I've seen Kubernetes Securing services but I am asking a more basic question.
How are the services secured? I have a repository layer that should not be available outside of the cluster, but only available to services within the cluster. I can't quite see how I can use Kubernetes to handle that or whether it does it itself.
ClusterIP is not available outside the cluster. If you create the service of type NodePort or LoadBalancer, then that can be accessed outside the cluster.
https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
If you mean network-level security by restricting how the service is accessed, then there are many types of Kubernetes options that you use for exposing the service, but in your case, you expose it using the Service of type ClusterIP so that it is only available inside the cluster.
Types of Services
There are five types of Services:
ClusterIP (default): Internal clients send requests to a stable internal IP address.
NodePort: Clients send requests to the IP address of a node on one or more nodePort values that are specified by the Service.
LoadBalancer: Clients send requests to the IP address of a network load balancer.
ExternalName: Internal clients use the DNS name of a Service as an alias for an external DNS name.
Headless: You can use a headless service in situations where you want a Pod grouping, but don't need a stable IP address.
Here is a manifest for a Service of type ClusterIP:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-cip-service
spec:
  selector:
    app: metrics
    department: sales
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
```
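As an added example (not code from either answer), here is a small Python audit that applies the distinction above to the JSON that `kubectl get services -A -o json` prints: ClusterIP and headless Services count as internal, NodePort and LoadBalancer as externally reachable, ExternalName as a DNS alias. It goes one step beyond the answers by also flagging a ClusterIP Service that sets `spec.externalIPs`, which makes it reachable on node addresses. The sample input is constructed and assumes only the fields the code reads are present.

```python
import json

# Constructed sample in the shape of `kubectl get services -A -o json`
# (assumption: only the fields used below are present).
SAMPLE_SERVICES_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "backend", "name": "repository"},
         "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.12",
                  "ports": [{"port": 80, "targetPort": 8080}]}},
        {"metadata": {"namespace": "web", "name": "frontend"},
         "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
        {"metadata": {"namespace": "ops", "name": "admin"},
         "spec": {"type": "NodePort",
                  "ports": [{"port": 8080, "nodePort": 30080}]}},
        {"metadata": {"namespace": "backend", "name": "db"},
         "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"],
                  "ports": [{"port": 5432}]}},
        {"metadata": {"namespace": "backend", "name": "workers"},
         "spec": {"type": "ClusterIP", "clusterIP": "None",  # headless
                  "ports": [{"port": 9000}]}},
    ],
})


def classify_service(svc):
    """Return 'external', 'internal' or 'alias' for one Service object."""
    spec = svc.get("spec", {})
    svc_type = spec.get("type", "ClusterIP")  # ClusterIP is the default type
    if svc_type == "ExternalName":
        return "alias"  # DNS alias for an outside name; exposes no Pods
    if svc_type in ("NodePort", "LoadBalancer"):
        return "external"
    # ClusterIP (including headless, clusterIP: None) is reachable only
    # inside the cluster, unless spec.externalIPs routes node traffic to it.
    if spec.get("externalIPs"):
        return "external"
    return "internal"


def find_exposed_services(services_json):
    """Parse kubectl JSON output and list the externally reachable Services."""
    data = json.loads(services_json)
    exposed = []
    for svc in data.get("items", []):
        if classify_service(svc) == "external":
            meta = svc["metadata"]
            exposed.append(f"{meta['namespace']}/{meta['name']}")
    return sorted(exposed)


if __name__ == "__main__":
    for name in find_exposed_services(SAMPLE_SERVICES_JSON):
        print("externally reachable:", name)
```

Pipe real output into `find_exposed_services` to get the same list for a live cluster; anything listed there that should only serve in-cluster callers needs to become a plain ClusterIP Service.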