Networking

Uploaded by

parul gupta
Network Policies
[Diagram: Web Pod (port 80), API Pod (port 5000) and DB Pod (port 3306). The Network Policy is attached to the DB Pod. API Pods also exist in the dev, test and prod namespaces.]

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: api-pod
      ports:
        - protocol: TCP
          port: 3306

[Diagram: dev, test and prod namespaces with Web and API Pods, the DB Pod (port 3306) protected by the Network Policy, and a Backup Server at 192.168.5.10 outside the cluster.]

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # podSelector and namespaceSelector in the same entry: both must match
        - podSelector:
            matchLabels:
              name: api-pod
          namespaceSelector:
            matchLabels:
              name: prod
      ports:
        - protocol: TCP
          port: 3306

[Diagram: same layout, with the Backup Server at 192.168.5.10 now allowed to reach the DB Pod on port 3306.]

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # separate entries: a source that matches any one of them is allowed
        - podSelector:
            matchLabels:
              name: api-pod
        - namespaceSelector:
            matchLabels:
              name: prod
        - ipBlock:
            cidr: 192.168.5.10/32
      ports:
        - protocol: TCP
          port: 3306
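
The two "from" layouts above differ only in the dash before namespaceSelector, yet they admit different sources. The following Python model is an added example, not part of the original deck; it evaluates both layouts against constructed sources. Assumptions: the policy lives in the prod namespace, each namespace carries the label name=<namespace>, the web-pod label is made up, and ports are left out because both policies restrict them to TCP 3306.

```python
import ipaddress

def labels_match(selector, labels):
    # matchLabels: every key/value pair must be present; an empty selector matches all
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, src, policy_ns, ns_labels):
    # One entry of `from`: the fields inside a single entry are ANDed together.
    if "ipBlock" in peer:
        net = ipaddress.ip_network(peer["ipBlock"]["cidr"])
        return "ip" in src and ipaddress.ip_address(src["ip"]) in net
    if "namespace" not in src:  # source outside the cluster, only ipBlock can match
        return False
    if "namespaceSelector" in peer:
        ns_ok = labels_match(peer["namespaceSelector"], ns_labels[src["namespace"]])
    else:  # podSelector on its own only selects pods in the policy's namespace
        ns_ok = src["namespace"] == policy_ns
    return ns_ok and labels_match(peer.get("podSelector", {}), src["labels"])

def ingress_allowed(from_peers, src, policy_ns, ns_labels):
    # The entries of the `from` list are alternatives: any one match admits the source.
    return any(peer_allows(p, src, policy_ns, ns_labels) for p in from_peers)

API_POD = {"matchLabels": {"name": "api-pod"}}
PROD_NS = {"matchLabels": {"name": "prod"}}
# Single entry carrying both selectors (no dash before namespaceSelector).
FROM_SINGLE_ENTRY = [{"podSelector": API_POD, "namespaceSelector": PROD_NS}]
# Three separate entries (dash before namespaceSelector and ipBlock).
FROM_SEPARATE_ENTRIES = [{"podSelector": API_POD}, {"namespaceSelector": PROD_NS},
                         {"ipBlock": {"cidr": "192.168.5.10/32"}}]

# Constructed sample data: each namespace is assumed to carry the label name=<namespace>.
NS_LABELS = {ns: {"name": ns} for ns in ("dev", "test", "prod")}
SOURCES = {
    "api-pod/prod": {"namespace": "prod", "labels": {"name": "api-pod"}},
    "api-pod/dev": {"namespace": "dev", "labels": {"name": "api-pod"}},
    "web-pod/prod": {"namespace": "prod", "labels": {"name": "web-pod"}},
    "backup-server": {"ip": "192.168.5.10"},
}

def allowed_sources(from_peers, policy_ns="prod"):
    return sorted(name for name, src in SOURCES.items()
                  if ingress_allowed(from_peers, src, policy_ns, NS_LABELS))

if __name__ == "__main__":
    print("single entry:    ", allowed_sources(FROM_SINGLE_ENTRY))
    print("separate entries:", allowed_sources(FROM_SEPARATE_ENTRIES))
```

With separate entries every pod in prod reaches the database, not only the API pod, which is the usual surprise when a dash is added by accident.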
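
[Diagram: prod namespace with the API Pod, the DB Pod (port 3306) protected by the Network Policy, and the Backup Server at 192.168.5.10 listening on port 80.]

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: api-pod
      ports:
        - protocol: TCP
          port: 3306
  egress:
    # traffic leaving the DB Pod is limited to the Backup Server on TCP 80
    - to:
        - ipBlock:
            cidr: 192.168.5.10/32
      ports:
        - protocol: TCP
          port: 80
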
INGRESS

[Diagram: www.my-online-store.com resolves to <node-ip>. The wear pods (Deployment) are exposed by wear-service (NodePort 38080) and reached at http://<node-ip>:38080 or http://my-online-store.com:38080. The MySQL pod sits behind mysql-service (ClusterIP).]

[Diagram: a proxy-server listening on port 80 forwards to NodePort 38080, so the site is reached at http://my-online-store.com.]

[Diagram: on GCP, wear-service changes from NodePort to LoadBalancer. A gcp load-balancer on port 80 forwards to NodePort 38080.]

[Diagram: www.my-online-store.com/wear and www.my-online-store.com/watch. A second service, video-service (LoadBalancer, NodePort 38282), gets its own gcp load-balancer-2.]

[Diagram: yet another load-balancer in front serves https://my-online-store.com and routes /apparel -> gcp load-balancer and /video -> gcp load-balancer-2.]

Ingress

[Diagram: the routing done by "yet another load-balancer" (/apparel -> load-balancer, /video -> load-balancer-2) moves into the cluster as INGRESS, in front of wear-service and video-service.]

[Diagram: ingress-service (NodePort 38080, or LoadBalancer) exposes INGRESS, which routes to wear-service and video-service.]

Ingress
1. Deploy: INGRESS CONTROLLER
2. Configure: INGRESS RESOURCES

INGRESS CONTROLLER
GCP HTTP(S) Load Balancer (GCE)
Contour
Istio

INGRESS CONTROLLER

Deployment

# extensions/v1beta1 was removed for Deployment in Kubernetes 1.16; current clusters use apps/v1
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      name: nginx-ingress
  template:
    metadata:
      labels:
        name: nginx-ingress
    spec:
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443

Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
spec:
  type: NodePort
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: http
    - port: 443
      targetPort: 443
      protocol: TCP
      name: https
  selector:
    name: nginx-ingress

ConfigMap (nginx-configuration)

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration

Auth: ServiceAccount (nginx-ingress-serviceaccount), with Roles, ClusterRoles and RoleBindings

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount

INGRESS RESOURCE

[Diagram: two ways to split traffic. By path: www.my-online-store.com/wear and www.my-online-store.com/watch. By host: wear.my-online-store.com and watch.my-online-store.com. Each goes to the wear or video (VID) pods.]

INGRESS RESOURCE

[Diagram: www.my-online-store.com -> wear-service -> wear pods.]

Ingress-wear.yaml

# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; networking.k8s.io/v1 uses a different backend schema
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear
spec:
  backend:
    serviceName: wear-service
    servicePort: 80

kubectl create -f Ingress-wear.yaml
ingress.extensions/ingress-wear created

kubectl get ingress
NAME           HOSTS   ADDRESS   PORTS   AGE
ingress-wear   *                 80      2s

INGRESS RESOURCE - RULES

DNS Name                         Forward IP
www.my-online-store.com          10.123.23.12 (INGRESS SERVICE)
www.wear.my-online-store.com     10.123.23.12
www.watch.my-online-store.com    10.123.23.12
www.my-wear-store.com            10.123.23.12
www.my-watch-store.com           10.123.23.12

Rule 1: www.my-online-store.com
  Path /wear      http://www.my-online-store.com/wear
  Path /watch     http://www.my-online-store.com/watch
  Path /          http://www.my-online-store.com/listen

Rule 2: www.wear.my-online-store.com
  Path /          http://www.wear.my-online-store.com/
  Path /returns   http://www.wear.my-online-store.com/returns
  Path /support   http://www.wear.my-online-store.com/support

Rule 3: www.watch.my-online-store.com
  Path /          http://www.watch.my-online-store.com/
  Path /movies    http://www.watch.my-online-store.com/movies
  Path /tv        http://www.watch.my-online-store.com/tv

Rule 4: Everything Else
  Path /          http://www.listen.my-online-store.com/
                  http://www.eat.my-online-store.com/
                  http://www.drink.my-online-store.com/tv

INGRESS RESOURCE

[Diagram: www.my-online-store.com with /wear -> wear-service:80 -> wear pods and /watch -> watch-service:80 -> video (VID) pods.]

Ingress-wear.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear
spec:
  backend:
    serviceName: wear-service
    servicePort: 80

Ingress-wear-watch.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  rules:
    - http:
        paths:
          - path: /wear
            backend:
              serviceName: wear-service
              servicePort: 80
          - path: /watch
            backend:
              serviceName: watch-service
              servicePort: 80

INGRESS RESOURCE
kubectl describe ingress ingress-wear-watch
Name:             ingress-wear-watch
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host  Path    Backends
  ----  ----    --------
  *
        /wear   wear-service:80 (<none>)
        /watch  watch-service:80 (<none>)
Annotations:
Events:
  Type    Reason  Age  From                      Message
  ----    ------  ---  ----                      -------
  Normal  CREATE  14s  nginx-ingress-controller  Ingress default/ingress-wear-watch

INGRESS RESOURCE

[Diagram: requests for www.my-online-store.com/wear, www.my-online-store.com/watch, www.my-online-store.com/eat and www.my-online-store.com/listen arriving at www.my-online-store.com.]

INGRESS RESOURCE

[Diagram: wear.my-online-store.com -> WEAR pods, watch.my-online-store.com -> VIDEO pods.]

Ingress-wear-watch.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  rules:
    - host: wear.my-online-store.com
      http:
        paths:
          - backend:
              serviceName: wear-service
              servicePort: 80
    - host: watch.my-online-store.com
      http:
        paths:
          - backend:
              serviceName: watch-service
              servicePort: 80

INGRESS RESOURCE

Ingress-wear-watch.yaml (rules split by path)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  rules:
    - http:
        paths:
          - path: /wear
            backend:
              serviceName: wear-service
              servicePort: 80
          - path: /watch
            backend:
              serviceName: watch-service
              servicePort: 80

Ingress-wear-watch.yaml (rules split by host)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  rules:
    - host: wear.my-online-store.com
      http:
        paths:
          - backend:
              serviceName: wear-service
              servicePort: 80
    - host: watch.my-online-store.com
      http:
        paths:
          - backend:
              serviceName: watch-service
              servicePort: 80

NameSpace: Ingress-space
  ServiceAccount:      ingress-serviceaccount
  Deployment:          ingress-controller
  Service:             ingress
  ConfigMap:           nginx-configuration
  Role:                ingress-role
  RoleBinding:         ingress-role-binding
  ClusterRole:         ingress-clusterrole
  ClusterRoleBinding:  ingress-clusterrole-binding