Kubernetes is an increasingly popular open-source platform that automates the deployment, scaling, and management of containerized applications. Kubernetes provides a way to create, manage, and deploy containerized applications across multiple hosts, making it easier to deploy, scale, and manage applications in a cloud-native environment. Kubernetes networking is an important part of the kubernetes platform, providing a way to connect and manage the various components of a kubernetes cluster.

What is Kubernetes Networking?

Kubernetes networking is the communication between different components of a kubernetes cluster. It is used to enable communication between applications running inside the cluster, as well as communication between the cluster and external services. Kubernetes networking also provides a way to manage the network traffic within the cluster, allowing users to configure ingress and ingress rules to control the flow of traffic.

Kubernetes networking is based on the Container Network Model (CNM), which is a set of standards and specifications for container networking. The CNM defines the various components of a kubernetes networking system, including Service, Ingress, Network Policies, DNS & CNI Plugins. Each of these components has a specific purpose and is used to configure and manage network traffic within a kubernetes cluster.

Services:

In Kubernetes, a service is an abstraction layer that defines a logical set of Pods and a policy to access them.

A Pod is the smallest deployable unit in Kubernetes, representing a single instance of a running process. Pods are ephemeral in nature and can be created, deleted, or moved around by the Kubernetes scheduler.

A service provides a stable IP address and DNS name for a set of Pods, allowing clients to access the Pods by the service name instead of their individual IP addresses. Services can also provide load balancing and automatic scaling capabilities to distribute traffic across multiple Pods.

Services can be exposed within the Kubernetes cluster or externally, depending on the type of service you create. Kubernetes supports several types of services, including ClusterIP, NodePort, LoadBalancer, and ExternalName. Each type of service has its own unique use case and configuration options.

In summary, services in Kubernetes provide a way to abstract and access a set of Pods as a single entity, making it easier to manage and scale applications in a dynamic and distributed environment.

Ingress :

In Kubernetes, an Ingress is an API object that provides a way to expose HTTP and HTTPS routes from outside the cluster to services within the cluster.

While a service exposes a set of Pods to the network, an Ingress exposes a set of services to the outside world. It acts as a reverse proxy, forwarding requests from the outside world to the appropriate service within the cluster based on the rules defined in the Ingress configuration.

The Ingress resource itself does not provide load balancing, but rather acts as a configuration layer that defines how traffic should be routed to the services. The actual load balancing is performed by the Ingress controller, which is a separate component that runs in the cluster and reads the Ingress configuration to configure the load balancer.

Ingress rules are defined using a set of path and host rules, which are matched against incoming requests to determine which service should handle the request. In addition to path and host-based routing, Ingress also supports TLS termination, which enables secure communication between clients and services by terminating SSL/TLS connections at the Ingress controller.

Overall, Ingress provides a powerful and flexible way to route traffic into a Kubernetes cluster, making it easier to expose services to the outside world and manage complex networking configurations.

Network Policies :

In Kubernetes, network policies are a way to control the traffic flow between Pods and external network endpoints.

Network policies allow you to define a set of rules that specify how traffic should be allowed or blocked between Pods based on their labels, namespaces, or IP addresses. These rules can be applied at the namespace level or the cluster level, depending on your requirements.

Network policies use labels to identify the Pods that the policy should apply to. You can use label selectors to specify which Pods the policy should apply to and match on specific ports, protocols, and IP addresses to allow or block traffic as needed.

By default, all traffic between Pods in a Kubernetes cluster is allowed, so network policies can be used to enforce stricter security and isolation policies. For example, you can use network policies to block all incoming traffic to a specific set of Pods, or to only allow traffic from specific IP addresses or Pods.

Network policies are implemented using a network plugin that supports the Kubernetes network policy API, such as Calico or Cilium. If the network plugin does not support the network policy API, network policies will not be enforced.

Overall, network policies provide a powerful tool for controlling network traffic within a Kubernetes cluster and enforcing security and isolation policies.

DNS & CNI ( Container Network Interface) Plugins :

DNS and CNI are two important networking components in Kubernetes.

