Consul on Kubernetes architecture

This topic describes the architecture, components, and resources associated with Consul deployments to Kubernetes. Consul employs the same architectural design on Kubernetes as it does with other platforms, but Kubernetes provides additional benefits that make operating a Consul cluster easier. Refer to Consul control plane architecture for more general information on Consul's architecture.

More specific guidance:
For guidance on datacenter design, refer to Consul and Kubernetes Reference Architecture.
For step-by-step deployment guidance, refer to Consul and Kubernetes Deployment Guide.
For non-Kubernetes guidance, refer to the standard production deployment guide.

Server agents on Kubernetes

The server agents are deployed as a StatefulSet and use persistent volume claims to store the server state. This state ensures that the node ID is persisted so that servers can be rescheduled onto new IP addresses without causing issues.

The server agents are configured with anti-affinity rules so that they are placed on different nodes. A readiness probe is also configured to mark the pod as ready only when it has established a leader.

A Kubernetes Service is registered to represent each Consul server and Kubernetes exposes ports that are required to communicate to the Consul server pods. The servers use the DNS address of this service to join a Consul cluster, without requiring any other access to the Kubernetes cluster. Additional Consul servers may also utilize non-ready endpoints that are published by the Kubernetes Service so that servers can use the service for joining during bootstrap and upgrades.

A PodDisruptionBudget is configured so the Consul server cluster maintains quorum during voluntary operational events. The maximum unavailable is (n/2)-1 where n is the number of server agents.

Note: Kubernetes and Helm do not delete Persistent Volumes or Persistent Volume Claims when a StatefulSet is deleted. You must perform this action manually when removing servers.

Consul dataplane on Kubernetes

By default, Consul on Kubernetes uses an alternate service mesh configuration that injects sidecars without client agents. Consul dataplane manages Envoy proxies and leaves responsibility for other functions to the orchestrator, which removes the need to run client agents on every node.

Diagram of Consul Dataplanes in Kubernetes deployment

Refer to Simplified Service Mesh with Consul dataplanes for more information.

Consul dataplane is the default proxy manager in Consul on Kubernetes 1.14 and later. If you are on Consul 1.13 or older, refer to upgrading to Consul Dataplane for specific upgrade instructions.