All containers that are part of a pod have the same network namespace, and (can) bind to all IPs in that namespace. Kubernetes does not offer any implicit filtering between pod network namespace and what is exposed at the network level. If a container binds to a port in the pod, that port is reachable at cluster-level1.
Let’s take this pod as reference:
> k describe pod instancename-appname-64d7cc857f-ffzmk
...
Node: ip-10-1-54-136.eu-west-3.compute.internal/10.1.54.136
Status: Running
IP: 10.1.50.84
Containers:
nginx:
Image: ...
Port: 80/TCP
Host Port: 0/TCP
...
Our Nginx listens to multiple ports, but only some are advertised in the pod description. The port list above is purely informational. It does not exclude any port not listed there from being accessed.
We can test this from another pod:
$ curl -I 10.1.50.84:8000
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 08 Nov 2023 12:02:22 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://10.1.50.84/
This lack of filtering is useful in case containers need to open connections between each other, but without advertising it in the manifest.
only if the CNI is configured to allow pod-to-pod connectivity ↩︎