I've seen Kubernetes Securing services but I am asking a more basic question.
How are the services secured? I have a repository layer that should not be available outside of the cluster, but only available to services within the cluster. I can't quite see how I can use kubernetes to handle that or whether it does it itself.
ClusterIP is not available outside the cluster. If you create the service of type NodePort or LoadBalancer, then that can be accessed outside the cluster.

https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
If you mean network-level security by restricting how the service is accessed, then there are many types of Kubernetes options that you use for exposing the service, but in your case, you expose it using the Service of type ClusterIP so that it is only available inside the cluster.

Types of Services

There are five types of Services:
ClusterIP (default): Internal clients send requests to a stable internal IP address.
NodePort: Clients send requests to the IP address of a node on one or more nodePort values that are specified by the Service.
LoadBalancer: Clients send requests to the IP address of a network load balancer.
ExternalName: Internal clients use the DNS name of a Service as an alias for an external DNS name.
Headless: You can use a headless service in situations where you want a Pod grouping, but don't need a stable IP address.
Here is a manifest for a Service of type ClusterIP:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-cip-service
spec:
  selector:
    app: metrics
    department: sales
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
```
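Both answers come down to the same check: a Service only stays cluster-internal when its type is ClusterIP (the default when `type` is omitted). The following is an added example, not code from the question or either answer, that audits already-parsed Service manifests (dicts such as `yaml.safe_load` or `kubectl get svc -o json` would give you) and reports any that are reachable from outside the cluster; the `repo-api` and `repo-db` manifests and the `find_exposed`/`reachability` function names are constructed for the example.

```python
from typing import Dict, List, Set

# Service types that publish the Service on node IPs or a cloud load balancer.
EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}


def reachability(service: Dict) -> str:
    """Classify where a Service is reachable from, following Kubernetes defaults:
    a missing spec.type means ClusterIP, and clusterIP: None means headless."""
    spec = service.get("spec", {})
    svc_type = spec.get("type", "ClusterIP")     # Kubernetes default when omitted
    if svc_type == "ExternalName":
        return "alias-to-external-dns"            # DNS alias only, nothing is proxied
    if svc_type in EXTERNAL_TYPES:
        return "outside-cluster"                  # node port or load balancer
    # spec.externalIPs makes even a ClusterIP Service answer on those addresses,
    # so it must be treated as exposed as well.
    if spec.get("externalIPs"):
        return "outside-cluster"
    if spec.get("clusterIP") == "None":
        return "cluster-internal-headless"        # DNS returns Pod IPs; still internal
    return "cluster-internal"


def find_exposed(manifests: List[Dict], internal_only: Set[str]) -> List[str]:
    """Names of Services in `internal_only` that are reachable from outside the cluster."""
    exposed = []
    for manifest in manifests:
        if manifest.get("kind") != "Service":
            continue                              # ignore Deployments, ConfigMaps, ...
        name = manifest["metadata"]["name"]
        if name in internal_only and reachability(manifest) == "outside-cluster":
            exposed.append(name)
    return exposed


# Constructed sample input: the answer's ClusterIP manifest plus two hypothetical
# variants of a "repository layer" Service that must never leave the cluster.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "my-cip-service"},
     "spec": {"selector": {"app": "metrics", "department": "sales"}, "type": "ClusterIP",
              "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8080}]}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "repo-api"},
     "spec": {"selector": {"app": "repo"}, "type": "NodePort",
              "ports": [{"port": 80, "targetPort": 8080, "nodePort": 30080}]}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "repo-db"},
     "spec": {"selector": {"app": "db"}, "externalIPs": ["192.0.2.10"],
              "ports": [{"port": 5432}]}},
]

if __name__ == "__main__":
    print(find_exposed(SAMPLE_MANIFESTS, {"my-cip-service", "repo-api", "repo-db"}))
```

Run it against your own manifests before `kubectl apply`; a ClusterIP Service passes, while the NodePort variant and the one carrying `externalIPs` are both reported as exposed.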