Intranode Visibility

This page shows how to set up Intranode Visibility in a Google Kubernetes Engine cluster. With Intranode Visibility, all network traffic in your cluster is seen by the Google Cloud Platform network. This means you can see flow logs for all traffic between Pods, including traffic between Pods on the same node. And you can create firewall rules that apply to all traffic between Pods.

When a Pod sends a packet to another Pod on the same node, the packet leaves the node and is processed by the GCP network. Then the packet is immediately sent back to the same node and on to the destination Pod.

Intranode Visibility is available in GKE 1.11 and later.

Before you begin

To prepare for this task, perform the following steps:

Ensure that you have enabled the Google Kubernetes Engine API.

Enable Google Kubernetes Engine API

Ensure that you have installed the Cloud SDK.
Set your default project ID:
```
gcloud config set project [PROJECT_ID]
```
Update gcloud to the latest version:
```
gcloud components update
```

Overview

Here's the big picture of the steps you perform in this topic:

Enable flow logs for the default subnet in the us-central1 region.
Create a cluster, in the us-central1-a zone, that has one node.
Create two Pods in your cluster.
Send an HTTP request from one Pod to the other Pod.
View the flow log entry for the Pod-to-Pod request.

Enabling flow logs for a subnet

gcloud

Enable flow logs for the default subnet in the us-central1 region:

gcloud compute networks subnets update default --region us-central1 --enable-flow-logs

Verify that your subnet has flow logs enabled:

gcloud compute networks subnets describe default --region us-central1

The output shows that flow logs are enabled:

...
enableFlowLogs: true
...
ipCidrRange: 10.128.0.0/20
region: https://www.googleapis.com/compute/v1/projects/abc-712099/regions/us-central1

Console

Follow these steps to enable flow logs for the default subnet in the us-central1 region:

Visit the Google Kubernetes Engine VPC networks page in GCP Console.

Visit the VPC networks page
In the us-central1 row, click default.
Click Edit
Under Flow logs, select On.
Click Save.

Creating a cluster

Create a cluster that has one node:

gcloud

gcloud beta container clusters create my-inv-cluster \
    --zone us-central1-a \
    --num-nodes 1 \
    --enable-intra-node-visibility

Console

Visit the Kuberneters clusrers page in GCP Console.

Visit Kubernetes clusters page
Click Create cluster.
For Name, enter my-inv-cluster.
For Zone, select us-central1-a.
For Number of nodes, enter 1.
At the bottom of the page, click Advanced options.
Select Enable intranode visibility.
Click Create.

Getting credentials for your cluster:

Enter this command to get credentials for your new cluster:

gcloud container clusters get-credentials my-inv-cluster \
    --zone us-central1-a

The credentials are saved in your kubeconfig file, which is typically at $HOME/.kube/config.

Creating two Pods

Here is a manifest for a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
  - name: container-1
    image: gcr.io/google-samples/hello-app:2.0

Save the manifest to a file named pod-1.yaml, and create the Pod:

kubectl apply -f pod-1.yaml

Here is a manifest for a second Pod:

apiVersion: v1
kind: Pod
metadata:
  name: pod-2
spec:
  containers:
  - name: container-2
    image: gcr.io/google-samples/node-hello:1.0

Save the manifest to a file named pod-2.yaml, and create the Pod:

kubectl apply -f pod-2.yaml

View the Pods:

kubectl get pod pod-1 pod-2 --output wide

The output shows the IP addresses of your Pods. Make a note of theses addresses:

NAME      READY     STATUS    RESTARTS   AGE       IP           ...
pod-1     1/1       Running   0          1d        10.52.0.13   ...
pod-2     1/1       Running   0          1d        10.52.0.14   ...

Sending a request from `pod-1` to `pod-2`

Get a shell to the container in pod-1:

kubectl exec -it pod-1 sh

In your shell, send a request to pod-2:

wget -qO- [POD_2_IP_ADDRESS]:8080

where [POD_2_IP_ADDRESS] is the IP address of pod-2 that you found earlier in this exercise.

The output shows the response from the container running in pod-2:

Hello Kubernetes!

Enter exit to leave the shell and return to your main command-line environment.

Viewing flow log entries

gcloud

In your regular command-line window, enter this command to view a flow log entry for the request from pod-1 to pod-2.

gcloud logging read \
    'logName="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Fvpc_flows" AND jsonPayload.connection.src_ip="[POD_1_IP_ADDRESS]"'

where:

[PROJECT_ID] is your project ID.
[POD_1_IP_ADDRESS] is the IP address of pod-1.

The output shows a flow log entry for a request from pod-1 to pod-2. In this example, pod-1 has IP address 10.56.0.13, and pod-2 has IP address 10.56.0.14.

...
jsonPayload:
  bytes_sent: '0'
  connection:
    dest_ip: 10.56.0.14
    dest_port: 8080
    protocol: 6
    src_ip: 10.56.0.13
    src_port: 35414
...

Console

Visit the Google Kubernetes Engine Stackdriver logs page in GCP Console.

Visit the Stackdriver logs page
At the top of the page, in the filter box, at the right, click the down arrow, and select Convert to advanced filter.
Delete any text that is in the filter box, and enter this query:
```
resource.type="gce_subnetwork"
logName="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Fvpc_flows"
jsonPayload.connection.src_ip="[POD_1_IP_ADDRESS]"
```
where:
- [PROJECT_ID] is your project ID.
- [POD_1_IP_ADDRESS] is the IP address of pod-1.
Expand the log entry that appears. Under jsonPayload you can that the request was sent from pod-1 to pod-2. In this example, pod-1 has IP address 10.56.0.13, and pod-2 has IP address 10.56.0.14.
```
jsonPayload: {
  bytes_sent:  "0"
  connection: {
    dest_ip:  "10.56.0.14"
    dest_port:  8080
    protocol:  6
    src_ip:  "10.56.0.13"
    src_port:  35414
```

Recall that your cluster has only one node. So pod-1 and pod-2 are on the same node. Even so, flow log entries are available for the intranode communication between pod-1 and pod-2.

Upgrading an existing cluster to use Intranode Visibility

To enable Intranode Visibility for an existing cluster, enter this command:

gcloud beta container clusters update [CLUSTER_NAME] \
    --enable-intra-node-visibility

where [CLUSTER_NAME] is the name of your existing cluster.

When you enable Intranode Visibility for an existing cluster, components in both the control plane and the worker nodes are restarted.

After you've enabled this feature, you can confirm it's activated by examining the routing rules on your node:

# ip rule show
0:  from all lookup local
30001:  from all fwmark 0x4000/0x4000 lookup main
30002:  from all iif lo lookup main
30003:  not from all iif eth0 lookup 1
32766:  from all lookup main
32767:  from all lookup default
# ip route show table 1
default via [GKE_NODE_SUBNET_GW] dev eth0

General availability

The Intranode Visibilty feature is currently in Beta. When the feature becomes generally available, it will be the default for new clusters.

What's next

Learn how to control the communication between your cluster's Pods and Services by creating a cluster network policy.
Learn about the benefits of GCP alias IP ranges in VPC-native clusters.

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated August 6, 2019.

Before you begin

Overview

Enabling flow logs for a subnet

gcloud

Console

Creating a cluster

gcloud

Console

Getting credentials for your cluster:

Creating two Pods

Sending a request from pod-1 to pod-2

Viewing flow log entries

gcloud

Console

Upgrading an existing cluster to use Intranode Visibility

General availability

What's next

Send feedback about...

Sending a request from `pod-1` to `pod-2`