Networking, Service va Ingress
Mundarija
Kubernetes Networking Modeli
Asosiy Printsiplar
Kubernetes networking to'rtta asosiy muammoni hal qiladi:
- Container-to-Container: Bitta pod ichida
- Pod-to-Pod: Cluster ichidagi barcha pod'lar
- Pod-to-Service: Service abstraction orqali
- External-to-Service: Tashqaridan kirish
Kubernetes Networking Qoidalari
Kubernetes networking uchta fundamental qoidaga amal qiladi:
1. Har bir Pod Unique IP Address
Pod-A: 10.244.1.5
Pod-B: 10.244.2.3
Pod-C: 10.244.3.7
- Har bir pod cluster-wide unique IP ga ega
- NAT (Network Address Translation) yo'q
- Pod IP to'g'ridan-to'g'ri accessible
2. Pod'lar Bir-birlari bilan To'g'ridan-To'g'ri Gaplashadi
Pod-A (10.244.1.5) → Pod-B (10.244.2.3)
- Qaysi node'da bo'lishidan qat'i nazar
- NAT yoki proxy kerak emas
- Flat network topology
3. Container Ichidan Ko'rinadigan IP = Tashqaridan Ko'rinadigan IP
# Pod ichida
ip addr show eth0
inet 10.244.1.5/24
# Boshqa pod'dan
ping 10.244.1.5
- IP address bir xil
- Container va boshqa pod'lar bir xil IP'ni ko'radi
Container Network Interface (CNI)
CNI - bu Kubernetes va network plugin o'rtasidagi standart interfeys.
CNI Plugin'lari:
1. Flannel
Xususiyatlari:
- Eng oddiy va mashhur
- Overlay network
- VXLAN, host-gw, UDP backend
- Yengil va tez
Ishlash printsipi:
Node-1 (192.168.1.10)
Pod subnet: 10.244.1.0/24
Node-2 (192.168.1.11)
Pod subnet: 10.244.2.0/24
Flannel → VXLAN tunnel → Pod communication
O'rnatish:
kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
2. Calico
Xususiyatlari:
- L3 routing (BGP)
- Network policies
- IP-in-IP yoki VXLAN
- Performance yuqori
Qo'shimcha funktsiyalar:
- Network security
- Egress gateway
- WireGuard encryption
O'rnatish:
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
3. Weave Net
Xususiyatlari:
- Mesh network
- Avtomatik setup
- Encryption (optional)
- Multicast support
O'rnatish:
kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
4. Cilium
Xususiyatlari:
- eBPF-based
- L7 aware
- Advanced observability
- Service mesh integration
Afzalliklar:
- Juda tez
- API-aware filtering
- Load balancing
Container-to-Container Networking
Bitta pod ichidagi konteynerlar:
Shared Network Namespace:
apiVersion: v1
kind: Pod
metadata:
name: multi-container
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
- name: sidecar
image: busybox
command: ['sh', '-c', 'while true; do wget -O- localhost:80; sleep 10; done']
Xususiyatlari:
- Bir xil IP address
- localhost orqali gaplashadi
- Port collision oldini olish kerak
Pod-to-Pod Networking
Bir xil node'da:
Pod-A (10.244.1.5)
↓ veth pair
Linux Bridge (cbr0)
↓ veth pair
Pod-B (10.244.1.6)
Turli node'larda:
Node-1: Pod-A (10.244.1.5)
↓
Network (VXLAN/BGP/etc)
↓
Node-2: Pod-B (10.244.2.3)
CNI plugin routing'ni boshqaradi.
Network Namespaces
Linux network namespace - bu network stack'ni ajratish mexanizmi.
Har bir pod o'z network namespace'iga ega:
Pod Network Namespace:
- Network interfaces
- Routing tables
- iptables rules
- IP addresses
Ko'rish:
# Node'ga SSH
sudo ip netns list
# Namespace ichida
sudo ip netns exec <namespace> ip addr
Service
Ta'rif
Service - bu pod'lar to'plamiga stable network endpoint berish uchun abstraction.
Muammo:
- Pod'lar ephemeral (o'ladi, qayta tug'iladi)
- Pod IP'lari o'zgaradi
- Qanday qilib static endpoint berish mumkin?
Yechim: Service
Service Qanday Ishlaydi?
