K8S_POD-to-POD
root@ems203-m1:/home/labadmin# kubectl get pods -A -o wide | grep ems203-w2
ems edgecloud-suse-adapter-df5d6d78b-m5zc2 1/1 Running 0 13m 10.233.101.222 ems203-w2 <none> <none>
ems ems-a10nsp-accounting-89c69b796-rpb9k 1/1 Running 0 4m28s 10.233.101.224 ems203-w2 <none> <none>
root@ems203-w2:/home/labadmin# ip r
default via 172.27.71.254 dev ens3 proto static
blackhole 10.233.101.192/26 proto 80
10.233.101.222 dev cali11299111064 scope link
10.233.101.224 dev caliaa479e31ff6 scope link
** Both IPs are in: 10.233.101.192/26
default via 172.27.71.254 dev ens3 proto static
blackhole 10.233.101.192/26 proto 80
10.233.101.222 dev cali11299111064 scope link
10.233.101.224 dev caliaa479e31ff6 scope link
** Both IPs are in: 10.233.101.192/26
Step-by-step: Pod → Pod on same node
1️.Pod A sends packet
Pod A (10.233.101.222) sends traffic to:
DST = 10.233.101.224
2️.Packet enters host namespace
Leaves Pod A via veth
Enters host on interface:
cali11299111064
3️.Linux routing lookup (THIS table)
Kernel evaluates routes top-down, longest prefix first.
It finds:
10.233.101.224 dev caliaa479e31ff6 scope link
** Exact /32 route wins ** VXLAN route is NOT used ** Blackhole is NOT used
4️.Why VXLAN is NOT used
You also have:
10.233.101.128/26 via 10.233.101.128 dev vxlan.calico onlink
But /32 routes (10.233.101.224) are more specific than /26.
** Linux routing rule: Most specific route always wins
So: /32 (pod) > /26 (subnet)
5️.Blackhole route (why it exists)
blackhole 10.233.101.192/26 proto 80
This is a Calico safety mechanism:
Prevents packets from leaking into VXLAN accidentally
If a pod IP has no local cali route*, traffic is dropped
Avoids routing loops & silent failures
But since /32 exists → blackhole is ignored.
6️.Packet delivered to Pod B
Packet exits via:
cali aa479e31ff6
Enters Pod B’s veth
App receives packet
** No NAT,No VXLAN,No physical NIC,No kube-proxy
Visual datapath (your exact node)
Pod A (10.233.101.222)
|
| veth
|
cali11299111064
|
| Linux routing (/32 match)
|
cali aa479e31ff6
|
| veth
|
Pod B (10.233.101.224)
What VXLAN routes are used for
Example:
10.233.100.128/26 via 10.233.100.128 dev vxlan.calico onlink
Pods on other nodes
Flow:
Pod → cali → vxlan.calico → ens3 → remote node → vxlan → cali → pod
1️.Pod A sends packet
Pod A (10.233.101.222) sends traffic to:
DST = 10.233.101.224
2️.Packet enters host namespace
Leaves Pod A via veth
Enters host on interface:
cali11299111064
3️.Linux routing lookup (THIS table)
Kernel evaluates routes top-down, longest prefix first.
It finds:
10.233.101.224 dev caliaa479e31ff6 scope link
** Exact /32 route wins ** VXLAN route is NOT used ** Blackhole is NOT used
4️.Why VXLAN is NOT used
You also have:
10.233.101.128/26 via 10.233.101.128 dev vxlan.calico onlink
But /32 routes (10.233.101.224) are more specific than /26.
** Linux routing rule: Most specific route always wins
So: /32 (pod) > /26 (subnet)
5️.Blackhole route (why it exists)
blackhole 10.233.101.192/26 proto 80
This is a Calico safety mechanism:
Prevents packets from leaking into VXLAN accidentally
If a pod IP has no local cali route*, traffic is dropped
Avoids routing loops & silent failures
But since /32 exists → blackhole is ignored.
6️.Packet delivered to Pod B
Packet exits via:
cali aa479e31ff6
Enters Pod B’s veth
App receives packet
** No NAT,No VXLAN,No physical NIC,No kube-proxy
Visual datapath (your exact node)
Pod A (10.233.101.222)
|
| veth
|
cali11299111064
|
| Linux routing (/32 match)
|
cali aa479e31ff6
|
| veth
|
Pod B (10.233.101.224)
What VXLAN routes are used for
Example:
10.233.100.128/26 via 10.233.100.128 dev vxlan.calico onlink
Pods on other nodes
Flow:
Pod → cali → vxlan.calico → ens3 → remote node → vxlan → cali → pod
Comments
Post a Comment