Network Policies
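# NETWORK POLICY, step 1: select the DB pods.
# Slide diagram labels: Web pod (:80), API pod (:5000), DB pod (:3306).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  # Applies to every pod in the policy's namespace labelled role=db.
  podSelector:
    matchLabels:
      role: db
  # NOTE(review): no policyTypes and no ingress rules yet. A pod selected by
  # any NetworkPolicy is isolated for ingress, so as written this already
  # denies ALL inbound traffic to the DB pods, including the API pod on 3306.
  # Enforcement depends on the cluster's network plugin: a CNI that does not
  # implement NetworkPolicy silently ignores this object.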
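# NETWORK POLICY, step 2: declare the direction the policy governs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  # Only Ingress is listed, so the DB pods' outbound traffic is untouched.
  # With no `ingress:` rules this is an explicit deny-all for inbound traffic
  # to role=db pods.
  policyTypes:
    - Ingress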
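# NETWORK POLICY, step 3: allow the API pod in on the MySQL port.
# Slide diagram labels: namespaces dev / prod / test, each with an API pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A podSelector on its own matches pods in the policy's OWN namespace
        # only; an api-pod in another namespace (e.g. prod) is still denied.
        - podSelector:
            matchLabels:
              name: api-pod
      # Restrict to the DB port; omitting `ports` would allow every port.
      ports:
        - protocol: TCP
          port: 3306
  # NOTE(review): access is granted purely by label. Anything permitted to
  # create or relabel pods in this namespace can obtain DB access, so keep
  # pod create/patch RBAC as tight as the policy itself.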
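# NETWORK POLICY, step 4: restrict the source to api-pod in the prod namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # podSelector AND namespaceSelector inside the SAME list item: the
        # peer must satisfy both, i.e. a pod labelled name=api-pod that lives
        # in a namespace labelled name=prod. (A separate `-` entry for the
        # namespaceSelector would instead admit every pod in prod.)
        - podSelector:
            matchLabels:
              name: api-pod
          namespaceSelector:
            matchLabels:
              name: prod
      ports:
        - protocol: TCP
          port: 3306
  # NOTE(review): this relies on the prod Namespace object carrying a
  # `name=prod` label, which must be set by hand; newer clusters also expose
  # the immutable `kubernetes.io/metadata.name` label, which cannot be spoofed.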
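# NETWORK POLICY, step 5: same policy as before; the slide diagram now adds an
# external "Backup Server" at 192.168.5.10 that also needs to reach 3306.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Single peer: api-pod AND namespace prod.
        - podSelector:
            matchLabels:
              name: api-pod
          namespaceSelector:
            matchLabels:
              name: prod
      ports:
        - protocol: TCP
          port: 3306
  # NOTE(review): the backup server (192.168.5.10) is outside the cluster, so
  # no pod/namespace selector can match it; with this version it is still
  # denied. An `ipBlock` peer is required (next slide).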
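# NETWORK POLICY, step 6: add the backup server via ipBlock (spec only on the slide).
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Each `-` below is an independent peer and the peers are OR-ed.
        - podSelector:
            matchLabels:
              name: api-pod
        # SECURITY: as its own list item this namespaceSelector admits EVERY
        # pod in a namespace labelled name=prod, not just api-pod. If the
        # intent is "api-pod in prod", move it into the podSelector item above.
        - namespaceSelector:
            matchLabels:
              name: prod
        # External backup server; the /32 limits this to exactly one host.
        # ipBlock matches by source IP, so it is only as trustworthy as the
        # network path that delivers that address.
        - ipBlock:
            cidr: 192.168.5.10/32
      ports:
        - protocol: TCP
          port: 3306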
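# NETWORK POLICY, step 7: also govern egress from the DB pods (spec only on the slide).
spec:
  podSelector:
    matchLabels:
      role: db
  # Listing Egress isolates the DB pods for OUTBOUND traffic too: anything
  # not matched by an `egress` rule below is dropped.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: api-pod
      ports:
        - protocol: TCP
          port: 3306
  egress:
    # Only destination allowed: the backup server on TCP/80.
    # NOTE(review): port 80 implies plaintext HTTP for the backup stream —
    # confirm the transport, or move it to an authenticated/TLS port.
    - to:
        - ipBlock:
            cidr: 192.168.5.10/32
      ports:
        - protocol: TCP
          port: 80
  # NOTE(review): with Egress isolated, DNS (UDP/TCP 53 to the cluster DNS
  # service) is now blocked as well. Add an egress rule for it if the DB pod
  # must resolve names.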
11
INGRESS
www.my-online-store.com
www.my-online-store.com
http://<node-ip>:38080
38080
wear-service (NodePort)
Deployment
MySQL
Service
www.my-online-store.com <node-ip>
http://my-online-store.com:38080
http://<node-ip>:38080
38080
wear-service (NodePort)
http://my-online-store.com:38080
http://my-online-store.com
http://<node-ip>:38080
80
proxy-server
38080
wear-service (NodePort)
http://my-online-store.com:38080
http://<node-ip>:38080
38080
wear-service (NodePort)
(LoadBalancer)
http://my-online-store.com:38080
http://my-online-store.com
http://<node-ip>:38080
80
gcp load-balancer
38080
wear-service (LoadBalancer)
http://my-online-store.com:38080
http://my-online-store.com
http://<node-ip>:38080
38080 38282
https://my-online-store.com
http://my-online-store.com
http://my-online-store.com:38080
http://<node-ip>:38080
/apparel -> gcp load-balancer
yet another load-balancer
/video -> gcp load-balancer-2
38080 38282
https://my-online-store.com
http://my-online-store.com
http://my-online-store.com:38080
http://<node-ip>:38080
38080 38282
load-balancer load-balancer-2
38080 38282
wear-service video-service
ingress-service (NodePort)
(LoadBalancer)
INGRESS
wear-service video-service
INGRESS CONTROLLER
2. Configure
INGRESS RESOURCES
INGRESS CONTROLLER
GCP HTTP(S)
Load Balancer (GCE)
Contour
Istio
INGRESS CONTROLLER
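# INGRESS CONTROLLER, first (partial) version of the Deployment, shown next to
# the ConfigMap it reads its nginx settings from.
# NOTE(review): extensions/v1beta1 Deployment is removed in Kubernetes 1.16;
# the current equivalent is apps/v1.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      name: nginx-ingress
  template:
    metadata:
      labels:
        name: nginx-ingress
    spec:
      containers:
        - name: nginx-ingress-controller
          # NOTE(review): 0.21.0 is an old mutable tag. Pin by digest and
          # track upstream ingress-nginx advisories before deploying it.
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
          args:
            - /nginx-ingress-controller
            # $(POD_NAMESPACE) is expanded only from a container env var of
            # that name; none is defined in this version, so the literal
            # string is passed through. The env block is added on the next slide.
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration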
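# INGRESS CONTROLLER, complete Deployment (env and ports added) with its ConfigMap.
# The apiVersion/kind header is the same as on the previous slide.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      name: nginx-ingress
  template:
    metadata:
      labels:
        name: nginx-ingress
    spec:
      # NOTE(review): no serviceAccountName is set in any version on these
      # slides, so the controller pod runs under the namespace's `default`
      # ServiceAccount, not the nginx-ingress-serviceaccount created later.
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
          args:
            - /nginx-ingress-controller
            # Expanded from the POD_NAMESPACE env var below.
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
          env:
            # Downward API: the controller needs its own name/namespace to
            # locate the ConfigMap and report status.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration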
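# INGRESS CONTROLLER, Service that exposes the controller pods.
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
spec:
  # NodePort publishes 80/443 on EVERY node IP at a cluster-assigned high
  # port (the diagram's 38080-style ports). Anything that can reach a node
  # can reach the controller; front it with a firewall or a LoadBalancer.
  type: NodePort
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: http
    - port: 443
      targetPort: 443
      protocol: TCP
      name: https
  # Must match the Deployment's pod template labels.
  selector:
    name: nginx-ingress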
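# INGRESS CONTROLLER, identity for the controller. The slides bind Roles,
# ClusterRoles and RoleBindings to it; the Deployment must reference it via
# `serviceAccountName` for those grants to apply (not shown on the slides).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount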
ClusterRoles, Roles and RoleBindings (RBAC granted to the controller's ServiceAccount)
ConfigMap ServiceAccount
nginx-configuration nginx-ingress-serviceaccount
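# INGRESS CONTROLLER, nginx settings ConfigMap. Created empty here; the
# controller is pointed at it via --configmap=$(POD_NAMESPACE)/nginx-configuration.
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration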
INGRESS CONTROLLER
Deployment
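# INGRESS CONTROLLER, summary slide: Deployment, Service and ConfigMap side by side.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      name: nginx-ingress
  template:
    metadata:
      labels:
        name: nginx-ingress
    spec:
      # NOTE(review): still no serviceAccountName, securityContext or
      # resource limits on the controller pod.
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
spec:
  # Exposed on every node IP; see the NodePort caveat on the Service slide.
  type: NodePort
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: http
    - port: 443
      targetPort: 443
      protocol: TCP
      name: https
  selector:
    name: nginx-ingress
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration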
/wear /watch
www.my-online-store.com
Ingress-wear.yaml
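# INGRESS RESOURCE, Ingress-wear.yaml (header only; the spec is filled in on
# the next slide).
# NOTE(review): extensions/v1beta1 Ingress is removed in Kubernetes 1.22; the
# replacement is networking.k8s.io/v1, which requires pathType and uses
# backend.service.name / backend.service.port.number.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear
spec: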
INGRESS RESOURCE
www.my-online-store.com
Ingress-wear.yaml
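# INGRESS RESOURCE, Ingress-wear.yaml with a single default backend.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear
spec:
  # No rules and no `tls:` section: EVERY request the controller receives
  # (any Host header, any path) is forwarded, over plain HTTP, to
  # wear-service on port 80.
  backend:
    serviceName: wear-service
    servicePort: 80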
wear-service
kubectl create -f Ingress-wear.yaml
wear
ingress.extensions/ingress-wear created
www.my-watch-store.com
www.my-online-store.com www.wear.my-online-store.com 10.123.23.12
www.watch.my-online-store.com Everything Else
http://www.my-online-store.com/wear
http://www.my-online-store.com/watch
http://www.my-online-store.com/listen
Path /wear
Path /watch
Path /
INGRESS RESOURCE - RULES
www.my-online-store.com www.wear.my-online-store.com www.watch.my-online-store.com Everything Else
http://www.my-online-store.com/wear http://www.wear.my-online-store.com/
http://www.my-online-store.com/watch http://www.wear.my-online-store.com/returns
http://www.my-online-store.com/listen http://www.wear.my-online-store.com/support
http://www.wear.my-online-store.com/
http://www.my-online-store.com/wear http://www.watch.my-online-store.com/
http://www.wear.my-online-store.com/returns
http://www.my-online-store.com/watch http://www.watch.my-online-store.com/movies
http://www.wear.my-online-store.com/support
http://www.my-online-store.com/listen http://www.watch.my-online-store.com/tv
http://www.wear.my-online-store.com/ http://www.watch.my-online-store.com/
http://www.my-online-store.com/wear http://www.listen.my-online-store.com/
http://www.wear.my-online-store.com/returns http://www.watch.my-online-store.com/movies
http://www.my-online-store.com/watch http://www.eat.my-online-store.com/
http://www.wear.my-online-store.com/support http://www.watch.my-online-store.com/tv
http://www.my-online-store.com/listen http://www.drink.my-online-store.com/tv
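# Fragment: one entry of spec.rules[].http.paths[] routing /watch to the
# video ("VID") service. With extensions/v1beta1 there is no pathType; how
# /watch matches (exact vs prefix) is controller-defined.
- path: /watch
  backend:
    serviceName: watch-service
    servicePort: 80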
INGRESS RESOURCE
kubectl describe ingress ingress-wear-watch
Name: ingress-wear-watch
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
*
/wear wear-service:80 (<none>)
/watch watch-service:80 (<none>)
Annotations:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 14s nginx-ingress-controller Ingress default/ingress-wear-watch
INGRESS RESOURCE www.my-online-store.com/eat
www.my-online-store.com/listen
www.my-online-store.com/wear
www.my-online-store.com www.my-online-store.com/watch
INGRESS RESOURCE
Ingress-wear-watch.yaml
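# INGRESS RESOURCE, Ingress-wear-watch.yaml: host-based routing.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  # Routing keys on the HTTP Host header only. Requests for any other host
  # fall through to the controller's default backend (default-http-backend
  # in the `kubectl describe` output on the earlier slide).
  # No `tls:` section, so both hosts are served over plain HTTP.
  rules:
    - host: wear.my-online-store.com
      http:
        paths:
          - backend:
              serviceName: wear-service
              servicePort: 80
    - host: watch.my-online-store.com
      http:
        paths:
          - backend:
              serviceName: watch-service
              servicePort: 80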
INGRESS RESOURCE
Ingress-wear-watch.yaml
Ingress-wear-watch.yaml
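# INGRESS RESOURCE, the two Ingress-wear-watch.yaml variants shown side by side:
# path-based routing (first document) and host-based routing (second).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  rules:
    # No `host`, so this rule applies to ANY Host header (the `*` in
    # `kubectl describe ingress`); only the path decides the backend.
    - http:
        paths:
          - path: /wear
            backend:
              serviceName: wear-service
              servicePort: 80
          - path: /watch
            backend:
              serviceName: watch-service
              servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  rules:
    # Host-based: each subdomain gets its own backend; no path filtering.
    - host: wear.my-online-store.com
      http:
        paths:
          - backend:
              serviceName: wear-service
              servicePort: 80
    - host: watch.my-online-store.com
      http:
        paths:
          - backend:
              serviceName: watch-service
              servicePort: 80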
Ingress controller objects, all in the namespace ingress-space: ServiceAccount ingress-serviceaccount, Deployment ingress-controller, Service ingress, ConfigMap nginx-configuration, Role ingress-role with RoleBinding ingress-role-binding, and ClusterRole ingress-clusterrole with ClusterRoleBinding ingress-clusterrole-binding.
ServiceAccount Deployment Service
ingress-serviceaccount ingress-controller ingress
RoleBinding ClusterRoleBinding
ingress-role-binding ingress-clusterrole-binding
ConfigMap
nginx-configuration
Role ClusterRole
ingress-role ingress-clusterrole NameSpace
Ingress-space
ServiceAccount Deployment Service
ingress-serviceaccount ingress-controller ingress
RoleBinding ClusterRoleBinding
ingress-role-binding ingress-clusterrole-binding
ConfigMap
nginx-configuration
Role ClusterRole
ingress-role ingress-clusterrole NameSpace
Ingress-space
ServiceAccount Deployment Service
ingress-serviceaccount ingress-controller ingress
RoleBinding ClusterRoleBinding
ingress-role-binding ingress-clusterrole-binding
ConfigMap
nginx-configuration
Role ClusterRole
ingress-role ingress-clusterrole NameSpace
Ingress-space
ServiceAccount Deployment Service
ingress-serviceaccount ingress-controller ingress
RoleBinding ClusterRoleBinding
ingress-role-binding ingress-clusterrole-binding
ConfigMap
nginx-configuration
Role ClusterRole
ingress-role ingress-clusterrole NameSpace
Ingress-space
ServiceAccount Deployment Service
ingress-serviceaccount ingress-controller ingress
RoleBinding ClusterRoleBinding
ingress-role-binding ingress-clusterrole-binding
ConfigMap
nginx-configuration
Role ClusterRole
ingress-role ingress-clusterrole NameSpace
Ingress-space
ServiceAccount Deployment Service
ingress-serviceaccount ingress-controller ingress
RoleBinding ClusterRoleBinding
ingress-role-binding ingress-clusterrole-binding
ConfigMap
nginx-configuration
Role ClusterRole
ingress-role ingress-clusterrole NameSpace
Ingress-space