DNS (Domain Name System) is responsible for resolving domain names to IP addresses within a Kubernetes cluster. Each Pod in the cluster is assigned a unique hostname, and DNS allows other Pods to communicate with that Pod using its hostname. Kubernetes provides a built-in DNS service that maps domain names to IP addresses for services and Pods within the cluster.

CNI (Container Network Interface) is a plugin-based networking specification for containers and Kubernetes. CNI plugins allow Kubernetes to configure networking for Pods, including IP address allocation, routing, and network isolation. CNI plugins are responsible for setting up the virtual network interfaces for each Pod, connecting them to the appropriate networks, and configuring IP address allocation and routing.

There are many CNI plugins available for Kubernetes, including Calico, Flannel, Weave Net, and Cilium. Each plugin has its own unique features and configuration options, and choosing the right plugin for your cluster depends on your specific networking requirements.

Overall, DNS and CNI are both essential components of the Kubernetes networking stack, providing the foundation for communication and networking between Pods and services within the cluster.

Deploying a Web Application with Kubernetes Networking

Prerequisite:

1. Create an Amazon EC2 instance and install Kubernetes using a tool like kubeadm.

2. Deploy a simple web application, such as nginx, using a Kubernetes deployment. Use a replica count of 2 to ensure high availability.

Steps:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.16
        ports:
        - containerPort: 80

1. Create a Kubernetes Service to expose the nginx deployment. Use the type: LoadBalancer to create an Amazon Elastic Load Balancer (ELB) to handle external traffic.

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: LoadBalancer

1. Use kubectl get services to retrieve the IP address of the ELB, and use a web browser to visit that IP address. You should see the nginx default welcome page.

2. Create an Ingress resource to route traffic to the nginx service based on the requested URL path. Use annotations to specify the ingress class and the SSL certificate to use.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-certificate: "my-tls-cert"
spec:
  rules:
  - http:
      paths:
      - path: /nginx
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              name: http

1. Install and configure the nginx ingress controller using Helm. Use the stable/nginx-ingress chart, and enable TLS by creating a secret with your SSL certificate.

helm repo add stable https://charts.helm.sh/stable
helm install my-nginx stable/nginx-ingress \
    --set controller.publishService.enabled=true \
    --set controller.service.type=LoadBalancer \
    --set controller.service.externalTrafficPolicy=Local \
    --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"="my-tls-cert" \
    --set controller.scope.enabled=true \
    --set rbac.create=true \
    --set controller.stats.enabled=true

1. Use kubectl get ingress to retrieve the DNS name of the ingress controller, and use a web browser to visit that DNS name with the /nginx path. You should see the nginx default welcome page again.

2. Create a Network Policy to restrict traffic to the nginx service based on the source IP address. Use a namespaceSelector to select the namespace containing the nginx deployment, and a podSelector to select the nginx pods. Use an ingress rule to allow traffic only from a specific IP address range.

     apiVersion: networking.k8s.io/v1
     kind: NetworkPolicy
     metadata:
       name: nginx-policy
     spec:
       podSelector:
         matchLabels:
           app: nginx
       policyTypes:
       - Ingress
       ingress:
       - from:
         - ipBlock:
             cidr: 10.0.0.0/16
   

3. Use kubectl describe networkpolicy nginx-policy to verify that the policy was created and is enforcing the desired traffic restrictions.

   This Network Policy restricts all ingress traffic to the nginx pods to only the IP address range of 10.0.0.0/16. By using Kubernetes networking features like Network Policies, you can add an extra layer of security to your cluster, helping to ensure that your applications are protected from unauthorized access.

In conclusion, Kubernetes networking provides a powerful set of tools for managing the network infrastructure for containerized applications. Services, Ingress, Network Policies, DNS, and CNI plugins are important components of Kubernetes networking that provide a stable IP address and DNS name for accessing the application, control traffic flow at the pod level, translate domain names into IP addresses, and configure network interfaces for containers. Understanding these components is essential for managing the network infrastructure of Kubernetes clusters.