Yeah; this article seems like a pretty nice overview of how Linux network namespaces work, but my frustrations usually aren't at that level. I usually know what I want in those terms, but it seems like the container runtimes/frameworks often refuse to do it for obscure reasons, or it requires knowledge of undocumented implications.

Well, more or less. The pod IPs are assigned to the host ENIs and not to pods directly. The VPC CNI manages the virtual Ethernet devices in the host and pod network namespaces and sets up routes on the host such that inbound traffic using a pod IP will get routed to the correct virtual Ethernet device for the corresponding pod.

K8s defines an interface with requirements (such as every pod must be directly addressable by ip from every other pod) and you bring your own networking implementation. It's never just the standard container networking though as it needs to span horizontally.

Kubernetes does not use the traditional Docker networking model, but rather implements its own networking model. The Kubernetes networking model ensures that every pod gets its own IP address and allows pods to communicate with each other without NAT (Network Address Translation).

So there used to be something called "kubenet" which was built-in implementation that worked similar to what this article described, nowadays all networking is out-of-tree and handled by external networking plugins via the CNI[0].

[0] - https://cni.dev

There's a very nice book The Box by Leninson about Shopping Containers, their history and economic impact!