- Team 1 is developing gRPC client (web application)
- Team 2 is developing gRPC server
- Use deny all
NetworkPolicyfor team1 and team2 namespaces - Allow only traffic that our applications require (principle of least privilege)
By default, this project ships with minimally configured networking for simplicity and ease of setup, though our services will be available only privately via kubectl proxy (from within the cluster). For this project, you can enable the proxy by typing in your shell
docker-compose upUse can then access the applications using the "Private address" links below.
If we want to expose our services (applications) on the public Internet, we will need to:
- Create an external static IP address for
nginx-ingressservice. - Enable
nginx-ingress(Kubernetes LoadBalancer type of service) - Create DNS records to point clients to this address
- Use cert-manager to enable TLS for the domains
- Enable
Ingressresources for our Helm releases.
Use this pull request as an example of how to set up production networking.
There is also a step-by-step tutorial: https://docs.exekube.com/in-practice/production-networking
This project uses the Exekube base-project as boilerplate.
Modules from base-project:
- gke-network
- gke-cluster
- administration-tasks
We use nginx-ingress as our Kubernetes ingress controller.
- Private address: http://localhost:8001/api/v1/namespaces/team1/services/grpc-client-demo-api:80/proxy/payments/status
- Public address: read instructions above
Expected response: {"status":"ok","message":"200 OK"}
- Private address: access through grpc-client
- Public address: access through grpc-client