Ingress
- Ingress exposes services for external access at `domain_name:port/path`
- Fields:
  - `ingressClassName` -> ingress controller
  - `path` -> path
  - `backend.service.name` -> service
  - `port` -> service port
  - `host` -> domain name
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-wildcard-host
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx # used for ingress controller
  rules:
  - host: "foo.bar.com"
    http:
      paths:
      - pathType: Prefix
        path: "/bar" # http://domain/path
        backend:
          service:
            name: service1 # svc
            port:
              number: 80 # svc port
  - host: "*.foo.com"
    http:
      paths:
      - pathType: Prefix
        path: "/foo"
        backend:
          service:
            name: service2
            port:
              number: 80
```
Verification
1. check ingress controller installed

```bash
k get ingressclass
```

if not, install it

```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install my-nginx-ingress ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace
```
2. check IP, domain, port
```bash
# 1. check port
# svc asia|europe is bound to the app pods
# svc ingress-nginx-controller is bound to the ingress-controller pod
# its PORT(S) column shows port:nodePort = 80:30080, so the access port is 30080
controlplane $ k get svc -A
NAMESPACE       NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
default         kubernetes                           ClusterIP   10.96.0.1        <none>        443/TCP                      35h
ingress-nginx   ingress-nginx-controller             NodePort    10.106.174.82    <none>        80:30080/TCP,443:30443/TCP   2m12s
ingress-nginx   ingress-nginx-controller-admission   ClusterIP   10.110.84.81     <none>        443/TCP                      2m13s
kube-system     kube-dns                             ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP       35h
world           asia                                 ClusterIP   10.100.146.115   <none>        80/TCP                       44s
world           europe                               ClusterIP   10.99.31.152     <none>        80/TCP                       45s

# 2. find IP (endpoint -> ingress)
controlplane $ k get endpoints
NAME         ENDPOINTS         AGE
kubernetes   172.30.1.2:6443   35h
controlplane $ k get ing -owide -A
NAMESPACE   NAME    CLASS   HOSTS                 ADDRESS      PORTS   AGE
world       world   nginx   world.universe.mine   172.30.1.2   80      63s

# 3. check domain (if not, append it)
controlplane $ cat /etc/hosts
127.0.0.1 localhost
127.0.0.1 ubuntu
127.0.0.1 host01
127.0.0.1 controlplane
172.30.1.2 world.universe.mine
```
Notice: don't confuse the app svc with the ingress svc. The app svc is bound to the app pod (here, for example, asia); other pods can access it via `svc_ip:svc_port`. The ingress svc is bound to the ingress controller pod; it is created during the ingress installation in the `ingress-nginx` namespace. External access to a pod should use the ingress svc port.
3. curl ingress IP/path
```bash
# curl domain_name:port/path
controlplane $ curl world.universe.mine:30080/asia
```
NetworkPolicy
- filters traffic
- Fields:
  - act on pods: `namespace`, `podSelector`
  - np type: `ingress.from` & `egress.to`
    - traffic flow source/destination pods: `namespaceSelector`, `podSelector`
    - `ports`
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default # namespace of the pods the policy acts on
spec:
  podSelector:
    matchLabels:
      role: db # label of the pods the policy acts on
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproj # namespace label of the src/dst pods
    - podSelector:
        matchLabels:
          role: frontend # pod label of the src/dst pods
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978 # port to filter
```
To find the labels to use in the selectors:

```bash
k get ns --show-labels
k get pod -A --show-labels
```
Verification
According to the filter rules, choose a source pod and a destination pod, then check the traffic between them:

```bash
k exec -it pod01 -- curl svc02.ns02.svc.cluster.local
k exec -it test_pod -- curl svc02.ns02.svc.cluster.local
```
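The `from` list in `test-network-policy` holds three separate peers, which Kubernetes ORs together; putting `namespaceSelector` and `podSelector` inside one peer ANDs them instead. The following is an added example, not part of the original post: it models that matching for the page's ingress rule so you can predict which sources the verification `curl` should succeed from. The `STRICT_RULE` variant and the sample namespaces, labels and IPs are constructed, selectors are flattened to their `matchLabels`, and `ipBlock` is modelled for non-pod sources only.

```python
import ipaddress

POLICY_NS = "default"  # metadata.namespace of test-network-policy
# The page's ingress rule: three separate `from` peers (ORed), ANDed with the port.
PAGE_RULE = {"from": [{"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
                      {"namespaceSelector": {"project": "myproj"}},
                      {"podSelector": {"role": "frontend"}}],
             "ports": [("TCP", 6379)]}
# Hypothetical stricter variant: both selectors inside ONE peer (ANDed).
STRICT_RULE = {"from": [{"namespaceSelector": {"project": "myproj"},
                         "podSelector": {"role": "frontend"}}],
               "ports": [("TCP", 6379)]}

def labels_match(selector, labels):
    """matchLabels semantics: every selector key/value must be present."""
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, src):
    if "ipBlock" in peer:  # modelled for non-pod sources only (simplification)
        if "ip" not in src:
            return False
        ip, blk = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(
            ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if "ns" not in src:
        return False  # label selectors only ever match pods
    if "namespaceSelector" in peer:
        ns_ok = labels_match(peer["namespaceSelector"], src["ns_labels"])
    else:  # podSelector alone is scoped to the policy's own namespace
        ns_ok = src["ns"] == POLICY_NS
    return ns_ok and labels_match(peer.get("podSelector", {}), src["pod_labels"])

def allowed(rule, src, proto="TCP", port=6379):
    return (proto, port) in rule["ports"] and any(peer_matches(p, src) for p in rule["from"])

# Constructed sample sources (namespaces, labels and IPs are made up).
def pod(ns, ns_labels, pod_labels):
    return {"ns": ns, "ns_labels": ns_labels, "pod_labels": pod_labels}

BATCH_IN_MYPROJ = pod("team-a", {"project": "myproj"}, {"role": "batch"})
FRONTEND_IN_DEFAULT = pod("default", {}, {"role": "frontend"})
FRONTEND_ELSEWHERE = pod("other", {}, {"role": "frontend"})
FRONTEND_IN_MYPROJ = pod("team-a", {"project": "myproj"}, {"role": "frontend"})

if __name__ == "__main__":
    for name in ("BATCH_IN_MYPROJ", "FRONTEND_IN_DEFAULT", "FRONTEND_ELSEWHERE", "FRONTEND_IN_MYPROJ"):
        print(name, allowed(PAGE_RULE, globals()[name]), allowed(STRICT_RULE, globals()[name]))
    print("172.17.2.5", allowed(PAGE_RULE, {"ip": "172.17.2.5"}))
    print("172.17.1.5", allowed(PAGE_RULE, {"ip": "172.17.1.5"}))
```

With the page's rule, every pod in a namespace labelled `project: myproj` reaches the `role: db` pods on 6379, whatever its own labels; only the single-peer form restricts access to frontend pods inside that project.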