Container Networking

Definition

The network layer that provides communication between containers, between containers and the host, and with external networks. Technologies such as Docker bridge networks, Kubernetes CNI and overlay networks provide container connectivity.

Network Namespaces and Virtual Interfaces

Container networking is built on Linux network namespaces, which give each container an isolated network stack with its own interfaces, routing table, and firewall rules. Containers connect to the host network via virtual Ethernet pairs (veth). A container runtime or CNI (Container Network Interface) plugin creates these pairs, attaches one end to the container namespace and the other to a bridge or directly to an overlay network interface on the host.

CNI Plugins and Networking Models

Different CNI plugins implement different networking models. Bridge mode places containers on a shared Layer 2 segment with NAT for external connectivity; it is simple but limits throughput. Host networking shares the host's network stack directly, maximizing performance but losing isolation. Overlay plugins like Flannel and Calico build overlay network fabrics that route container traffic across hosts using VXLAN or BGP, enabling pod-to-pod communication without depending on the physical underlay network topology.

Service Discovery and Load Balancing

Containers are ephemeral: IPs change with restarts. Service discovery mechanisms provide stable virtual IPs backed by dynamic load balancer rules implemented in iptables or eBPF. East-west traffic within a cluster travels through these virtual IPs without leaving the host. North-south traffic passes through an ingress controller or reverse proxy. The MTU must be reduced inside containers to account for overlay encapsulation headers, typically to 1450 bytes for VXLAN over a 1500-byte underlay. A subnet calculator helps plan pod and service CIDR ranges without conflicting with host networks.
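As an added example (not code from the original page or from any CNI project), the two planning checks this section describes, written in Python: the container MTU budget for a given encapsulation, and whether pod and service CIDRs collide with each other or with host networks. The per-encapsulation overhead table and the /24-per-node block size are assumptions stated in the code, and the sample plan is constructed.

```python
"""Checks for a container overlay network plan: MTU budget and CIDR overlap."""
import ipaddress

# Assumed bytes each encapsulation adds in front of the inner Ethernet frame.
# VXLAN = outer Ethernet 14 + outer IPv4 20 + UDP 8 + VXLAN header 8 = 50.
ENCAP_OVERHEAD = {
    "none": 0,    # host networking, or pods routed natively via BGP (no encapsulation)
    "vxlan": 50,  # VXLAN backend over an IPv4 underlay
    "ipip": 20,   # IP-in-IP: one extra IPv4 header
    "gre": 24,    # IPv4 20 + minimal GRE 4
}

def overlay_mtu(underlay_mtu, encap):
    """MTU to set on container interfaces so encapsulated packets fit the underlay."""
    return underlay_mtu - ENCAP_OVERHEAD[encap]

def node_blocks(pod_cidr, node_mask=24):
    """How many per-node pod blocks (assumed /24 each) a pod CIDR can hand out."""
    net = ipaddress.ip_network(pod_cidr, strict=True)
    if node_mask < net.prefixlen:
        return 0
    return 2 ** (node_mask - net.prefixlen)

def cidr_conflicts(pod_cidr, service_cidr, host_networks):
    """Return (cluster_range_name, overlapping_cidr) pairs; empty list means no conflict.

    Overlaps cause routing ambiguity: a pod or service VIP could shadow a real
    host address, or host routes could swallow cluster-internal traffic.
    """
    pod = ipaddress.ip_network(pod_cidr, strict=True)
    svc = ipaddress.ip_network(service_cidr, strict=True)
    conflicts = []
    if pod.overlaps(svc):
        conflicts.append(("pod", str(svc)))
    for host in host_networks:
        h = ipaddress.ip_network(host, strict=True)
        if pod.overlaps(h):
            conflicts.append(("pod", str(h)))
        if svc.overlaps(h):
            conflicts.append(("service", str(h)))
    return conflicts

if __name__ == "__main__":
    # Constructed sample plan, not taken from any real cluster.
    print("container MTU for VXLAN over 1500:", overlay_mtu(1500, "vxlan"))
    print("/24 node blocks in 10.244.0.0/16:", node_blocks("10.244.0.0/16"))
    print("conflicts:", cidr_conflicts("10.244.0.0/16", "10.96.0.0/12",
                                       ["192.168.1.0/24", "10.100.0.0/16"]))
```

In the sample plan the service range 10.96.0.0/12 spans 10.96.0.0 to 10.111.255.255, so the host network 10.100.0.0/16 is reported as a conflict while the pod range is clean.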
