Introduction

  • question 15 network policy
  • question 16 expose service
  • question 17 ingress rules

Question 15 Network Policy

ckad question 15
  • create a namespace app-stack
  • retrieve the pod definition https://github.com/speedracer55/ckad-files/blob/main/networkp.yaml
  • create a network policy
  • the network policy should allow incoming traffic from the backend to the database
  • disallow the incoming traffic from the frontend to the database
  • incoming traffic to the database should only be allowed on TCP port 3306

install the Calico network policy engine on AWS EKS first (the default EKS networking does not enforce NetworkPolicy objects)

create a namespace app-stack

kubectl create namespace app-stack

deploy three pods

kubectl create -f q15.yaml

create a network policy yaml, follow this link

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-stack-network-policy
  namespace: app-stack
spec:
  # the policy applies to the database pods
  podSelector:
    matchLabels:
      app: todo
      tier: database
  policyTypes:
  - Ingress
  # listing Egress with no egress rules denies all outbound traffic from the
  # database pods (DNS included); the question only asks for ingress rules
  - Egress
  ingress:
  # only backend pods in this namespace, and only on TCP 3306
  - from:
    - podSelector:
        matchLabels:
          app: todo
          tier: backend
    ports:
    - protocol: TCP
      port: 3306

verify that the backend is allowed to connect to db:3306 (start a shell in a pod carrying the backend labels; --namespace must come before the -- or it is passed to /bin/sh instead of kubectl)

kubectl run busybox --namespace=app-stack --image=busybox --labels="app=todo,tier=backend" -it --rm -- /bin/sh

then get the database pod's IP address (from another terminal) and connect to it on port 3306 from the busybox shell; a connection that is established (even if wget then rejects the non-HTTP reply) shows the policy allows it, a denied connection times out

kubectl get pods --namespace=app-stack --output=wide
wget -O- -T 5 DATABASE_IP_ADDRESS:3306

verify that the frontend is denied a connection to db:3306 (the same wget from a pod carrying the frontend labels should time out)

kubectl run busybox --namespace=app-stack --image=busybox --labels="app=todo,tier=frontend" -it --rm -- /bin/sh
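The cluster test above only shows two outcomes. The following added example (not code from the original notes) models the NetworkPolicy evaluation rules that the CNI enforces, so every combination can be checked offline: which pods the policy isolates, how a podSelector peer is restricted to the policy's own namespace, how the ports list is matched, and what listing Egress without egress rules does. The pod records are constructed for the example; the policy is the one from the notes transcribed as a Python dict. It goes beyond the page by also covering a backend pod in another namespace, a wrong port and a wrong protocol.

```python
"""Model of Kubernetes NetworkPolicy evaluation (added example, constructed pods)."""
import copy

NS = "app-stack"
FRONTEND = {"namespace": NS, "labels": {"app": "todo", "tier": "frontend"}}
BACKEND = {"namespace": NS, "labels": {"app": "todo", "tier": "backend"}}
DATABASE = {"namespace": NS, "labels": {"app": "todo", "tier": "database"}}
# constructed: a backend-labelled pod in another namespace, which the policy must not trust
OTHER_NS_BACKEND = {"namespace": "other", "labels": {"app": "todo", "tier": "backend"}}

# the app-stack policy from the notes, as a dict
APP_STACK_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "app-stack-network-policy", "namespace": NS},
    "spec": {
        "podSelector": {"matchLabels": {"app": "todo", "tier": "database"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "todo", "tier": "backend"}}}],
            "ports": [{"protocol": "TCP", "port": 3306}],
        }],
    },
}


def selector_matches(match_labels, labels):
    """matchLabels: every selector key/value must be on the pod (an empty selector matches all)."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def policy_types(pol):
    """Explicit policyTypes, or the default: Ingress, plus Egress only if egress rules exist."""
    spec = pol["spec"]
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def selecting_policies(policies, pod, direction):
    """Policies that isolate `pod` for "Ingress" or "Egress": same namespace, selector matches."""
    return [p for p in policies
            if p["metadata"]["namespace"] == pod["namespace"]
            and selector_matches(p["spec"]["podSelector"].get("matchLabels", {}), pod["labels"])
            and direction in policy_types(p)]


def peer_matches(peer, pod, policy_ns):
    """A peer with only a podSelector matches pods in the policy's own namespace.
    namespaceSelector and ipBlock peers are outside this model and never match."""
    if "podSelector" in peer and "namespaceSelector" not in peer and "ipBlock" not in peer:
        return pod["namespace"] == policy_ns and selector_matches(
            peer["podSelector"].get("matchLabels", {}), pod["labels"])
    return False


def port_matches(ports, protocol, port):
    """No ports list means any port; otherwise protocol (default TCP) and port must both match."""
    if ports is None:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def rule_allows(rule, peer_key, peer_pod, policy_ns, protocol, port):
    """A rule matches if its from/to list is absent or contains a matching peer, and the port matches."""
    peers = rule.get(peer_key)
    peer_ok = peers is None or any(peer_matches(x, peer_pod, policy_ns) for x in peers)
    return peer_ok and port_matches(rule.get("ports"), protocol, port)


def ingress_allowed(policies, src, dst, protocol, port):
    """Destination not isolated -> allowed; otherwise some ingress rule must match."""
    isolating = selecting_policies(policies, dst, "Ingress")
    if not isolating:
        return True
    return any(rule_allows(r, "from", src, p["metadata"]["namespace"], protocol, port)
               for p in isolating for r in p["spec"].get("ingress", []))


def egress_allowed(policies, src, dst, protocol, port):
    """Source not isolated -> allowed; otherwise some egress rule must match.
    Egress in policyTypes with no egress rules therefore denies everything outbound."""
    isolating = selecting_policies(policies, src, "Egress")
    if not isolating:
        return True
    return any(rule_allows(r, "to", dst, p["metadata"]["namespace"], protocol, port)
               for p in isolating for r in p["spec"].get("egress", []))


def connection_allowed(policies, src, dst, protocol="TCP", port=None):
    """src -> dst:port passes only if src's egress and dst's ingress both allow it."""
    return (egress_allowed(policies, src, dst, protocol, port)
            and ingress_allowed(policies, src, dst, protocol, port))


def ingress_only(pol):
    """Copy of a policy with Egress dropped from policyTypes (what the question asks for)."""
    fixed = copy.deepcopy(pol)
    fixed["spec"]["policyTypes"] = [t for t in policy_types(pol) if t != "Egress"]
    return fixed


if __name__ == "__main__":
    pols = [APP_STACK_POLICY]
    for name, src, port in [("backend", BACKEND, 3306), ("frontend", FRONTEND, 3306),
                            ("backend", BACKEND, 3307), ("other-ns backend", OTHER_NS_BACKEND, 3306)]:
        print(f"{name} -> database:{port}: {connection_allowed(pols, src, DATABASE, 'TCP', port)}")
    print("database -> backend:8080, Egress listed:", connection_allowed(pols, DATABASE, BACKEND, "TCP", 8080))
    print("database -> backend:8080, ingress only:",
          connection_allowed([ingress_only(APP_STACK_POLICY)], DATABASE, BACKEND, "TCP", 8080))
```

The last two lines of the demo are the caveat worth remembering for the exam: with Egress listed and no egress block, the database pod cannot open any connection at all, which the question never asked for; ingress_only shows the policy the task actually describes.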

Question 16 Expose Service

ckad question 16
  • create a service named myapp of type ClusterIP that exposes port 80 to target port 80
  • create a deployment named myapp that creates 1 replica running the image nginx
  • expose the container on port 80
  • verify that port 80 is exposed - list the endpoint values
  • scale the deployment to 2 replicas
  • create a temporary pod using busybox and run wget command against the IP address of the service
  • change the service type so the pods can be reached from outside of the cluster
  • run wget command against the service from outside the cluster

create a service named myapp

kubectl create service myapp clusterip --tcp=80:80 --dry-run=client --output=yaml > q14_service.yaml

content of the service yaml

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: myapp
  name: myapp
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  # pods get endpoints only if they carry this label
  selector:
    app: myapp
  type: ClusterIP
status:
  loadBalancer: {}

create deployment named myapp with 1 replica and image nginx, port 80

kubectl create deployment myapp --image=nginx --replicas=1 --port=80 --dry-run=client --output=yaml > q14_deployment.yaml

deploy the service and deployment

kubectl create -f q14_service.yaml
kubectl create -f q14_deployment.yaml

expose the container on port 80 - this is already done by --port=80 when the deployment was created, so just confirm the container port (running kubectl expose service myapp --port=80 here would fail because a service named myapp already exists)

kubectl describe deployment myapp

verify the service and its endpoints (describe lists the endpoint values, one pod IP per replica)

kubectl get service myapp
kubectl describe service myapp
kubectl get pods --output=wide

scale the deployment to 2 replicas

kubectl scale --replicas=2 deployment myapp

create a temporary busybox pod and run wget against the service

kubectl run busybox --image=busybox --rm -it -- /bin/sh

then, inside the busybox shell, wget -O- against the ClusterIP of the service (shown by kubectl get service myapp)

wget -O- SERVICE_IP_ADDRESS

change the service type to LoadBalancer so that AWS provisions a load balancer and the service can be accessed from outside the cluster

kubectl edit service myapp

edit the service yaml

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: myapp
  name: myapp
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: myapp
  # LoadBalancer makes the service reachable from the internet; add
  # loadBalancerSourceRanges if only certain client ranges should reach it
  type: LoadBalancer
status:
  loadBalancer: {}

verify that the service can be accessed from outside of the cluster - the EXTERNAL-IP column now shows the AWS load balancer address (it may take a minute to leave pending); run wget against that address from outside the cluster

kubectl get service myapp
wget -O- LOAD_BALANCER_ADDRESS
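To make the two checks in this question concrete without a cluster, here is an added example (not code from the original notes) that models what `kubectl describe service myapp` reports as endpoints and what the change to LoadBalancer exposes. It mirrors the endpoints controller: only Ready pods in the service's namespace whose labels satisfy spec.selector get an endpoint, and targetPort is resolved whether it is a number or a named container port. Pod IPs, readiness and the pod lists are constructed here; the Service is the one from the notes as a Python dict.

```python
"""Model of Service endpoint selection and external exposure (added example, constructed pods)."""
import copy

# the myapp service from the notes, as a dict
MYAPP_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "myapp", "namespace": "default", "labels": {"app": "myapp"}},
    "spec": {
        "ports": [{"name": "80-80", "port": 80, "protocol": "TCP", "targetPort": 80}],
        "selector": {"app": "myapp"},
        "type": "ClusterIP",
    },
}


def make_pods(replicas, ready=True):
    """Constructed pods like those the myapp deployment creates (label app=myapp, containerPort 80)."""
    return [{"name": f"myapp-{i}", "namespace": "default", "ip": f"10.0.0.{10 + i}",
             "labels": {"app": "myapp"}, "ready": ready,
             "container_ports": {"http": 80}} for i in range(replicas)]


def resolve_target_port(service_port, pod):
    """targetPort may be a number, the name of a container port, or absent (defaults to port)."""
    target = service_port.get("targetPort", service_port["port"])
    if isinstance(target, int):
        return target
    return pod["container_ports"][target]  # KeyError if the pod has no port with that name


def endpoints_for(service, pods):
    """(ip, port) pairs the endpoints controller publishes for a selector-based Service."""
    selector = service["spec"].get("selector")
    if not selector:
        return []  # a Service without a selector gets no managed endpoints
    ns = service["metadata"].get("namespace", "default")
    addrs = []
    for pod in pods:
        if pod["namespace"] != ns or not pod.get("ready", True):
            continue  # other namespace or not Ready: no endpoint
        if all(pod["labels"].get(k) == v for k, v in selector.items()):
            for sp in service["spec"]["ports"]:
                addrs.append((pod["ip"], resolve_target_port(sp, pod)))
    return addrs


def with_type(service, new_type, source_ranges=None):
    """Copy of the Service with spec.type changed, as `kubectl edit service myapp` does."""
    edited = copy.deepcopy(service)
    edited["spec"]["type"] = new_type
    if source_ranges is not None:
        edited["spec"]["loadBalancerSourceRanges"] = source_ranges
    return edited


def exposure_findings(service):
    """Review findings for a Service that becomes reachable from outside the cluster."""
    spec = service["spec"]
    stype = spec.get("type", "ClusterIP")
    findings = []
    if stype in ("NodePort", "LoadBalancer"):
        findings.append(f"type {stype}: reachable from outside the cluster, not just pod-to-pod")
    if stype == "LoadBalancer" and not spec.get("loadBalancerSourceRanges"):
        findings.append("no loadBalancerSourceRanges: the load balancer accepts traffic from any source")
    return findings


if __name__ == "__main__":
    print("1 replica   :", endpoints_for(MYAPP_SERVICE, make_pods(1)))
    print("2 replicas  :", endpoints_for(MYAPP_SERVICE, make_pods(2)))
    print("not ready   :", endpoints_for(MYAPP_SERVICE, make_pods(2, ready=False)))
    print("ClusterIP   :", exposure_findings(MYAPP_SERVICE))
    print("LoadBalancer:", exposure_findings(with_type(MYAPP_SERVICE, "LoadBalancer")))
```

Scaling from 1 to 2 replicas adds a second (ip, 80) pair, which is what the endpoint list in the question should show; pods that are not Ready or carry a different label never appear, which is the usual reason a service "has no endpoints". The exposure findings spell out what the final kubectl edit changes.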

Question 17 Ingress Rules (TODO)

ckad question 17