[Kubernetes] Services

A Service is an abstraction which defines a logical set of Pods and a policy by which to access them (sometimes this pattern is called a micro-service).

Service | Kubernetes

• A service provides a single point of entry for accessing one or more pods.
  • Pods are ephemeral and may only live a short time. For example, each pod gets its own IP address and you cannot rely on a pod id address staying the same.
• A service creates endpoints between the service and pods.
• The set of pods targeted by a service is usually determined by a selector.

• The roles of a service
  • abstracts pod IP addresses.
  • works on TCP/UDP (OSI Layer 4). kube-proxy creates a virtual IP for services.
  • relies on labels to associate a service with a pod.
  • provides load balancing among pods.

Service Types

• ClusterIP
  • The Cluster IP exposes the service IP internally within a cluster (default)
  • Only pods within a cluster can access the service.
  • Pods can communicate with other pods.
• NodePort
  • The Node Port exposes the service externally on each node’s IP at a static port (30000 ~ 32767)
  • Each node proxies the allocated port.
• LoadBalancer
  • The Load Balancer sets up an external IP to act as a load balancer for the service.
  • It works with a cloud provider.
• ExternalName
  • The External Name maps the service to a DNS name.

Creating a service

<Example> A service on top of nginx pods that were create by a deployment

• Create a YAML file

apiVersion: v1
kind: Service
metadata:
  name: my-nginx-service
spec:
  selector:
    app: my-nginx-app # matching pods with a label
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30085
  type: NodePort

• Run or apply

kubectl create -f <yaml-file>
kubectl apply -f <yaml-file>

Working with services in the cluster

kubectl get services
kubectl describe svc <service-name>

kubectl get endpoints
 kubectl describe endpoint <endpoint-name>

kubectl delete service <service-name>

Checking the status of the kubelet service

sudo systemctl status kubelet

Port Forwarding

Using port forwarding, you can access a pod from outside of Kubernetes cluster.

# listen on 8080 and forward to 80 in a pod
kubectl port-forward pod/<pod-name> 8080:80

kubectl port-forward deployment/<deployment-name> 8080:80 

kubectl port-forward service/<service-name> 8080:80

Network Policies

• Network policies specify how a pod communicated with various network entities, such as services or endpoints use over the network.
• Network policies restrict and control the network traffic going to and from the pods.

• By default, pods are non-isolated; they accept traffic from any source.
• Pods can be isolated by a NetworkPolicy.

• In NetworkPolicy, you can specify Ingress and Egress rules (based on whitelist rules).
  • spec.podSelector: determines which pods are used (matchLabels)
  • spec.policyTypes: ingress, egress, or both
  • spec.ingress: rules for incoming traffic
  • spec.egress: rules for outgoing traffic
  • spec.ingress.from: the source of network traffic
    • ipBlock, podSelector, or/and namespaceSelector
  • spec.egress.to: the destination of network traffic
    • ipBlock, podSelector, or/and namespaceSelector
  • spec.ingress(egress).ports: the protocol and the port

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-network-policy
spec:
  podSelector:
    matchLabels:
      app: secure-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: client
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 80

kubectl get networkpolicies
 
kubectl describe networkpolicy <name>

kubectl delete networkpolicy <name>