Non HTTP Services - TCP & UDP Ingress
Accessing a TCP or UDP service directly from outside the cluster, without going through the OpenShift router and its Route objects, is possible thanks to services of type LoadBalancer.
The explanation below only works on the cloudscale.ch - LPG 2 region of APPUiO Cloud.
Deploy a sample TCP service, in this case an IRC chat server:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ggircd
  labels:
    app: ggircd
spec:
  selector:
    matchLabels:
      app: ggircd
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: ggircd
    spec:
      containers:
        - image: registry.gitlab.com/vshn/demos/demo-irc-openshift:latest
          name: ggircd
          ports:
            - containerPort: 6667
              name: ggircd
Expose this deployment with a LoadBalancer service:
apiVersion: v1
kind: Service
metadata:
  name: ggircd-service
spec:
  ports:
    - name: ggircd-port
      port: 6667
      targetPort: 6667
      protocol: TCP
  type: LoadBalancer
  selector:
    app: ggircd
Configure a CiliumNetworkPolicy to allow access to all workloads in the namespace from outside the cluster:
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-from-world
spec:
  endpointSelector: {} (1)
  ingress: (2)
    - fromEntities:
        - world
(1) By configuring a more restrictive endpointSelector you can restrict which workloads are reachable from outside the cluster.
(2) This example policy allows traffic from anywhere outside the cluster (via the entity world).
See the Cilium Network Policy documentation for a detailed overview of what configuration options are available with CiliumNetworkPolicy.
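A narrower variant of the policy above, added here as an example and not taken from the APPUiO Cloud documentation: it selects only the ggircd pods and admits traffic from outside the cluster on TCP port 6667 alone (the policy name is an assumption).

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  # Assumed name for this added example.
  name: allow-ggircd-from-world
spec:
  # Only pods labelled app=ggircd are selected; the other workloads in the
  # namespace are not opened up to the outside world by this policy.
  endpointSelector:
    matchLabels:
      app: ggircd
  ingress:
    - fromEntities:
        - world
      # Limit the allowed external traffic to the IRC port the service exposes.
      toPorts:
        - ports:
            - port: "6667"
              protocol: TCP
```

As with any Cilium policy that has an ingress section, the selected pods then only accept ingress that some policy explicitly allows, so cluster-internal clients of ggircd need a matching allow rule of their own.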
On the cloudscale.ch - LPG 2 zone, the cluster automatically assigns a unique external IPv4 address to this service. To see which IPv4 address has been assigned, go to the OpenShift Web Console and navigate to "Networking/Services." The IP is displayed in the field "External IP."
Using the CLI is also possible:
oc describe service ggircd-service
Please pay attention to the following: