A Service is an abstraction which defines a logical set of Pods and a policy by which to access them (sometimes this pattern is called a micro-service).
- A service provides a single point of entry for accessing one or more pods.
- Pods are ephemeral and may only live a short time. For example, each pod gets its own IP address and you cannot rely on a pod id address staying the same.
- A service creates endpoints between the service and pods.
- The set of pods targeted by a service is usually determined by a selector.
- The roles of a service
- abstracts pod IP addresses.
- works on TCP/UDP (OSI Layer 4). kube-proxy creates a virtual IP for services.
- relies on labels to associate a service with a pod.
- provides load balancing among pods.
Service Types
- ClusterIP
- The Cluster IP exposes the service IP internally within a cluster (default)
- Only pods within a cluster can access the service.
- Pods can communicate with other pods.
- NodePort
- The Node Port exposes the service externally on each node’s IP at a static port (30000 ~ 32767)
- Each node proxies the allocated port.
- LoadBalancer
- The Load Balancer sets up an external IP to act as a load balancer for the service.
- It works with a cloud provider.
- ExternalName
- The External Name maps the service to a DNS name.
Creating a service
<Example> A service on top of nginx pods that were create by a deployment
- Create a YAML file
apiVersion: v1
kind: Service
metadata:
name: my-nginx-service
spec:
selector:
app: my-nginx-app # matching pods with a label
ports:
- protocol: TCP
port: 80
targetPort: 80
nodePort: 30085
type: NodePort
- Run or apply
kubectl create -f <yaml-file>
kubectl apply -f <yaml-file>
Working with services in the cluster
kubectl get services
kubectl describe svc <service-name>
kubectl get endpoints
kubectl describe endpoint <endpoint-name>
kubectl delete service <service-name>
Checking the status of the kubelet service
sudo systemctl status kubelet
Port Forwarding
Using port forwarding, you can access a pod from outside of Kubernetes cluster.
# listen on 8080 and forward to 80 in a pod
kubectl port-forward pod/<pod-name> 8080:80
kubectl port-forward deployment/<deployment-name> 8080:80
kubectl port-forward service/<service-name> 8080:80
Network Policies
- Network policies specify how a pod communicated with various network entities, such as services or endpoints use over the network.
- Network policies restrict and control the network traffic going to and from the pods.
- By default, pods are non-isolated; they accept traffic from any source.
- Pods can be isolated by a NetworkPolicy.
- In NetworkPolicy, you can specify Ingress and Egress rules (based on whitelist rules).
- spec.podSelector: determines which pods are used (matchLabels)
- spec.policyTypes: ingress, egress, or both
- spec.ingress: rules for incoming traffic
- spec.egress: rules for outgoing traffic
- spec.ingress.from: the source of network traffic
- ipBlock, podSelector, or/and namespaceSelector
- spec.egress.to: the destination of network traffic
- ipBlock, podSelector, or/and namespaceSelector
- spec.ingress(egress).ports: the protocol and the port
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: my-network-policy
spec:
podSelector:
matchLabels:
app: secure-app
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
role: client
ports:
- protocol: TCP
port: 80
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 80
kubectl get networkpolicies
kubectl describe networkpolicy <name>
kubectl delete networkpolicy <name>
