Abhiraj Kharbade's Blog

Unleashing the Power of Kubernetes Networking: A Comprehensive Guide to Services, Ingress, Network Policies, DNS, and CNI Plugins

Unleashing the Power of Kubernetes Networking: A Comprehensive Guide to Services, Ingress, Network Policies, DNS, and CNI Plugins

Abhiraj Kharbade's photo
Abhiraj Kharbade
·

5 min read

Table of contents

Kubernetes has revolutionized the way we deploy, manage, and scale containerized applications, but as the complexity of these applications increases, so does the challenge of managing their networking. Kubernetes networking provides a powerful set of tools for managing the network infrastructure for containerized applications, allowing developers and operators to easily configure and manage network connectivity for their applications. At the heart of Kubernetes networking are Services, which provide a stable IP address and DNS name for accessing a set of Pods within a cluster, and which can be exposed in a variety of ways to suit different types of access requirements. In addition to Services, Kubernetes also provides Ingress, Network Policies, DNS, and CNI plugins, all of which play critical roles in managing the network infrastructure of Kubernetes clusters. Understanding these networking concepts is essential for building and operating robust, reliable, and scalable containerized applications.

Services

Services provide a way to expose a set of pods to the network. A service is an abstract way to expose an application running on a set of Pods as a network service. A Service can be exposed in a variety of ways such as ClusterIP, NodePort, and LoadBalancer. ClusterIP is the default and provides a stable IP address for accessing the service from within the cluster. NodePort exposes the service on a port on each node of the cluster. LoadBalancer creates an external load balancer that routes traffic to the service. Services are an important component of Kubernetes networking as they provide a stable IP address and DNS name for accessing the application.

Ingress

Ingress is a Kubernetes object that allows access to HTTP(S) services in the cluster. It provides a way to expose HTTP and HTTPS routes from outside the cluster to services within the cluster. Ingress can be configured to provide load balancing, SSL termination, and name-based virtual hosting. Ingress is a powerful tool for managing traffic to your Kubernetes services.

Network Policies

Network Policies provide a way to control traffic flow at the pod level. Network Policies can be used to control ingress and egress traffic, restrict traffic to specific pods, and restrict traffic based on the source or destination IP address. Network Policies are important for securing the network infrastructure of Kubernetes clusters.

DNS

DNS (Domain Name System) is a system for translating domain names into IP addresses. In Kubernetes, DNS is used to provide a consistent way to access services within the cluster. Kubernetes has an integrated DNS server that can be used to provide DNS resolution for services within the cluster. DNS is important for managing the network infrastructure of Kubernetes clusters.

CNI Plugins

CNI (Container Network Interface) plugins provide a way to configure network interfaces for containers. CNI plugins are responsible for configuring networking between containers and the host. Kubernetes supports a variety of CNI plugins such as Calico, Flannel, and Weave. CNI plugins are important for configuring the network infrastructure of Kubernetes clusters.

Now Let's see an example of a hands-on exercise you can try on an Amazon EC2 instance:

Deploying a Web Application with Kubernetes Networking

Prerequisite:

  1. Create an Amazon EC2 instance and install Kubernetes using a tool like kubeadm.

  2. Deploy a simple web application, such as nginx, using a Kubernetes deployment. Use a replica count of 2 to ensure high availability.

Steps:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.16
        ports:
        - containerPort: 80
  1. Create a Kubernetes Service to expose the nginx deployment. Use the type: LoadBalancer to create an Amazon Elastic Load Balancer (ELB) to handle external traffic.
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: LoadBalancer

  1. Use kubectl get services to retrieve the IP address of the ELB, and use a web browser to visit that IP address. You should see the nginx default welcome page.

  2. Create an Ingress resource to route traffic to the nginx service based on the requested URL path. Use annotations to specify the ingress class and the SSL certificate to use.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-certificate: "my-tls-cert"
spec:
  rules:
  - http:
      paths:
      - path: /nginx
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              name: http
  1. Install and configure the nginx ingress controller using Helm. Use the stable/nginx-ingress chart, and enable TLS by creating a secret with your SSL certificate.
helm repo add stable https://charts.helm.sh/stable
helm install my-nginx stable/nginx-ingress \
    --set controller.publishService.enabled=true \
    --set controller.service.type=LoadBalancer \
    --set controller.service.externalTrafficPolicy=Local \
    --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"="my-tls-cert" \
    --set controller.scope.enabled=true \
    --set rbac.create=true \
    --set controller.stats.enabled=true

  1. Use kubectl get ingress to retrieve the DNS name of the ingress controller, and use a web browser to visit that DNS name with the /nginx path. You should see the nginx default welcome page again.

  2. Create a Network Policy to restrict traffic to the nginx service based on the source IP address. Use a namespaceSelector to select the namespace containing the nginx deployment, and a podSelector to select the nginx pods. Use an ingress rule to allow traffic only from a specific IP address range.

     apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: nginx-policy
 spec:
   podSelector:
     matchLabels:
       app: nginx
   policyTypes:
   - Ingress
   ingress:
   - from:
     - ipBlock:
         cidr: 10.0.0.0/16

  3. Use kubectl describe networkpolicy nginx-policy to verify that the policy was created and is enforcing the desired traffic restrictions.

    This Network Policy restricts all ingress traffic to the nginx pods to only the IP address range of 10.0.0.0/16. By using Kubernetes networking features like Network Policies, you can add an extra layer of security to your cluster, helping to ensure that your applications are protected from unauthorized access.

In conclusion, Kubernetes networking provides a powerful set of tools for managing the network infrastructure for containerized applications. Services, Ingress, Network Policies, DNS, and CNI plugins are important components of Kubernetes networking that provide a stable IP address and DNS name for accessing the application, control traffic flow at the pod level, translate domain names into IP addresses, and configure network interfaces for containers. Understanding these components is essential for managing the network infrastructure of Kubernetes clusters.

The above information is up to my understanding. Suggestions are always welcome.

~Abhiraj kharbade

#Kubernetes #Devops #Trainwithshubham #Kubeweek #kubeweekchallenge

Shubham Londhe

Kubernetes#kubeweek#KubeWeekChallenge TrainWithShubhamDevops