Ingress
- an Ingress exposes a service to external clients at domain_name:port/path
- Fields:
  - spec.ingressClassName -> which ingress controller handles this Ingress
  - rules[].host -> domain name
  - rules[].http.paths[].path -> URL path
  - rules[].http.paths[].backend.service.name -> service
  - rules[].http.paths[].backend.service.port -> service port
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-wildcard-host
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx # selects the ingress controller
  rules:
  - host: "foo.bar.com"
    http:
      paths:
      - pathType: Prefix
        path: "/bar" # http://domain/path
        backend:
          service:
            name: service1 # svc
            port:
              number: 80 # svc port
  - host: "*.foo.com"
    http:
      paths:
      - pathType: Prefix
        path: "/foo"
        backend:
          service:
            name: service2
            port:
              number: 80
Verification
1. check that an ingress controller is installed
k get ingressclass
if not, install it:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install my-nginx-ingress ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace
2. check the IP, domain and port
# 1. check the port
# the svc asia/europe are bound to the app pods
# the svc ingress-nginx-controller is bound to the ingress-controller pod
# its PORT(S) column reads port:nodePort = 80:30080, so the external access port is 30080
controlplane $ k get svc -A
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 35h
ingress-nginx ingress-nginx-controller NodePort 10.106.174.82 <none> 80:30080/TCP,443:30443/TCP 2m12s
ingress-nginx ingress-nginx-controller-admission ClusterIP 10.110.84.81 <none> 443/TCP 2m13s
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 35h
world asia ClusterIP 10.100.146.115 <none> 80/TCP 44s
world europe ClusterIP 10.99.31.152 <none> 80/TCP 45s
# 2. find the IP: the ingress ADDRESS is the node IP (the same address as the kubernetes endpoint)
controlplane $ k get endpoints
NAME ENDPOINTS AGE
kubernetes 172.30.1.2:6443 35h
controlplane $ k get ing -owide -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
world world nginx world.universe.mine 172.30.1.2 80 63s
# 3. check that the domain resolves (if not, append it to /etc/hosts)
controlplane $ cat /etc/hosts
127.0.0.1 localhost
127.0.0.1 ubuntu
127.0.0.1 host01
127.0.0.1 controlplane
172.30.1.2 world.universe.mine
Notice: don't confuse the app svc with the ingress svc. The app svc is bound to the app pod (here, for example, asia); other pods can reach it via svc_ip:svc_port. The ingress svc is bound to the ingress controller pod; it is created during the ingress installation in the ingress-nginx namespace. External access to a pod should go through the ingress svc port.
3. curl the ingress at domain_name:port/path
# curl domain_name:port/path
controlplane $ curl world.universe.mine:30080/asia
NetworkPolicy
- filters traffic to and from pods
- Fields:
  - pods the policy acts on: metadata.namespace and spec.podSelector
  - policy type: policyTypes (Ingress and/or Egress); the rules go under ingress.from and egress.to
  - source/destination of the traffic flow: namespaceSelector, podSelector (and ipBlock for CIDR ranges)
  - ports
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default # namespace of the pods the policy acts on
spec:
  podSelector:
    matchLabels:
      role: db # label of the pods the policy acts on
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproj # namespace label of the source pods
    - podSelector:
        matchLabels:
          role: frontend # label of the source pods
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978 # filtered port
to find the labels to use in the selectors:
k get ns --show-labels
k get pod -A --show-labels
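The selectors in this manifest are easy to misread: separate entries under from are ORed (so a namespaceSelector alone admits every pod in a matching namespace, whatever its role label), a podSelector alone is scoped to the policy's own namespace, and except carves holes out of the ipBlock CIDR. As an added example (not part of the original notes), the Python below mirrors the policy above as a dict and answers whether an ingress connection to a selected pod would be allowed; ingress_allowed, peer_matches and the src dict shape are constructs of this example, not a Kubernetes API.

```python
import ipaddress
# Constructed copy of the page's NetworkPolicy as a dict (no YAML library needed); ns "default".
POLICY_NS = "default"
POLICY = {
    "podSelector": {"matchLabels": {"role": "db"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{
        "from": [
            {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
            {"namespaceSelector": {"matchLabels": {"project": "myproj"}}},
            {"podSelector": {"matchLabels": {"role": "frontend"}}},
        ],
        "ports": [{"protocol": "TCP", "port": 6379}],
    }],
}
def labels_match(selector, labels):
    # matchLabels semantics: every selector key/value must be present on the object.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src):
    # src is a constructed dict: {"ip": ...} for a bare address, plus
    # {"ns": ..., "ns_labels": {...}, "labels": {...}} when the source is a pod.
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        in_cidr = ip in ipaddress.ip_network(blk["cidr"])
        excluded = any(ip in ipaddress.ip_network(e) for e in blk.get("except", []))
        return in_cidr and not excluded
    if "labels" not in src:  # label selectors never match a bare IP
        return False
    # namespaceSelector and podSelector in ONE `from` entry are ANDed; a podSelector
    # without a namespaceSelector is scoped to the policy's own namespace.
    if "namespaceSelector" in peer:
        ns_ok = labels_match(peer["namespaceSelector"], src["ns_labels"])
    else:
        ns_ok = src["ns"] == POLICY_NS
    pod_ok = labels_match(peer["podSelector"], src["labels"]) if "podSelector" in peer else True
    return ns_ok and pod_ok

def ingress_allowed(policy, src, port, protocol="TCP"):
    # True if some ingress rule admits the connection to a pod selected by the policy.
    # Separate `from` entries are ORed; empty `from` = any source, empty `ports` = any port.
    if "Ingress" not in policy.get("policyTypes", []):
        return True  # this policy does not restrict ingress at all
    for rule in policy.get("ingress", []):
        src_ok = not rule.get("from") or any(peer_matches(p, src) for p in rule["from"])
        port_ok = not rule.get("ports") or any(
            p.get("protocol", "TCP") == protocol and p.get("port") == port for p in rule["ports"])
        if src_ok and port_ok:
            return True
    return False
```

Run it against a role=backend pod in a project=myproj namespace to see the OR footgun: it is admitted on 6379 even though it is not a frontend.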
Verification
According to the filter rules, choose a source pod and a destination pod, then check whether the traffic gets through:
k exec -it pod01 -- curl svc02.ns02.svc.cluster.local
k exec -it test_pod -- curl svc02.ns02.svc.cluster.local