Is api server serviceIP iptable rule coded by kube-proxy? #9427
Replies: 2 comments
-
Generally speaking, Service IPs are allocated and distributed by Kubernetes. However, after you create a service, your CNI (here Calico) will write some iptables logic (using kube-proxy) or program some eBPF logic (using libbpf), depending on your dataplane of choice, to map those IPs to your workloads. Try the Calico certified operator course level 1; it has a dedicated module around this topic.
-
What do you mean by "setting"? k8s is responsible for allocating the IP and assigning it to the service (unless explicitly set by user). Kube-proxy is responsible for implementing the service, that is, making sure that the service IP is translated to an IP of the backend pod. If you are using the eBPF dataplane, Calico's replacement of kube-proxy implements the service. Calico is setting up many iptables rules; however, if you are using eBPF, then Calico is not setting up rules for implementing services in iptables.
-
I am trying to understand in the cluster, who is responsible for setting the serviceIP, is it calico or kube-proxy? I am using kubeadm to start a k8s cluster, and deploy the calico by canal.yaml with bpf dataplane disabled.
We have some serviceIP like 10.96.0.13, and apparently I can see from felix logs that it's trying to code the iptable rule. However, I can also see that when the cluster is initially provisioned, kube-flannel is trying to talk to the API server with IP 10.96.0.1, and it failed with the following logs
And then the kube-flannel pod is restarted, and then it is able to connect to the API server. So it looks to me that in this case, kube-proxy is apparently setting up the iptable rule for the API server and 10.96.0.1, and I think the calico-node container also needs to talk to the API server, but for another cluster serviceIP, like 10.96.0.13, apparently calico-node is setting up the iptable rule. So my question is: is my understanding correct that kube-proxy will only be responsible for setting up 10.96.0.1? If yes, how does calico tell kube-proxy that calico should set up the iptable rule for other services?
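One way to check on a node which component owns the rules for a given service IP, as an added example that is not part of the original thread: it reads `iptables-save` output and attributes each rule matching the ClusterIP by chain-name prefix. It assumes the iptables dataplane and the usual naming (kube-proxy chains start with `KUBE-`, Calico Felix chains with `cali-`); the ruleset below is constructed and its chain suffixes and endpoint address are placeholders.

```shell
#!/bin/sh
# Constructed iptables-save excerpt for a node in iptables mode.
sample_ruleset() {
cat <<'EOF'
*nat
:KUBE-SERVICES - [0:0]
:cali-PREROUTING - [0:0]
-A PREROUTING -m comment --comment "cali:CONSTRUCTED" -j cali-PREROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-EXAMPLEAPI
-A KUBE-SERVICES -d 10.96.0.13/32 -p tcp -m comment --comment "default/demo:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-EXAMPLEDEMO
-A KUBE-SVC-EXAMPLEAPI -m comment --comment "default/kubernetes:https" -j KUBE-SEP-EXAMPLEAPI
-A KUBE-SEP-EXAMPLEAPI -p tcp -m tcp -j DNAT --to-destination 192.0.2.10:6443
COMMIT
*filter
:cali-FORWARD - [0:0]
-A cali-FORWARD -m comment --comment "cali:CONSTRUCTED" -j ACCEPT
COMMIT
EOF
}

# Usage: iptables-save | svc_rule_owners <clusterIP>
# Prints "<table> <chain> <owner>" for every rule whose -d match is the ClusterIP.
svc_rule_owners() {
  awk -v ip="$1" '
    BEGIN { want = ip "/32" }
    /^\*/ { table = substr($0, 2); next }        # "*nat" -> "nat"
    $1 == "-A" {
      for (i = 3; i < NF; i++)
        if ($i == "-d" && ($(i + 1) == want || $(i + 1) == ip)) {
          owner = "other"
          if ($2 ~ /^KUBE-/) owner = "kube-proxy"
          else if ($2 ~ /^cali-/) owner = "calico"
          print table, $2, owner
        }
    }'
}

# Run against the constructed sample; on a real node, pipe iptables-save instead.
for ip in 10.96.0.1 10.96.0.13; do
  printf '%s: ' "$ip"
  sample_ruleset | svc_rule_owners "$ip"
done
```

In the sample, both 10.96.0.1 and 10.96.0.13 are matched only in `KUBE-SERVICES`, while the `cali-` chains carry no per-service destination match.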