Service label selector orqali pod'larni topadi va ularga traffic yuboradi:
Service (my-service)
selector: app=nginx
↓
Pod-1 (app=nginx, 10.244.1.5)
Pod-2 (app=nginx, 10.244.2.3)
Pod-3 (app=nginx, 10.244.3.7)
Client → Service → Pod (load balanced)
Service YAML
Basic Service:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app: nginx
ports:
- protocol: TCP
port: 80
targetPort: 9376
Tushuntirish:
selector: Qaysi pod'larni tanlashport: Service port (client ishlata oladi)targetPort: Pod port (container port)
Service Turlari
Kubernetes to'rtta service turi qo'llab-quvvatlaydi:
1. ClusterIP (Default)
Ta'rif: Internal cluster IP. Faqat cluster ichidan accessible.
YAML:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
type: ClusterIP
selector:
app: nginx
ports:
- port: 80
targetPort: 8080
Qanday ishlaydi:
Service IP: 10.96.0.100 (virtual IP)
↓ kube-proxy (iptables/IPVS)
Pod-1: 10.244.1.5:8080
Pod-2: 10.244.2.3:8080
Foydalanish:
- Internal services
- Microservice communication
- Database services
Kirish:
# Pod ichidan
curl http://my-service:80
# yoki full DNS
curl http://my-service.default.svc.cluster.local:80
2. NodePort
Ta'rif: Har bir node'ning portidan service'ga kirish.
YAML:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
type: NodePort
selector:
app: nginx
ports:
- port: 80
targetPort: 8080
nodePort: 30007
Qanday ishlaydi:
External Client
↓
Node-1:30007 yoki Node-2:30007 yoki Node-3:30007
↓
Service (ClusterIP)
↓
Pod-1, Pod-2, Pod-3
Port Range: 30000-32767 (default)
Foydalanish:
- Development/testing
- Direct access kerak bo'lganda
- LoadBalancer mavjud bo'lmaganda
Kirish:
curl http://<node-ip>:30007
3. LoadBalancer
Ta'rif: Cloud provider'ning load balancer'ini yaratadi.
YAML:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
type: LoadBalancer
selector:
app: nginx
ports:
- port: 80
targetPort: 8080
Qanday ishlaydi:
External Load Balancer (AWS ELB, GCP LB, Azure LB)
↓
NodePort (avtomatik yaratiladi)
↓
Service (ClusterIP)
↓
Pod-1, Pod-2, Pod-3
Cloud Provider Examples:
AWS:
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
GCP:
metadata:
annotations:
cloud.google.com/load-balancer-type: "Internal"
Azure:
metadata:
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
External IP:
kubectl get svc my-service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
my-service LoadBalancer 10.96.0.100 35.184.45.123 80:31234/TCP
Foydalanish:
- Production web applications
- Public-facing services
- Cloud environment'larda
Kirish:
curl http://35.184.45.123
4. ExternalName
Ta'rif: Service'ni external DNS nomiga map qilish.
YAML:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
type: ExternalName
externalName: example.com
Qanday ishlaydi:
Pod → my-service.default.svc.cluster.local
↓ DNS CNAME
example.com
Foydalanish:
- External database
- Third-party API
- Legacy services
Service Endpoints
Service pod'larni selector orqali topadi va Endpoints yaratadi:
Service:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app: nginx
ports:
- port: 80
targetPort: 8080
Endpoints (avtomatik yaratiladi):
apiVersion: v1
kind: Endpoints
metadata:
name: my-service
subsets:
- addresses:
- ip: 10.244.1.5
- ip: 10.244.2.3
- ip: 10.244.3.7
ports:
- port: 8080
Ko'rish:
kubectl get endpoints my-service
Output:
NAME ENDPOINTS AGE
my-service 10.244.1.5:8080,10.244.2.3:8080,10.244.3.7:8080 5m
Headless Service
Ta'rif: ClusterIP = None. DNS direct pod IP'larni qaytaradi.
YAML:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
clusterIP: None
selector:
app: nginx
ports:
- port: 80
targetPort: 8080
DNS Response:
nslookup my-service.default.svc.cluster.local
# Output:
Name: my-service.default.svc.cluster.local
Address: 10.244.1.5
Address: 10.244.2.3
Address: 10.244.3.7
Foydalanish:
- StatefulSet bilan
- Direct pod access kerak bo'lsa
- Service discovery custom implementation
Session Affinity
Ta'rif: Client'ning requestlari bir xil pod'ga yo'naltirilishi.
