Services and Networking (13%)

Create a pod with image nginx called nginx and expose its port 80


kubectl run nginx --image=nginx --restart=Never --port=80 --expose
# observe that a pod as well as a service are created

Confirm that ClusterIP has been created. Also check endpoints


kubectl get svc nginx # services
kubectl get ep # endpoints

Get service’s ClusterIP, create a temp busybox pod and ‘hit’ that IP with wget


kubectl get svc nginx # get the IP (something like
kubectl run busybox --rm --image=busybox -it --restart=Never -- sh
wget -O- IP:80


IP=$(kubectl get svc nginx --template={{.spec.clusterIP}}) # get the IP (something like
kubectl run busybox --rm --image=busybox -it --restart=Never --env="IP=$IP" -- wget -O- $IP:80 --timeout 2
# Tip: --timeout is optional, but it helps to get answer more quickly when connection fails (in seconds vs minutes)

Convert the ClusterIP to NodePort for the same service and find the NodePort port. Hit service using Node’s IP. Delete the service and the pod at the end.


kubectl edit svc nginx
apiVersion: v1
kind: Service
  creationTimestamp: 2018-06-25T07:55:16Z
  name: nginx
  namespace: default
  resourceVersion: "93442"
  selfLink: /api/v1/namespaces/default/services/nginx
  uid: 191e3dac-784d-11e8-86b1-00155d9f663c
  - port: 80
    protocol: TCP
    targetPort: 80
    run: nginx
  sessionAffinity: None
  type: NodePort # change cluster IP to nodeport
  loadBalancer: {}
kubectl get svc
# result:
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP        <none>        443/TCP        1d
nginx        NodePort   <none>        80:31931/TCP   3m
wget -O- NODE_IP:31931 # if you're using Kubernetes with Docker for Windows/Mac, try
#if you're using minikube, try minikube ip, then get the node ip such as
kubectl delete svc nginx # Deletes the service
kubectl delete pod nginx # Deletes the pod

Create a deployment called foo using image ‘dgkanatsios/simpleapp’ (a simple server that returns hostname) and 3 replicas. Label it as ‘app=foo’. Declare that containers in this pod will accept traffic on port 8080 (do NOT create a service yet)


kubectl run foo --image=dgkanatsios/simpleapp --labels=app=foo --port=8080 --replicas=3

Or, you can use the more recent approach of creating the requested deployment as kubectl run has been deprecated.

kubectl create deploy foo --image=dgkanatsios/simpleapp --dry-run -o yaml > foo.yml

vi foo.yml

Update the yaml to update the replicas and add container port.

apiVersion: apps/v1
kind: Deployment
  creationTimestamp: null
    app: foo
  name: foo
  replicas: 3 # Update this
      app: foo
  strategy: {}
      creationTimestamp: null
        app: foo
      - image: dgkanatsios/simpleapp
        name: simpleapp
        ports:                   # Add this
          - containerPort: 8080  # Add this
        resources: {}
status: {}

Get the pod IPs. Create a temp busybox pod and trying hitting them on port 8080


kubectl get pods -l app=foo -o wide # 'wide' will show pod IPs
kubectl run busybox --image=busybox --restart=Never -it --rm -- sh
wget -O- POD_IP:8080 # do not try with pod name, will not work
# try hitting all IPs to confirm that hostname is different

Create a service that exposes the deployment on port 6262. Verify its existence, check the endpoints


kubectl expose deploy foo --port=6262 --target-port=8080
kubectl get service foo # you will see ClusterIP as well as port 6262
kubectl get endpoints foo # you will see the IPs of the three replica nodes, listening on port 8080

Create a temp busybox pod and connect via wget to foo service. Verify that each time there’s a different hostname returned. Delete deployment and services to cleanup the cluster


kubectl get svc # get the foo service ClusterIP
kubectl run busybox --image=busybox -it --rm --restart=Never -- sh
wget -O- foo:6262 # DNS works! run it many times, you'll see different pods responding
wget -O- SERVICE_CLUSTER_IP:6262 # ClusterIP works as well
# you can also kubectl logs on deployment pods to see the container logs
kubectl delete svc foo
kubectl delete deploy foo

Create an nginx deployment of 2 replicas, expose it via a ClusterIP service on port 80. Create a NetworkPolicy so that only pods with labels ‘access: granted’ can access the deployment and apply it > Documentation > Concepts > Services, Load Balancing, and Networking > Network Policies


kubectl run nginx --image=nginx --replicas=2 --port=80 --expose
kubectl describe svc nginx # see the 'run=nginx' selector for the pods
# or
kubectl get svc nginx -o yaml

vi policy.yaml
kind: NetworkPolicy
  name: access-nginx # pick a name
      run: nginx # selector for the pods
  ingress: # allow ingress traffic
  - from:
    - podSelector: # from pods
        matchLabels: # with this label
          access: granted
# Create the NetworkPolicy
kubectl create -f policy.yaml

# Check if the Network Policy has been created correctly
# make sure that your cluster's network provider supports Network Policy (
kubectl run busybox --image=busybox --rm -it --restart=Never -- wget -O- http://nginx:80 --timeout 2                          # This should not work. --timeout is optional here. But it helps to get answer more quickly (in seconds vs minutes)
kubectl run busybox --image=busybox --rm -it --restart=Never --labels=access=granted -- wget -O- http://nginx:80 --timeout 2  # This should be fine

comments powered by Disqus