
Lab 8: Service Networking

Field            Value
Tier             2 — Kubernetes Core
Estimated Time   45 minutes
Prerequisites    k3s cluster, kubectl
Auto-Grade       Yes

Scenario

Your platform team runs a multi-namespace architecture: lab-frontend-ns for public-facing services, lab-backend-ns for APIs, and lab-data-ns for databases. A new security policy requires network segmentation: the frontend may only talk to the backend, the backend may only talk to the data tier, and direct frontend-to-data communication is forbidden.

Currently, everything is wide open. An intern set up an ingress controller last week but it is routing traffic to the wrong service. The backend API returns 404 because the ingress path is misconfigured. You need to fix the ingress, deploy NetworkPolicies to enforce the segmentation rules, and verify connectivity works end-to-end through the allowed paths while being blocked on the forbidden paths.

Objectives

  • Create namespaces: lab-frontend-ns, lab-backend-ns, lab-data-ns
  • Deploy services in each namespace (nginx frontend, echo API, redis data)
  • Configure Ingress routing /api/* to the backend service
  • Create NetworkPolicy: frontend can reach backend on port 8080
  • Create NetworkPolicy: backend can reach data tier on port 6379
  • Create NetworkPolicy: frontend CANNOT reach data tier directly
  • Verify end-to-end connectivity through allowed paths

Setup

./setup.sh

Creates three namespaces with basic deployments but no networking configuration.

Hints

Hint 1: Cross-namespace services Use the FQDN `<service>.<namespace>.svc.cluster.local`. For example, `api.lab-backend-ns.svc.cluster.local:8080` (the short form `api.lab-backend-ns:8080` also resolves through the pod's DNS search domains).
Hint 2: Ingress path configuration An Ingress can only route to Services in its own namespace, so it belongs in lab-backend-ns and must reference the correct service name and port. Use `pathType: Prefix` for path-based routing, so `/api` also matches `/api/anything`.
Hint 3: NetworkPolicy basics A default-deny policy selects every pod in the namespace (empty `podSelector`) with `policyTypes: [Ingress]` and no `ingress` rules, so nothing reaches those pods until an allow policy matches. Then add explicit allow rules, for example on the backend pods:

```yaml
ingress:
- from:
  - namespaceSelector:
      matchLabels:
        name: lab-frontend-ns
  ports:
  - port: 8080
```

Rules are additive: a pod is reachable on a port if any policy selecting it allows the source. Keep `policyTypes` to `Ingress` unless you also write egress rules; listing `Egress` with no rules also blocks DNS lookups from the selected pods.
Hint 4: Testing connectivity Use `kubectl exec` to run `wget` or `curl` from one pod to another: `kubectl exec -n lab-frontend-ns deploy/frontend -- wget -qO- --timeout=3 http://api.lab-backend-ns:8080/`. A path blocked by NetworkPolicy times out, because the packets are dropped; an immediate error means the packet reached the target and the policy is not being enforced.
Hint 5: Namespace labels NetworkPolicies select namespaces by label, not by name. Label your namespaces: `kubectl label namespace lab-frontend-ns name=lab-frontend-ns`. Kubernetes 1.22 and later also set `kubernetes.io/metadata.name=<namespace>` on every namespace automatically, which you can match instead.
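The objectives above and Hints 3 and 5 together describe one set of manifests. The following is an added worked example of that set, written for this page; it is not the contents of the lab's solution/ directory. It assumes the deployments from setup.sh carry the labels `app=frontend`, `app=api` and `app=redis`, that the backend Service is named `api` on port 8080, and that the ingress controller is the Traefik bundled with k3s running in `kube-system`; adjust those if your cluster differs.

```yaml
# Added example, not the lab's own solution. Assumed labels: app=frontend,
# app=api, app=redis; assumed ingress controller namespace: kube-system.
apiVersion: v1
kind: Namespace
metadata:
  name: lab-frontend-ns
  labels: {name: lab-frontend-ns}
---
apiVersion: v1
kind: Namespace
metadata:
  name: lab-backend-ns
  labels: {name: lab-backend-ns}
---
apiVersion: v1
kind: Namespace
metadata:
  name: lab-data-ns
  labels: {name: lab-data-ns}
---
# Default deny: empty podSelector selects every pod in the namespace and no
# ingress rules are listed. policyTypes names only Ingress, so egress
# (including DNS to kube-dns) is left untouched.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-ingress, namespace: lab-backend-ns}
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-ingress, namespace: lab-data-ns}
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
# Backend accepts 8080 from the frontend pods and from the ingress controller.
# Without the second source, /api through the Ingress times out as soon as
# default-deny is applied, because the controller's pods live elsewhere.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-frontend-and-ingress, namespace: lab-backend-ns}
spec:
  podSelector:
    matchLabels: {app: api}
  policyTypes: [Ingress]
  ingress:
  - from:
    # namespaceSelector AND podSelector in the same element: only the
    # frontend pods, not any pod that happens to run in lab-frontend-ns.
    - namespaceSelector: {matchLabels: {name: lab-frontend-ns}}
      podSelector: {matchLabels: {app: frontend}}
    # Assumption: k3s Traefik runs in kube-system; uses the automatic label.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - {protocol: TCP, port: 8080}
---
# Data tier accepts 6379 only from the backend pods. No rule admits
# lab-frontend-ns, so frontend -> redis falls through to default-deny.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-backend, namespace: lab-data-ns}
spec:
  podSelector:
    matchLabels: {app: redis}
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector: {matchLabels: {name: lab-backend-ns}}
      podSelector: {matchLabels: {app: api}}
    ports:
    - {protocol: TCP, port: 6379}
---
# Ingress lives in lab-backend-ns because a backend can only name a Service
# in the Ingress's own namespace. Prefix matches /api and /api/<anything>.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: {name: api, namespace: lab-backend-ns}
spec:
  rules:
  - http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api
            port: {number: 8080}
```

Apply the file with `kubectl apply -f` (the Namespace objects already created by setup.sh are patched with the labels rather than recreated), then repeat the Hint 4 check in both directions: the `wget` from the frontend pod to `http://api.lab-backend-ns:8080/` should return the echo body, while the same `wget` against `http://redis.lab-data-ns:6379/` must hit the 3 second timeout. If the forbidden path fails instantly instead, the packet reached redis, which means your CNI is not enforcing NetworkPolicy; k3s ships an embedded network policy controller, but a bare Flannel install on another distribution does not enforce policies at all.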

Grading

./grade.sh

Solution

See the solution/ directory for Ingress and NetworkPolicy manifests.