CKA Recap — Ingress & NetworkPolicy


Ingress

  • An Ingress exposes a service externally at domain_name:port/path
  • Fields:
    • spec.ingressClassName -> which ingress controller handles the rule
    • path -> URL path
    • backend.service.name -> service
    • backend.service.port -> service port
    • host -> domain name
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-wildcard-host
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx   # used for ingress controller
  rules:
  - host: "foo.bar.com"
    http:
      paths:
      - pathType: Prefix
        path: "/bar"        # http://domain/path
        backend:
          service:
            name: service1  # svc
            port:
              number: 80    # svc port
  - host: "*.foo.com"
    http:
      paths:
      - pathType: Prefix
        path: "/foo"
        backend:
          service:
            name: service2
            port:
              number: 80

Verification

1. check that an ingress controller is installed

k get ingressclass

If not, install it:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install my-nginx-ingress ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace

2. check the IP, domain and port

# 1. check port
#    svc asia|europe is bound to the app pods
#    svc ingress-nginx-controller is bound to the ingress-controller pod,
#        and its port:nodePort is 80:30080, so the external access port is 30080
controlplane $ k get svc -A
NAMESPACE       NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
default         kubernetes                           ClusterIP   10.96.0.1        <none>        443/TCP                      35h
ingress-nginx   ingress-nginx-controller             NodePort    10.106.174.82    <none>        80:30080/TCP,443:30443/TCP   2m12s
ingress-nginx   ingress-nginx-controller-admission   ClusterIP   10.110.84.81     <none>        443/TCP                      2m13s
kube-system     kube-dns                             ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP       35h
world           asia                                 ClusterIP   10.100.146.115   <none>        80/TCP                       44s
world           europe                               ClusterIP   10.99.31.152     <none>        80/TCP                       45s
# 2. find IP (endpoint -> ingress)
controlplane $ k get endpoints
NAME         ENDPOINTS         AGE
kubernetes   172.30.1.2:6443   35h
controlplane $ k get ing -owide -A
NAMESPACE   NAME    CLASS   HOSTS                 ADDRESS      PORTS   AGE
world       world   nginx   world.universe.mine   172.30.1.2   80      63s
# 3. check the domain (if it is missing, append it)
controlplane $ cat /etc/hosts
127.0.0.1 localhost

127.0.0.1 ubuntu
127.0.0.1 host01
127.0.0.1 controlplane
172.30.1.2 world.universe.mine

Note: don't confuse the app svc with the ingress svc. The app svc is bound to the app pod (here, for example, asia); other pods can reach it via svc_ip:svc_port. The ingress svc is bound to the ingress controller pod; both are created during the ingress installation in the ingress-nginx namespace. External access to a pod must go through the ingress svc port.

3. curl the ingress domain:port/path

# curl domain_name:port/path
controlplane $ curl world.universe.mine:30080/asia

NetworkPolicy

  • filters pod traffic
  • Fields:
    • which pods the policy acts on:
      • metadata.namespace
      • spec.podSelector
    • policy type:
      • policyTypes (Ingress and/or Egress), with rules under ingress.from and egress.to
    • allowed source/destination of the traffic:
      • namespaceSelector
      • podSelector
      • ipBlock
      • ports
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default        # namespace the policy lives in; it selects pods from this ns
spec:
  podSelector:
    matchLabels:
      role: db              # the policy applies to pods carrying this label
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproj   # namespace label of the allowed src/dst pods
    - podSelector:
        matchLabels:
          role: frontend    # pod label of the allowed src/dst pods
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978            # only this port is allowed for the matched traffic
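
An added example (not from the post) that evaluates the ingress rule of test-network-policy above offline, so the selector semantics can be checked before applying a policy: the `from` entries are ORed, a namespaceSelector and podSelector inside one entry are ANDed, a bare podSelector only matches pods in the policy's own namespace, and ipBlock.except carves holes out of the CIDR. The rule is transcribed into a dict (no YAML library needed) and the sender pods, namespaces and IPs are constructed.

```python
import ipaddress

# The single ingress rule of the page's test-network-policy as a dict, transcribed
# from the page's YAML so the example needs no YAML library.
POLICY_NS = "default"
INGRESS_RULE = {
    "from": [
        {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
        {"namespaceSelector": {"matchLabels": {"project": "myproj"}}},
        {"podSelector": {"matchLabels": {"role": "frontend"}}},
    ],
    "ports": [{"protocol": "TCP", "port": 6379}],
}

def labels_match(selector, labels):
    """matchLabels: every key/value of the selector must be present on the object."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src):
    """One `from` entry. src = {"ip", "ns", "ns_labels", "pod_labels"} of the sender."""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(x) for x in block.get("except", []))  # holes
    if "namespaceSelector" in peer:
        ns_ok = labels_match(peer["namespaceSelector"], src["ns_labels"])
    else:
        ns_ok = src["ns"] == POLICY_NS  # a bare podSelector only matches the policy's own namespace
    pod_ok = "podSelector" not in peer or labels_match(peer["podSelector"], src["pod_labels"])
    return ns_ok and pod_ok

def ingress_allowed(rule, src, port, protocol="TCP"):
    """Allowed if the port is listed AND any single `from` entry matches (entries are ORed)."""
    port_ok = any(p["protocol"] == protocol and p["port"] == port for p in rule["ports"])
    return port_ok and any(peer_matches(p, src) for p in rule["from"])

# Constructed senders (not from the page) to try against the rule
SENDERS = {
    "frontend pod in default":  {"ip": "10.244.0.5", "ns": "default", "ns_labels": {}, "pod_labels": {"role": "frontend"}},
    "frontend pod in other ns": {"ip": "10.244.1.7", "ns": "other", "ns_labels": {}, "pod_labels": {"role": "frontend"}},
    "any pod, ns project=myproj": {"ip": "10.244.2.3", "ns": "team", "ns_labels": {"project": "myproj"}, "pod_labels": {}},
    "172.17.1.9 (in except)":   {"ip": "172.17.1.9", "ns": "", "ns_labels": {}, "pod_labels": {}},
}

if __name__ == "__main__":
    for name, src in SENDERS.items():
        print(f"{name:28} -> :6379 {ingress_allowed(INGRESS_RULE, src, 6379)}, :80 {ingress_allowed(INGRESS_RULE, src, 80)}")
```

The frontend pod in another namespace is rejected even though its label matches, which is the case most often missed when a policy is written with a podSelector but no namespaceSelector.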

To find the labels to match on:

k get ns --show-labels
k get pod -A --show-labels

Verification

Following the filter rules, pick a source pod and a destination pod and check whether traffic gets through:

k exec -it pod01 -- curl svc02.ns02.svc.cluster.local
k exec -it test-pod -- curl svc02.ns02.svc.cluster.local
