Yandex.Cloud
  • Services
  • Why Yandex.Cloud
  • Pricing
  • Documentation
  • Contact us
Get started
Yandex Managed Service for Kubernetes
  • Getting started
  • Step-by-step instructions
    • All instructions
    • Connecting to a node over SSH
    • Creating a configuration file
    • Configuring a Kubernetes cluster network
      • Granting access to an app running in a Kubernetes cluster
      • Using Kubernetes cluster network policies
    • Encrypting secrets
    • Using persistent volumes
      • Dynamically preparing volumes
      • Statically preparing volumes
      • Managing storage classes
      • Expanding a volume
      • Mounting a volume in Block mode
    • Managing a Kubernetes cluster
      • Adding Kubernetes cluster credentials to the kubectl configuration file
      • Getting information about a Kubernetes cluster
      • Creating a Kubernetes cluster
      • Editing a Kubernetes cluster
      • Deleting a Kubernetes cluster
    • Managing a node group
      • Getting information about a node group
      • Creating a node group
      • Editing a node group
      • Deleting a node group
  • Solutions
    • Integration with Container Registry
    • Running workloads with GPUs
    • Making backups to Object Storage
  • Concepts
    • Relationship between service resources
    • Release channels and updates
    • Using Kubernetes API objects
      • Volume
      • Service
    • Node group
      • Autoscaling node groups
      • Evicting pods from a node
      • Dynamic resource allocation for a node
      • Node groups with GPUs
    • Kubernetes cluster network policies
    • Quotas and limits
  • Access management
  • Pricing policy
  • API reference
    • Authentication in the API
    • gRPC
      • Overview
      • ClusterService
      • NodeGroupService
      • VersionService
      • OperationService
    • REST
      • Overview
      • Cluster
        • Overview
        • create
        • delete
        • get
        • list
        • listNodeGroups
        • listNodes
        • listOperations
        • start
        • stop
        • update
      • NodeGroup
        • Overview
        • create
        • delete
        • get
        • list
        • listNodes
        • listOperations
        • update
      • Version
        • Overview
        • list
  • Questions and answers
  1. Step-by-step instructions
  2. Configuring a Kubernetes cluster network
  3. Granting access to an app running in a Kubernetes cluster

Granting access to an app running in a cluster Kubernetes

  • Create a simple app
  • Create a LoadBalancer service with a public IP address
  • Create a LoadBalancer service with an internal IP address
  • Advanced LoadBalancer service settings

To grant access to an app running in a Kubernetes cluster, you can use various types of public and internal services.

To grant public access to the app, use LoadBalancer type service with a public IP address.

Applications can be accessed from internal networks, but not from Kubernetes clusters: from subnets of Yandex Virtual Private Cloud or a company's internal subnets connected to Yandex.Cloud via Yandex Cloud Interconnect or VPN. To grant access, use a LoadBalancer service based on an internal load balancer.

Note

Unlike the IP address of a pod or node, which may change if the resources in a node group are updated, the IP address of LoadBalancer services don't change.

Prepare and run the application to be granted access to using a LoadBalancer service in the Kubernetes cluster. As an example, use a simple application that responds to HTTP requests on port 8080.

  • Create a simple application
  • Create a LoadBalancer service with a public IP address
  • Create a LoadBalancer service with an internal IP address
  • Advanced LoadBalancer service settings

Create a simple app

  1. Save the following app creation specification to a YAML file named hello.yaml:

    Deployment is the Kubernetes API object that manages the replicated application.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: hello
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: hello
      template:
        metadata:
          labels:
            app: hello
        spec:
          containers:
          - name: hello-app
            image: cr.yandex/crpjd37scfv653nl11i9/hello:1.1
    
  2. Create an application:

    CLI

    If you don't have the Yandex.Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    kubectl apply -f hello.yaml
    

    Execution result:

    deployment.apps/hello created
    
  3. View information about the created app:

    CLI
    kubectl describe deployment hello
    

    Execution result:

    Name:                   hello
    Namespace:              default
    CreationTimestamp:      Wed, 28 Oct 2020 23:15:25 +0300
    Labels:                 <none>
    Annotations:            deployment.kubernetes.io/revision: 1
    Selector:               app=hello
    Replicas:               2 desired | 2 updated | 2 total | 1 available | 1 unavailable
    StrategyType:           RollingUpdate
    MinReadySeconds:        0
    RollingUpdateStrategy:  25% max unavailable, 25% max surge
    Pod Template:
      Labels:  app=hello
      Containers:
       hello-app:
        Image:        cr.yandex/crpab12cdef353nl11i9/hello:1.1
        Port:         <none>
        Host Port:    <none>
        Environment:  <none>
        Mounts:       <none>
      Volumes:        <none>
    Conditions:
      Type           Status  Reason
      ----           ------  ------
      Available      False   MinimumReplicasUnavailable
      Progressing    True    ReplicaSetUpdated
    OldReplicaSets:  <none>
    NewReplicaSet:   hello-74c9c1b238 (2/2 replicas created)
    Events:
      Type    Reason             Age   From                   Message
      ----    ------             ----  ----                   -------
      Normal  ScalingReplicaSet  10s   deployment-controller  Scaled up replica set hello-74c9c1b238 to 2
    

Create a LoadBalancer service with a public IP address

When you create a LoadBalancer service, the Yandex.Cloud controller creates and configures a network load balancer in your folder with a public IP address.

