How Kube-Proxy Uses Service/Endpoints Info

We've defined Services (the stable frontend) and seen how the Endpoints object dynamically lists the ready backend Pod IPs. But how does the cluster actually make traffic sent to the Service's ClusterIP:Port magically arrive at one of those backend Pod IPs? This translation is the primary job of a component called kube-proxy.

What is kube-proxy?

kube-proxy is a network proxy and load balancer that runs on every node in your Kubernetes cluster. It's typically deployed as a DaemonSet, ensuring an instance is present on each worker and control-plane node. It's not a proxy in the traditional sense of sitting between the client and server for every single request packet; rather, it configures network rules on the node itself to achieve the desired traffic redirection and load balancing.

The Core Task: Implementing the Service Abstraction

The fundamental goal of kube-proxy is to watch the Kubernetes API server and make the Service abstraction actually work at the network level. When you create a Service, kube-proxy sees it. When the Endpoints object for that Service is updated (because Pods became ready, unready, were added, or removed), kube-proxy sees that too.

Mechanism (Conceptual)

Based on the information gathered from watching Service and Endpoints objects, kube-proxy does the following (conceptually):

  1. Watches: It continuously monitors the API server for the creation, update, or deletion of Service and Endpoints objects.

  2. Configures Node Networking: For each Service, it modifies the networking rules on the node it's running on. These rules are designed to:

    • Intercept: Recognize traffic destined for a Service's ClusterIP and Port.

    • Select Backend: Choose one of the healthy backend Pod IPs listed in the addresses field of the corresponding Endpoints object's relevant subset. This selection process provides the load balancing (often simple round-robin or random selection).

    • Redirect/DNAT: Rewrite the destination IP and port of the incoming packet to match the selected backend Pod's IP and targetPort, and then forward the packet.

Example Flow:

  1. A Pod (Client Pod) sends traffic to Service-ClusterIP:Service-Port.

  2. The traffic hits the network stack on the Client Pod's Node.

  3. Networking rules configured by kube-proxy on that Node intercept the packet because the destination matches a known ClusterIP:Port.

  4. kube-proxy's rules consult the current list of ready backend IPs from the Service's Endpoints object (e.g., PodA-IP:TargetPort, PodB-IP:TargetPort).

  5. A backend is selected (e.g., PodB-IP:TargetPort).

  6. The packet's destination is rewritten to PodB-IP:TargetPort.

  7. The packet is forwarded through the cluster network (CNI) towards Pod B.

kube-proxy Modes (Briefly)

kube-proxy can operate in different modes, which change the specific mechanism used to configure the node's network rules, but the goal remains the same. Common modes include:

  • iptables (Common): Uses Linux iptables rules to perform the interception, selection, and redirection (DNAT). Reliable and widespread but can become slow with a very large number of Services.

  • IPVS (IP Virtual Server): Uses the Linux IPVS kernel module, which is designed for load balancing and often offers better performance and scalability than iptables for a large number of services. It typically uses hash tables for efficient lookups.

  • Userspace (Older/Deprecated): Actually proxied connections in userspace. Less efficient and generally not used anymore.

  • Kernelspace (Windows): Uses kernel-level packet filtering on Windows nodes.

Why Understanding This Matters (Even Without Direct Interaction)

As developers interacting with the Kubernetes API using client-go, we do not directly program or configure kube-proxy's logic. We create and manage the input objects (Services, Pods, Labels) that kube-proxy reads from the API server.

However, understanding kube-proxy's role is crucial for:

  • Troubleshooting: When traffic isn't reaching your Pods via a Service, knowing that kube-proxy relies on the Endpoints object helps you check if the endpoints are populated correctly (Are Pods ready? Do they match the selector?). It also points towards potential node-level network rule issues.

  • Performance Considerations: Knowing the difference between iptables and IPVS modes can inform cluster setup decisions if you anticipate a very large number of Services.

  • Conceptual Clarity: It completes the picture of how the stable Service abstraction is translated into dynamic Pod-level routing.

In essence, you use client-go to declare your desired service state (via the Service object), Kubernetes controllers update the observed state (via the Endpoints object), and kube-proxy implements that state across the cluster's nodes.

Next, we'll look at how Kubernetes DNS uses Service information to provide convenient name-based discovery within the cluster.

PreviousThe Endpoints Object: The Real Connection Behind ServicesNextWatching Endpoints Changes in Real-time using Go watch Interface

Last updated

Was this helpful?