YAML:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
sessionAffinity: ClientIP
sessionAffinityConfig:
clientIP:
timeoutSeconds: 10800
selector:
app: nginx
ports:
- port: 80
targetPort: 8080
Qiymatlar:
None(default): Har bir request load balancedClientIP: Client IP asosida sticky session
Foydalanish:
- Stateful sessions
- Shopping cart
- User sessions
Multi-Port Services
Bir service bir nechta port expose qilishi mumkin:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app: nginx
ports:
- name: http
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
Eslatma: Port nomlarini berish majburiy.
Service Discovery
Kubernetes ikkita service discovery mexanizmini taqdim etadi:
1. Environment Variables
Har bir pod yaratilganda, mavjud service'lar uchun environment variable'lar inject qilinadi:
Service:
apiVersion: v1
kind: Service
metadata:
name: redis-master
spec:
ports:
- port: 6379
targetPort: 6379
selector:
app: redis
Pod environment:
REDIS_MASTER_SERVICE_HOST=10.96.0.100
REDIS_MASTER_SERVICE_PORT=6379
REDIS_MASTER_PORT=tcp://10.96.0.100:6379
REDIS_MASTER_PORT_6379_TCP=tcp://10.96.0.100:6379
REDIS_MASTER_PORT_6379_TCP_PROTO=tcp
REDIS_MASTER_PORT_6379_TCP_PORT=6379
REDIS_MASTER_PORT_6379_TCP_ADDR=10.96.0.100
Cheklov: Pod service'dan oldin yaratilgan bo'lishi kerak.
2. DNS
Tavsiya: DNS ishlatish yaxshiroq!
CoreDNS pod'larga DNS service beradi.
Service DNS Format:
<service-name>.<namespace>.svc.cluster.local
Misollar:
my-service.default.svc.cluster.local
redis-master.production.svc.cluster.local
Qisqa nomlar (namespace ichida):
my-service
redis-master
Pod ichidan:
curl http://my-service:80
curl http://my-service.default.svc.cluster.local:80
Ingress
Ta'rif
Ingress - bu HTTP/HTTPS traffic'ni cluster ichidagi service'larga yo'naltirish uchun.
Service vs Ingress:
| Service (LoadBalancer) | Ingress |
|---|---|
| L4 (TCP/UDP) | L7 (HTTP/HTTPS) |
| Har bir service uchun alohida LB | Bitta LB, ko'p service |
| Qimmat | Arzon |
| Domain-based routing yo'q | Domain-based routing |
Ingress Qanday Ishlaydi?
User → DNS → External IP (Ingress Controller)
↓
Ingress Rules
↓
Service-A Service-B Service-C
↓ ↓ ↓
Pods Pods Pods
Ingress Controller
Ingress resource'i o'zi hech narsa qilmaydi. Ingress Controller kerak!
Mashhur Ingress Controller'lar:
- NGINX Ingress Controller (eng mashhur)
- Traefik
- HAProxy
- Istio Gateway
- AWS ALB Ingress Controller
- GCE Ingress Controller
O'rnatish (NGINX):
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml
Ingress YAML
Basic Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 80
Path-Based Routing:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: api-service
port:
number: 8080
- path: /web
pathType: Prefix
backend:
service:
name: web-service
port:
number: 80
Multi-Domain:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
spec:
rules:
- host: api.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: api-service
port:
number: 8080
- host: web.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web-service
port:
number: 80
Path Types
-
Exact: To'liq mos kelishi kerak
pathType: Exact
path: /api
# Match: /api
# No match: /api/, /api/v1 -
Prefix: Prefix mos kelishi kerak
pathType: Prefix
path: /api
# Match: /api, /api/, /api/v1, /api/users -
ImplementationSpecific: Controller'ga bog'liq
pathType: ImplementationSpecific
TLS/HTTPS
TLS Secret yaratish:
kubectl create secret tls my-tls-secret \
--cert=path/to/tls.crt \
--key=path/to/tls.key
Ingress YAML:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
spec:
tls:
- hosts:
- myapp.example.com
secretName: my-tls-secret
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 80
Ingress Annotations
Ingress Controller-specific konfiguratsiya:
NGINX:
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/rate-limit: "100"
Traefik:
metadata:
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
Default Backend
Agar hech bir rule mos kelmasa:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
spec:
defaultBackend:
service:
name: default-service
port:
number: 80
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 80
Network Policies
Ta'rif
Network Policy - bu pod'lar o'rtasida network traffic'ni boshqarish uchun firewall qoidalari.
