CKAD : 7.Exposing Applications
ClusterIP range is defined via API server startup option --service-cluster-ip-range
NodePort range is defined in cluster configuration.
ExternalName has no port, no selector, no endpoint. Redirection happen at DNS level.
'kubectl proxy' command create a local service, to access ClusterIP. Useful for troubleshooting and development work.
If we create service with LoadBalancer type on bare metal, and we have not deployed any load balancer then also we can access it as NodePort service.
Grace Period
We should add
pod and deployment have terminationGracePeriodSeconds parameter in spec section. One cannot modify it runtime with kubectl edit command. We can modify it during deployment time only.
KubeProxy Mode
* K8s 1.0 userpace mode
* K8s 1.1 iptables introduced
1.2 iptables become default
it allows max upto approx 5000 worker nodes.
* K8s 1.9 ipvs. configurable load balancing algorithms
- round-robin
- shortest expected delay
- least connection
- others.
IPVS kernel module shall be installed and running.
KubeProxy Mode is configured as startup flag
mode=iptables, mode=IPVS, mode=userspace
Accessing an application with a service
k expose deploy "deploy name" --port=80 --type=NodePort
We can expose pod also as service, if pod has label
k expose pod "pod name" --port=80 --type=NodePort
The targetPort value by default set as value of port.
port is part of endpoint: clusterIP:port
targetPort is opened at pod.
Service can point to service in different namespace, to service which is outside cluster.
External Name is used to access resource, external to cluster. Here selector is not used.
Ingress resource
match : host and path both
rules: HTTP rules only to direct traffic.
Usecase:
- Fan out to service
- name based hosting
- TLS
- load balancing
- expose low numbered port
Ingress Controller
Officially supported
- nginx
- GCE
Community supported
- Traefik (pronounced Traffic)
- HAProxy
Other:
- Contour
- Istio
Ingress controller can be deployed as daemonset. It has its own service account, ClusterRole and ClusterRoleBinding. ClusterRole includes (1) get (2) list (3) watch access to (1) service (2) ep (3) secrets and (4) ingress resource.
Ingress resource has rules. This rule is kind of similar to (1) Ingress GW (2) Virtual Service (3) Destination Rule in Istio.
Ingress resource is created in a same namespace where we have all the svc and deployment.
Traefik has nice UI also accessible with default 8080 port
Questions
What is difference between containerPort and targetPort ?
NodePort range is defined in cluster configuration.
ExternalName has no port, no selector, no endpoint. Redirection happen at DNS level.
'kubectl proxy' command create a local service, to access ClusterIP. Useful for troubleshooting and development work.
If we create service with LoadBalancer type on bare metal, and we have not deployed any load balancer then also we can access it as NodePort service.
Grace Period
We should add
--grace-period=0 --force
for immediate deletionpod and deployment have terminationGracePeriodSeconds parameter in spec section. One cannot modify it runtime with kubectl edit command. We can modify it during deployment time only.
* K8s 1.0 userpace mode
* K8s 1.1 iptables introduced
1.2 iptables become default
it allows max upto approx 5000 worker nodes.
* K8s 1.9 ipvs. configurable load balancing algorithms
- round-robin
- shortest expected delay
- least connection
- others.
IPVS kernel module shall be installed and running.
KubeProxy Mode is configured as startup flag
mode=iptables, mode=IPVS, mode=userspace
Accessing an application with a service
k expose deploy "deploy name" --port=80 --type=NodePort
We can expose pod also as service, if pod has label
k expose pod "pod name" --port=80 --type=NodePort
The targetPort value by default set as value of port.
port is part of endpoint: clusterIP:port
targetPort is opened at pod.
Service can point to service in different namespace, to service which is outside cluster.
External Name is used to access resource, external to cluster. Here selector is not used.
Ingress resource
match : host and path both
rules: HTTP rules only to direct traffic.
Usecase:
- Fan out to service
- name based hosting
- TLS
- load balancing
- expose low numbered port
Ingress Controller
Officially supported
- nginx
- GCE
Community supported
- Traefik (pronounced Traffic)
- HAProxy
Other:
- Contour
- Istio
Ingress controller can be deployed as daemonset. It has its own service account, ClusterRole and ClusterRoleBinding. ClusterRole includes (1) get (2) list (3) watch access to (1) service (2) ep (3) secrets and (4) ingress resource.
Ingress resource has rules. This rule is kind of similar to (1) Ingress GW (2) Virtual Service (3) Destination Rule in Istio.
Ingress resource is created in a same namespace where we have all the svc and deployment.
Traefik has nice UI also accessible with default 8080 port
Questions
What is difference between containerPort and targetPort ?
0 comments:
Post a Comment