[Kubernetes] Services

A Service is an abstraction which defines a logical set of Pods and a policy by which to access them (sometimes this pattern is called a micro-service).


  • A service provides a single point of entry for accessing one or more pods.
    • Pods are ephemeral and may live only a short time. Each pod gets its own IP address, and you cannot rely on a pod's IP address staying the same, so clients should address the service rather than individual pods.
  • A service is backed by an Endpoints object that maps the service to the IP addresses of its pods.
  • The set of pods targeted by a service is usually determined by a selector.
  • The roles of a service
    • abstracts pod IP addresses.
    • works on TCP/UDP (OSI Layer 4). kube-proxy creates a virtual IP for services.
    • relies on labels to associate a service with a pod.
    • provides load balancing among pods.

Service Types

  • ClusterIP
    • The Cluster IP exposes the service IP internally within a cluster (default)
    • Only pods within a cluster can access the service.
    • Pods can communicate with other pods.
  • NodePort
    • The Node Port exposes the service externally on each node's IP at a static port (30000 to 32767 by default)
    • Each node proxies the allocated port.
  • LoadBalancer
    • The Load Balancer sets up an external IP to act as a load balancer for the service.
    • It works with a cloud provider.
  • ExternalName
    • The External Name maps the service to a DNS name.

Creating a service

<Example> A service on top of nginx pods that were created by a deployment

  • Create a YAML file
apiVersion: v1
kind: Service
metadata:
  name: my-nginx-service
spec:
  selector:
    app: my-nginx-app # matching pods with a label
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30085
  type: NodePort
  • Run or apply
kubectl create -f <yaml-file>
kubectl apply -f <yaml-file>
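A mistake that is easy to make with the manifest above is a selector that matches no pod labels (the service is created successfully but its endpoint list stays empty) or a nodePort outside the allowed range. The following script is an added example, not code from the original post: it statically checks a Service against the Deployment it is meant to front. The Deployment and Service are embedded as Python dicts (constructed to mirror my-nginx-service, so no cluster or YAML library is needed) and the NODEPORT_RANGE constant assumes the default kube-apiserver setting.

```python
"""Static consistency check of a Service against the Deployment it fronts.

Added example, not from the original post. Manifests are embedded as dicts
(constructed to mirror the post's my-nginx-service) so it runs offline.
"""

# Assumes the default kube-apiserver --service-node-port-range.
NODEPORT_RANGE = (30000, 32767)

# Constructed Deployment: pods carry app=my-nginx-app and expose port 80.
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "my-nginx-deployment"},
    "spec": {
        "template": {
            "metadata": {"labels": {"app": "my-nginx-app"}},
            "spec": {"containers": [{"name": "nginx", "ports": [{"containerPort": 80}]}]},
        }
    },
}

# Same content as the post's Service manifest, as a dict.
SERVICE = {
    "kind": "Service",
    "metadata": {"name": "my-nginx-service"},
    "spec": {
        "selector": {"app": "my-nginx-app"},
        "ports": [{"protocol": "TCP", "port": 80, "targetPort": 80, "nodePort": 30085}],
        "type": "NodePort",
    },
}


def selector_matches(selector, labels):
    """Equality-based selector: every selector key/value must be present in labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def container_ports(deployment):
    """Collect declared containerPort numbers (and port names) from the pod template."""
    ports = set()
    for c in deployment["spec"]["template"]["spec"].get("containers", []):
        for p in c.get("ports", []):
            ports.add(p["containerPort"])
            if "name" in p:
                ports.add(p["name"])
    return ports


def check_service(service, deployment):
    """Return a list of findings; an empty list means the service looks consistent."""
    findings = []
    spec = service["spec"]
    pod_labels = deployment["spec"]["template"]["metadata"].get("labels", {})

    if not spec.get("selector"):
        findings.append("no selector: endpoints stay empty unless managed by hand")
    elif not selector_matches(spec["selector"], pod_labels):
        findings.append(f"selector {spec['selector']} matches none of the pod labels {pod_labels}")

    declared = container_ports(deployment)
    lo, hi = NODEPORT_RANGE
    for p in spec.get("ports", []):
        target = p.get("targetPort", p["port"])  # targetPort defaults to port
        if target not in declared:
            findings.append(f"targetPort {target} is not a declared containerPort of the pod template")
        if spec.get("type") == "NodePort" and "nodePort" in p and not lo <= p["nodePort"] <= hi:
            findings.append(f"nodePort {p['nodePort']} is outside {lo}-{hi}")
        if spec.get("type", "ClusterIP") == "ClusterIP" and "nodePort" in p:
            findings.append("nodePort may not be set when type is ClusterIP")
    return findings


if __name__ == "__main__":
    for line in check_service(SERVICE, DEPLOYMENT) or ["ok: selector and ports are consistent"]:
        print(line)
```

The targetPort finding is a lint rather than an API error: Kubernetes will happily forward to a port the pod template never declared, which is exactly why it is worth catching before `kubectl apply`.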


Working with services in the cluster

kubectl get services
kubectl describe svc <service-name>

kubectl get endpoints
kubectl describe endpoints <endpoints-name>

kubectl delete service <service-name>


Checking the status of the kubelet service

sudo systemctl status kubelet

Port Forwarding

Using port forwarding, you can reach a pod from outside the Kubernetes cluster without exposing it through a service.

# listen on 8080 and forward to 80 in a pod
kubectl port-forward pod/<pod-name> 8080:80

kubectl port-forward deployment/<deployment-name> 8080:80

kubectl port-forward service/<service-name> 8080:80

Network Policies

  • Network policies specify how a pod is allowed to communicate with other network entities (pods, namespaces, IP ranges) over the network.
  • Network policies restrict and control the network traffic going to and from the pods.
  • By default, pods are non-isolated; they accept traffic from any source and can send traffic anywhere.
  • A pod becomes isolated as soon as a NetworkPolicy selects it; from then on only traffic explicitly allowed by some policy is permitted.
  • In a NetworkPolicy, you specify Ingress and Egress rules (whitelist rules: anything not listed is denied for an isolated pod).
    • spec.podSelector: selects the pods the policy applies to (matchLabels)
    • spec.policyTypes: Ingress, Egress, or both
    • spec.ingress: rules for incoming traffic
    • spec.egress: rules for outgoing traffic
    • spec.ingress[].from: the allowed sources of incoming traffic
      • ipBlock, podSelector, and/or namespaceSelector
    • spec.egress[].to: the allowed destinations of outgoing traffic
      • ipBlock, podSelector, and/or namespaceSelector
    • spec.ingress[].ports and spec.egress[].ports: the protocol and the port
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-network-policy
spec:
  podSelector:
    matchLabels:
      app: secure-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: client
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 80
kubectl get networkpolicies
kubectl describe networkpolicy <name>

kubectl delete networkpolicy <name>
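The whitelist semantics above are easy to get wrong: a pod is only isolated once some policy selects it, a bare podSelector in `from` only matches pods in the policy's own namespace, and a port mismatch denies even an otherwise allowed peer. The script below is an added example, not code from the original post: it evaluates the post's my-network-policy offline against a small constructed inventory of namespaces and pods (the names, labels and IP addresses are assumptions) and reproduces the allow/deny decision a CNI plugin would make for a given source, destination, protocol and port. It handles ipBlock (with `except`), podSelector and namespaceSelector peers and the policyTypes default; matchExpressions are left out.

```python
"""Offline evaluator for Kubernetes NetworkPolicy whitelist semantics.

Added example, not from the original post. Namespaces, pods and IPs are
constructed; the policy mirrors the post's my-network-policy.
"""
import ipaddress

# Constructed inventory: namespace labels and pods with their IPs.
NAMESPACES = {"prod": {"env": "prod"}, "dev": {"env": "dev"}}
PODS = {
    "secure": {"namespace": "prod", "labels": {"app": "secure-app"}, "ip": "10.1.0.5"},
    "client": {"namespace": "prod", "labels": {"role": "client"}, "ip": "10.1.0.6"},
    "stranger": {"namespace": "prod", "labels": {"role": "other"}, "ip": "10.1.0.7"},
    "dev-client": {"namespace": "dev", "labels": {"role": "client"}, "ip": "10.2.0.3"},
    "db": {"namespace": "prod", "labels": {"app": "db"}, "ip": "10.0.0.20"},
}

# The post's policy, as a dict, placed in the prod namespace (assumption).
POLICIES = [{
    "metadata": {"name": "my-network-policy", "namespace": "prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "secure-app"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "client"}}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}],
        "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}],
                    "ports": [{"protocol": "TCP", "port": 80}]}],
    },
}]


def labels_match(selector, labels):
    """matchLabels only; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """API default: Ingress is always implied; Egress only if listed or egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def peer_matches(peer, policy_ns, other):
    """Does one entry of a from/to list match the other pod?"""
    if "ipBlock" in peer:
        blk = peer["ipBlock"]
        ip = ipaddress.ip_address(other["ip"])
        if ip not in ipaddress.ip_network(blk["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], NAMESPACES[other["namespace"]]):
            return False
    elif "podSelector" in peer and other["namespace"] != policy_ns:
        return False  # a bare podSelector is scoped to the policy's own namespace
    if "podSelector" in peer:
        return labels_match(peer["podSelector"], other["labels"])
    return True


def port_matches(rule, protocol, port):
    """No ports list means every port; otherwise protocol (default TCP) and port must match."""
    if "ports" not in rule:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in rule["ports"])


def rule_allows(rule, peer_key, policy_ns, other, protocol, port):
    """A rule without from/to matches every peer; ports are checked separately."""
    peers = rule.get(peer_key)
    peer_ok = not peers or any(peer_matches(p, policy_ns, other) for p in peers)
    return peer_ok and port_matches(rule, protocol, port)


def direction_allowed(pod, direction, other, protocol, port):
    """Not isolated in this direction -> allowed; isolated -> some rule must whitelist the flow."""
    isolated, allowed = False, False
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for pol in POLICIES:
        spec, ns = pol["spec"], pol["metadata"]["namespace"]
        if ns != pod["namespace"] or direction not in policy_types(spec):
            continue
        if not labels_match(spec["podSelector"], pod["labels"]):
            continue
        isolated = True
        if any(rule_allows(r, peer_key, ns, other, protocol, port) for r in spec.get(key, [])):
            allowed = True
    return allowed or not isolated


def connection_allowed(src, dst, protocol="TCP", port=80):
    """Both the source's egress and the destination's ingress must permit the flow."""
    s, d = PODS[src], PODS[dst]
    return (direction_allowed(s, "Egress", d, protocol, port)
            and direction_allowed(d, "Ingress", s, protocol, port))


if __name__ == "__main__":
    for src, dst, port in [("client", "secure", 80), ("dev-client", "secure", 80), ("secure", "db", 80)]:
        print(f"{src} -> {dst}:{port} {'ALLOW' if connection_allowed(src, dst, port=port) else 'DENY'}")
```

Note that `stranger` can still talk to `client` freely: neither pod is selected by any policy, so both remain non-isolated. Isolation is per selected pod, not cluster-wide.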
