespace
    veth1234 → cni0 bridge (10.42.0.1)
        |  routing decision
        +-- same node:  cni0 → destination pod's veth
        +-- other node: flannel.1 (VXLAN) → eth0
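The diagram above really describes two routing decisions: one inside the pod's namespace, where the only interface that exists is eth0, and one on the host, where the destination prefix decides between the cni0 bridge and the flannel.1 VXLAN tunnel. The following Python model walks a packet through both lookups. It is an added illustration, not code from the original page; every address, interface name, the peer node's pod CIDR (10.42.1.0/24) and the VTEP mapping are constructed in the style of a flannel VXLAN setup.

```python
"""Model of the two routing decisions behind the pod-to-node diagram: first
inside the pod's network namespace, then on the host. Added illustration,
not code from the original page. All addresses, interface names and the
peer-node entries are constructed in the style of a flannel VXLAN setup."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                     # outgoing interface
    via: Optional[str] = None    # next-hop address; None when directly connected


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed: what `ip route` shows inside the pod. Only eth0 exists here.
POD_ROUTES = [
    Route(net("0.0.0.0/0"), "eth0", "10.42.0.1"),   # everything goes to the cni0 gateway
    Route(net("10.42.0.0/24"), "eth0"),              # local pod subnet, directly connected
]

# Constructed: what `ip route` shows on the node after flannel has programmed it.
HOST_ROUTES = [
    Route(net("0.0.0.0/0"), "eth0", "192.168.1.1"),          # default route to the LAN gateway
    Route(net("192.168.1.0/24"), "eth0"),                     # physical network
    Route(net("10.42.0.0/24"), "cni0"),                       # this node's pods, via the bridge
    Route(net("10.42.1.0/24"), "flannel.1", "10.42.1.0"),     # peer node's pods, via VXLAN
]

# Constructed: which veth on cni0 leads to which local pod, and which
# physical node IP (VTEP) stands behind each flannel.1 next hop.
VETH_BY_POD_IP = {"10.42.0.5": "veth1234", "10.42.0.6": "veth5678"}
VTEP_BY_NEXT_HOP = {"10.42.1.0": "192.168.1.101"}


def lookup(dst: str, routes: List[Route]) -> Route:
    """Longest-prefix match, the rule the kernel applies to a routing table."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def forward(dst: str) -> List[str]:
    """Hop sequence for a packet leaving pod 10.42.0.5 towards dst."""
    pod_route = lookup(dst, POD_ROUTES)
    # Every pod route points at eth0: the pod cannot name any other interface.
    path = [f"pod {pod_route.dev}", "veth pair", "cni0 bridge"]
    host_route = lookup(dst, HOST_ROUTES)
    if host_route.dev == "cni0":
        # Same node: the bridge switches the frame to the destination pod's veth.
        path.append(VETH_BY_POD_IP.get(dst, "veth (unknown pod)"))
    elif host_route.dev == "flannel.1":
        # Other node: VXLAN encapsulates the frame; the outer packet leaves on eth0.
        vtep = VTEP_BY_NEXT_HOP[host_route.via]
        path += ["flannel.1 (VXLAN encap)", "eth0", f"node {vtep}"]
    else:
        # Off-cluster: ordinary host routing (typically SNAT to the node IP).
        path += [host_route.dev, f"gateway {host_route.via}"]
    return path


if __name__ == "__main__":
    for dst in ("10.42.0.6", "10.42.1.9", "8.8.8.8"):
        print(dst, "->", " -> ".join(forward(dst)))
```

Running it prints the three cases from the diagram: a same-node destination ends at the other pod's veth, a peer-node destination is encapsulated on flannel.1 and leaves through the physical eth0 towards the peer's node address, and anything outside the pod CIDRs follows the node's default route. The pod-side table makes the isolation point concrete: every route a pod can see names eth0, so the bridge, the tunnel and the physical NIC never appear in its view.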

The Mental Model

Think of each pod as living in a soundproof room with a single phone line (eth0). The pod can make and receive calls, but it has no idea what the building's phone system looks like — it doesn't know about the switchboard (cni0 bridge), the trunk lines (flannel.1), or other rooms' phones.