CKA Recap -- Ingress & NetworkPolicy
Published at: 1/3/2025
Categories: kubernetes, cka, ingress, networkpolicy
Author: cheedge_lee
Ingress
- Ingress lets external clients reach a service at domain_name:port/path
- Fields:
  - spec.ingressClassName
  - path -> path
  - backend.service.name -> service
  - port -> service port
  - host -> domain name
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-wildcard-host
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx # used for ingress controller
  rules:
  - host: "foo.bar.com"
    http:
      paths:
      - pathType: Prefix
        path: "/bar" # http://domain/path
        backend:
          service:
            name: service1 # svc
            port:
              number: 80 # svc port
  - host: "*.foo.com"
    http:
      paths:
      - pathType: Prefix
        path: "/foo"
        backend:
          service:
            name: service2
            port:
              number: 80
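How the two rules above pick a backend, as an added Python example that is not from the original post: it models the host and pathType: Prefix matching defined by the Ingress API (a particular controller may differ in detail), which decides which services a hostname and path expose to outside clients. The function names are assumptions of the example.

```python
# Added example: models networking.k8s.io/v1 Ingress matching.
# RULES is copied from the manifest above; function names are hypothetical.
RULES = [
    {"host": "foo.bar.com", "path": "/bar", "service": "service1", "port": 80},
    {"host": "*.foo.com", "path": "/foo", "service": "service2", "port": 80},
]

def host_matches(rule_host, request_host):
    """Exact match, or a leading '*.' wildcard covering exactly one DNS label."""
    rule_host, request_host = rule_host.lower(), request_host.lower()
    if not rule_host.startswith("*."):
        return rule_host == request_host
    suffix = rule_host[1:]                      # ".foo.com"
    if not request_host.endswith(suffix):
        return False
    label = request_host[: -len(suffix)]
    return bool(label) and "." not in label

def prefix_matches(rule_path, request_path):
    """pathType: Prefix compares whole '/'-separated elements, case-sensitively."""
    want = [p for p in rule_path.split("/") if p]
    got = [p for p in request_path.split("/") if p]
    return got[: len(want)] == want

def route(host, path):
    """Return (service, port) for a request, or None when no rule matches."""
    host = host.split(":")[0]                   # drop a NodePort such as :30080
    best = None
    for rule in RULES:
        if host_matches(rule["host"], host) and prefix_matches(rule["path"], path):
            if best is None or len(rule["path"]) > len(best["path"]):
                best = rule                     # longest matching path wins
    return (best["service"], best["port"]) if best else None
```

The wildcard rule does not cover foo.com itself or a.b.foo.com, and /bar does not cover /barn, so those requests fall through to the controller's default backend.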
Verification
1. check ingress controller installed
k get ingressclass
if not, install it
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install my-nginx-ingress ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace
2. check IP, domain, port
# 1. check port
# svc asia|europe are bound to the app pods
# svc ingress-nginx-controller is bound to the ingress-controller pod
# its PORT(S) column shows port:nodePort as 80:30080, so the access port is 30080
controlplane $ k get svc -A
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 35h
ingress-nginx ingress-nginx-controller NodePort 10.106.174.82 <none> 80:30080/TCP,443:30443/TCP 2m12s
ingress-nginx ingress-nginx-controller-admission ClusterIP 10.110.84.81 <none> 443/TCP 2m13s
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 35h
world asia ClusterIP 10.100.146.115 <none> 80/TCP 44s
world europe ClusterIP 10.99.31.152 <none> 80/TCP 45s
# 2. find IP (endpoint -> ingress)
controlplane $ k get endpoints
NAME ENDPOINTS AGE
kubernetes 172.30.1.2:6443 35h
controlplane $ k get ing -owide -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
world world nginx world.universe.mine 172.30.1.2 80 63s
# 3. check domain (if not, append it)
controlplane $ cat /etc/hosts
127.0.0.1 localhost
127.0.0.1 ubuntu
127.0.0.1 host01
127.0.0.1 controlplane
172.30.1.2 world.universe.mine
Notice: don't confuse the app svc with the ingress svc. The app svc is bound to the app pods (here, for example, asia); other pods can reach it via svc_ip:svc_port. The ingress svc is bound to the ingress controller pod; it is created during the ingress installation in the ingress-nginx namespace. External access to the pods should use the ingress svc port.
3. curl ingress IP/path
# curl domain_name:port/path
controlplane $ curl world.universe.mine:30080/asia
NetworkPolicy
- filters traffic
- Fields:
  - act on pods: namespace, podSelector
  - np type: ingress.from & egress.to
    - traffic flow source/destination pods: namespaceSelector, podSelector
    - ports
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default # namespace of the pods the policy acts on
spec:
  podSelector:
    matchLabels:
      role: db # label of the pods the policy acts on
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproj # namespace label of the src/dst pods
    - podSelector:
        matchLabels:
          role: frontend # label of the src/dst pods
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978 # port to filter
To find the labels:
k get ns --show-labels
k get pod -A --show-labels
Verification
Based on the filter rules, pick a source pod and a destination pod, then check the traffic between them:
k exec -it pod01 -- curl svc02.ns02.svc.cluster.local
k exec -it test_pod -- curl svc02.ns02.svc.cluster.local
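To choose source pods for this check, the ingress rule of test-network-policy can be modelled offline. This Python model is an added example, not part of the original post; it handles matchLabels only, and the sample sources, their labels and IPs, and the PEERS_AND variant are constructed.

```python
import ipaddress

# Ingress rule of test-network-policy above. Each "from" entry is one peer;
# a source is admitted if ANY peer matches (the entries are OR-ed).
POLICY_NS = "default"
PORTS = {("TCP", 6379)}
PEERS_OR = [
    {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
    {"namespaceSelector": {"project": "myproj"}},
    {"podSelector": {"role": "frontend"}},
]
# Variant (not on the page): both selectors in ONE peer, so both must match.
PEERS_AND = [{"namespaceSelector": {"project": "myproj"},
              "podSelector": {"role": "frontend"}}]

def selects(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, src):
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        inside = ip in ipaddress.ip_network(block["cidr"])
        carved = any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
        return inside and not carved
    if "ns" not in src:                       # external address, not a pod
        return False
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["ns"] != POLICY_NS:              # bare podSelector: policy's namespace only
        return False
    return selects(peer.get("podSelector", {}), src["pod_labels"])

def ingress_allowed(src, proto, port, peers=PEERS_OR):
    return (proto, port) in PORTS and any(peer_matches(p, src) for p in peers)

# Constructed sources to pick test pods from (names, labels and IPs are made up).
def pod(ns, ns_labels, pod_labels, ip="10.244.0.9"):
    return {"ns": ns, "ns_labels": ns_labels, "pod_labels": pod_labels, "ip": ip}

FRONTEND_LOCAL = pod("default", {}, {"role": "frontend"})
FRONTEND_OTHER = pod("other", {}, {"role": "frontend"})
BATCH_MYPROJ = pod("ns02", {"project": "myproj"}, {"role": "batch"})
EXTERNAL_OK = {"ip": "172.17.2.5"}
EXTERNAL_EXCEPT = {"ip": "172.17.1.5"}
```

With the policy as written, BATCH_MYPROJ is admitted because any pod in a project: myproj namespace matches the namespaceSelector peer on its own; FRONTEND_OTHER is refused because a bare podSelector only looks inside the policy's namespace.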