NodePort Support on Kubernetes and OpenShift
Accessing Cluster Services
Kubernetes (and OpenShift) provide a mechanism for reaching cluster services from outside the cluster: a Service of type NodePort. A NodePort service opens the same port on every node in the cluster, and traffic arriving on that port is forwarded to one of the backing pods that match the service's selector.
Scenario:
The Kubernetes cluster and containerized applications are in the Production environment.
The containerized application, called RiskAssessment, has each Pod listening on TCP port 8080.
The RiskAssessment application is exposed to the outside world via a FrontEnd service with type NodePort.
The exact NodePort in use is not specified, but is automatically allocated by Kubernetes.
There may be clients for the FrontEnd service inside the cluster or outside the cluster; in both cases, they are labeled Client.
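The scenario above corresponds to a Service manifest like the following. This is an added example, not a manifest from the original page or from the product it describes; the service name (frontend), namespace (risk-assessment) and pod selector label (app: riskassessment) are assumptions chosen to fit the scenario. The nodePort field is deliberately left out so that Kubernetes allocates the port automatically from its default range (30000-32767).

```yaml
# Added example manifest (not from the original page): a NodePort Service for
# the RiskAssessment application. Names and labels are assumed for the example.
apiVersion: v1
kind: Service
metadata:
  name: frontend                # assumed service name (the "FrontEnd" service)
  namespace: risk-assessment    # assumed namespace
spec:
  type: NodePort                # exposes the service on every node in the cluster
  selector:
    app: riskassessment         # assumed label carried by each RiskAssessment pod
  ports:
    - name: http
      protocol: TCP
      port: 8080                # port of the service's ClusterIP inside the cluster
      targetPort: 8080          # port each RiskAssessment pod listens on
      # nodePort intentionally omitted: Kubernetes picks one from 30000-32767
```

After applying the manifest, `kubectl get service frontend -n risk-assessment -o jsonpath='{.spec.ports[0].nodePort}'` prints the port that was allocated. That port answers on the IP address of every node, not only the nodes running RiskAssessment pods, which is why the rule for this service has to account for clients outside the cluster as well as pods inside it.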
The rules you need to write are:
Example Ruleset 1: Internal and External Access to Service
Scope
| Application | Environment | Location |
|---|---|---|
| Risk Assessment | Production | Cloud |
Extra-Scope Rule
| Source | Service | Destination | Notes |
|---|---|---|---|
| FrontEnd (Virtual Service Role label for Risk Assessment service) + Use Virtual Services Only | Derived from Source Virtual Service | Client (Role label for Web pods and external workloads) | Once the Risk Assessment service gets discovered by the PCE, it becomes a virtual service object in the PCE. The Source here should be the role label of the virtual service plus the "Use Virtual Service Only" option. |