Esra:
@Malayamanas Panda I'd appreciate it if you could help me clarify the following; my exam is very soon and my Linux knowledge is limited:
• For network policy and service connectivity questions, when should I use nslookup, nc, curl or wget? Several labs take different approaches and I get confused.
• For example, the requirement is to create a NetPol which only allows pods from namespace1 to reach pods in namespace2. How should I test whether the NetPol is working? "k exec -n namespace1 pod1 -- curl <pod_namespace2_ip>:port"?
• How do I test pod-to-pod connectivity and pod-to-service connectivity?
Thanks in advance!
Malayamanas Panda:
@Esra Q1: For Network policy and service connectivity questions when to use nslookup, nc, curl or wget?
nslookup => it's a DNS client; it sends a request to the configured DNS server (/etc/resolv.conf) on UDP port 53, and the DNS server returns an IP address. We run it to find the IP address of any Kubernetes pod or service.
EXAMPLES:
nslookup www.google.com
nslookup serviceName.namespace.type.cluster.local
nslookup nginx-service.default.svc.cluster.local
for pod with IP address a.b.c.d
nslookup a-b-c-d.namespace.pod.cluster.local
for a pod with IP address 10.12.12.12, in namespace default
nslookup 10-12-12-12.default.pod.cluster.local
run "man nslookup" in bash or search Google for more information
nc => the netcat tool; it has many features. One feature is to test whether a remote TCP/UDP port is open or not
run "man nc" in bash or search Google for more information
EXAMPLE:
nc -z -v 10.10.8.8 80
-z — checks whether host 10.10.8.8 listens on port 80
-v — verbose mode, dumps more information
nc -z -v 10-12-12-1.default.pod.cluster.local 80
here, first 10-12-12-1.default.pod.cluster.local will be resolved through the cluster DNS server.
For that you need a network policy allowing EGRESS UDP 53 from the test pod in which the nc command runs, OR allow EGRESS UDP 53 to all by default
curl => HTTP / FTP client, to fetch an HTTP / FTP URI
run "man curl" in bash or search Google for more information
same as nc
wget => HTTP / FTP client, to fetch an HTTP / FTP URI
run "man wget" in bash or search Google for more information
same as nc
Q2: How to test pod to pod connectivity and pod to service connectivity?
create an nginx pod: "kubectl run nginx --image=nginx"
get the nginx pod's IP address: "kubectl get pod nginx -o wide"
let us assume the pod's IP address is a.b.c.d
create a service that exposes the nginx pod: "kubectl expose pod nginx --name=nginx-service --port=80"
create a test pod with "kubectl run testpod --image=busybox --command -- sleep 1d"
then get a shell in the pod: "kubectl exec -it testpod -- sh"
cat /etc/resolv.conf
#to get the IP address of the pod, run the following from the testpod container
nslookup a-b-c-d.default.pod.cluster.local
#to get the IP address of the nginx-service, run the following from the testpod container
nslookup nginx-service.default.svc.cluster.local
NOW apply a network policy to restrict or allow access from a specific pod to a specific pod / service.
Remember that we restrict access to a pod from a pod, not to any service.
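An end-to-end check of the scenario in the question (a NetworkPolicy in namespace2 that admits only pods from namespace1), tying together the name conventions from Q1 and the pod/service setup from Q2. This is an added example, not code from the thread or from Kubernetes. It assumes namespaces namespace1, namespace2 and namespace3 exist, a pod named nginx plus a service nginx-service in namespace2, a busybox pod named testpod in both namespace1 and namespace3, and Kubernetes 1.22 or newer so that every namespace carries the kubernetes.io/metadata.name label. The policy name allow-from-namespace1 and the RUN_AGAINST_CLUSTER switch are my own choices.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread. Assumed setup (see lead-in):
# namespaces namespace1/namespace2/namespace3, pod "nginx" + service
# "nginx-service" in namespace2, busybox pod "testpod" in namespace1 and namespace3.

# Pod DNS name convention: a.b.c.d in <ns> -> a-b-c-d.<ns>.pod.cluster.local
pod_dns_name() {
  printf '%s.%s.pod.cluster.local\n' "$(printf '%s' "$1" | sed 's/\./-/g')" "$2"
}

# Service DNS name convention: <svc>.<ns>.svc.cluster.local
svc_dns_name() {
  printf '%s.%s.svc.cluster.local\n' "$1" "$2"
}

# TCP connect probe from inside a pod. Exit 0 = port reachable, non-zero = refused/timed out.
# Hostnames are resolved by the pod's own resolver (/etc/resolv.conf -> cluster DNS, UDP 53),
# so if the probing pod's namespace has a default-deny egress policy, DNS egress must be allowed.
probe() {
  ns="$1"; pod="$2"; host="$3"; port="$4"
  kubectl exec -n "$ns" "$pod" -- nc -z -v -w 3 "$host" "$port" >/dev/null 2>&1
}

# Compare an observed probe result with the expectation ("allow" or "deny").
# Usage: check <label> <allow|deny> <command...>
check() {
  label="$1"; expected="$2"; shift 2
  if "$@"; then got=allow; else got=deny; fi
  if [ "$got" = "$expected" ]; then
    echo "PASS $label ($got)"
  else
    echo "FAIL $label (expected $expected, got $got)"
    return 1
  fi
}

# Only talk to a cluster when explicitly asked; otherwise the script just defines the helpers.
if [ "${RUN_AGAINST_CLUSTER:-0}" = "1" ]; then
  # Ingress policy on every pod in namespace2: only pods from namespace1 may connect.
  # podSelector: {} selects all pods in the namespace and isolates them for ingress,
  # so any source not listed under "from" is denied.
  kubectl apply -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-namespace1
  namespace: namespace2
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: namespace1
EOF

  nginx_ip=$(kubectl get pod -n namespace2 nginx -o jsonpath='{.status.podIP}')
  fails=0
  # Allowed side: namespace1 reaches the pod by IP, by pod DNS name, and through the service.
  check "namespace1 -> pod IP"       allow probe namespace1 testpod "$nginx_ip" 80 || fails=$((fails + 1))
  check "namespace1 -> pod DNS name" allow probe namespace1 testpod "$(pod_dns_name "$nginx_ip" namespace2)" 80 || fails=$((fails + 1))
  check "namespace1 -> service"      allow probe namespace1 testpod "$(svc_dns_name nginx-service namespace2)" 80 || fails=$((fails + 1))
  # Denied side: a pod in an unlisted namespace must fail even through the service,
  # because the policy is enforced on the backend pod, not on the Service object.
  check "namespace3 -> pod IP"       deny  probe namespace3 testpod "$nginx_ip" 80 || fails=$((fails + 1))
  check "namespace3 -> service"      deny  probe namespace3 testpod "$(svc_dns_name nginx-service namespace2)" 80 || fails=$((fails + 1))
  exit "$fails"
fi
```

Run it with RUN_AGAINST_CLUSTER=1 against a cluster where the assumed objects exist; each line reports PASS or FAIL and the exit status is the number of mismatches. The "deny" probes are the part most labs skip: a policy that passes only the positive checks may simply not be selecting any pods.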