CNI and Flannel in Kubernetes

Understanding CNI (Container Network Interface)

CNI (Container Network Interface) is a specification, plus a small set of libraries, for plugins that attach and detach a container's network interface. The kubelet calls the configured CNI plugin whenever a pod sandbox is created or deleted; the plugin (Flannel, Calico, and so on) does the actual work of handing out the pod IP and wiring up routes, so a pod can reach any other pod by IP whether it is on the same node or elsewhere in the cluster.

Flannel

Flannel provides pod-to-pod connectivity only: a flat layer-3 overlay (VXLAN by default) that gives each node a slice of the pod CIDR and routes between nodes. It does not implement the Kubernetes NetworkPolicy API, so NetworkPolicy objects are accepted by the API server but never enforced, and every pod can reach every other pod and Service. If you need policy enforcement, use Calico or a similar CNI that implements it, but be aware that Calico is more complex to operate.

Deploying Flannel with kubectl

Prerequisites

On every node (control plane and workers), ensure the CNI reference plugins (bridge, host-local, loopback, portmap and friends from the containernetworking/plugins release, usually shipped by the kubernetes-cni package) are installed in /opt/cni/bin. The Flannel manifest's init container copies the flannel plugin binary itself, but flannel delegates to bridge, host-local and portmap and fails without them.

Steps

  1. Download the latest Flannel YAML:
    wget https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
  2. Edit net-conf.json in the kube-flannel-cfg ConfigMap of the downloaded file so that "Network" matches the pod CIDR the cluster was created with (kubeadm init --pod-network-cidr=...). The manifest ships with 10.244.0.0/16; if the two values differ, pods receive addresses that Flannel will not route.
  3. Apply the configuration:
    kubectl apply -f kube-flannel.yml
  4. Verify flanneld process is running on control plane and worker nodes:
    ps -eaf | grep flanneld
  5. Check kube-flannel pods:
    kubectl get pod --namespace kube-flannel
  6. If the Flannel pods are not running, check the kubelet logs on the affected node (sudo journalctl -u kubelet -n 100) for CNI errors such as "cni plugin not initialized". Restarting the kubelet (sudo systemctl restart kubelet) or, failing that, the VM may clear it.
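The steps above as one script, added here as an example (not Flannel's own tooling and not part of the original notes). It assumes the layout of kube-flannel.yml (net-conf.json inside the kube-flannel-cfg ConfigMap, a DaemonSet named kube-flannel-ds); the variable MANIFEST_URL and the function names are this example's own. The CIDR is validated and the patched file is re-read before anything is applied, so a typo fails the script instead of silently deploying a network Flannel will not route.

```shell
#!/bin/sh
# Added example, not part of Flannel or the original notes: runs the deployment steps
# as one script, with the pod CIDR patched into the manifest and verified before apply.
# Assumes the kube-flannel.yml layout (net-conf.json inside the kube-flannel-cfg ConfigMap,
# DaemonSet named kube-flannel-ds); MANIFEST_URL and the function names are this example's own.
set -eu

MANIFEST_URL="https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml"

# Succeed only if $1 is an IPv4 CIDR of the form a.b.c.d/n with n in 0..32.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the "Network" value currently set in the manifest's net-conf.json.
flannel_network() {
    sed -n 's/^[[:space:]]*"Network":[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Rewrite "Network" in the manifest to $2; refuse a malformed CIDR and fail if the
# file did not end up with that value (for example because the manifest layout differs).
set_flannel_network() {
    manifest=$1
    cidr=$2
    valid_cidr "$cidr" || { echo "refusing to use malformed pod CIDR: $cidr" >&2; return 1; }
    sed "s#\"Network\": \"[^\"]*\"#\"Network\": \"${cidr}\"#" "$manifest" > "$manifest.tmp"
    mv "$manifest.tmp" "$manifest"
    [ "$(flannel_network "$manifest")" = "$cidr" ]
}

# Steps 1-5 of the procedure: download, patch the CIDR, apply, wait for the DaemonSet.
# Run on the control plane with the same CIDR that was given to kubeadm init --pod-network-cidr.
deploy_flannel() {
    pod_cidr=$1
    wget -O kube-flannel.yml "$MANIFEST_URL"
    set_flannel_network kube-flannel.yml "$pod_cidr"
    kubectl apply -f kube-flannel.yml
    kubectl -n kube-flannel rollout status daemonset/kube-flannel-ds --timeout=120s
    kubectl -n kube-flannel get pods -o wide
}

# Usage:  deploy_flannel 10.244.0.0/16
```

The rollout status call replaces the manual ps/kubectl get pod checks of steps 4 and 5: it returns non-zero if the DaemonSet does not become ready within the timeout, which is the point at which you go to the kubelet logs.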

Learning Notes

Useful Commands

# View Flannel logs (one pod per node; the -l selector picks them all, --prefix labels each line with its pod)
kubectl logs -n kube-flannel -l app=flannel --prefix

# View Flannel config
kubectl get configmap kube-flannel-cfg -n kube-flannel -o yaml

# Check system services (these notes use CRI-O; substitute containerd if that is your runtime)
systemctl status systemd-resolved
systemctl status crio

# View logs
sudo journalctl -u crio -n 100
sudo journalctl -u kubelet -n 100

# View kubelet config
sudo cat /var/lib/kubelet/config.yaml

# View CoreDNS config
kubectl get configmap coredns -n kube-system -o yaml

# View DNS policy of all pods
kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.dnsPolicy}{"\n"}{end}'

Testing DNS Resolution

  1. Start a temporary pod with a shell (the pod is deleted when the shell exits; busybox 1.28 is pinned because later busybox nslookup builds misbehave with Kubernetes DNS):
    kubectl run -it --rm --restart=Never busybox --image=busybox:1.28 -- sh
  2. Inside it, resolve the API server's Service, then a specific Service (redis-service is an example name; use one that exists in your cluster):
    nslookup kubernetes.default
    nslookup redis-service.default.svc.cluster.local

DNS Resolution Process

CoreDNS does not read etcd. Its kubernetes plugin watches the API server for Service and Endpoints/EndpointSlice objects and answers from that in-memory view; only the API server talks to etcd. Each pod with the default dnsPolicy (ClusterFirst) gets an /etc/resolv.conf whose nameserver is the ClusterIP of the kube-dns Service in kube-system (which fronts the CoreDNS pods), a search list of <namespace>.svc.cluster.local, svc.cluster.local and cluster.local, and options ndots:5, so a short name such as redis-service is expanded inside the pod before any query is sent. Pods with dnsPolicy Default use the node's resolver instead and cannot resolve cluster names at all, which is why the dnsPolicy listing above is worth checking.
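To see which queries actually leave a pod for a given name, here is an added example (not part of the original notes and not CoreDNS code) that reproduces the resolver's search-list expansion from a resolv.conf. The sample resolv.conf is constructed to match what a kubeadm cluster gives a dnsPolicy: ClusterFirst pod in the default namespace; the function names and the redis-service name are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original notes or of CoreDNS: reproduces the name
# expansion a pod's resolver performs from its /etc/resolv.conf, so you can see which
# queries reach CoreDNS for a given name. The sample resolv.conf is constructed to match
# what kubeadm clusters give a ClusterFirst pod; function names are this example's own.
set -eu

# Print, one per line, the fully qualified names the resolver tries for $1, in order,
# using the search list and ndots value from the resolv.conf at $2. Rules as in glibc/musl:
# a name ending in "." is absolute and tried as-is; a name with at least ndots dots is
# tried as-is first and then with each search domain; a shorter name tries the search
# domains first and the bare name last.
dns_candidates() {
    name=$1
    resolv=$2
    case $name in
        *.) printf '%s\n' "$name"; return 0 ;;
    esac
    ndots=$(sed -n 's/^options.*ndots:\([0-9][0-9]*\).*/\1/p' "$resolv")
    ndots=${ndots:-1}
    search=$(sed -n 's/^search[[:space:]]*//p' "$resolv")
    dots=$(printf '%s' "$name" | tr -cd '.' | wc -c | tr -d ' ')
    if [ "$dots" -ge "$ndots" ]; then
        printf '%s.\n' "$name"
    fi
    for domain in $search; do
        printf '%s.%s.\n' "$name" "$domain"
    done
    if [ "$dots" -lt "$ndots" ]; then
        printf '%s.\n' "$name"
    fi
    return 0
}

# Print the nameserver those queries go to: in a cluster, the kube-dns Service ClusterIP.
dns_server() {
    sed -n 's/^nameserver[[:space:]]*//p' "$1" | head -n 1
}

# Write a resolv.conf like the one a ClusterFirst pod in namespace $2 gets, to file $1.
# 10.96.0.10 is the usual kube-dns ClusterIP on kubeadm clusters; confirm with
#   kubectl -n kube-system get svc kube-dns
write_sample_resolv() {
    cat > "$1" <<EOF
search $2.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.96.0.10
options ndots:5
EOF
}

# Usage: the short name resolves on the first candidate, but the "FQDN" written without a
# trailing dot has only four dots (< ndots:5), so three search-domain queries fail before
# the bare name is tried. That is the ndots:5 behaviour behind many slow-DNS reports.
#   write_sample_resolv /tmp/resolv.conf default
#   dns_candidates redis-service /tmp/resolv.conf
#   dns_candidates redis-service.default.svc.cluster.local /tmp/resolv.conf
#   dns_candidates redis-service.default.svc.cluster.local. /tmp/resolv.conf
```

Run it against a real pod's file (kubectl exec <pod> -- cat /etc/resolv.conf > /tmp/resolv.conf) to check what a workload with a non-default dnsPolicy or dnsConfig will actually query, and note that with dnsPolicy: Default the nameserver printed is the node's, not kube-dns.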