Warning

  • You will be charged for the network load balancer you created based on the pricing rules.
  • Don't modify or delete the network load balancer or target groups that are automatically created in your folder after creating a LoadBalancer service.
  1. Save the following specification for creating a LoadBalancer service to a YAML file named load-balancer.yaml:

    apiVersion: v1
    kind: Service
    metadata:
      name: hello
    spec:
      ports:
      - port: 80
        name: plaintext
        targetPort: 8080
      selector:
        app: hello
      type: LoadBalancer
    

    Where:

    • port is the network load balancer port to handle user requests.
    • targetPort is the container port where the application is available.
    • selector stands for the selector labels used in the pod template when creating the Deployment object.
  2. Create a network load balancer:

    CLI
    kubectl apply -f load-balancer.yaml
    

    Execution result:

    service/hello created
    
  3. View information about the network load balancer created:

    Management console
    CLI
    1. In the management console, select your default folder.
    2. Select Load Balancer.
    3. The Load balancers tab shows the network load balancer with the k8s prefix in the name and the unique ID of your Kubernetes cluster in the description.
    kubectl describe service hello
    

    Execution result:

    Name:                     hello
    Namespace:                default
    Labels:                   <none>
    Annotations:              Selector:  app=hello
    Type:                     LoadBalancer
    IP:                       172.20.169.7
    LoadBalancer Ingress:     130.193.50.111
    Port:                     plaintext  80/TCP
    TargetPort:               8080/TCP
    NodePort:                 plaintext  32302/TCP
    Endpoints:                10.1.130.4:8080
    Session Affinity:         None
    External Traffic Policy:  Cluster
    Events:
      Type    Reason                Age    From                Message
      ----    ------                ----   ----                -------
      Normal  EnsuringLoadBalancer  2m43s  service-controller  Ensuring load balancer
      Normal  EnsuredLoadBalancer   2m17s  service-controller  Ensured load balancer
    
  4. Make sure the application is available from the internet:

    CLI
    curl http://130.193.50.111
    

    Where:

    • 130.193.50.111 is the public IP address from the LoadBalancer Ingress field.

    Execution result:

    Hello, world!
    Running in 'hello-74c9c1b238-c1rpa'
    

Create a LoadBalancer service with an internal IP address

To create a load balancer with an internal IP address, specify the yandex.cloud/load-balancer-type and yandex.cloud/subnet-id parameters in the YAML specification for the service under annotations:

apiVersion: v1
kind: Service
metadata:
  name: hello
  annotations:
    yandex.cloud/load-balancer-type: internal
    yandex.cloud/subnet-id: e1b23q26ab1c0dce8te9
spec:
  ports:
  - port: 80
    name: plaintext
    targetPort: 8080
  selector:
    app: hello
  type: LoadBalancer

Where:

  • yandex.cloud/subnet-id is the ID of the subnet to allocate the IP address for the network load balancer in.
  • port is the network load balancer port to handle user requests.
  • targetPort is the container port where the application is available.
  • selector stands for the selector labels used in the pod template when creating the Deployment object.

Advanced LoadBalancer service settings

In Managed Service for Kubernetes, the following advanced settings are available for a service with the LoadBalancer type:

  • Assign a pre-allocated public IP address using the loadBalancerIP parameter.
  • Manage traffic using the externalTrafficPolicy parameter:
    • Cluster: Traffic goes to any of the Kubernetes cluster nodes. In this case:
      • If pods are missing from the node, kube-proxy forwards traffic to another node.
    • Local: Traffic goes directly to the nodes where the application containers are running. In this case:
      • The originating IP address of the user query is saved.
      • Horizontal traffic exchanged by VMs is lower.

The loadBalancerIP and externalTrafficPolicy parameters are optional. If you omit them, a load balancer is created with a dynamic IP address and the externalTrafficPolicy: Cluster parameter.

Example of a LoadBalancer service YAML specification with these parameters:

apiVersion: v1
kind: Service
metadata:
  name: hello
spec:
  ports:
  - port: 80
    name: plaintext
    targetPort: 8080
  selector:
    app: hello
  loadBalancerIP: <pre-allocated IP address>
  type: LoadBalancer
  externalTrafficPolicy: <Local or Cluster>
In this article:
  • Create a simple app
  • Create a LoadBalancer service with a public IP address
  • Create a LoadBalancer service with an internal IP address
  • Advanced LoadBalancer service settings
Language
Careers
Privacy policy
Terms of use
© 2021 Yandex.Cloud LLC