Hi,
What is the reason that pods are isolated from outside?
They can be accessed only by service.
So this is really just an arbitrary design choice like any other choice made for any other system. There is no technical reason a pod couldn’t have been implemented differently. Though this arbitrary design choice lends into the other ones that make up the Kubernetes eco system.
A container is just a linux namespace in which a process is running. They get spawned by the unshare syscall.
Containers are isolated environments, which can have various parts of their namespace exposed. A pod is just a group of containers that may or may not be configured to work together in some way.
Since the design choice is to keep them isolated, networking features are necessary to expose them. Logical mapping can be done with ingresses to services for virtual hosting. Network policies can be used to safely keep services from reaching out of their bounds. Also if a container has a service that gets compromised, the intruder will have a limited reach.
Also if the networking stuff wasn’t logically isolated and everything were just open, replicas of the same workload couldn’t be scheduled on the same host. Controlling the amount of compute a pod has when it acts as a replica makes bin packing possible for the scheduler.
There’s plenty of “reasons” to pick from for why it’s isolated, I would suppose.
If i have a load balancer in front of workers going through ingress controller to services and to pods,then in every worker run an ingress controller.right?
then to check the health check,this load balancer send to pod liveness probe?
I think the CCM is expected to handle services with type: LoadBalancer. These should configure the load balancer to route traffic in a way to reach the service. This is a pluggable feature like the CNI and CSI, because no one opinion works everywhere.
Services select pods based on labels. I think the CNI handles configuring the Endpoints and routing at this level.
Liveness probes exist to do checks at the pod level. Individual pods are maintained based on health checks.
^ Everywhere above that I said “I think” is because I’m not confident about which component is responsible, these are my best guesses, but the things I describe happening are definitely happening somewhere.