Updated guide/deploy-k8s: dns name, ingress and network policies (#72)

neicnordic · Dec 18, 2023 · 32f3cd2 · 32f3cd2
2 parents b4e3c51 + 8563593
commit 32f3cd2
Show file tree

Hide file tree

Showing 2 changed files with 156 additions and 0 deletions.
diff --git a/docs/dictionary/wordlist.txt b/docs/dictionary/wordlist.txt
@@ -33,6 +33,7 @@ aj
 amqp
 amqps
 apis
+apiVersion
 atitle
 auth
 automagically
@@ -55,6 +56,7 @@ cegamq
 centralega
 centralega's
 cgktxeg
+cidr
 chacha
 checksumed
 checksums
@@ -139,6 +141,7 @@ initd
 initdb
 insertfile
 integrationtest
+ipBlock
 isolations
 jks
 jku
@@ -167,6 +170,7 @@ localmq
 logstash
 makefile
 mapfilestodataset
+matchLabels
 markcompleted
 markready
 microservice
@@ -186,9 +190,13 @@ mvn
 nack
 nack'ed
 nacked
+namespace
+namespaceSelector
 nbis
 neic
 neicnordic
+NetworkPolicy
+nginx
 notls
 nss
 oidc
@@ -209,6 +217,8 @@ phenome
 pkcs
 png
 podman
+podSelector
+policyTypes
 posix
 postgres
 postgresAdminPassword
@@ -295,6 +305,59 @@ wyenrumyh
 yaml
 yihkqimti
 yml
+JWTPUBKEYURL
+RegisterFile
+PREFETCHCOUNT
+SetAccessionID
+DNS
+helpdesk
+submitters
+backupArchive
+backupRoutingKey
+clusterIssuer
+dbPassword
+dbUser
+glbal
+jwtKey
+jwtPub
+jwtSecret
+mqPassword
+mqUser
+routingError
+secretName
+storageType
+NSS
+nss
+svc
+adminPassword
+adminUser
+postgresAdminPassword
+autonumber
+sequenceDiagram
+BIGINT
+FK
+PGDATA
+bigint
+dbschema
+erDiagram
+jsonb
+ACCESSIONROUTING
+Bigpicture
+INGESTROUTING
+MAPPINGROUTING
+bigpicture
+stableIDs
+syncapi
+CENTERPREFIX
+HOSTKEY
+PEMKEYPASS
+PEMKEYPATH
+SYNCPUBKEYPATH
+rabbitmqctl
+TCP
+UDP
+kube
+nodeport
 FS
 Mina's
 SPRINGFRAMEWORK

diff --git a/docs/guides/deploy-k8s.md b/docs/guides/deploy-k8s.md
@@ -241,6 +241,99 @@ Below is a minimal list of variables that need to be configured in the [values.y
 ## Network policies
 
  - DNS names and ingress for services
+
+    When deploying applications on Kubernetes, it is essential to understand the DNS naming conventions and ingress configurations for [Pods](https://kubernetes.io/docs/concepts/workloads/pods/) and [Services](https://kubernetes.io/docs/concepts/services-networking/service/). Each Pod within the cluster is assigned a [DNS name](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) in the format of `pod-ip-address.<cluster>.pod.cluster.local`. This DNS resolution allows seamless communication between Pods within the same cluster.
+
+   Services, representing sets of Pods, are assigned A DNS records with names structured as `<service_name>.<namespace>.svc.cluster.local`. This DNS record resolves to the cluster IP of the respective Service.
+
+    | Service Name | Common DNS Name                         |
+    | ------------ | ----------------------------------------|
+    | inbox        | sda-svc-inbox.<namespace>.svc.cluster.local   |
+    | download     | sda-svc-download.<namespace>.svc.cluster.local|
+    | auth         | sda-svc-auth.<namespace>.svc.cluster.local    |
+    | mq           | broker-sda-mq.<namespace>.svc.cluster.local   |
+
+    Certain services, such as `inbox`, `download`, and `auth`, are configured to expect an ingress. [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) provides external access to these services, allowing external clients to communicate with them. The following services specifically expect an ingress:
+
+    - inbox
+    - download
+    - auth
+
+    In addition, Kubernetes allows you to define [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to control the communication between Pods. Network Policies are crucial for enforcing security measures within your cluster. They enable you to specify which Pods can communicate with each other and define rules for ingress and egress traffic.
+    Here are two recommended basic examples of a Network Policy for namespace isolation and allowing traffic to inbox ingress, a similar policies needs to be in place for `download` and `auth` service:
+
+    ```yaml
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: namespace-isolation
+    spec:
+      podSelector: {}
+      policyTypes:
+      - Egress
+      - Ingress
+      egress:
+      - to:
+        - podSelector: {}
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+        ports:
+          - port: 53
+            protocol: UDP
+          - port: 53
+            protocol: TCP
+      ingress:
+        - from:
+          - podSelector: {}
+    ```
+    ```yaml
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: inbox-ingress-with-ingress-controller
+    spec:
+      podSelector: 
+          matchLabels:
+          app: sda-svc-inbox
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/component: controller
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+      - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/component: controller
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx-direct
+      policyTypes:
+      - Ingress
+    ```
+    ```yaml
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+        name: inbox-ingress-with-nodeport
+    spec:
+        podSelector: 
+            matchLabels:
+            app: sda-svc-inbox
+        ingress:
+        - from:
+            - ipBlock:
+                cidr: 0.0.0.0/0
+        policyTypes:
+        - Ingress
+    ```
 
 ## Complementary services