Skip to content

Advanced Networking & CNI

🎯 Learning Objectives

  • Understand CNI architecture and plugins
  • Master network policies and security
  • Learn advanced networking patterns
  • Troubleshoot complex networking issues
  • Optimize network performance

Networking is one of the most complex aspects of Kubernetes. Understanding CNI, network policies, and advanced patterns is essential for expert-level operations.

Network Complexity

Most Kubernetes issues are networking-related. Deep understanding of CNI and network policies is crucial.

Network Policies

Misconfigured network policies can block legitimate traffic. Always test policies in non-production first.

CNI Architecture

CNI Plugins

CNI (Container Network Interface) plugins provide networking for pods.

Popular CNI Plugins: - Calico: BGP-based networking, network policies - Flannel: Simple overlay network - Weave: Encrypted overlay network - Cilium: eBPF-based, advanced features - Antrea: Open vSwitch-based

CNI Selection

Choose CNI based on requirements: performance, features, encryption, network policies.

CNI Configuration

{
  "cniVersion": "0.3.1",
  "name": "mynet",
  "type": "bridge",
  "bridge": "cni0",
  "ipam": {
    "type": "host-local",
    "subnet": "10.244.0.0/16"
  }
}

CNI Troubleshooting

Check CNI plugin logs, verify IPAM allocation, test pod-to-pod connectivity.

Network Policies

Basic Network Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Default Deny

Network policies are deny-by-default. Explicitly allow required traffic.

Advanced Network Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-network-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    - namespaceSelector:
        matchLabels:
          name: monitoring
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

Network Policy Best Practices

  • Start with deny-all, then allow specific traffic
  • Use labels for policy matching
  • Test policies incrementally
  • Document policy rationale

Troubleshooting

Common Networking Issues

Pods Cannot Communicate

# Check pod IP
kubectl get pod <pod-name> -o wide

# Test connectivity
kubectl exec <pod-1> -- ping <pod-2-ip>

# Check network policies
kubectl get networkpolicies --all-namespaces

# Check CNI plugin
kubectl logs -n kube-system <cni-pod>

Systematic Troubleshooting

  1. Verify pod IPs are assigned
  2. Check network policies
  3. Verify CNI plugin is working
  4. Test node-to-node connectivity
  5. Check firewall rules

Service Not Accessible

# Check service endpoints
kubectl get endpoints <service-name>

# Check service selector
kubectl describe service <service-name>

# Test service from pod
kubectl run test-pod --image=busybox --rm -it -- wget -O- <service-name>

Best Practices

Production Recommendations

  1. Use network policies for security
  2. Monitor network performance metrics
  3. Choose CNI based on requirements
  4. Test network policies thoroughly
  5. Document network architecture
  6. Implement network segmentation

Next Chapter: Service Mesh Deep Dive