Services, Ingress and Discovery
Lesson 3 of 8
Services: Exposing Applications
```yaml
apiVersion: v1
kind: Service
metadata:
  name: api-service
spec:
  selector:
    app: api            # selects the pods carrying this label
  ports:
    - port: 80          # port of the Service (its ClusterIP)
      targetPort: 3000  # port on the container (a number or a named port)
      protocol: TCP
  type: ClusterIP       # default: internal IP only
```
Service Types
| Type | Reachable from | Use case |
|---|---|---|
| ClusterIP | Inside the cluster only | Service-to-service traffic |
| NodePort | Every node's IP + a fixed port (30000-32767) | Dev/test |
| LoadBalancer | Cloud provider load balancer (e.g. an NLB) | Production in the cloud |
| ExternalName | CNAME to an external DNS name | Alias for a service outside the cluster |
NodePort and LoadBalancer both open a port on every node (a LoadBalancer Service allocates NodePorts too, unless `allocateLoadBalancerNodePorts: false`); ExternalName only publishes a CNAME, so the client is still responsible for validating TLS against the external host.
```yaml
# LoadBalancer (cloud)
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: LoadBalancer    # also gets a NodePort on every node unless allocateLoadBalancerNodePorts: false
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 80
---
# NodePort (local)
apiVersion: v1
kind: Service
metadata:
  name: web-nodeport
spec:
  type: NodePort
  selector:
    app: web
  ports:
    - port: 80          # targetPort defaults to port
      nodePort: 30080   # reachable on <any node IP>:30080, bypassing any Ingress in front
```
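An exposure inventory, as an added example that is not part of the lesson: given Service manifests like the three above, list every address outside the pod network on which each one listens. It encodes the point that a NodePort is opened on every node and that a LoadBalancer Service gets one as well. The node IPs, the `nodePort` assigned to the LoadBalancer Service and the `<lb-address>` / `<auto>` placeholders are assumptions for illustration.

```python
# Constructed inventory (added example, not from the lesson). The Services
# mirror the manifests above; node IPs and the LB nodePort are made up.
NODE_IPS = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
SERVICES = [
    {"metadata": {"name": "api-service"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80, "targetPort": 3000}]}},
    {"metadata": {"name": "web"},
     "spec": {"type": "LoadBalancer",
              "ports": [{"port": 80, "targetPort": 80, "nodePort": 31456}]}},
    {"metadata": {"name": "web-nodeport"},
     "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]}},
]
NODEPORT_RANGE = range(30000, 32768)  # apiserver default --service-node-port-range


def listeners(service, node_ips=NODE_IPS):
    """Addresses outside the pod network on which this Service is reachable.

    A LoadBalancer Service also receives a NodePort on every node unless
    spec.allocateLoadBalancerNodePorts is false, so it opens the same per-node
    listeners as a NodePort Service in addition to the load balancer itself.
    """
    spec = service["spec"]
    kind = spec.get("type", "ClusterIP")
    out = []
    if kind == "LoadBalancer":
        out += [("<lb-address>", p["port"]) for p in spec["ports"]]
    node_ports = kind == "NodePort" or (
        kind == "LoadBalancer" and spec.get("allocateLoadBalancerNodePorts", True))
    if node_ports:
        for p in spec["ports"]:
            np = p.get("nodePort", "<auto>")  # apiserver allocates one if omitted
            if isinstance(np, int) and np not in NODEPORT_RANGE:
                raise ValueError(
                    f"{service['metadata']['name']}: nodePort {np} is outside "
                    f"{NODEPORT_RANGE.start}-{NODEPORT_RANGE.stop - 1}")
            out += [(ip, np) for ip in node_ips]
    return out  # ClusterIP and ExternalName contribute nothing


def exposure_report(services=SERVICES):
    """name -> list of (address, port) listeners reachable from outside."""
    return {s["metadata"]["name"]: listeners(s) for s in services}


if __name__ == "__main__":
    for name, where in exposure_report().items():
        print(f"{name:14} {where or 'internal only'}")
```

Run it against `kubectl get svc -A -o json` output (after loading the JSON) to get the same report for a real cluster; anything with a per-node listener deserves a NetworkPolicy or a host firewall rule in front of it.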
Ingress: HTTP Routing
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-ingress
  annotations:
    # Careful: a fixed rewrite-target turns /v1/users AND /v2/users into "/".
    # To keep the rest of the path use a capture group, e.g.
    # path: /v1(/|$)(.*) with rewrite-target: /$2 (pathType: ImplementationSpecific).
    nginx.ingress.kubernetes.io/rewrite-target: /
    # ingress-nginx has no "rate-limit" annotation; the real ones are
    # limit-rps / limit-rpm / limit-connections (enforced per client IP).
    nginx.ingress.kubernetes.io/limit-rps: "5"
spec:
  ingressClassName: nginx
  rules:
    - host: api.meudominio.com
      http:
        paths:
          - path: /v1
            pathType: Prefix
            backend:
              service:
                name: api-v1
                port:
                  number: 80
          - path: /v2
            pathType: Prefix
            backend:
              service:
                name: api-v2
                port:
                  number: 80
    - host: admin.meudominio.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: admin
                port:
                  number: 80
  tls:
    - hosts:
        - api.meudominio.com
      # admin.meudominio.com is NOT listed here: it is served over plain HTTP
      # (and with the controller's self-signed fallback certificate on 443).
      # An admin host needs its own tls entry backed by a valid certificate.
      secretName: api-tls   # Secret of type kubernetes.io/tls (tls.crt + tls.key)
```
```bash
# Install the ingress controller (ingress-nginx), version pinned.
# Review the manifest before applying it: it creates cluster-wide RBAC.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.0/deploy/static/provider/cloud/deploy.yaml
```
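Two checks worth running on an Ingress before it reaches production, as an added example (Python, not code from the lesson): hosts that are routed without a TLS entry, and a fixed `rewrite-target` paired with non-root Prefix paths. The manifest is a constructed dict mirroring `api-ingress` above; with real files you would `yaml.safe_load` them first and pass the result to `lint`.

```python
"""Static checks on an Ingress manifest (added example, not from the lesson).

INGRESS is a constructed dict that mirrors the api-ingress shown above, with
the original (fixed) rewrite-target annotation so the check has something to
find. Real manifests would be loaded with yaml.safe_load() instead.
"""

REWRITE = "nginx.ingress.kubernetes.io/rewrite-target"

INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "api-ingress", "annotations": {REWRITE: "/"}},
    "spec": {
        "ingressClassName": "nginx",
        "rules": [
            {"host": "api.meudominio.com", "http": {"paths": [
                {"path": "/v1", "pathType": "Prefix"},
                {"path": "/v2", "pathType": "Prefix"},
            ]}},
            {"host": "admin.meudominio.com", "http": {"paths": [
                {"path": "/", "pathType": "Prefix"},
            ]}},
        ],
        "tls": [{"hosts": ["api.meudominio.com"], "secretName": "api-tls"}],
    },
}


def hosts_without_tls(ingress):
    """Hosts present in rules[] but in no tls[].hosts entry.

    ingress-nginx serves such hosts on plain HTTP, and on 443 only with its
    self-signed fallback certificate, so an admin UI would travel in clear.
    """
    covered = {h for entry in ingress["spec"].get("tls", [])
               for h in entry.get("hosts", [])}
    routed = {r["host"] for r in ingress["spec"]["rules"] if r.get("host")}
    return sorted(routed - covered)


def lossy_rewrites(ingress):
    """Prefix paths whose rewrite-target has no capture group.

    With a fixed target ingress-nginx replaces the whole URI, so /v1/users and
    /v2/users both reach the backend as "/". Targets containing $1/$2 keep the
    captured remainder and are not flagged.
    """
    target = ingress["metadata"].get("annotations", {}).get(REWRITE)
    if target is None or "$" in target:
        return []
    return [p["path"]
            for r in ingress["spec"]["rules"]
            for p in r.get("http", {}).get("paths", [])
            if p.get("pathType") == "Prefix" and p["path"] not in ("", "/")]


def lint(ingress):
    """All findings as human-readable strings."""
    findings = [f"host {h} is routed but has no tls entry"
                for h in hosts_without_tls(ingress)]
    findings += [f"path {p} is rewritten to a fixed target; the path remainder is lost"
                 for p in lossy_rewrites(ingress)]
    return findings


if __name__ == "__main__":
    for finding in lint(INGRESS):
        print("WARN:", finding)
```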
Service Mesh with mTLS (Linkerd)
```yaml
# The inject annotation belongs on the pod template (or on the Namespace); on a Service object it has no effect.
apiVersion: apps/v1
kind: Deployment
metadata: { name: api }
spec:
  selector: { matchLabels: { app: api } }
  template:
    metadata:
      labels: { app: api }
      annotations: { linkerd.io/inject: enabled }  # sidecar proxy injected: mTLS between meshed pods
    spec:
      containers: [ { name: api, image: api:1.0 } ]  # hypothetical image
```
```yaml
# Server: the workload and port being protected. Once a Server exists, traffic to that port is denied unless an AuthorizationPolicy allows it.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata: { name: api-server }
spec:
  podSelector: { matchLabels: { app: api } }
  port: 3000
---
# Allowed client identity: the mTLS identity of the "monitoring" ServiceAccount
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata: { name: monitoring-sa }
spec:
  identityRefs:
    - { kind: ServiceAccount, name: monitoring }
---
# Binds the two. targetRef must be a Server, HTTPRoute or Namespace (not a Service); the field is requiredAuthenticationRefs.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata: { name: api-authz }
spec:
  targetRef: { group: policy.linkerd.io, kind: Server, name: api-server }
  requiredAuthenticationRefs:
    - { group: policy.linkerd.io, kind: MeshTLSAuthentication, name: monitoring-sa }
```
DNS in the Cluster
```bash
# CoreDNS resolves the internal names
# Format: <service>.<namespace>.svc.cluster.local
# (the bare name "api-service" only resolves from the same namespace, via the pod's search list)
kubectl run dnsutils --image=registry.k8s.io/e2e-test-images/jessie-dnsutils:1.3 -- sleep 1d
kubectl exec dnsutils -- nslookup api-service
# Server:   10.96.0.10     <- the kube-dns/CoreDNS Service ClusterIP answering the query
# Name:     api-service.default.svc.cluster.local
# Address:  10.96.45.12    <- the Service's own ClusterIP (example value)
```
```yaml
# Headless Service (DNS answers with the pod IPs directly: no ClusterIP, no kube-proxy load balancing)
apiVersion: v1
kind: Service
metadata:
  name: stateful
spec:
  clusterIP: None   # headless
  selector:
    app: stateful
# DNS: stateful-0.stateful.default.svc.cluster.local
# The per-pod name exists only for pods of a StatefulSet whose spec.serviceName is "stateful";
# an A/AAAA query for "stateful" itself returns the IPs of all ready pods.
```
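The resolver side of the lookup above, as an added example (Python, not from the lesson): it simulates the search list and `ndots:5` that kubelet writes into a pod's `/etc/resolv.conf` under the default `ClusterFirst` dnsPolicy, against a constructed CoreDNS zone with made-up addresses. It shows why `api-service` resolves in a single query, `api-service.prod` in two, and an external name such as `api.github.com` costs three NXDOMAIN queries to cluster DNS before the real one is sent (a trailing dot skips the search list entirely).

```python
# Constructed resolver view of a pod in the "default" namespace (added
# example, not from the lesson). kubelet writes this search list and ndots
# into the pod's /etc/resolv.conf for the default ClusterFirst dnsPolicy.
SEARCH = ["default.svc.cluster.local", "svc.cluster.local", "cluster.local"]
NDOTS = 5

# Constructed zone standing in for CoreDNS. Addresses are made up.
ZONE = {
    "api-service.default.svc.cluster.local.": "10.96.45.12",
    "api-service.prod.svc.cluster.local.": "10.96.88.3",
    "stateful-0.stateful.default.svc.cluster.local.": "10.244.1.7",
}


def cluster_fqdn(service, namespace="default", zone="cluster.local"):
    """Canonical in-cluster name of a Service: <service>.<namespace>.svc.<zone>"""
    return f"{service}.{namespace}.svc.{zone}"


def query_order(name, search=SEARCH, ndots=NDOTS):
    """Names a glibc-style stub resolver tries, in order, for `name`.

    A trailing dot marks the name absolute: the search list is skipped.
    With fewer than `ndots` dots the search domains are appended first and the
    bare name is tried last; with `ndots` or more dots the order is reversed.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def resolve(name, zone=ZONE):
    """Simulate the lookup.

    Returns (fqdn, address, queries_sent) on success, or (None, None,
    queries_sent) when every candidate came back NXDOMAIN. queries_sent is
    the number of round trips cluster DNS had to answer.
    """
    sent = 0
    for candidate in query_order(name):
        sent += 1
        if candidate in zone:
            return candidate, zone[candidate], sent
    return None, None, sent


if __name__ == "__main__":
    for n in ["api-service", "api-service.prod", "api.github.com", "api.github.com."]:
        print(f"{n:20} -> {resolve(n)}")
```

The external-name case is the one to remember: every short external hostname a pod looks up is first tried under the cluster suffixes, which both slows the lookup and tells cluster DNS (and whoever reads its logs) which external hosts the workload talks to. Using fully qualified names with a trailing dot, or lowering `ndots` via `dnsConfig`, avoids it.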
Network Policies
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:        # same namespace only; add a namespaceSelector for cross-namespace peers
            matchLabels:
              role: frontend
      ports:
        - port: 3000
          protocol: TCP       # the default when omitted
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - port: 5432
          protocol: TCP
    # Required: with Egress in policyTypes everything not listed is dropped, DNS
    # included, so without this rule the pod cannot even resolve "database".
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```
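An offline evaluator for the NetworkPolicy semantics just shown, as an added example (Python, not from the lesson). Pods, namespace labels and the policy are constructed dicts (`API_POLICY` mirrors the `api-policy` manifest without the DNS rule, so the pitfall is visible). It implements the rules that matter in practice: a pod is selected by `podSelector`; inside one rule the peers are OR-ed and then AND-ed with the ports; across policies and rules everything is OR-ed; a `podSelector` without `namespaceSelector` is same-namespace only; a pod no policy selects allows everything. `ipBlock` peers and `matchExpressions` are deliberately not modelled.

```python
import copy

# Constructed cluster state (added example, not from the lesson).
NAMESPACES = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}
API = {"namespace": "default", "labels": {"app": "api"}}
FRONTEND = {"namespace": "default", "labels": {"role": "frontend"}}
DATABASE = {"namespace": "default", "labels": {"app": "database"}}
SCANNER = {"namespace": "default", "labels": {"app": "scanner"}}
COREDNS = {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}}

# api-policy as in the lesson's manifest, before the DNS egress rule is added.
API_POLICY = {
    "metadata": {"name": "api-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
                     "ports": [{"port": 3000}]}],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "database"}}}],
                    "ports": [{"port": 5432}]}],
    },
}

# The rule the policy above is missing: allow DNS to CoreDNS in kube-system.
DNS_EGRESS_RULE = {
    "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
    "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}],
}


def selector_matches(selector, labels):
    """matchLabels only; an empty selector matches every object."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, other, policy_ns):
    """One entry of a from/to list. podSelector alone means the policy's own
    namespace; with namespaceSelector both selectors must match (AND)."""
    if "ipBlock" in peer:
        return False  # CIDR peers are not modelled in this example
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACES[other["namespace"]]):
            return False
        return selector_matches(peer.get("podSelector", {}), other["labels"])
    return other["namespace"] == policy_ns and selector_matches(peer.get("podSelector", {}), other["labels"])


def rule_allows(rule, peer_key, other, port, proto, policy_ns):
    """Within one rule: (any peer) AND (any port). A missing list is unrestricted."""
    peers = rule.get(peer_key)
    if peers and not any(peer_matches(p, other, policy_ns) for p in peers):
        return False
    ports = rule.get("ports")
    if ports and not any(pp["port"] == port and pp.get("protocol", "TCP") == proto for pp in ports):
        return False
    return True


def policy_types(spec):
    """Default when omitted: Ingress always; Egress only if egress rules are present."""
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])


def allowed(direction, pod, other, port, proto="TCP", policies=(API_POLICY,)):
    """direction 'ingress': other -> pod; 'egress': pod -> other.

    Rules of every policy selecting the pod are OR-ed. If no policy selects
    the pod for that direction the traffic is allowed: the cluster default.
    """
    kind = direction.capitalize()
    peer_key = "from" if direction == "ingress" else "to"
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == pod["namespace"]
                 and kind in policy_types(p["spec"])
                 and selector_matches(p["spec"]["podSelector"], pod["labels"])]
    if not selecting:
        return True
    return any(rule_allows(r, peer_key, other, port, proto, p["metadata"]["namespace"])
               for p in selecting for r in p["spec"].get(direction, []))


def with_dns_egress(policy):
    """Copy of the policy with the CoreDNS egress rule appended."""
    fixed = copy.deepcopy(policy)
    fixed["spec"]["egress"].append(DNS_EGRESS_RULE)
    return fixed


if __name__ == "__main__":
    fixed = (with_dns_egress(API_POLICY),)
    print("frontend -> api:3000            ", allowed("ingress", API, FRONTEND, 3000))
    print("scanner  -> api:3000            ", allowed("ingress", API, SCANNER, 3000))
    print("api -> database:5432            ", allowed("egress", API, DATABASE, 5432))
    print("api -> coredns:53/udp           ", allowed("egress", API, COREDNS, 53, "UDP"))
    print("api -> coredns:53/udp (fixed)   ", allowed("egress", API, COREDNS, 53, "UDP", fixed))
    print("scanner -> frontend:80 (no policy selects frontend)", allowed("ingress", FRONTEND, SCANNER, 80))
```

The last line of output is the point of the lesson's closing sentence: the frontend pod is not selected by any policy, so the scanner reaches it freely. A namespace-wide default-deny policy (empty `podSelector: {}` with both policy types and no rules) is the usual way to flip that default.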
A Service exposes a set of pods behind a virtual IP. An Ingress routes HTTP/HTTPS by host and path. NetworkPolicies filter traffic at the pod level (an L3/L4 firewall) and are only enforced when the CNI plugin implements them. By default, with no policy selecting a pod, all ingress and egress is allowed.