Granting access to an app running in a cluster Kubernetes

Create a simple app
Create a LoadBalancer service with a public IP address
Create a LoadBalancer service with an internal IP address
Advanced LoadBalancer service settings

To grant access to an app running in a Kubernetes cluster, you can use various types of public and internal services.

To grant public access to the app, use LoadBalancer type service with a public IP address.

Applications can be accessed from internal networks, but not from Kubernetes clusters: from subnets of Yandex Virtual Private Cloud or a company's internal subnets connected to Yandex.Cloud via Yandex Cloud Interconnect or VPN. To grant access, use a LoadBalancer service based on an internal load balancer.

Note

Unlike the IP address of a pod or node, which may change if the resources in a node group are updated, the IP address of LoadBalancer services don't change.

Prepare and run the application to be granted access to using a LoadBalancer service in the Kubernetes cluster. As an example, use a simple application that responds to HTTP requests on port 8080.

Create a simple application
Create a LoadBalancer service with a public IP address
Create a LoadBalancer service with an internal IP address
Advanced LoadBalancer service settings

Create a simple app

Save the following app creation specification to a YAML file named hello.yaml:

Deployment is the Kubernetes API object that manages the replicated application.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
      - name: hello-app
        image: cr.yandex/crpjd37scfv653nl11i9/hello:1.1

Create an application:
CLI
If you don't have the Yandex.Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
```
kubectl apply -f hello.yaml
```
Execution result:
```
deployment.apps/hello created
```

View information about the created app:

CLI

kubectl describe deployment hello

Execution result:

Name:                   hello
Namespace:              default
CreationTimestamp:      Wed, 28 Oct 2020 23:15:25 +0300
Labels:                 <none>
Annotations:            deployment.kubernetes.io/revision: 1
Selector:               app=hello
Replicas:               2 desired | 2 updated | 2 total | 1 available | 1 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app=hello
  Containers:
   hello-app:
    Image:        cr.yandex/crpab12cdef353nl11i9/hello:1.1
    Port:         <none>
    Host Port:    <none>
    Environment:  <none>
    Mounts:       <none>
  Volumes:        <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      False   MinimumReplicasUnavailable
  Progressing    True    ReplicaSetUpdated
OldReplicaSets:  <none>
NewReplicaSet:   hello-74c9c1b238 (2/2 replicas created)
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  10s   deployment-controller  Scaled up replica set hello-74c9c1b238 to 2

Create a LoadBalancer service with a public IP address

When you create a LoadBalancer service, the Yandex.Cloud controller creates and configures a network load balancer in your folder with a public IP address.

Warning

You will be charged for the network load balancer you created based on the pricing rules.
Don't modify or delete the network load balancer or target groups that are automatically created in your folder after creating a LoadBalancer service.

Save the following specification for creating a LoadBalancer service to a YAML file named load-balancer.yaml:
```
apiVersion: v1
kind: Service
metadata:
  name: hello
spec:
  ports:
  - port: 80
    name: plaintext
    targetPort: 8080
  selector:
    app: hello
  type: LoadBalancer
```
Where:
- port is the network load balancer port to handle user requests.
- targetPort is the container port where the application is available.
- selector stands for the selector labels used in the pod template when creating the Deployment object.

Create a network load balancer:

CLI

kubectl apply -f load-balancer.yaml

Execution result:

service/hello created

View information about the network load balancer created:

Management console

CLI

In the management console, select your default folder.
Select Load Balancer.
The Load balancers tab shows the network load balancer with the k8s prefix in the name and the unique ID of your Kubernetes cluster in the description.

kubectl describe service hello

Execution result:

Name:                     hello
Namespace:                default
Labels:                   <none>
Annotations:              Selector:  app=hello
Type:                     LoadBalancer
IP:                       172.20.169.7
LoadBalancer Ingress:     130.193.50.111
Port:                     plaintext  80/TCP
TargetPort:               8080/TCP
NodePort:                 plaintext  32302/TCP
Endpoints:                10.1.130.4:8080
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
  Type    Reason                Age    From                Message
  ----    ------                ----   ----                -------
  Normal  EnsuringLoadBalancer  2m43s  service-controller  Ensuring load balancer
  Normal  EnsuredLoadBalancer   2m17s  service-controller  Ensured load balancer

Make sure the application is available from the internet:
CLI
```
curl http://130.193.50.111
```
Where:
- 130.193.50.111 is the public IP address from the LoadBalancer Ingress field.
Execution result:
```
Hello, world!
Running in 'hello-74c9c1b238-c1rpa'
```

Create a LoadBalancer service with an internal IP address

To create a load balancer with an internal IP address, specify the yandex.cloud/load-balancer-type and yandex.cloud/subnet-id parameters in the YAML specification for the service under annotations:

apiVersion: v1
kind: Service
metadata:
  name: hello
  annotations:
    yandex.cloud/load-balancer-type: internal
    yandex.cloud/subnet-id: e1b23q26ab1c0dce8te9
spec:
  ports:
  - port: 80
    name: plaintext
    targetPort: 8080
  selector:
    app: hello
  type: LoadBalancer

Where:

yandex.cloud/subnet-id is the ID of the subnet to allocate the IP address for the network load balancer in.
port is the network load balancer port to handle user requests.
targetPort is the container port where the application is available.
selector stands for the selector labels used in the pod template when creating the Deployment object.

Advanced LoadBalancer service settings

In Managed Service for Kubernetes, the following advanced settings are available for a service with the LoadBalancer type:

Assign a pre-allocated public IP address using the loadBalancerIP parameter.
Manage traffic using the externalTrafficPolicy parameter:
- Cluster: Traffic goes to any of the Kubernetes cluster nodes. In this case:
  - If pods are missing from the node, kube-proxy forwards traffic to another node.
- Local: Traffic goes directly to the nodes where the application containers are running. In this case:
  - The originating IP address of the user query is saved.
  - Horizontal traffic exchanged by VMs is lower.

The loadBalancerIP and externalTrafficPolicy parameters are optional. If you omit them, a load balancer is created with a dynamic IP address and the externalTrafficPolicy: Cluster parameter.

Example of a LoadBalancer service YAML specification with these parameters:

apiVersion: v1
kind: Service
metadata:
  name: hello
spec:
  ports:
  - port: 80
    name: plaintext
    targetPort: 8080
  selector:
    app: hello
  loadBalancerIP: <pre-allocated IP address>
  type: LoadBalancer
  externalTrafficPolicy: <Local or Cluster>