killercoda CKA:Services & Networking

killercoda CKA:Services & Networking

1. Services & Networking - Services

You have an existing Nginx pod named nginx-pod. Perform the following steps:

  • Expose the nginx-pod internally within the cluster using a Service named nginx-service .

  • Use port forwarding to service to access the Welcome content of nginx-pod using the curl command.

# @author D瓜哥 · https://www.diguage.com

$ kubectl get pod --show-labels
NAME        READY   STATUS    RESTARTS   AGE     LABELS
nginx-pod   1/1     Running   0          8m48s   app=nginx

$ cat svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80

$ kubectl apply -f svc.yaml
service/nginx-service created

$ kubectl port-forward service/nginx-service 8081:80
Forwarding from 127.0.0.1:8081 -> 80
Forwarding from [::1]:8081 -> 80
Handling connection for 8081


# 打开另外一个终端
$ curl localhost:8081
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

2. Services & Networking - ClusterIP

Part I

Create a Kubernetes ClusterIP service named nginx-service . This service should expose to nginx-deployment , using port 8080 and target port 80

Part II

Retrieve and store the IP addresses of the pods. Sort the output by their IP addresses in Ascending order and save it to the file pod_ips.txt in the following format:

IP_ADDRESS
127.0.0.1
127.0.0.2
127.0.0.3
# @author D瓜哥 · https://www.diguage.com

$ kubectl get pod --show-labels
NAME                                READY   STATUS    RESTARTS   AGE     LABELS
nginx-deployment-588c865b75-6vbqp   1/1     Running   0          2m24s   app=nginx-app,pod-template-hash=588c865b75
nginx-deployment-588c865b75-h86q4   1/1     Running   0          2m24s   app=nginx-app,pod-template-hash=588c865b75
nginx-deployment-588c865b75-hks9z   1/1     Running   0          2m24s   app=nginx-app,pod-template-hash=588c865b75

$ vim svc.yaml

$ cat svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx-app
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 80

$ kubectl apply -f svc.yaml
service/nginx-service created

$ kubectl get svc -o wide
NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE    SELECTOR
kubernetes      ClusterIP   10.96.0.1       <none>        443/TCP    7d5h   <none>
nginx-service   ClusterIP   10.98.228.143   <none>        8080/TCP   18s    app=nginx-app

$ kubectl get pod -o wide --no-headers \
   | awk '{ print $6 }' \
   | sort  \
   | awk 'BEGIN { printf "IP_ADDRESS\n"} { print $1 }' \
   | tee pod_ips
.txt
IP_ADDRESS
192.168.1.4
192.168.1.5
192.168.1.6

$ cat pod_ips.txt
IP_ADDRESS
192.168.1.4
192.168.1.5
192.168.1.6

3. Services & Networking - Coredns

Create a ReplicaSet named dns-rs-cka with 2 replicas in the dns-ns namespace using the image registry.k8s.io/e2e-test-images/jessie-dnsutils:1.3 and set the command to sleep 3600 with the container named dns-container .

Once the pods are up and running, run the nslookup kubernetes.default command from any one of the pod and save the output into a file named dns-output.txt.

# @author D瓜哥 · https://www.diguage.com

$ kubectl create ns dns-ns

$ cat rs.yaml
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: dns-rs-cka
  namespace: dns-ns
spec:
  replicas: 2
  selector:
    matchLabels:
      app: dns
  template:
    metadata:
      labels:
        app: dns
    spec:
      containers:
      - name: dns-container
        image: registry.k8s.io/e2e-test-images/jessie-dnsutils:1.3
        command:
           - sleep
           - "3600"

$ kubectl apply -f rs.yaml
replicaset.apps/dns-rs-cka created

$ kubectl -n dns-ns get pod --show-labels
NAME               READY   STATUS    RESTARTS   AGE     LABELS
dns-rs-cka-25ssk   1/1     Running   0          5m16s   app=dns
dns-rs-cka-9dfzz   1/1     Running   0          5m16s   app=dns

$ kubectl -n dns-ns exec dns-rs-cka-25ssk  -- nslookup "kubernetes.default"
;; connection timed out; no servers could be reached

command terminated with exit code 1
执行 nslookup kubernetes.default 时,超时!奇怪!

