IPTables & Kubernetes Load Balancing

In today's edition, we will explore a brief concept on how Kubernetes services manage load balancing.

By default, the kube-proxy component in Kubernetes uses iptables to route service traffic (it also supports IPVS mode).

I got curious about how it manages load balancing behind the scenes, and I discovered something interesting: a feature in iptables called statistic mode random probability.

This feature is the statistic match extension of iptables, the Linux tool for packet filtering and network address translation. It lets you write rules that match a given fraction of packets at random.

For example, I tested a service endpoint pointing to a three-pod deployment.

It showed a statistic mode random probability of 0.33, essentially balancing the load across the three pods.

The following image shows the statistic mode random probability for that service with three backend pods.

This is probabilistic traffic distribution rather than true load balancing:

  • It doesn't consider the actual load on the servers.

  • It doesn't guarantee an even distribution of traffic over time.

  • It doesn't maintain session persistence.
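As an added example that is not part of the original post, the following Python script reproduces the chained statistic rules kube-proxy programs for a service with n endpoints (for three pods: probability 1/3, then 1/2, then a catch-all), shows that the effective share per pod is still exactly 1/n, and simulates connections to illustrate why the observed split is only approximately even. The chain names in the comment are placeholders, not real rule names.

```python
import random
from fractions import Fraction

# kube-proxy emits one jump per endpoint in the service chain, e.g. (chain names are placeholders):
#   -A KUBE-SVC-PLACEHOLDER -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-A
#   -A KUBE-SVC-PLACEHOLDER -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-B
#   -A KUBE-SVC-PLACEHOLDER -j KUBE-SEP-C
# Rule i is only evaluated when rules 0..i-1 did not match, so its probability is 1/(n-i).


def rule_probabilities(n):
    """Per-rule match probability for a service with n endpoints; the last rule has no statistic match."""
    if n < 1:
        raise ValueError("a service needs at least one endpoint")
    return [Fraction(1, n - i) for i in range(n - 1)] + [Fraction(1)]


def effective_share(n):
    """Probability that a new connection lands on each endpoint.

    Each share is the product of all earlier rules *not* matching and this rule matching,
    which works out to a uniform 1/n even though the per-rule probabilities differ.
    """
    shares, remaining = [], Fraction(1)
    for p in rule_probabilities(n):
        shares.append(remaining * p)
        remaining *= 1 - p
    return shares


def simulate(n, connections, seed=0):
    """Walk the chain the way netfilter does for each new connection and count where it lands.

    Every draw is independent, so the counts only approximate the uniform share and can drift
    apart over any given window (the 'no even distribution over time' caveat).
    """
    rng = random.Random(seed)  # constructed, seeded input so the run is reproducible
    probs = [float(p) for p in rule_probabilities(n)]
    counts = [0] * n
    for _ in range(connections):
        for i, p in enumerate(probs):
            if rng.random() < p:
                counts[i] += 1
                break
    return counts


if __name__ == "__main__":
    print("per-rule probabilities:", [str(p) for p in rule_probabilities(3)])
    print("effective share per pod:", [str(s) for s in effective_share(3)])
    print("simulated split of 9000 connections:", simulate(3, 9000))
```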

You might wonder, "Is it really necessary to understand Kubernetes at this level?"

From my experience, the answer is Yes & No 😀.

In one of my projects, we encountered a major routing issue. By looking at the iptables rules, we ruled out any cluster configuration issues and pinpointed the problem.

Wrapping Up

In most Kubernetes implementations today, iptables mode is commonly used in kube-proxy.

But iptables, built over two decades ago for packet filtering and firewall tasks within the Linux kernel, faces performance bottlenecks in large clusters.

nftables is a more modern replacement for iptables, introduced to address some of its limitations while maintaining backward compatibility.

There are also implementations that use eBPF instead of iptables, optimized for the networking needs of modern Kubernetes environments.

In future editions, I might explore these topics in greater detail and provide an in-depth analysis.