Default: Barcha pod'lar bir-biriga kirishi mumkin (no restrictions).
Network Policy bilan: Explicit allow/deny qoidalari.
Network Policy YAML
Basic Policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: default
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
Bu policy default namespace'dagi barcha pod'larga ingress va egress traffic'ni block qiladi.
Allow Specific Ingress:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-nginx
namespace: default
spec:
podSelector:
matchLabels:
app: nginx
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 80
Tushuntirish:
app=nginxpod'lariga- Faqat
app=frontendpod'lardan - TCP port 80'ga kirish mumkin
Allow from Namespace:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-namespace
spec:
podSelector:
matchLabels:
app: database
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: production
ports:
- protocol: TCP
port: 5432
Allow Egress:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-dns
spec:
podSelector:
matchLabels:
app: web
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
name: kube-system
- podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: UDP
port: 53
Network Policy Best Practices
-
Deny all by default:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress -
Allow specific traffic: Har bir service uchun aniq qoidalar
-
Namespaces: Har bir namespace uchun alohida policy
-
Testing: Policy'larni test qiling
DNS
CoreDNS
Kubernetes DNS service provider.
O'rnatilgan: Har bir cluster'da default CoreDNS.
DNS Record'lar
Service DNS
Format:
<service-name>.<namespace>.svc.cluster.local
A Record:
my-service.default.svc.cluster.local → 10.96.0.100 (ClusterIP)
Headless Service:
my-service.default.svc.cluster.local → Pod IP'lar
Pod DNS
Format:
<pod-ip-with-dashes>.<namespace>.pod.cluster.local
Misol:
10-244-1-5.default.pod.cluster.local → 10.244.1.5
DNS Configuration
Pod'larda DNS configuration:
dnsPolicy:
-
ClusterFirst (default): CoreDNS ishlatadi
-
Default: Node DNS configuration
-
None: Custom DNS
-
ClusterFirstWithHostNet: Host network + CoreDNS
Custom DNS:
apiVersion: v1
kind: Pod
metadata:
name: custom-dns
spec:
dnsPolicy: "None"
dnsConfig:
nameservers:
- 8.8.8.8
- 8.8.4.4
searches:
- custom.local
options:
- name: ndots
value: "2"
containers:
- name: nginx
image: nginx
Service Mesh
Ta'rif
Service Mesh - bu microservice'lar o'rtasidagi komunikatsiyani boshqarish uchun infrastructure layer.
Asosiy Xususiyatlar
-
Traffic Management:
- Load balancing
- Circuit breaking
- Retries
- Timeouts
-
Security:
- mTLS (mutual TLS)
- Authentication
- Authorization
-
Observability:
- Metrics
- Logging
- Tracing
Mashhur Service Mesh'lar
1. Istio
Xususiyatlari:
- Eng mashhur
- Envoy proxy
- To'liq ecosystem
- Complex setup
Komponentlar:
- Istiod (control plane)
- Envoy (data plane)
- Ingress/Egress gateway
2. Linkerd
Xususiyatlari:
- Yengil
- Oson setup
- Rust-based proxy
- CNCF graduated
3. Consul
Xususiyatlari:
- HashiCorp
- Multi-platform
- Service discovery
- K/V store
Service Mesh Pattern
Sidecar Pattern:
Pod
├── Application Container
└── Envoy Proxy (Sidecar)
Har bir pod o'z proxy'siga ega. Barcha traffic proxy orqali o'tadi.
Traffic Flow:
Service-A → Envoy → Service-B → Envoy
Xulosa
Kubernetes Networking murakkab lekin kuchli:
✅ Flat Network: Har bir pod unique IP ✅ Service: Stable endpoint, load balancing ✅ Ingress: HTTP/HTTPS routing, cost-effective ✅ Network Policy: Security, traffic control ✅ DNS: Service discovery ✅ Service Mesh: Advanced traffic management