4. Services & Networking - Coredns - 1

Create a Deployment named dns-deploy-cka with 2 replicas in the dns-ns namespace using the image registry.k8s.io/e2e-test-images/jessie-dnsutils:1.3 and set the command to sleep 3600 with the container named dns-container .

Once the pods are up and running, run the nslookup kubernetes.default command from any one of the pod and save the output into a file named dns-output.txt.

# @author D瓜哥 · https://www.diguage.com

$ kubectl create namespace dns-ns
namespace/dns-ns created

$ cat deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: dns-deploy-cka
  name: dns-deploy-cka
  namespace: dns-ns
spec:
  replicas: 2
  selector:
    matchLabels:
      app: dns-deploy-cka
  template:
    metadata:
      labels:
        app: dns-deploy-cka
    spec:
      containers:
      - image: registry.k8s.io/e2e-test-images/jessie-dnsutils:1.3
        name: dns-container
        command: [ 'sleep', '3600']

$ kubectl apply -f deploy.yaml
deployment.apps/dns-deploy-cka created

$ kubectl -n dns-ns get pods
NAME                             READY   STATUS    RESTARTS   AGE
dns-deploy-cka-fd5f8fbf5-7cnt4   1/1     Running   0          8s
dns-deploy-cka-fd5f8fbf5-gd827   1/1     Running   0          8s

$ kubectl -n dns-ns exec dns-deploy-cka-fd5f8fbf5-7cnt4 -- nslookup kubernetes.default | tee dns-output.txt
Server:         10.96.0.10
Address:        10.96.0.10#53

Name:   kubernetes.default.svc.cluster.local
Address: 10.96.0.1

$ cat dns-output.txt
Server:         10.96.0.10
Address:        10.96.0.10#53

Name:   kubernetes.default.svc.cluster.local
Address: 10.96.0.1

5. Services & Networking - Ingress

There exists a deployment named nginx-deployment exposed through a service called nginx-service . Create an ingress resource named nginx-ingress-resource to efficiently distribute incoming traffic with the following settings: pathType: Prefix , path: /shop , Backend Service Name: nginx-service , Backend Service Port: 80 , ssl-redirect should be configured as false .

# @author D瓜哥 · https://www.diguage.com

$ kubectl get deployments
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   1/1     1            1           23s

$ kubectl get pod --show-labels
NAME                                READY   STATUS    RESTARTS   AGE   LABELS
nginx-deployment-5959b5b5c9-kdsd8   1/1     Running   0          32s   app=nginx-deployment,pod-template-hash=5959b5b5c9

$ kubectl get svc -o wide
NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE   SELECTOR
kubernetes      ClusterIP   10.96.0.1       <none>        443/TCP   8d    <none>
nginx-service   ClusterIP   10.108.77.211   <none>        80/TCP    44s   app=nginx-deployment

$ cat ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress-resource
  annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /shop
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80

$ kubectl apply -f ingress.yaml
ingress.networking.k8s.io/nginx-ingress-resource configured

6. Services & Networking - NodePort

Create a NodePort service named app-service-cka (with below specification) to expose the nginx-app-cka deployment in the nginx-app-space namespace.

  • port & target port 80

  • protocol TCP

  • node port 31000

# @author D瓜哥 · https://www.diguage.com

$ kubectl -n nginx-app-space get pod --show-labels
NAME                           READY   STATUS    RESTARTS   AGE    LABELS
nginx-app-cka-b9fb585f-rj6pb   1/1     Running   0          4m4s   app=nginx-app-cka,pod-template-hash=b9fb585f
nginx-app-cka-b9fb585f-xfrss   1/1     Running   0          4m4s   app=nginx-app-cka,pod-template-hash=b9fb585f

$ vim svc.yaml
# 输入如下内容

$ cat svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: app-service-cka
  namespace: nginx-app-space
spec:
  type: NodePort
  selector:
    app: nginx-app-cka
  ports:
    - port: 80
      targetPort: 80
      nodePort: 31000
      protocol: TCP

$ kubectl apply -f svc.yaml
service/app-service-cka created

7. Services & Networking - NodePort - 1

Create a deployment named my-web-app-deployment using the Docker image wordpress with 2 replicas. Then, expose the my-web-app-deployment as a service named my-web-app-service , making it accessible on port 30770 on the nodes of the cluster.

