Services and Networking (13%)

使用nginx镜像创建一个名为nginx的pod，并公开其端口80

kubectl run nginx --image=nginx --restart=Never --port=80 --expose
# observe that a pod as well as a service are created

确认已创建群集 IP。同时检查endpoints

kubectl get svc nginx # services
kubectl get ep # endpoints

获取服务的 ClusterIP，创建一个临时 busybox pod 并使用 wget 访问该 IP

kubectl get svc nginx # get the IP (something like 10.108.93.130)
kubectl run busybox --rm --image=busybox -it --restart=Never -- sh
wget -O- IP:80
exit

IP=$(kubectl get svc nginx --template={{.spec.clusterIP}}) # get the IP (something like 10.108.93.130)
kubectl run busybox --rm --image=busybox -it --restart=Never --env="IP=$IP" -- wget -O- $IP:80 --timeout 2
# Tip: --timeout is optional, but it helps to get answer more quickly when connection fails (in seconds vs minutes)

将群集 IP 转换为同一服务的 NodePort，然后找到 NodePort 端口。使用节点的IP命中服务。删除末尾的服务和容器。

kubectl edit svc nginx

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: 2018-06-25T07:55:16Z
  name: nginx
  namespace: default
  resourceVersion: "93442"
  selfLink: /api/v1/namespaces/default/services/nginx
  uid: 191e3dac-784d-11e8-86b1-00155d9f663c
spec:
  clusterIP: 10.97.242.220
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  sessionAffinity: None
  type: NodePort # change cluster IP to nodeport
status:
  loadBalancer: {}

kubectl patch svc nginx -p '{"spec":{"type":"NodePort"}}'

kubectl get svc

# result:
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP        1d
nginx        NodePort    10.107.253.138   <none>        80:31931/TCP   3m

wget -O- NODE_IP:31931 # if you're using Kubernetes with Docker for Windows/Mac, try 127.0.0.1
#if you're using minikube, try minikube ip, then get the node ip such as 192.168.99.117

kubectl delete svc nginx # Deletes the service
kubectl delete pod nginx # Deletes the pod

使用映像"dgkanatsios/simpleapp"（返回主机名的简单服务器）和 3 个副本创建名为 foo 的部署。将其标记为"app=foo"。声明此 pod 中的容器将接受端口 8080 上的流量（尚未创建服务）

kubectl create deploy foo --image=dgkanatsios/simpleapp --port=8080 --replicas=3
kubectl label deployment foo --overwrite app=foo

获取容器 IP。创建一个临时busybox Pod 并尝试在端口 8080 上访问它们

kubectl get pods -l app=foo -o wide # 'wide' will show pod IPs
kubectl run busybox --image=busybox --restart=Never -it --rm -- sh
wget -O- POD_IP:8080 # do not try with pod name, will not work
# try hitting all IPs to confirm that hostname is different
exit
# or
kubectl get po -o wide -l app=foo | awk '{print $6}' | grep -v IP | xargs -L1 -I '{}' kubectl run --rm -ti tmp --restart=Never --image=busybox -- wget -O- http://\{\}:8080

创建在端口 6262 上公开deployment的服务。验证其是否存在，检查endpoints

kubectl expose deploy foo --port=6262 --target-port=8080
kubectl get service foo # you will see ClusterIP as well as port 6262
kubectl get endpoints foo # you will see the IPs of the three replica pods, listening on port 8080

创建一个临时busybox pod 并通过 wget 连接到 foo 服务。验证每次返回不同的主机名。最后删除部署和服务以清理群集

kubectl get svc # get the foo service ClusterIP
kubectl run busybox --image=busybox -it --rm --restart=Never -- sh
wget -O- foo:6262 # DNS works! run it many times, you'll see different pods responding
wget -O- SERVICE_CLUSTER_IP:6262 # ClusterIP works as well
# you can also kubectl logs on deployment pods to see the container logs
kubectl delete svc foo
kubectl delete deploy foo

创建包含 2 个副本，且名字为nginx的deployment，通过端口 80 上的 ClusterIP 服务公开它。创建网络策略，以便只有标签为"access: granted"的 Pod 才能访问并应用部署

kubernetes.io > Documentation > Concepts > Services, Load Balancing, and Networking > Network Policies

请注意，默认情况下可能不会强制执行网络策略，具体取决于您的 k8s 实现。例如，默认情况下，Azure AKS 不会强制实施策略，因此创建群集时必须显式支持 Secure pod traffic with network policy - Azure Kubernetes Service | Microsoft Docsnetpol

kubectl create deployment nginx --image=nginx --replicas=2
kubectl expose deployment nginx --port=80

kubectl describe svc nginx # see the 'app=nginx' selector for the pods
# or
kubectl get svc nginx -o yaml

vi policy.yaml

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx # pick a name
spec:
  podSelector:
    matchLabels:
      app: nginx # selector for the pods
  ingress: # allow ingress traffic
  - from:
    - podSelector: # from pods
        matchLabels: # with this label
          access: granted

# Create the NetworkPolicy
kubectl create -f policy.yaml

# Check if the Network Policy has been created correctly
# make sure that your cluster's network provider supports Network Policy (https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/#before-you-begin)
kubectl run busybox --image=busybox --rm -it --restart=Never -- wget -O- http://nginx:80 --timeout 2                          # This should not work. --timeout is optional here. But it helps to get answer more quickly (in seconds vs minutes)
kubectl run busybox --image=busybox --rm -it --restart=Never --labels=access=granted -- wget -O- http://nginx:80 --timeout 2  # This should be fine