Networking in Managed Service for Kubernetes
When creating a Kubernetes cluster, you can configure:
- Network and subnet for the master.
- Range of IP addresses for pods.
- Range of IP addresses for services.
- Node subnet mask.
You can also:
- Request a public IP address to access the cluster from outside Yandex Cloud.
- Configure network policy controllers to manage the address space within the cluster.
Network resources
Kubernetes clusters in the Yandex Cloud infrastructure use the following resources:
- Subnets. When creating a cluster without tunnel mode, Managed Service for Kubernetes reserves two subnets: one for pods and one for services. For a cluster with tunnel mode, no subnets are reserved in the address space of the cloud network.
- Public IP addresses. When you create a node group with a public address, each node in the group is assigned a public IP address.
Managing address space
Kubernetes clusters that don't use tunnel mode are subject to the following limitations:
- The ranges of the subnets being created should not overlap with the existing ranges.
- Only 50% of the possible subnet range is available for pods, nodes, and services. This limitation is due to the specifics of Virtual Private Cloud and ensures the availability of an unused IP range for cluster service distribution.
The following subnet ranges are available for the pods, nodes, and services of such clusters:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
The node subnet mask and the size of the pod subnet together determine the maximum number of nodes in the cluster and the maximum number of pods per node.
In addition, Kubernetes has a standard limit
For clusters in tunnel mode, the following subnet ranges are available:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 100.64.0.0/10
Note
For such clusters, restrictions regarding half the possible subnet range or the overlapping of ranges do not apply.
For example, when creating a cluster with the following parameters:
- Tunnel mode is not enabled.
- Range of IP addresses for pods: 10.1.0.0/16.
- Range of IP addresses for services: 10.2.0.0/16.
- Node subnet mask: 24.
The cluster will have:
- Ranges of IP addresses for nodes: 10.1.128.0/24–10.1.255.0/24.
- IP addresses for pods on each node: 10.1.128.2–10.1.128.255, 10.1.129.2–10.1.129.255, and so on.
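The address planning described above, worked through as an added example (this is not code from the Yandex Cloud documentation or service). It assumes, as the example shows, that nodes are carved out of the upper half of the pod range and that the .0 and .1 addresses of each node subnet are not handed to pods; it also checks the pod and service ranges against the allowed private ranges and against existing subnets before the cluster is created.

```python
import ipaddress

# Private ranges allowed for clusters without tunnel mode (from the page).
ALLOWED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_ranges(pod_cidr, service_cidr, existing=()):
    """Return a list of problems (empty means OK): ranges must sit inside the
    allowed private ranges and must not overlap each other or existing subnets."""
    problems = []
    nets = {"pods": ipaddress.ip_network(pod_cidr),
            "services": ipaddress.ip_network(service_cidr)}
    for name, net in nets.items():
        if not any(net.subnet_of(allowed) for allowed in ALLOWED_RANGES):
            problems.append(f"{name} range {net} is outside the allowed private ranges")
    if nets["pods"].overlaps(nets["services"]):
        problems.append("pod and service ranges overlap")
    for cidr in existing:  # e.g. subnets already present in the cloud network
        other = ipaddress.ip_network(cidr)
        for name, net in nets.items():
            if net.overlaps(other):
                problems.append(f"{name} range {net} overlaps existing subnet {other}")
    return problems


def plan_nodes(pod_cidr, node_mask):
    """Split the pod range into per-node subnets.
    Assumption (matches the page's example): only the upper half of the pod range
    is handed out to nodes; the lower half stays reserved for the service."""
    pod_net = ipaddress.ip_network(pod_cidr)
    if node_mask <= pod_net.prefixlen + 1:
        raise ValueError("node mask must be longer than the pod prefix plus one bit")
    _lower_half, upper_half = pod_net.subnets(prefixlen_diff=1)
    node_subnets = [str(n) for n in upper_half.subnets(new_prefix=node_mask)]
    pods_per_node = 2 ** (32 - node_mask) - 2  # .0 and .1 are not given to pods
    return node_subnets, pods_per_node


def pod_range(node_subnet):
    """First and last pod address inside one node subnet (.2 up to the last address)."""
    net = ipaddress.ip_network(node_subnet)
    return str(net[2]), str(net[net.num_addresses - 1])
```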
Node name and FQDN
Managed Service for Kubernetes generates a name for each node when it is created. This name will be the host's fully qualified domain name (FQDN). You cannot change the node name or FQDN.
Use the FQDN to access the node within a single cloud network. For more information, see Cloud resource addresses.
Public access to cluster nodes
Any Kubernetes cluster node can be accessed from outside Yandex Cloud provided that you requested a public address when creating the node group.
To connect to this kind of node from the internet, use its public IP address.
You can request a public IP address:
- For the master, only when creating a cluster.
- For nodes, when creating or changing a group.
When a node is deleted, its corresponding public IP address is revoked.