Develop Intelligence - Kubernetes Service, Ingress and Networking

Agenda: Services and Ingress

• Kubernetes Services
• Service Types
• ClusterIP Service
• NodePort Service
• LoadBalancer Service
• External Service
• Kubernetes Services DNS
• Ingress Controllers and Alternatives
• Setting up Ingress Locally
• Creating the Ingress Config

Kubernetes Services
The Problem:
• Kubernetes gives Pods their own IP addresses and a single DNS name for a set of Pods, and can load-balance
across them.
• In Kubernetes, if you use a Deployment to run your app, it can create and destroy Pods dynamically. Each
Pod gets its own IP address, however in a Deployment, the set of Pods running in one moment in time could
be different from the set of Pods running that application a moment later.
• This can lead to a problem: if some set of Pods (call them “backends”) provides functionality to other Pods
(call them “frontends”) inside our cluster, how do the frontends find out and keep track of which IP address
to connect to, so that the frontend can use the backend part of the workload?
This is where Services can be helpful.

Service Resources:
• Kubenetes Service is an abstract way to expose an application running on a logical set of Pods and a policy
by which to access them.
• Services enable a loose coupling between dependent Pods. Frontend Pods don’t need to know the direct IP
address of the Backend Pods.

Page 1 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

• A Service in Kubernetes is a REST object, similar to a Pod.

• Like all of the REST objects, you can POST a Service definition to the API server to create a new instance.
• The name of a Service object must be a valid DNS label name.
apiVersion: apps/v1
kind: Deployment
metadata:
name: mynginx-deployment
spec:
replicas: 3
selector:
matchLabels:
app: mynginx
template:
metadata:
labels:
app: mynginx
spec:
containers:
- name: mynginx-container
image: nginx
ports:
- containerPort: 80

---

apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
type: ClusterIP
selector:
app: mynginx
ports:
- protocol: TCP
port: 8080
targetPort: 80

Page 2 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

• This specification creates a new Service object named “my-service”, which targets TCP port 80 on any Pod
with the app=mynginx label.
• Kubernetes assigns this Service an IP address (sometimes called the "cluster IP").
• The controller for the Service selector continuously scans for Pods that match its selector, and then POSTs
any updates to an Endpoint object also named “my-service”.

Multi-Port Services
For some Services, you need to expose more than one port. Kubernetes lets you configure multiple port
definitions on a Service object. When using multiple ports for a Service, you must give all of your ports names
so that these are unambiguous. For example:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
type: ClusterIP
selector:
app: MyApp
ports:
- name: http-port
protocol: TCP
port: 8080
targetPort: 80
- name: https-port
protocol: TCP
port: 44433
targetPort: 443

ServiceTypes:
• Pod IP address are not exposed outside the cluster without a Service. Services allow our applications to
receive traffic from outside the cluster.
• For some parts of our application (for example, frontends) we may want to expose a Service on to an
external IP address, i.e. outside of our cluster.
• Kubernetes ServiceTypes allow us to specify what kind of Service we want.
1. ClusterIP
2. LoadBalancer
3. NodePort
4. ExternalName

Page 3 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

CLUSTER-IP SERVICE
• Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from
within the cluster.
• This is the default ServiceType.
• ClusterIP is the preferred option for internal/backend service access and uses an internal/private IP address
to access the service.
• Some examples of where ClusterIP might be the best option include service debugging during development
and testing and internal traffic.

Steps to create a ClusterIP Service:

1) kubectl create deployment mynginx --image nginx
2) kubectl scale deploy/mynginx --replicas 5
3) kubectl expose deploy/mynginx --name myservice-cip --type=ClusterIP --port 8080 --target-port=80
Note: Expose uses service creating generator to create the service.
If the service name is not mentioned, it uses the name of deployment. In this case, it would be mynginx
4) kubectl get all OR kubectl get service
Note the ClusterIP for further use (eg: 10.99.158.232)

5) kubectl get service/myservice-cip (to get service details)

6) kubectl get service/myservice-cip -o yaml (to get service details in yaml format)

Create a New POD (tmp-shell) to login to cluster

7) kubectl run tmp-shell --rm -it --image nicolaka/netshoot -- /bin/bash
Note: nicolaka/netshoot is a popular network trouble shooting image.
8) At the command prompt,
a. curl http://10.99.158.232:8080
b. curl http://myservice-cip:8080
c. curl http://myservice-cip.default.svc.cluster.local:8080
Note: To will list IP and FQDN: nslookup myservice-cip.

