Welcome to the Linux Foundation Forum!

Lab 3.4 - Clarification on services, endpoints, and Calico

Hey everyone, I'm looking for a bit of help understanding the following text from Lab 3.4.

Verify the service configuration. First look at the service, then the endpoint information. Note the ClusterIP is not the current endpoint. Calico provides the ClusterIP. The Endpoint is provided by kubelet and kube-proxy. Take note of the current endpoint IP. In the example below it is We will use this information in a few steps.

Recall from previous labs that we install Calico and don't modify the default IP range, which seems to be:

            # - name: CALICO_IPV4POOL_CIDR
            #   value: ""

Inspecting a pod seems to confirm that the correct IP range is being used for the pod subnet:

$ kubectl get pod -o wide
NAME                     READY   STATUS    RESTARTS   AGE   IP               NODE     NOMINATED NODE   READINESS GATES
nginx-7f456874f4-cx7wb   1/1     Running   0          16m   worker   <none>           <none>

Now, consider the service and endpoint resources:

$ kubectl get svc nginx
nginx   ClusterIP   <none>        80/TCP    113s
$ kubectl get ep nginx
nginx   119s

Notice that the ClusterIP does not seem to come from the Calico IP range however the endpoint IP range does. Also, I'm not seeing any reference to a 10. range in the Calico configuration.

What am I missing about how this works? Did I do something incorrectly? My results seem to contradict the lab text. Thanks in advance for reading and any insight you can provide.

Best Answer

  • chrispokorni
    chrispokorni Posts: 2,012
    Answer ✓

    Hi @josedelarosa,

    The Pod's IP address comes from the Calico network plugin, from the default range.
    The Service's ClusterIP is managed by the Kubernetes control plane from the default network. Once a Service exposes a Pod, the Pod's IP address becomes part of the Service Endpoint, the reason why the Pod's IP and the Endpoint IP are the same.



  • Really helpful answer @chrispokorni, thank you! I was missing the part about the service IP coming from the range.


Upcoming Training