Kubernetes: Relationship between Flannel, VXLAN, and kube-proxy

Very short post to put down my understanding of some Kubernetes topics. May elaborate later.

Flannel (L3): “L3 network fabric”. Allocates IP ranges. Doesn’t forward packets, done by…
VXLAN (L2 in L3, a bit like VLANs over multiple switches except now it’s a broadcast domain routed via IP): Encapsulates Ethernet frames in packets to be sent over the network to other hosts. Creates single logical network that “overlays” the physical and makes it look like the pods are all in the same, directly connected network.
kube-proxy (L4): “Reflects” TCP ports around to make it look like, externally to a pod, that services are running on their standard ports. For example, an app might bind to port 8443 in its container, which is then exposed to some arbitrary port on the host OS. Then the K8s Service will route from the regular port 443 to this arbitrary port and onto the actual service in the container. Kube-proxy is the one “listening” on port 443 then reflecting to the container exposed port. This is commonly done in the Linux kernel via iptables redirections (maybe some NAT too?).

Share on

Example of ZScaler with Python + direnv + update root certs

For those using ZScaler security products to intercept and scan TLS traffic this post shows an approach that worked for me to get Python working. ZScaler int...

AWS CDK and CloudFormation “Logical ID” vs. actual resource name

When I started out with CDK I was confused by the ubiquitous id parameter that all CDK resources take. I now realise this is just a handle for identifying re...

GraphQL to find PR associated with branch

This about a mini adventure to find which PR(s) belong to which branch using GitHub GraphQL for a GitHub Action project.

Josephus - generalised binary recurrence unfolding

I have some confusion around the meaning of $b_m$ and $b_j$. I think it is as follows:

Friedrich "Fred" Clausen