Pod Connectivity (CNI, DNS)

Pod connectivity in Kubernetes involves how pods get network addresses, communicate with each other, and discover services. This is handled by two key components: the Container Network Interface (CNI) for network setup and CoreDNS for service discovery. Understanding pod connectivity is essential for troubleshooting networking issues and designing network architectures.

How Pods Connect

When a pod is created, several things happen to enable network connectivity:

  1. CNI Plugin - Assigns IP address and configures networking
  2. Network Namespace - Pod gets isolated network namespace
  3. DNS Configuration - Pod is configured to use CoreDNS
  4. Service Discovery - Pod can discover Services via DNS

  graph TB
    A[Pod Created] --> B[CNI Plugin]
    B --> C[Assigns IP Address]
    C --> D[Configures Network Namespace]
    D --> E[DNS Configuration]
    E --> F[CoreDNS for Service Discovery]
    F --> G[Pod Can Communicate]
    style A fill:#e1f5ff
    style B fill:#fff4e1
    style C fill:#e8f5e9
    style F fill:#fff4e1
    style G fill:#e8f5e9

CNI (Container Network Interface)

CNI is the standard interface between Kubernetes and network plugins. When a pod is created:

  1. kubelet calls CNI plugin - Requests network setup
  2. CNI plugin assigns IP - From configured IP pool
  3. CNI plugin configures network - Sets up routes, bridges, etc.
  4. Pod gets network connectivity - Can communicate with other pods

  graph LR
    A[kubelet] --> B[CNI Plugin]
    B --> C[Network Configuration]
    C --> D[IP Assignment]
    D --> E[Routes & Bridges]
    E --> F[Pod Network Ready]
    style A fill:#e1f5ff
    style B fill:#fff4e1
    style F fill:#e8f5e9

DNS Integration

Kubernetes automatically configures pods to use CoreDNS for DNS resolution:

  • Service discovery - Pods can find Services by DNS name
  • Automatic configuration - DNS is configured in every pod
  • Namespace-aware - A short Service name resolves within the pod's own namespace; Services in other namespaces need the namespace-qualified name

  graph TB
    A[Pod] --> B[DNS Query: my-service]
    B --> C[CoreDNS]
    C --> D[Service IP: 10.96.0.1]
    D --> E[Pod Connects to Service]
    style A fill:#e1f5ff
    style C fill:#fff4e1
    style D fill:#e8f5e9
    style E fill:#fff4e1

Network Namespaces

Each pod gets its own network namespace, providing network isolation:

  • Isolated network stack - Pod has its own network interfaces
  • Independent routing - Pod has its own routing table
  • Isolated from host - Pod network is separate from node network

  graph TB
    subgraph node[Node]
      A[Host Network Namespace]
      B[Pod 1 Network Namespace]
      C[Pod 2 Network Namespace]
      D[Pod 3 Network Namespace]
    end
    E[CNI Plugin] --> B
    E --> C
    E --> D
    style A fill:#fff4e1
    style B fill:#e8f5e9
    style C fill:#e8f5e9
    style D fill:#e8f5e9

Pod-to-Pod Communication

Pods communicate with each other using their assigned IP addresses:

Same Node

Pods on the same node communicate via the node’s network bridge:

  graph LR
    A[Pod 1<br/>10.244.1.5] --> B[Network Bridge]
    C[Pod 2<br/>10.244.1.6] --> B
    B --> D[Node Network]
    style A fill:#e8f5e9
    style C fill:#e8f5e9
    style B fill:#fff4e1

Different Nodes

Pods on different nodes communicate via the cluster network:

  graph TB
    A[Pod on Node 1<br/>10.244.1.5] --> B[Node 1 Network]
    B --> C[Cluster Network]
    C --> D[Node 2 Network]
    D --> E[Pod on Node 2<br/>10.244.2.3]
    style A fill:#e8f5e9
    style E fill:#e8f5e9
    style C fill:#fff4e1
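The same-node and cross-node paths above are decided by nothing more than which node's podCIDR each address falls in, and both paths only work if the pod, Service and node ranges never collide. The following is an added example, not code from the original page: it classifies a pod-to-pod path from a constructed set of per-node podCIDRs (the page's 10.244.1.x and 10.244.2.x pods become two such /24 slices of a 10.244.0.0/16 cluster range) and checks the kind of IP-plan overlap that breaks routing. All CIDR values are constructed sample data, not from any real cluster.

```python
"""Classify pod-to-pod paths from node podCIDRs and sanity-check the IP plan.

Added example, not from the original page. The CIDRs are constructed sample
values: a /16 cluster pod range carved into per-node /24s, a service range
and the node (host) network.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed sample plan (not taken from a real cluster).
CLUSTER_POD_CIDR = ipaddress.ip_network("10.244.0.0/16")
SERVICE_CIDR = ipaddress.ip_network("10.96.0.0/12")
NODE_NETWORK = ipaddress.ip_network("192.168.1.0/24")
NODE_POD_CIDRS: Dict[str, IPv4Net] = {
    "node-1": ipaddress.ip_network("10.244.1.0/24"),
    "node-2": ipaddress.ip_network("10.244.2.0/24"),
}


def node_for(ip: str, node_pod_cidrs: Dict[str, IPv4Net] = NODE_POD_CIDRS) -> Optional[str]:
    """Return the node whose podCIDR contains `ip`, or None if it is not a pod IP."""
    addr = ipaddress.ip_address(ip)
    for node, cidr in node_pod_cidrs.items():
        if addr in cidr:
            return node
    return None


def path(src: str, dst: str) -> str:
    """Which of the page's paths a packet takes:
    'same-node' (node bridge only), 'cross-node' (via the cluster network)
    or 'external' (at least one address is outside every podCIDR)."""
    s, d = node_for(src), node_for(dst)
    if s is None or d is None:
        return "external"
    return "same-node" if s == d else "cross-node"


def plan_problems(pod_cidr: IPv4Net, service_cidr: IPv4Net, node_network: IPv4Net,
                  node_pod_cidrs: Dict[str, IPv4Net]) -> List[str]:
    """Return human-readable problems with an IP plan; an empty list means it is sound.

    Checks: the three top-level ranges must be disjoint, every node podCIDR
    must lie inside the cluster pod range, and node podCIDRs must not overlap.
    """
    problems: List[str] = []
    top_level = {"pod CIDR": pod_cidr, "service CIDR": service_cidr, "node network": node_network}
    for (name_a, net_a), (name_b, net_b) in combinations(top_level.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    for node, cidr in node_pod_cidrs.items():
        if not cidr.subnet_of(pod_cidr):
            problems.append(f"{node} podCIDR {cidr} is outside the pod CIDR {pod_cidr}")
    for (node_a, net_a), (node_b, net_b) in combinations(node_pod_cidrs.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{node_a} podCIDR {net_a} overlaps {node_b} podCIDR {net_b}")
    return problems


if __name__ == "__main__":
    print(path("10.244.1.5", "10.244.1.6"))  # pods on node-1
    print(path("10.244.1.5", "10.244.2.3"))  # node-1 to node-2
    print(plan_problems(CLUSTER_POD_CIDR, SERVICE_CIDR, NODE_NETWORK, NODE_POD_CIDRS))
    # A service range carved out of the pod range: the classic planning mistake.
    print(plan_problems(CLUSTER_POD_CIDR, ipaddress.ip_network("10.244.0.0/20"),
                        NODE_NETWORK, NODE_POD_CIDRS))
```

The check is worth running before a cluster is built rather than after: once the service and pod ranges overlap, a ClusterIP and a pod IP can be the same address and the symptom is intermittent connectivity that looks like a CNI fault.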

Service Discovery

Pods discover Services via DNS:

DNS Names

  • Short name: my-service (same namespace)
  • FQDN: my-service.default.svc.cluster.local
  • Cross-namespace: my-service.production.svc.cluster.local

DNS Resolution Flow

  graph LR
    A[Pod] --> B[DNS Query]
    B --> C{Namespace?}
    C -->|Same| D[Short Name Works]
    C -->|Different| E[Use FQDN]
    D --> F[CoreDNS]
    E --> F
    F --> G[Service IP]
    G --> H[Service Routes to Pods]
    style A fill:#e1f5ff
    style F fill:#fff4e1
    style G fill:#e8f5e9
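The reason a short name works in the pod's own namespace, and a cross-namespace name needs the longer form, is the search list kubelet writes into each pod's /etc/resolv.conf, combined with the ndots option. The following is an added example, not code from the original page: it models glibc-style search-list expansion with the default pod resolv.conf for the `default` namespace (search domains `default.svc.cluster.local svc.cluster.local cluster.local`, `ndots:5`) and a simplified stand-in for the CoreDNS kubernetes plugin that answers `<service>.<namespace>.svc.cluster.local`. The Service table and its ClusterIPs are constructed sample data; the example also shows how many queries each form of the name costs, which the flow above does not.

```python
"""Simulate how a pod's resolver turns a Service name into DNS queries.

Added example, not part of the original page. SEARCH_DOMAINS and NDOTS are
the defaults kubelet writes for a pod in the `default` namespace with the
`cluster.local` cluster domain; SERVICES is constructed sample data standing
in for the records CoreDNS would serve.
"""
from typing import Dict, List, Optional, Tuple

# What /etc/resolv.conf looks like inside a pod in the `default` namespace.
SEARCH_DOMAINS = ["default.svc.cluster.local", "svc.cluster.local", "cluster.local"]
NDOTS = 5

# Constructed: (service, namespace) -> ClusterIP.
SERVICES: Dict[Tuple[str, str], str] = {
    ("kubernetes", "default"): "10.96.0.1",
    ("my-service", "default"): "10.96.12.34",
    ("my-service", "production"): "10.96.56.78",
}


def candidate_queries(name: str) -> List[str]:
    """Return the absolute names a glibc-style resolver tries, in order.

    A trailing dot marks the name as absolute and bypasses the search list.
    Otherwise a name with fewer than NDOTS dots is tried with each search
    domain appended first and as given last; with NDOTS or more dots the
    order is reversed.
    """
    if name.endswith("."):
        return [name]
    with_search = [f"{name}.{domain}." for domain in SEARCH_DOMAINS]
    as_is = [f"{name}."]
    return with_search + as_is if name.count(".") < NDOTS else as_is + with_search


def coredns_answer(fqdn: str) -> Optional[str]:
    """Simplified model of the CoreDNS kubernetes plugin: answer
    <service>.<namespace>.svc.cluster.local. with the ClusterIP, else NXDOMAIN (None)."""
    labels = fqdn.rstrip(".").split(".")
    if len(labels) == 5 and labels[2:] == ["svc", "cluster", "local"]:
        return SERVICES.get((labels[0], labels[1]))
    return None


def resolve(name: str) -> Tuple[Optional[str], List[str]]:
    """Resolve `name` from the pod's point of view.

    Returns the ClusterIP (or None) and the queries actually sent, in order,
    so the cost of a short name versus an FQDN is visible.
    """
    sent: List[str] = []
    for query in candidate_queries(name):
        sent.append(query)
        ip = coredns_answer(query)
        if ip is not None:
            return ip, sent
    return None, sent


if __name__ == "__main__":
    for n in ["my-service", "my-service.production",
              "my-service.production.svc.cluster.local",
              "my-service.production.svc.cluster.local.", "nosuch"]:
        ip, sent = resolve(n)
        print(f"{n!r:48} -> {ip}  ({len(sent)} queries)")
```

Two things fall out of running it: `my-service.production` resolves on the second query because the `svc.cluster.local` search domain completes it, and the fully qualified name without a trailing dot is the slowest form, since every search domain is tried first. Writing Service names as `my-service.production.svc.cluster.local.` (trailing dot) in application configuration avoids that extra DNS load on CoreDNS.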

Network Policies Impact

Network Policies can restrict pod connectivity:

  • Ingress rules - Control incoming traffic
  • Egress rules - Control outgoing traffic
  • CNI enforcement - Policies enforced by CNI plugin

  graph TB
    A[Pod A] -->|Policy Allows| B[Pod B]
    A -.->|Policy Denies| C[Pod C]
    D[Network Policy] --> E[CNI Plugin Enforces]
    E --> B
    E --> C
    style D fill:#e8f5e9
    style E fill:#fff4e1
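What "policy allows" and "policy denies" mean is not obvious from the diagram, because NetworkPolicy is additive: a pod that no policy selects accepts all traffic, a pod that any policy selects for a direction becomes isolated in that direction, and a connection then needs one matching rule on the sender's egress side and one on the receiver's ingress side. The following is an added example, not code from the original page or any CNI plugin: it implements those semantics for `matchLabels` selectors and evaluates a constructed set of policies (default deny, an egress allowance for DNS to kube-dns, and a frontend-to-backend rule) against constructed pods. It only models what a policy-capable CNI would enforce; a CNI plugin without NetworkPolicy support accepts the objects and enforces nothing.

```python
"""Evaluate Kubernetes NetworkPolicy semantics for label-selected pods.

Added example, not from the original page or any CNI plugin. Pods, namespaces
and policies below are constructed sample data; only `matchLabels` selectors,
pod/namespace peers and (protocol, port) pairs are modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Labels = Dict[str, str]
Port = Tuple[str, int]  # (protocol, port)


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: Labels


@dataclass
class Peer:
    """One entry of an ingress `from` / egress `to` list."""
    pod_selector: Optional[Labels] = None        # None -> not constrained by pod labels
    namespace_selector: Optional[Labels] = None  # None -> the policy's own namespace


@dataclass
class Rule:
    peers: List[Peer] = field(default_factory=list)  # empty -> any peer
    ports: List[Port] = field(default_factory=list)  # empty -> any port


@dataclass
class Policy:
    name: str
    namespace: str
    pod_selector: Labels            # {} -> every pod in the namespace
    policy_types: List[str]         # "Ingress" and/or "Egress"
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)


def matches(labels: Labels, selector: Labels) -> bool:
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer: Peer, policy_ns: str, other: Pod, namespaces: Dict[str, Labels]) -> bool:
    if peer.namespace_selector is not None:
        if not matches(namespaces.get(other.namespace, {}), peer.namespace_selector):
            return False
    elif other.namespace != policy_ns:   # podSelector alone is scoped to the policy's namespace
        return False
    return peer.pod_selector is None or matches(other.labels, peer.pod_selector)


def rule_allows(rule: Rule, policy_ns: str, other: Pod, port: Port, namespaces: Dict[str, Labels]) -> bool:
    peer_ok = not rule.peers or any(peer_matches(p, policy_ns, other, namespaces) for p in rule.peers)
    port_ok = not rule.ports or port in rule.ports
    return peer_ok and port_ok


def direction_allowed(direction: str, subject: Pod, other: Pod, port: Port,
                      policies: List[Policy], namespaces: Dict[str, Labels]) -> bool:
    """Is `subject` allowed to talk to/from `other` in `direction` ("Ingress"/"Egress")?"""
    selecting = [p for p in policies
                 if p.namespace == subject.namespace
                 and matches(subject.labels, p.pod_selector)
                 and direction in p.policy_types]
    if not selecting:
        return True   # not isolated in this direction: everything allowed
    for p in selecting:  # policies are additive: any matching rule anywhere allows
        rules = p.ingress if direction == "Ingress" else p.egress
        if any(rule_allows(r, p.namespace, other, port, namespaces) for r in rules):
            return True
    return False


def allowed(src: Pod, dst: Pod, port: Port, policies: List[Policy], namespaces: Dict[str, Labels]) -> bool:
    """A connection needs the sender's egress side and the receiver's ingress side to allow it."""
    return (direction_allowed("Egress", src, dst, port, policies, namespaces)
            and direction_allowed("Ingress", dst, src, port, policies, namespaces))


# Constructed sample cluster.
NAMESPACES = {"default": {"kubernetes.io/metadata.name": "default"},
              "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}
FRONTEND = Pod("frontend", "default", {"app": "frontend"})
BACKEND = Pod("backend", "default", {"app": "backend"})
OTHER = Pod("other", "default", {"app": "other"})
COREDNS = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})
KUBE_DNS = Peer(pod_selector={"k8s-app": "kube-dns"},
                namespace_selector={"kubernetes.io/metadata.name": "kube-system"})
POLICIES = [
    Policy("default-deny", "default", {}, ["Ingress", "Egress"]),
    Policy("allow-dns-egress", "default", {}, ["Egress"],
           egress=[Rule([KUBE_DNS], [("UDP", 53), ("TCP", 53)])]),
    Policy("frontend-to-backend", "default", {"app": "backend"}, ["Ingress"],
           ingress=[Rule([Peer(pod_selector={"app": "frontend"})], [("TCP", 8080)])]),
    Policy("frontend-egress", "default", {"app": "frontend"}, ["Egress"],
           egress=[Rule([Peer(pod_selector={"app": "backend"})], [("TCP", 8080)])]),
]
WITHOUT_DNS_RULE = [p for p in POLICIES if p.name != "allow-dns-egress"]
```

The `WITHOUT_DNS_RULE` variant reproduces the "DNS Not Working" symptom from the troubleshooting section: with a default-deny egress policy in place and no rule allowing UDP/TCP 53 to kube-dns, every Service lookup from the namespace fails even though CoreDNS itself is healthy.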

Common Connectivity Scenarios

Pod to Service

  graph LR
    A[Pod] --> B[DNS: my-service]
    B --> C[CoreDNS]
    C --> D[Service IP]
    D --> E[Service Routes]
    E --> F[Backend Pods]
    style A fill:#e1f5ff
    style D fill:#e8f5e9
    style F fill:#fff4e1

Pod to Pod (Direct)

  graph LR
    A[Pod 1] --> B[Knows Pod 2 IP]
    B --> C[Direct Connection]
    C --> D[Pod 2]
    style A fill:#e8f5e9
    style D fill:#e8f5e9

Pod to External

  graph LR
    A[Pod] --> B[External IP]
    B --> C[Node Network]
    C --> D[Internet]
    style A fill:#e8f5e9
    style D fill:#fff4e1

Troubleshooting Connectivity

Pod Cannot Reach Service

  1. Check Service exists: kubectl get service <name>
  2. Verify DNS resolution: kubectl run -it --rm debug --image=busybox --restart=Never -- nslookup <service-name>
  3. Check Endpoints: kubectl get endpoints <service-name>
  4. Test Service directly: kubectl port-forward service/<name> <port>
  5. Check Network Policies: kubectl get networkpolicies

Pod Cannot Reach Other Pods

  1. Check pod IPs: kubectl get pods -o wide
  2. Test connectivity: kubectl exec <pod> -- ping <other-pod-ip>
  3. Check Network Policies: Verify policies allow communication
  4. Check CNI plugin: Ensure CNI plugin is working
  5. Review node network: Check node network configuration

DNS Not Working

  1. Check CoreDNS: kubectl get pods -n kube-system -l k8s-app=kube-dns
  2. Test DNS: kubectl run -it --rm debug --image=busybox --restart=Never -- nslookup kubernetes.default
  3. Check DNS config: kubectl get configmap coredns -n kube-system -o yaml
  4. Verify Network Policies: Ensure DNS egress is allowed
  5. Check CoreDNS logs: kubectl logs -n kube-system -l k8s-app=kube-dns

Best Practices

  1. Use Services for discovery - Don’t rely on pod IPs directly
  2. Use DNS names - Use Service DNS names instead of IPs
  3. Test connectivity - Regularly test pod-to-pod and pod-to-service connectivity
  4. Monitor DNS - Monitor CoreDNS health and performance
  5. Document network architecture - Document how pods connect
  6. Use Network Policies - Implement network isolation
  7. Choose CNI wisely - Select CNI plugin that meets your needs
  8. Plan IP ranges - Plan pod and service IP ranges carefully
  9. Monitor network performance - Track network latency and throughput
  10. Keep CNI updated - Track the CNI plugin's releases and apply its updates
