Updates after 20230503

nicholasdille · May 3, 2023 · 38749b1 · 38749b1
1 parent 2883b84
commit 38749b1
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 27 deletions.
diff --git a/120_kubernetes/cilium/hubble.md b/120_kubernetes/cilium/hubble.md
@@ -18,6 +18,4 @@ Costs up to 15% performance
 
 Check flows from previous demos
 
-Check service map
-
-Filter flows
+Check service map
diff --git a/120_kubernetes/dns/headless.demo b/120_kubernetes/dns/headless.demo
@@ -53,8 +53,11 @@ spec:
     targetPort: 80
 EOF
 
-# Check DNS for service (could not resolve)
-kubectl get pod --selector app=web --output name | head -n 1 | xargs -I{} kubectl exec {} -- curl -sv http://web
+# Install dig
+kubectl get pod --selector app=web --output name | xargs -I{} kubectl exec {} -- bash -c 'apt-get update && apt-get -y install dnsutils'
 
-# Check DNS for pods
-kubectl get pod --selector app=web --output name | head -n 1 | cut -d/ -f2 | xargs -I{} kubectl exec {} -- curl -sv http://{}
+# Check DNS service web (single A record for cluster IP)
+kubectl get pod --selector app=web --output name | head -n 1 | cut -d/ -f2 | xargs -I{} kubectl exec {} -- dig +short web
+
+# Check DNS service web-headless (one or more A records for pods)
+kubectl get pod --selector app=web --output name | head -n 1 | cut -d/ -f2 | xargs -I{} kubectl exec {} -- dig +short web-headless
diff --git a/120_kubernetes/dns/slides.md b/120_kubernetes/dns/slides.md
@@ -8,7 +8,7 @@ Usually CoreDNS is used for cluster DNS
 
 DNS record (A) for a service:<br/>`<service>.<namespace>.svc.cluster.local`
 
-DNS record (A) for a pod:<br/>`<1-2-3-4>.<namespace>.pod.cluster.local`
+DNS record (A) for a pod with IP `1.2.3.4`:<br/>`<1-2-3-4>.<namespace>.pod.cluster.local`
 
 Add DNS server for custom domains [](https://coredns.io/2017/05/08/custom-dns-entries-for-kubernetes/)
 
@@ -48,14 +48,19 @@ For example, central database server
 
 ### `ClusterIP=None` (headless service)
 
-No cluster IP and no DNS record
+No cluster IP
 
 No load balancing
 
-DNS records for all matched pods [](https://kubernetes.io/docs/concepts/services-networking/service/#headless-services)
+DNS A records for all matched pods [](https://kubernetes.io/docs/concepts/services-networking/service/#headless-services)
 
 ---
 
 ## Demo: Headless Services [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/dns/headless.demo "headless.demo")
 
-Understand how they work
+Understand how they work
+
+| Type      | IP  | LB  | DNS                     |
+|-----------|-----|-----|-------------------------|
+| ClusterIP | Yes | No  | Resolves to cluster IP  |
+| None      | No  | Yes | Resolves to all pod IPs |
diff --git a/120_kubernetes/network_policy/slides.md b/120_kubernetes/network_policy/slides.md
@@ -4,13 +4,19 @@ Firewall for intra-cluster communication [](https://kubernetes.io/docs/concepts/
 
 Must be implemented by CNI plugin
 
-### Resource `NetworkPolicy`
+### Resource `NetworkPolicy` (namespaced)
+
+Network policies are enforced per namespace
 
 Allow all traffic without policies
 
 Deny by default when a policy exists
 
-Policies only allow traffic
+Policies can only allow traffic
+
+Policies are applied using label selector
+
+Ingress and egress are handled separately
 
 Supports layer 3 and layer 4
 

diff --git a/2023-05-03_heise-Webinar-KubernetesNetworkPolicies.html b/2023-05-03_heise-Webinar-KubernetesNetworkPolicies.html
@@ -127,12 +127,13 @@
 - <span class="fa-li"><i class="fa-duotone fa-puzzle-piece-simple"></i></span> Choosing a CNI plugin is hard
 - <span class="fa-li"><i class="fa-duotone fa-monitor-waveform"></i></span> No audit to understand network traffic
 - <span class="fa-li"><i class="fa-duotone fa-shield-check"></i></span> Network policies allow traffic explicitly
+- <span class="fa-li"><i class="fa-duotone fa-person-carry-box"></i></span> Resource `NetworkPolicy` is portable
 - <span class="fa-li"><img src="images/cilium.svg" style="height: 1em; width: 1em; object-fit: cover; object-position: left top;" /></span> Cilium provides valuable features
 - <span class="fa-li"><i class="fa-duotone fa-rocket"></i></span> eBPF enables fast, low-overhead CNI plugin
 - <span class="fa-li"><i class="fa-duotone fa-chart-network"></i></span> Cross-node flow visualization with Hubble
 - <span class="fa-li"><i class="fa-duotone fa-magnifying-glass"></i></span> Integrated observability
 
-<!-- .element: class="fa-ul" -->
+<!-- .element: class="fa-ul" style="line-height: 1.5em;" -->
 
 Cilium Performance Benchmark [](https://docs.cilium.io/en/stable/operations/performance/benchmark/)
 </textarea></section>

diff --git a/2023-05-03_heise-Webinar-KubernetesNetworkPolicies.md b/2023-05-03_heise-Webinar-KubernetesNetworkPolicies.md