Kubernetes Ingress, Network Policies, DNS,CNI (Container Network Interface)

PoorvashaPoorvasha
6 min read

Ingress

In Kubernetes, an Ingress is a Kubernetes API object that defines rules for how incoming HTTP and HTTPS traffic should be routed to services within a cluster.

An Ingress object defines the rules for how incoming requests to a particular host and path should be directed to the appropriate service and port. In addition to routing traffic, an Ingress object can also specify features such as TLS termination and load balancing. Essentially, an Ingress object serves as a configuration file that enables traffic to flow into a Kubernetes cluster and be routed to the appropriate destination based on the defined rules.

When a request comes into a Kubernetes cluster, the Ingress controller (a software component responsible for implementing the Ingress rules) examines the incoming request and uses the rules defined in the Ingress object to route the request to the appropriate service.

Ingress is a powerful feature of Kubernetes that allows you to expose multiple services to the outside world using a single IP address and a single port. This makes it easier to manage traffic and enables you to configure advanced routing rules, such as routing based on HTTP headers or cookie values.

Overall, Ingress provides a flexible and powerful way to manage traffic in a Kubernetes cluster, and is a key component of any production-grade Kubernetes deployment.

Here is an example of an Ingress object in Kubernetes:

yamlCopy codeapiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
    - host: mydomain.com
      http:
        paths:
          - path: /service-a
            pathType: Prefix
            backend:
              service:
                name: service-a
                port:
                  name: http
          - path: /service-b
            pathType: Prefix
            backend:
              service:
                name: service-b
                port:
                  name: http

In this example, the Ingress object is named my-ingress. It specifies two rules for routing traffic based on the requested path: one for /service-a and one for /service-b.

Each rule specifies a backend service to handle the traffic. In this case, the services are named service-a and service-b and both use the http port.

The pathType is set to Prefix, which means that any requests that match the specified path prefix will be routed to the corresponding service.

The host field specifies the domain name that this Ingress rule should apply to. In this example, it is set to mydomain.com.

This is just a simple example, and there are many other options and configurations that can be used with Ingress in Kubernetes.

Network Policies

In Kubernetes, Network Policies are a way to define rules that control how traffic is allowed to flow between pods in a cluster. These policies provide a way to enforce network segmentation and enhance security by controlling the traffic that is allowed to enter or leave a pod.

Network Policies are implemented as Kubernetes API objects, which can be created, updated, and deleted using the kubectl command-line tool or other Kubernetes management tools.

A Network Policy object includes a set of rules that define which pods can communicate with each other based on various criteria such as IP addresses, ports, and labels. These rules can be applied at the pod level, namespace level, or cluster level.

Network Policies are enforced by a network plugin that implements the Kubernetes Network Policy API. Different network plugins may have different capabilities and support different types of Network Policy rules.

Here's an example of a Network Policy in Kubernetes:

yamlCopy codeapiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend

In this example, we're creating a Network Policy object named allow-from-frontend. The podSelector field specifies that this policy applies to all pods labeled with app: backend. The ingress field specifies that incoming traffic is allowed only from pods labeled with app: frontend.

With this Network Policy in place, any incoming traffic to pods labeled with app: backend from pods that do not have the label app: frontend will be blocked by the network plugin.

Overall, Network Policies are a powerful feature of Kubernetes that enable administrators to control network traffic between pods in a fine-grained way, enhancing security and enabling greater network segmentation.

DNS (Domain Name System)

In Kubernetes, DNS (Domain Name System) is a critical component that enables pods and services to communicate with each other using human-readable domain names instead of hard-to-remember IP addresses.

Kubernetes includes a built-in DNS service called kube-dns (or CoreDNS in newer versions), which provides a reliable and scalable way to resolve domain names to IP addresses within a cluster.

The kube-dns/ CoreDNS service runs as a set of pods within the Kubernetes cluster, and each pod has a DNS server that can resolve names for the cluster's services and pods.

By default, each pod in a Kubernetes cluster is assigned a DNS name that follows the format <pod-ip-address>.<namespace>.pod.cluster.local. Kubernetes services are also assigned DNS names that follow the format <service-name>.<namespace>.svc.cluster.local.

For example, if you have a service named my-service running in the my-namespace namespace, you can access it from other pods in the cluster using the DNS name my-service.my-namespace.svc.cluster.local. Similarly, you can access a pod with IP address 10.0.0.1 running in the my-namespace namespace using the DNS name 10-0-0-1.my-namespace.pod.cluster.local.

In addition to the default DNS names, Kubernetes also supports custom DNS entries that can be defined using annotations on services or pods.

Overall, DNS is a critical component of any Kubernetes deployment, as it enables pods and services to communicate with each other using human-readable names and makes it easier to manage and scale complex deployments.

CNI (Container Network Interface)

In Kubernetes, CNI (Container Network Interface) plugins are used to enable communication between pods and services across a network. CNI is a standardized interface for configuring network interfaces in Linux containers, and it provides a common API that network providers can use to integrate their network solutions with container runtimes like Docker and Kubernetes.

CNI plugins are small executables that can be installed on each node in a Kubernetes cluster to provide network connectivity. These plugins are responsible for configuring the network interfaces of pods and services on each node, and they communicate with the Kubernetes API server to ensure that each pod or service has a unique IP address and can communicate with other pods or services in the cluster.

There are many different CNI plugins available for Kubernetes, each with its own strengths and weaknesses. Some of the most popular CNI plugins include:

  • Flannel: A simple and lightweight CNI plugin that provides a virtual overlay network for Kubernetes clusters.

  • Calico: A powerful CNI plugin that provides network security and policy enforcement for Kubernetes clusters.

  • Weave Net: A CNI plugin that provides a virtual overlay network for Kubernetes clusters, with features like automatic IP address management and network encryption.

  • Cilium: A CNI plugin that provides network security and policy enforcement for Kubernetes clusters using eBPF (extended Berkeley Packet Filter) technology.

  • Antrea: A CNI plugin that provides network security and policy enforcement for Kubernetes clusters, with a focus on simplicity and ease of use.

Each of these CNI plugins has its own configuration options and requirements, and choosing the right one for your Kubernetes deployment will depend on your specific needs and goals.

Overall, CNI plugins are a critical component of any Kubernetes deployment, as they enable pods and services to communicate with each other across a network and provide the foundation for network security and policy enforcement in the cluster.

0
Subscribe to my newsletter

Read articles from Poorvasha directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Poorvasha
Poorvasha

Cloud & DevOps Engineer | Kubernetes | AWS | Ansible | GIT | Gitlab | Docker | Python