CKA Recap -- Ingress & NetworkPolicy

Ingress

An Ingress lets external clients reach a Service through the ingress controller at domain_name:port/path.

Fields and what each one maps to:
  ingressClassName                     -> which ingress controller handles this Ingress
  rules[].host                         -> domain name
  rules[].http.paths[].path            -> path
  rules[].http.paths[].backend.service.name -> service
  rules[].http.paths[].backend.service.port -> service port
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-wildcard-host
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx # used for ingress controller
  rules:
  - host: "foo.bar.com"
    http:
      paths:
      - pathType: Prefix
        path: "/bar" # http://domain/path
        backend:
          service:
            name: service1 # svc
            port:
              number: 80 # svc port
  - host: "*.foo.com"
    http:
      paths:
      - pathType: Prefix
        path: "/foo"
        backend:
          service:
            name: service2
            port:
              number: 80
Verification

1. Check that an ingress controller is installed:

  k get ingressclass

If there is none, install one:

  helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  helm repo update
  helm install my-nginx-ingress ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace

2. Check the port, IP and domain:

  # 1. check port
  # the svc asia|europe is bound to the app pod;
  # the svc ingress-nginx-controller is bound to the ingress-controller pod,
  # and its PORT(S) column shows port:nodePort = 80:30080, so the access port is 30080
  controlplane $ k get svc -A
  NAMESPACE       NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
  default         kubernetes                           ClusterIP   10.96.0.1        <none>        443/TCP                      35h
  ingress-nginx   ingress-nginx-controller             NodePort    10.106.174.82    <none>        80:30080/TCP,443:30443/TCP   2m12s
  ingress-nginx   ingress-nginx-controller-admission   ClusterIP   10.110.84.81     <none>        443/TCP                      2m13s
  kube-system     kube-dns                             ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP       35h
  world           asia                                 ClusterIP   10.100.146.115   <none>        80/TCP                       44s
  world           europe                               ClusterIP   10.99.31.152     <none>        80/TCP                       45s

  # 2. find the IP (endpoint -> ingress ADDRESS)
  controlplane $ k get endpoints
  NAME         ENDPOINTS         AGE
  kubernetes   172.30.1.2:6443   35h
  controlplane $ k get ing -owide -A
  NAMESPACE   NAME    CLASS   HOSTS                 ADDRESS      PORTS   AGE
  world       world   nginx   world.universe.mine   172.30.1.2   80      63s

  # 3. check the domain (if it is missing, append it)
  controlplane $ cat /etc/hosts
  127.0.0.1 localhost
  127.0.0.1 ubuntu
  127.0.0.1 host01
  127.0.0.1 controlplane
  172.30.1.2 world.universe.mine
Notice: don't confuse the app svc with the ingress svc. The app svc is bound to the app pod (here, for example, asia); other pods reach it inside the cluster via svc_ip:svc_port. The ingress svc is bound to the ingress-controller pod and is created in the ingress-nginx namespace when the ingress controller is installed. External access to a pod must go through the ingress svc port.
3. curl the ingress domain/path:

  # curl domain_name:port/path
  controlplane $ curl world.universe.mine:30080/asia
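The three checks above can be done by hand, but it helps to see exactly which fields they read. The script below is an added example, not code from the post: it parses the same kubectl listings shown above (embedded here as constructed sample text), derives the NodePort that fronts the controller's port 80, takes the HOSTS and ADDRESS columns from the Ingress, and flags any host whose /etc/hosts entry is missing or points somewhere else. The function names (parse_table, ingress_nodeport, curl_targets) are this example's own, and it assumes the controller Service is named ingress-nginx-controller as it is in the listing.

```python
"""Offline reconstruction of the Ingress verification steps (added example)."""
import re

# Constructed sample output, trimmed from the listings in this post.
SVC_OUTPUT = """\
NAMESPACE       NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
default         kubernetes                           ClusterIP   10.96.0.1        <none>        443/TCP                      35h
ingress-nginx   ingress-nginx-controller             NodePort    10.106.174.82    <none>        80:30080/TCP,443:30443/TCP   2m12s
ingress-nginx   ingress-nginx-controller-admission   ClusterIP   10.110.84.81     <none>        443/TCP                      2m13s
world           asia                                 ClusterIP   10.100.146.115   <none>        80/TCP                       44s
"""
ING_OUTPUT = """\
NAMESPACE   NAME    CLASS   HOSTS                 ADDRESS      PORTS   AGE
world       world   nginx   world.universe.mine   172.30.1.2   80      63s
"""
HOSTS_FILE = """\
127.0.0.1 localhost
127.0.0.1 controlplane
172.30.1.2 world.universe.mine
"""


def parse_table(text):
    """kubectl's default table: whitespace-separated columns, header in row 1."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def ingress_nodeport(svc_text, service_port=80, controller="ingress-nginx-controller"):
    """NodePort that fronts the controller's service_port, e.g. 80:30080/TCP -> 30080."""
    for row in parse_table(svc_text):
        if row["NAME"] != controller:
            continue
        if row["TYPE"] != "NodePort":
            return None  # LoadBalancer/ClusterIP: use EXTERNAL-IP or a port-forward instead
        for mapping in row["PORT(S)"].split(","):
            m = re.fullmatch(r"(\d+):(\d+)/\w+", mapping)
            if m and int(m.group(1)) == service_port:
                return int(m.group(2))
    return None


def ingress_hosts(ing_text):
    """(host, address) pairs; the HOSTS column may hold a comma-separated list."""
    return [(h, row["ADDRESS"]) for row in parse_table(ing_text) for h in row["HOSTS"].split(",")]


def hosts_file_entries(text):
    """name -> ip from /etc/hosts, ignoring comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            entries[name] = fields[0]
    return entries


def curl_targets(svc_text, ing_text, hosts_text, path="/asia"):
    """URLs to curl, plus a problem line for every host not pinned to the Ingress ADDRESS."""
    port = ingress_nodeport(svc_text)
    pinned = hosts_file_entries(hosts_text)
    urls, problems = [], []
    for host, address in ingress_hosts(ing_text):
        if pinned.get(host) != address:
            problems.append(f"{host} should resolve to {address}, /etc/hosts has {pinned.get(host)}")
        urls.append(f"http://{host}:{port}{path}")
    return urls, problems


if __name__ == "__main__":
    urls, problems = curl_targets(SVC_OUTPUT, ING_OUTPUT, HOSTS_FILE)
    print("curl", *urls)
    for p in problems:
        print("fix /etc/hosts:", p)
```

On a live cluster you would feed it `kubectl get svc -A`, `kubectl get ing -A -owide` and `cat /etc/hosts` instead of the embedded text; the logic stays the same.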
NetworkPolicy

A NetworkPolicy filters the traffic to and from a set of pods.

Fields:
  which pods the policy acts on:
    metadata.namespace
    spec.podSelector
  policy type (direction):
    ingress.from
    egress.to
  traffic-flow source/destination pods:
    namespaceSelector
    podSelector
    ports
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default # namespace of the pods the policy acts on
spec:
  podSelector:
    matchLabels:
      role: db # label of the pods the policy acts on
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproj # set src/dst pods ns label
    - podSelector:
        matchLabels:
          role: frontend # set src/dst pods label
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978 # set filter port
To find the labels to put in the selectors:

  k get ns --show-labels
  k get pod -A --show-labels

Verification

According to the filter rules, pick a source pod and a destination pod and check whether the traffic gets through:

  k exec -it pod01 -- curl svc02.ns02.svc.cluster.local
  k exec -it test_pod -- curl svc02.ns02.svc.cluster.local
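Choosing the right source pod for that check means knowing how the selectors combine: separate entries under from/to are ORed, a namespaceSelector and a podSelector written inside one entry are ANDed, a podSelector on its own only matches pods in the policy's own namespace, and ipBlock.except carves holes out of the CIDR. The evaluator below is an added example, not code from the post: it holds the policy above as a Python dict (so no YAML library is needed), builds a few constructed pods and external addresses, and reports whether each connection is allowed, denied, or not covered because the policy does not select the target. It handles matchLabels only (not matchExpressions, named ports or endPort), and treats ipBlock as applying to the address given, while a real CNI may see a different source address for pod traffic that leaves the node.

```python
"""Offline evaluator for the NetworkPolicy above (added example, not from the post)."""
import ipaddress

# Constructed: the same policy as the YAML above, as a dict.
POLICY = {
    "metadata": {"name": "test-network-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [
                {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
                {"namespaceSelector": {"matchLabels": {"project": "myproj"}}},
                {"podSelector": {"matchLabels": {"role": "frontend"}}},
            ],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
        "egress": [{
            "to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}],
            "ports": [{"protocol": "TCP", "port": 5978}],
        }],
    },
}

# Constructed endpoints. Pods carry namespace, labels, ns_labels; external IPs carry only ip.
DB = {"namespace": "default", "labels": {"role": "db"}, "ns_labels": {}, "ip": "10.244.0.10"}
FRONTEND = {"namespace": "default", "labels": {"role": "frontend"}, "ns_labels": {}, "ip": "10.244.0.11"}
FRONTEND_OTHER_NS = {"namespace": "other", "labels": {"role": "frontend"}, "ns_labels": {}, "ip": "10.244.2.5"}
MYPROJ_POD = {"namespace": "myproj", "labels": {"app": "x"}, "ns_labels": {"project": "myproj"}, "ip": "10.244.3.4"}
EXTERNAL = {"ip": "172.17.2.3"}          # inside the cidr, outside the except
EXTERNAL_EXCEPT = {"ip": "172.17.1.9"}   # inside the except block


def labels_match(selector, labels):
    """matchLabels only: every wanted key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, endpoint, policy_ns):
    """Does one from/to entry match this endpoint?"""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        ip = ipaddress.ip_address(endpoint["ip"])
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(x) for x in block.get("except", []))
    if endpoint.get("namespace") is None:      # not a pod: label selectors cannot match it
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        if endpoint["namespace"] != policy_ns:  # lone podSelector is scoped to the policy namespace
            return False
    elif not labels_match(ns_sel, endpoint["ns_labels"]):
        return False
    return pod_sel is None or labels_match(pod_sel, endpoint["labels"])  # both present => AND


def port_matches(ports, protocol, port):
    """A missing or empty ports list means every port."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def evaluate(direction, target, peer_endpoint, protocol, port, policy=POLICY):
    spec, policy_ns = policy["spec"], policy["metadata"]["namespace"]
    if target["namespace"] != policy_ns or not labels_match(spec["podSelector"], target["labels"]):
        return "not selected"   # this policy does not apply to the target pod
    policy_types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if direction.capitalize() not in policy_types:
        return "allowed"        # the policy does not restrict this direction
    key = "from" if direction == "ingress" else "to"
    for rule in spec.get(direction, []):
        peers = rule.get(key)   # missing/empty => all peers; entries are ORed
        if (not peers or any(peer_matches(p, peer_endpoint, policy_ns) for p in peers)) \
                and port_matches(rule.get("ports"), protocol, port):
            return "allowed"
    return "denied"


def ingress_allowed(target, source, protocol="TCP", port=6379):
    return evaluate("ingress", target, source, protocol, port)


def egress_allowed(target, dest, protocol="TCP", port=5978):
    return evaluate("egress", target, dest, protocol, port)


if __name__ == "__main__":
    for name, src, port in [("frontend same ns", FRONTEND, 6379), ("frontend same ns :80", FRONTEND, 80),
                            ("frontend other ns", FRONTEND_OTHER_NS, 6379), ("pod in myproj ns", MYPROJ_POD, 6379),
                            ("172.17.2.3", EXTERNAL, 6379), ("172.17.1.9", EXTERNAL_EXCEPT, 6379)]:
        print(f"ingress to db from {name:22} -> {ingress_allowed(DB, src, port=port)}")
    for dest, port in [("10.0.0.7", 5978), ("10.0.0.7", 443), ("10.0.1.7", 5978)]:
        print(f"egress from db to {dest}:{port} -> {egress_allowed(DB, {'ip': dest}, port=port)}")
```

The "frontend other ns" case is the one most often got wrong in practice: a pod labelled role=frontend in another namespace is denied because the third from entry has no namespaceSelector, so it only covers the policy's own namespace. To allow it, put namespaceSelector and podSelector together in one entry.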
Written by Cheedge Lee
Some posts are from my previous blogs; even though I renovated and checked them before migration, some parts may still be out of date. (https://blog.sina.com.cn/u/1784323047 or https://blog.csdn.net/li_6698230?type=blog, if they're still accessible.)