Networking YAML Files

Node Port Service file

apiVersion: v1              # As this is part of the core API group,
                            # we don't need to specify the API group.
kind: Service
metadata:
  name: nginx-service
spec:
  type: NodePort
  sessionAffinity: ClientIP   # the service proxy redirects all incoming
                              # requests from a client to the same pod as before
  selector:
    app: nginx-app         # Mandatory field to link to the right set of pods
  ports:
    - targetPort: 80       # The port used by the container.  Also called containerPort
      port: 8123           # The port exposed externally by the service on the service IP
                           # Under ports, this is the only mandatory field.
      nodePort: 30080

External name Service file

apiVersion: v1
kind: Service
metadata:
  name: external-service
spec:
  type: ExternalName        # Assuming externalName has been configured in DNS, allows access
                            #   to this svc through this DNS name.  Does not create DNS entry
  externalName: tom-web-notes.bigtom.local    # Access the service with this DNS name
  ports:
  - targetPort: 80
    port: 8123              # Under ports, only this field 'port' is mandatory

Simple Ingress definition

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  backend:                    # Default backend; must be indented under spec
    serviceName: web-notes-svc
    servicePort: 80

The YAML above shows a very basic Single Service Ingress: it defines only a default backend and no ingress rules. Ingresses will usually be defined with path-based routing, (host)name-based routing or some other routing rule instead.

Path redirection Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
  - http:
      paths:
      - path: /web
        backend:
          serviceName: my-web-service
          servicePort: 80
      - path: /notes
        backend:
          serviceName: my-notes-service
          servicePort: 80

Hostname redirection Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
  - host: www.thomas-pk.com
    http:
      paths:
      - backend:
          serviceName: my-web-service
          servicePort: 80
  - host: home.susaansart.com
    http:
      paths:
      - backend:
          serviceName: my-notes-service
          servicePort: 80

Network Policy yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:                     # Whitelist or allow
    - ipBlock:
        cidr: 172.17.0.0/16   # network traffic from 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject  # for pods in namespaces labelled project=myproject
    - podSelector:
        matchLabels:
          role: frontend      # for traffic from frontend pods
    ports:
    - protocol: TCP
      port: 6379
  egress:                     # Note how we can have multiple rules
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    - podSelector:            # The colon after podSelector is required
        matchLabels:
          name: payroll
    ports:
    - protocol: TCP
      port: 8080
  - to:                       # Note the '-' even though it's not the
    - podSelector:            #   first item in the egress list
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306
  • The YAML above defines an ingress network policy for pods with the label role=db so that they can accept traffic from frontend pods in the network 172.17.0.0/16, but not from 172.17.1.0/24. Network traffic is only allowed in to port 6379 of the db pods.

  • An egress network policy is defined so that these role=db pods can communicate with ports 8080 and 3306 of pods in the 10.0.0.0/24 network.
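As an added example that is not part of these notes, the following Python models how the ingress rule above is evaluated by a network plugin: separate entries under `from` are ORed, fields inside a single entry are ANDed, a bare podSelector only selects pods in the policy's own namespace, and `except` carves a range back out of the allowed CIDR. The policy is embedded as a dict mirroring the YAML and the source pods are constructed samples.

```python
import ipaddress

# Constructed model of the single `ingress` rule in the NetworkPolicy above
# (policy namespace "default"), as a dict so this runs without PyYAML.
POLICY_NAMESPACE = "default"
INGRESS_RULE = {
    "from": [
        {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
        {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
        {"podSelector": {"matchLabels": {"role": "frontend"}}},
    ],
    "ports": [{"protocol": "TCP", "port": 6379}],
}


def labels_match(selector, labels):
    """matchLabels semantics: every selector key/value must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src):
    """One entry of the `from` list; fields within one entry are ANDed."""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        ip = ipaddress.ip_address(src["ip"])
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        # `except` carves sub-ranges back out of the allowed CIDR
        return not any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif "podSelector" in peer and src["namespace"] != POLICY_NAMESPACE:
        return False  # a bare podSelector only selects pods in the policy's namespace
    if "podSelector" in peer and not labels_match(peer["podSelector"], src["pod_labels"]):
        return False
    return True


def ingress_allowed(rule, src, port, protocol="TCP"):
    """Separate `from` entries are ORed; the destination port must also be listed."""
    port_ok = any(p["protocol"] == protocol and p["port"] == port for p in rule["ports"])
    return port_ok and any(peer_matches(peer, src) for peer in rule["from"])


# Constructed sample sources connecting to a role=db pod.
FRONTEND = {"ip": "10.1.2.3", "namespace": "default", "ns_labels": {}, "pod_labels": {"role": "frontend"}}
OTHER_NS_FRONTEND = {"ip": "10.1.2.4", "namespace": "team-b", "ns_labels": {"project": "other"}, "pod_labels": {"role": "frontend"}}
EXCEPTED_IP = {"ip": "172.17.1.5", "namespace": "default", "ns_labels": {}, "pod_labels": {}}
ALLOWED_IP = {"ip": "172.17.2.5", "namespace": "default", "ns_labels": {}, "pod_labels": {}}
```

Note that ALLOWED_IP is admitted by the ipBlock entry alone, with no frontend label, which is why a `from` list with several entries is wider than a single entry combining them.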