Networking YAML Files
Node Port Service file
apiVersion: v1 # As this is part of the core API group,
               # we don't need to specify the API group.
kind: Service
metadata:
  name: nginx-service
spec:
  type: NodePort
  sessionAffinity: ClientIP # the service proxy redirects all incoming
                            # requests from a client to the same pod as before
  selector:
    app: nginx-app # Mandatory field to link to the right set of pods
  ports:
  - targetPort: 80 # The port used by the container. Also called containerPort
    port: 8123     # The port exposed externally by the service on the service IP
                   # Under ports, this is the only mandatory field.
    nodePort: 30080
External name Service file
apiVersion: v1
kind: Service
metadata:
  name: external-service
spec:
  type: ExternalName # Assuming externalName has been configured in DNS, allows access
                     # to this svc through this DNS name. Does not create a DNS entry
  externalName: tom-web-notes.bigtom.local # Access the service with this DNS name
  ports:
  - targetPort: 80
    port: 8123 # Under ports, only this field 'port' is mandatory
Simple Ingress definition
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  backend:
    serviceName: web-notes-svc
    servicePort: 80
The YAML above shows a very basic Single Service Ingress: it defines only a default backend and no ingress rules. Ingress rules are usually defined with path-based routing, (host)name-based routing or some other routing rule. Note that the extensions/v1beta1 Ingress API used in these examples was removed in Kubernetes 1.22; current clusters use networking.k8s.io/v1, where a backend is written as service.name and service.port instead of serviceName and servicePort.
Path redirection Ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
  - http:
      paths:
      - path: /web
        backend:
          serviceName: my-web-service
          servicePort: 80
      - path: /notes
        backend:
          serviceName: my-notes-service
          servicePort: 80
Hostname redirection Ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
  - host: www.thomas-pk.com
    http:
      paths:
      - backend:
          serviceName: my-web-service
          servicePort: 80
  - host: home.susaansart.com
    http:
      paths:
      - backend:
          serviceName: my-notes-service
          servicePort: 80
Network Policy yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from: # Whitelist or allow
    - ipBlock:
        cidr: 172.17.0.0/16 # network traffic from 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject # for pods in namespaces labelled project=myproject
    - podSelector:
        matchLabels:
          role: frontend # for traffic from frontend pods
    ports:
    - protocol: TCP
      port: 6379
  egress: # Note how we can have multiple rules
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    - podSelector:
        matchLabels:
          name: payroll
    ports:
    - protocol: TCP
      port: 8080
  - to: # Note the '-' even though it's not the
    - podSelector: # first item in the egress list
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306
The YAML above defines an ingress network policy for pods with the selector role=db so that they can accept traffic from frontend pods in the network 172.17.0.0/16, but not from 172.17.1.0/24. Network traffic is only allowed to come in to port 6379 for the db pod. An egress network policy is defined so that these role=db pods can communicate to ports 8080 and 3306 of pods in the 10.0.0.0/24 network.
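As an added example that is not part of these notes, the following Python evaluates the ingress rule of the NetworkPolicy above against constructed connection sources. It shows how the rule is matched: each `-` entry under `from` is a separate peer and any one of them suffices, keys inside a single entry are combined, a bare podSelector only reaches the policy's own namespace, and an `except` range removes addresses from the ipBlock. The IPs, namespaces and labels of the sample sources are hypothetical.

```python
import ipaddress

POLICY_NS = "default"  # namespace of the test-network-policy above

# Constructed dict form of the ingress rule from the NetworkPolicy above
# (plain Python instead of YAML so it runs without PyYAML).
INGRESS_RULE = {
    "from": [
        {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
        {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
        {"podSelector": {"matchLabels": {"role": "frontend"}}},
    ],
    "ports": [{"protocol": "TCP", "port": 6379}],
}

# Constructed sample sources (hypothetical addresses, namespaces and labels).
FRONTEND_SAME_NS = {"ip": "10.1.2.3", "namespace": "default", "pod_labels": {"role": "frontend"}}
FRONTEND_OTHER_NS = {"ip": "10.1.2.4", "namespace": "other", "pod_labels": {"role": "frontend"}}
UNLABELLED_IN_CIDR = {"ip": "172.17.5.5", "namespace": "other", "pod_labels": {}}
IN_EXCEPT_BLOCK = {"ip": "172.17.1.9", "namespace": "other", "pod_labels": {}}

def labels_match(selector, labels):
    """matchLabels selects an object only if every key/value pair is present on it."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src):
    """One entry under `from`. Keys inside a single entry are ANDed; a podSelector
    without a namespaceSelector only matches pods in the policy's own namespace."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src["ip"])
        blk = peer["ipBlock"]
        in_cidr = ip in ipaddress.ip_network(blk["cidr"])
        excluded = any(ip in ipaddress.ip_network(e) for e in blk.get("except", []))
        return in_cidr and not excluded
    if "namespaceSelector" in peer and not labels_match(peer["namespaceSelector"], src.get("ns_labels", {})):
        return False
    if "podSelector" in peer:
        if "namespaceSelector" not in peer and src["namespace"] != POLICY_NS:
            return False
        if not labels_match(peer["podSelector"], src["pod_labels"]):
            return False
    return True

def rule_allows(rule, src, protocol, port):
    """Separate entries under `from` are ORed (any one may match) and the ports
    list is ANDed with that peer match. An absent or empty list means 'any'."""
    peers, ports = rule.get("from"), rule.get("ports")
    peer_ok = not peers or any(peer_matches(p, src) for p in peers)
    port_ok = not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)
    return peer_ok and port_ok
```

Because the three peers are separate list items, an unlabelled pod whose address falls in 172.17.0.0/16 is admitted on 6379 even though it is not a frontend pod; writing namespaceSelector and podSelector inside one `-` entry is what restricts a peer to labelled pods in labelled namespaces.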