DEV Community

Cheedge Lee

Posted on • Originally published at Medium

CKA Recap -- Ingress & NetworkPolicy

Ingress

  • Ingress exposes a service to external clients as domain_name:port/path
  • Fields:
    • spec.ingressClassName -> ingress controller
    • path -> URL path
    • backend.service.name -> service
    • port -> service port
    • host -> domain name
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-wildcard-host
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx   # used for ingress controller
  rules:
  - host: "foo.bar.com"
    http:
      paths:
      - pathType: Prefix
        path: "/bar"        # http://domain/path
        backend:
          service:
            name: service1  # svc
            port:
              number: 80    # svc port
  - host: "*.foo.com"
    http:
      paths:
      - pathType: Prefix
        path: "/foo"
        backend:
          service:
            name: service2
            port:
              number: 80
```
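As an added example (not code from the original post): a small Python matcher that applies the two rules of ingress-wildcard-host above to a request's host and path, showing the one-label wildcard host semantics and the per-segment Prefix path semantics the controller uses. Exact path matching is included as a generalization beyond the manifest; the rewrite-target annotation is not modeled.

```python
# Transcribed from the two rules of ingress-wildcard-host above (assumption:
# these are the only rules the controller knows about).
RULES = [
    {"host": "foo.bar.com", "pathType": "Prefix", "path": "/bar", "service": ("service1", 80)},
    {"host": "*.foo.com",   "pathType": "Prefix", "path": "/foo", "service": ("service2", 80)},
]

def host_matches(pattern: str, host: str) -> bool:
    """A wildcard host covers exactly one DNS label: '*.foo.com' matches
    'bar.foo.com' but neither 'foo.com' nor 'a.b.foo.com'."""
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                  # ".foo.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label

def path_matches(path_type: str, rule_path: str, req_path: str) -> bool:
    """Prefix matching is element-wise: '/bar' matches '/bar' and '/bar/x'
    but not '/barista'; a trailing slash on the rule path is ignored."""
    if path_type == "Exact":
        return rule_path == req_path
    prefix = rule_path.rstrip("/") or "/"
    if prefix == "/":
        return True
    return req_path == prefix or req_path.startswith(prefix + "/")

def route(host: str, req_path: str):
    """Return the (service, port) the request is sent to, or None when no
    rule matches (the controller then falls back to its default backend)."""
    for rule in RULES:
        if host_matches(rule["host"], host) and path_matches(rule["pathType"], rule["path"], req_path):
            return rule["service"]
    return None
```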

Verification

1. Check that an ingress controller is installed

```shell
k get ingressclass
```

If not, install it:

```shell
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install my-nginx-ingress ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace
```

2. Check IP, domain and port

```shell
# 1. check port
#    svc asia|europe is bound with pod
#    svc ingress-nginx-controller bound with ingress-controller pod
#        and the target_port:port is 80:30080, so access port is 30080
controlplane $ k get svc -A
NAMESPACE       NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
default         kubernetes                           ClusterIP   10.96.0.1        <none>        443/TCP                      35h
ingress-nginx   ingress-nginx-controller             NodePort    10.106.174.82    <none>        80:30080/TCP,443:30443/TCP   2m12s
ingress-nginx   ingress-nginx-controller-admission   ClusterIP   10.110.84.81     <none>        443/TCP                      2m13s
kube-system     kube-dns                             ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP       35h
world           asia                                 ClusterIP   10.100.146.115   <none>        80/TCP                       44s
world           europe                               ClusterIP   10.99.31.152     <none>        80/TCP                       45s
# 2. find IP (endpoint -> ingress)
controlplane $ k get endpoints
NAME         ENDPOINTS         AGE
kubernetes   172.30.1.2:6443   35h
controlplane $ k get ing -owide -A
NAMESPACE   NAME    CLASS   HOSTS                 ADDRESS      PORTS   AGE
world       world   nginx   world.universe.mine   172.30.1.2   80      63s
# 3. check domain (if not, append it)
controlplane $ cat /etc/hosts
127.0.0.1 localhost

127.0.0.1 ubuntu
127.0.0.1 host01
127.0.0.1 controlplane
172.30.1.2 world.universe.mine
```

Notice: don't confuse the app svc with the ingress svc. The app svc is bound to the app pod (here, for example, asia), and other pods can reach it via svc_ip:svc_port. The ingress svc is bound to the ingress controller pod; both are created in the ingress-nginx namespace during the ingress installation. External access to the pod should go through the ingress svc port.

3. curl the ingress domain, port and path

```shell
# curl domain_name:port/path
controlplane $ curl world.universe.mine:30080/asia
```

NetworkPolicy

  • NetworkPolicy filters traffic to and from pods
  • Fields:
    • which pods the policy acts on:
      • namespace
      • podSelector
    • policy type:
      • ingress.from & egress.to
    • source/destination pods of the traffic flow:
      • namespaceSelector
      • podSelector
      • ports
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default        # set act on pod ns label
spec:
  podSelector:
    matchLabels:
      role: db              # set act on pod label
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproj   # set src/dst pods ns label
    - podSelector:
        matchLabels:
          role: frontend    # set src/dst pods label
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978            # set filter port
```

Find the labels to use in the selectors:

```shell
k get ns --show-labels
k get pod -A --show-labels
```

Verification

According to the filter rules, choose a source pod and a destination pod, then check the traffic between them:

```shell
k exec -it pod01 -- curl svc02.ns02.svc.cluster.local
k exec -it test-pod -- curl svc02.ns02.svc.cluster.local
```
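As an added example (not code from the original post), a small evaluator that applies the ingress half of test-network-policy above to constructed source pods, so the verification step can be reasoned through before running curl. It makes the point the three separate `from` items express: they are OR-ed, selectors inside one item are AND-ed, and a bare podSelector only reaches pods in the policy's own namespace. Pod IPs, namespaces and labels are constructed for the test.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Pod:
    namespace: str
    ip: str
    labels: dict
    ns_labels: dict = field(default_factory=dict)  # labels of the pod's namespace

# The ingress half of test-network-policy on this page, transcribed by hand.
# Each item in "from" is a separate peer (OR-ed); selectors inside one item are AND-ed.
POLICY = {
    "namespace": "default",
    "podSelector": {"role": "db"},
    "ingress": [{
        "from": [
            {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
            {"namespaceSelector": {"project": "myproj"}},
            {"podSelector": {"role": "frontend"}},
        ],
        "ports": [("TCP", 6379)],
    }],
}

def selects(selector: dict, labels: dict) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer: dict, src: Pod, policy_ns: str) -> bool:
    if "ipBlock" in peer:  # intended for traffic from outside the cluster
        ip = ipaddress.ip_address(src.ip)
        if any(ip in ipaddress.ip_network(e) for e in peer["ipBlock"].get("except", [])):
            return False
        return ip in ipaddress.ip_network(peer["ipBlock"]["cidr"])
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], src.ns_labels):
            return False
    elif src.namespace != policy_ns:  # bare podSelector: same namespace only
        return False
    return "podSelector" not in peer or selects(peer["podSelector"], src.labels)

def ingress_allowed(policy: dict, src: Pod, dst: Pod, proto: str, port: int) -> bool:
    """Decision under this one policy; a pod no policy selects is non-isolated (allowed)."""
    if dst.namespace != policy["namespace"] or not selects(policy["podSelector"], dst.labels):
        return True
    for rule in policy["ingress"]:
        ports_ok = not rule.get("ports") or (proto, port) in rule["ports"]
        if ports_ok and any(peer_matches(p, src, policy["namespace"]) for p in rule["from"]):
            return True
    return False
```

With several policies selecting the same pod, the real decision is the union of what each allows, so run the check once per policy and OR the results.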
