Ambassador API Gateway

This is a Kubernetes-native API gateway for controlling and managing traffic between microservices within a Kubernetes cluster. It is built on top of Envoy Proxy.
It integrates with Kubernetes Service objects to route traffic to the appropriate microservices based on the service name and port.
Advantages:
1. Supports Multiple Protocols: HTTP/1.1, HTTP/2, WebSocket, gRPC, and OpenAPI/Swagger
2. Other Functions: traffic splitting, load balancing, rate limiting, and authentication.

Namespace

A namespace divides a cluster into smaller units to isolate and manage services and volumes.
A namespace contains pods.
3 predefined namespaces: default, kube-system (resources created by Kubernetes), kube-public (reserved for future use)

$ kubectl create namespace test                       # Create a new namespace
$ kubectl --namespace=test run nginx --image=nginx    # Run an nginx pod in the test namespace

Nodeport

When we create a NodePort service, Kubernetes dynamically allocates a port (in the range 30000-32767) for the application running in the container, e.g. 30001.
This port (30001) is then mapped to targetPort=8080 internally.
Why NodePort? Two applications can use the same internal port, e.g. App1 uses 8080 and App2 uses 8080. With NodePort, each can be accessed through its own external port without changing the port at the application level.

apiVersion: v1
kind: Service
metadata:
    name: jams-server         # Application using NodePort. Kubernetes will assign a node port, e.g. 30001
spec:
    selector:
        app: my-app           # Send traffic to pods with label app=my-app
    type: NodePort
    ports:
        - protocol: TCP
          port: 80
          targetPort: 8080    # Node port 30001 is mapped to 8080 internally

Authorization in Kubernetes

1. Service Token: Each pod has an associated service account. Each service account has a service token. This service account token is mounted as a file in the pod's filesystem. The default path is `/var/run/secrets/kubernetes.io/serviceaccount/token`.
   Usage of the service token: if a service wants to communicate with or access resources of other services, it presents the service token to the API server, and the API server authorizes the service.
   The API server will check <> of the service (whether the service is allowed to access the other service or not).
   Can be used only within the cluster.
2. Istio Authorization Policy: Can be used across clusters.
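
As an added example (not part of the original notes), this Python script decodes the claims of a service account token to show which identity and lifetime a pod presents to the API server. It does not verify the signature; the sample token, its issuer and audience values, and the helper names are constructed for illustration.

```python
import base64
import json
import time
from typing import Optional

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # default mount path from the notes

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def summarize(token: str, now: Optional[float] = None) -> dict:
    """Identity and lifetime the token asserts to the API server."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    fields = claims.get("sub", "").split(":")  # system:serviceaccount:<namespace>:<name>
    if len(fields) != 4 or fields[:2] != ["system", "serviceaccount"]:
        raise ValueError("subject is not a service account: %r" % claims.get("sub"))
    exp = claims.get("exp")
    return {
        "namespace": fields[2],
        "service_account": fields[3],
        "audience": claims.get("aud"),
        "expires": exp is not None,  # legacy secret-based tokens carry no exp claim
        "expired": exp is not None and exp <= now,
    }

def make_sample_token(namespace: str, name: str, exp: Optional[int]) -> str:
    """Constructed sample token with a dummy signature, for offline runs."""
    claims = {"iss": "https://kubernetes.default.svc", "aud": ["https://kubernetes.default.svc"],
              "sub": "system:serviceaccount:%s:%s" % (namespace, name)}
    if exp is not None:
        claims["exp"] = exp
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return "%s.%s.%s" % (header, _b64url(json.dumps(claims).encode()), _b64url(b"constructed"))

if __name__ == "__main__":
    sample = make_sample_token("test", "default", exp=1_700_000_000)
    print(summarize(sample, now=1_600_000_000))
```

Inside a pod, pass the contents of `TOKEN_PATH` to `summarize()`; a token that reports `expires: False` is a long-lived credential and deserves extra attention in an audit.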