# @author D瓜哥 · https://www.diguage.com

$ cat ds.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-web-app-deployment
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-web-app-deployment
  template:
    metadata:
      labels:
        app: my-web-app-deployment
    spec:
      containers:
      - image: wordpress
        name: wordpress
        ports:
        - containerPort: 80
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: my-web-app-service
spec:
  type: NodePort
  selector:
    app: my-web-app-deployment
  ports:
    - port: 80
      targetPort: 80
      nodePort: 30770

$ kubectl apply -f ds.yaml
deployment.apps/my-web-app-deployment created
service/my-web-app-service created

8. Services & Networking - Nslookup

Create an nginx pod named nginx-pod-cka using the nginx image, and expose it internally with a service named nginx-service-cka . Verify your ability to perform DNS lookups for the service name from within the cluster using the busybox:1.28 image. Record the results in nginx-service.txt .

# @author D瓜哥 · https://www.diguage.com

$ vim dns.ymal

$ cat dns.ymal
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-cka
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-cka
spec:
  selector:
    app: nginx
  ports:
    - port: 80
      targetPort: 80
---
apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  containers:
  - name: main
    image: busybox:1.28
    command: [ "sleep", "3600" ]

$ kubectl apply -f dns.ymal
pod/nginx-pod-cka created
service/nginx-service-cka created
pod/busybox created

$ kubectl get  pod
NAME            READY   STATUS    RESTARTS   AGE
busybox         1/1     Running   0          12s
nginx-pod-cka   1/1     Running   0          12s

$ kubectl exec busybox -- nslookup nginx-service-cka | tee nginx-service.txt
Server:    10.96.0.10
Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local

Name:      nginx-service-cka
Address 1: 10.98.53.250 nginx-service-cka.default.svc.cluster.local

$ cat nginx-service.txt
Server:    10.96.0.10
Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local

Name:      nginx-service-cka
Address 1: 10.98.53.250 nginx-service-cka.default.svc.cluster.local
一起顺利,没有异常,但是检查不通过!

9. Services & Networking - Network Policy

my-app-deployment and cache-deployment deployed, and my-app-deployment deployment exposed through a service named my-app-service . Create a NetworkPolicy named my-app-network-policy to restrict incoming and outgoing traffic to my-app-deployment pods with the following specifications:

  • Allow incoming traffic only from pods.

  • Allow incoming traffic from a specific pod with the label app=trusted

  • Allow outgoing traffic to pods.

  • Deny all other incoming and outgoing traffic.

# @author D瓜哥 · https://www.diguage.com

$ kubectl get deployments.apps  -o wide
NAME                READY   UP-TO-DATE   AVAILABLE   AGE     CONTAINERS          IMAGES         SELECTOR
cache-deployment    1/1     1            1           3m36s   trusted-container   redis:latest   app=trusted
my-app-deployment   2/2     2            2           3m36s   my-app-container    nginx:latest   app=my-app

$ kubectl get pod --show-labels
NAME                                READY   STATUS    RESTARTS   AGE     LABELS
cache-deployment-5588c6786f-t6g5m   1/1     Running   0          3m47s   app=trusted,pod-template-hash=5588c6786f
my-app-deployment-67dc9477b-2k7kh   1/1     Running   0          3m47s   app=my-app,pod-template-hash=67dc9477b
my-app-deployment-67dc9477b-wbzvl   1/1     Running   0          3m47s   app=my-app,pod-template-hash=67dc9477b

$ kubectl get svc -o wide
NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE     SELECTOR
kubernetes       ClusterIP   10.96.0.1       <none>        443/TCP   8d      <none>
my-app-service   ClusterIP   10.99.186.183   <none>        80/TCP    9m18s   app=my-app

$ cat np.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-app-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector: {}
  - from:
    - podSelector:
        matchLabels:
          app: trusted
  egress:
  - to:
    - podSelector: {}

$ kubectl apply -f np.yaml
networkpolicy.networking.k8s.io/my-app-network-policy created