Page 4 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

Benefit: Now even if the POD is destroyed and recreated, we can still access the application using service url.

LOAD BALANCER SERVICE

Exposes the Service externally using a cloud provider’s load balancer. NodePort and ClusterIP Services, to which
the external load balancer routes, are automatically created and are hidden from us. It assigns a fixed external
IP to the Service. It is superset of NodePort.
This works at Layer4 of OSI layers.

Create LoadBalancer type of Service:

1) kubectl expose deploy/mynginx --port 8888 --target-port=80 --type=LoadBalancer --name myservice-lb
2) curl localhost:high-port or open in web browser
We can access the service through localhost without getting into the cluster.
apiVersion: v1
kind: Service
metadata:
name: my-service-lb
spec:
type: LoadBalancer
selector:
app: mynginx
ports:
- name: http
protocol: TCP
port: 8080
targetPort: 80

Page 5 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

NODEPORT SERVICE:
• Exposes the Service on each Node’s IP at a static port (the NodePort [Hi Range Port]). High range port (30000
to 32767) used for exposing NodePort.
• A ClusterIP Service, to which the NodePort Service routes, is automatically created.
• We will be able to contact the NodePort Service, from outside the cluster, by requesting
<NodeIP>:<NodePort>.
• A NodePort is primarily used for exposing services in a non-production environment. As an example, a
NodePort would be used to expose a single pod functionality (with no load-balancing requirements for
multiple services).
• Same NodePort will be used across all the nodes in a multi node cluster. Also, same service (single instance)
can be used to access container in any Pod or any Node in the cluster.

Create NodePort type of Service:

1. kubectl expose deploy/mynginx --port 8080 --nodePort=30145 --target-port=80 --type=NodePort --name
myservice-np
Note that 8080 is port for NodePort which is 30145.
2. kubectl get service
Note the High Port under PORT(S) section (Eg: 30145)
3. curl http://localhost:<high-port> or open in web browser

Page 6 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

We can access the service through localhost without getting into the cluster. This works only in Docker and not
in minicube.
4. kubectl get svc myservice-np -o yaml
Note: 3 ports are involved
a) 30145 (High Port) is of NodePort Service
b) 8080 is of ClusterIP
c) 80 is Application port in container
apiVersion: v1
kind: Service
metadata:
name: my-service-np
spec:
type: NodePort
selector:
app: mynginx
ports:
- protocol: TCP
nodePort: 30377 #Port or Node
port: 8080 #Port of Service
targetPort: 80 #Port of Container

ExternalName Service
Maps the Service to the contents of the externalName field (e.g. abc.example.com), by returning a CNAME
record with its value. No proxying of any kind is needed. Services of type ExternalName map a Service to a DNS
name, not to a typical selector.

apiVersion: v1
kind: Service
metadata:
name: my-service-ext

Page 7 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

spec:
type: ExternalName
externalName: my.database.com
When looking up the host my-service-ext.prod.svc.cluster.local, the cluster DNS Service returns
a CNAME record with the value my.database.com.
Accessing my-service works in the same way as other Services but with the crucial difference that redirection
happens at the DNS level rather than via proxying or forwarding. Should you later decide to move your
database into your cluster, you can start its Pods, add appropriate selectors or endpoints, and change the
Service's type.

Blue Green Deployment:

https://www.ianlewis.org/en/bluegreen-deployments-kubernetes
• You can perform a blue/green deployment by using a label scheme with more than one set of labels.
• In the exercise files, the day 4 directory, you’ll find two files you can use: service.yaml and
deployment.yaml.
• Modify the deployment to have a label for version. Then modify the service to match.
• Apply the service and deployment. Now create a copy of the deployment, but use version 2.0 of the
Docker image.
• Now apply this deployment and then do a full blue-->green cutover at once without doing a rolling
deployment.

