After all this theory, you might be wondering how a pod is actually created by Kubernetes. Kubernetes only uses what Docker provides. So, how does this network namespace sharing work? First, Kubernetes creates the so-called pause container, as mentioned previously. This container has no other function than to reserve the kernel namespaces for that pod and keep them alive, even if no other container inside the pod is running. Let's simulate the creation of a pod, then. We start by creating the pause container, using Nginx for this purpose:
$ docker container run -d --name pause nginx:alpine
And now we add a second container called main, attaching it to the same network namespace as the pause container:
$ docker container run --name main -dit \
--net container:pause \
alpine:latest /bin/sh
Since the pause and main containers are both part of the same network namespace, they can reach each other through localhost. To show this, we first have to exec into the main container:
$ docker exec -it main /bin/sh
Now, we can test the connection to Nginx running in the pause container and listening on port 80. Here is what we get if we use the wget utility to do so:
The output shows that we can indeed access Nginx on localhost. This is proof that the two containers share the same network namespace. If that is not enough, we can use the ip tool to show eth0 inside both containers, and we will get the exact same result. Specifically, both show the same IP address, which is one of the characteristics of a pod: all its containers share the same IP address:
If we inspect the bridge network, we can only see that the pause container is listed. The other container didn't get an entry in the Containers list since it is reusing the pause container's endpoint:
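Because a container that joins another's namespace does not show up in the network's Containers list, an inventory built from the network view alone misses it. The following added example (not code from the original text) groups containers by the namespace they actually share, using the HostConfig.NetworkMode field of docker inspect output; the sample data, its IDs and IP addresses, and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: trimmed `docker inspect` output for three containers.
# The IDs and IP addresses are made up; "other" is an unrelated container.
SAMPLE_INSPECT = json.loads("""[
 {"Id": "aaa111", "Name": "/pause", "HostConfig": {"NetworkMode": "bridge"},
  "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
 {"Id": "bbb222", "Name": "/main", "HostConfig": {"NetworkMode": "container:aaa111"},
  "NetworkSettings": {"Networks": {}}},
 {"Id": "ccc333", "Name": "/other", "HostConfig": {"NetworkMode": "bridge"},
  "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}}
]""")


def netns_owner(container, by_id):
    """Follow container:<id> links to the container that owns the namespace."""
    seen = set()
    while container["HostConfig"]["NetworkMode"].startswith("container:"):
        if container["Id"] in seen:  # defensive: never loop forever
            raise ValueError("NetworkMode links form a cycle")
        seen.add(container["Id"])
        target = container["HostConfig"]["NetworkMode"].split(":", 1)[1]
        if target not in by_id:
            raise ValueError(f"namespace owner {target} not in inspect data")
        container = by_id[target]
    return container


def shared_namespaces(inspect_data):
    """Map each namespace owner to its IPs and every container sharing them."""
    by_id = {c["Id"]: c for c in inspect_data}
    groups = defaultdict(lambda: {"ips": [], "members": []})
    for c in inspect_data:
        owner = netns_owner(c, by_id)
        group = groups[owner["Name"].lstrip("/")]
        group["members"].append(c["Name"].lstrip("/"))
        if c is owner:  # only the owner holds the network endpoint
            nets = c["NetworkSettings"]["Networks"].values()
            group["ips"] = sorted(n["IPAddress"] for n in nets)
    return {name: {"ips": g["ips"], "members": sorted(g["members"])}
            for name, g in groups.items()}


def hidden_from_network_inspect(inspect_data):
    """Containers that join another's namespace and so have no own endpoint."""
    return sorted(c["Name"].lstrip("/") for c in inspect_data
                  if c["HostConfig"]["NetworkMode"].startswith("container:"))
```

On a real host, the input would come from json.loads of the output of docker inspect for the running containers.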