Kubernetes Networking

Services

Ingress

Network Policies

DNS

CNI Plugins

Services

Services provide a way to expose a set of pods to the network. A service is an abstract way to expose an application running on a set of Pods as a network service. A Service can be exposed in a variety of ways such as ClusterIP, NodePort, and LoadBalancer.

Service types:

ClusterIP – exposes the Service on an IP address internal to the cluster, so access is only permitted from within the cluster. ClusterIP is the default Service type.

NodePort – exposes the Service on a static port on each node's IP.

LoadBalancer – exposes the Service via the cloud provider's load balancer.

ExternalName – maps the Service to the predefined externalName field by returning a CNAME record with that value.

What is a Kubernetes NodePort service?

NodePorts are open ports on every cluster node. Kubernetes routes traffic that arrives at a NodePort to the Service, even if none of the Service's pods is running on that node. NodePort is intended as a foundation for higher-level ingress methods such as load balancers, and is useful in development.

What is a Kubernetes ExternalName service?

ExternalName Services are similar to other Kubernetes Services; however, instead of being accessed via a ClusterIP address, they return a CNAME record whose value is taken from the externalName field set when the Service is created.

How do you define a Kubernetes service?

apiVersion: v1
kind: Service
metadata:
  name: service-backend
spec:
  ports:
    - port: 4000          # port the Service listens on inside the cluster
      protocol: TCP
      targetPort: 333     # container port on the selected pods
  selector:
    run: deployment-backend
  type: ClusterIP

There are two ways to discover a Kubernetes Service:

1. DNS

2. Environment variables

Ingress

Kubernetes Ingress is an API object that helps developers expose their applications and manage external access by providing HTTP and HTTPS routing rules to the Services within a Kubernetes cluster. It can simplify production environments because it offers a simple way to define traffic-routing rules rather than creating specialized load balancers or manually exposing each Service on a node. Today's production environments need features such as content-based routing, multiple protocol support, and strong authentication; Kubernetes Ingress provides these capabilities and lets developers configure all of them within the cluster.

Network policies:

Network policies are Kubernetes resources that control the traffic between pods. A Kubernetes network policy lets developers secure access to and from their applications; this is how network access to a pod can be restricted.

In Kubernetes, a request must be authenticated (logged in) before it can be authorized (granted permission to access). Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is AlwaysAllow, which allows all requests.

Network Policy Specification

PodSelector – Each policy includes a pod selector that selects the group of pods to which the policy applies. Pod selectors are also used inside rules to select particular pods in the same namespace as the NetworkPolicy that are allowed as ingress sources or egress destinations.

Policy Types – indicates which kinds of rules are included in this policy: Ingress, Egress, or both.

Ingress – Each NetworkPolicy may include a list of allowed ingress rules, i.e. an allow list for inbound traffic.

Egress – Each NetworkPolicy may include a list of allowed egress rules, i.e. an allow list for outbound traffic.
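As an added example (not part of the original notes), the following NetworkPolicy uses each of the fields above to lock down the backend pods selected by the Service defined earlier (label run: deployment-backend, container port 333). The app: frontend label, the backend namespace and the kube-dns labels are assumed for illustration.

```yaml
# Added example: default-deny for the backend pods, then allow only what is needed.
# Assumed values (not in the original notes): namespace "backend", label app: frontend.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-restrict
  namespace: backend
spec:
  # podSelector: the policy applies to the same pods the Service above targets.
  podSelector:
    matchLabels:
      run: deployment-backend
  # policyTypes: listing both directions means any traffic not matched by a
  # rule below is denied, inbound and outbound.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only pods labelled app: frontend in this namespace may reach the container
    # port that the Service forwards to (targetPort 333 in the Service definition).
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 333
  egress:
    # Allow DNS lookups to kube-dns so the pods can still resolve Service names.
    # namespaceSelector and podSelector in one entry are ANDed together.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply it with kubectl apply -f and inspect the result with kubectl describe networkpolicy backend-restrict -n backend; note that a NetworkPolicy is only enforced when the cluster's CNI plugin supports network policies.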

DNS:

Kubernetes creates DNS records for Services and Pods. You can contact Services with consistent DNS names instead of IP addresses. The kubelet configures each Pod's DNS so that running containers can look up Services by name rather than by IP.

CNI Plugins:

The Container Network Interface (CNI), a Cloud Native Computing Foundation project, consists of a specification and libraries for writing plugins that configure network interfaces in Linux containers.