DNS for Services and Pods

• Built-in service discovery makes it easier for applications to find and communicate with each other on
Kubernetes clusters, even when pods and services are being created, deleted, and shifted between nodes.
• By default most Kubernetes clusters automatically configure an internal DNS service to provide a
lightweight mechanism for service discovery.
• Every Service defined in the cluster (including the DNS server itself) is assigned a DNS name.
• By default, a client Pod's DNS search list will include the Pod's own namespace and the cluster's default
domain.

We can see the domain name for the cluster (cluster.local)

kubectl get configmaps coredns -n kube-system -o yaml

Services:
• The full DNS A record of a Kubernetes service will look like myservice.namespace.svc.cluster.local. This
resolves to the cluster IP of the Service.

Page 8 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

• Assume a Service named foo in the Kubernetes namespace n1. A Pod running in namespace n1 can look
up this service by simply doing a DNS query for foo. A Pod running in namespace namespace n2 can look
up this service by doing a DNS query for n1.bar.
foo.n1.svc.cluster.local

Pods:
• A pod would have a record in this format, reflecting the actual IP address of the pod :
pod-ip-address.namespace.pod.cluster.local
pod-ip-address.namespace.pod (eg: 10-1-1-100.default.pod)

Ingress Controller

• Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic
routing is controlled by rules defined on the Ingress resource.
• An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL
/ TLS, and offer name-based virtual hosting.
• Ingress controllers work at layer 7 (unlike Load Balancer which works at layer 4), and can use more intelligent
rules to distribute application traffic.

In order for the Ingress resource to work, the cluster must have an ingress controller running.
(List of Ingress Controllers: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/)

Ingress with NGINX Ingress Controller as a reverse proxy and load balancer
(https://kubernetes.github.io/ingress-nginx/deploy/).
Step1: Install NGINX Ingress controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-
v1.1.0/deploy/static/provider/cloud/deploy.yaml

Step2: Create a YAML file as below

apiVersion: apps/v1
kind: Deployment
metadata:
labels:

Page 9 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

app: mynginx
name: mynginx
spec:
replicas: 1
selector:
matchLabels:
app: mynginx
template:
metadata:
labels:
app: mynginx
spec:
containers:
- image: nginx
name: mynginx
---

apiVersion: v1
kind: Service
metadata:
labels:
app: mynginx
name: mynginx-cip
spec:
ports:
- port: 8090
protocol: TCP
targetPort: 80
selector:
app: mynginx

---

apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: myhttpd

Page 10 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

name: myhttpd
spec:
replicas: 1
selector:
matchLabels:
app: myhttpd
template:
metadata:
labels:
app: myhttpd
spec:
containers:
- image: httpd
name: myhttpd

---
apiVersion: v1
kind: Service
metadata:
labels:
app: myhttpd
name: myhttpd-cip
spec:
ports:
- port: 8091
protocol: TCP
targetPort: 80
selector:
app: myhttpd
---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:

Page 11 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

ingressClassName: nginx
defaultBackend:
service:
name: mynginx-cip
port:
number: 8090
rules:
- host: demo.mydomain.com
http:
paths:
- path: /nginx
pathType: Prefix #Exact
backend:
service:
name: mynginx-cip
port:
number: 8090
- path: /httpd
pathType: Prefix
backend:
service:
name: myhttpd-cip
port:
number: 8091

Note: Stop IIS or Apache or Tomcat or any other service running on your machine.
Step3: Edit as administrator: c:\windows\system32\drivers\etc\hosts (Mac/Linux: /etc/hosts)
127.0.0.1 demo.mydomain.com

Step4: Open in browser following URL's (may require to wait for couple of minutes). Also stop other WebService
Services running on Port 80.
1) http://demo.mydomain.com
2) http://demo.mydomain.com/nginx
3) http://demo.mydomain.com/httpd

To View the Logs and the POD to which the traffic is forward:
kubectl get pods -n ingress-nginx
kubectl logs -n ingress-nginx pod/ingress-nginx-controller-XXXXXXX-xxxx

Page 12 of 13
Develop Intelligence - Kubernetes Service, Ingress and Networking

Page 13 of 13