Course recordings on DaDesktop for Training platform
Visit outline: Kubernetes from Basic to Advanced (Course code: kubernetes)
Categories: Docker · Kubernetes
Summary
Overview
This lesson provides a comprehensive overview of Kubernetes networking, service types, DNS, Ingress, Gateway API, CNI (specifically Cilium), ConfigMaps, and Secrets. The session covers theoretical concepts, practical demonstrations, and hands-on lab exercises using Minikube to deploy and troubleshoot services, ingress rules, and secrets. Key focus areas include the evolution from the legacy Ingress API to the Gateway API, the role of the CNI in cluster networking, and secure handling of sensitive data via Secrets. The lesson concludes with a review of core principles and preparation for advanced cluster management on RKE2.
Topic (Timeline)
1. Networking Fundamentals and Service Types [00:00:00 - 00:05:14]
Introduces the four layers of Kubernetes networking: container-to-container, pod-to-pod, pod-to-service, and external-to-service. Explains that services abstract pod IP changes using the Service API, selectors, and labels (e.g., app.kubernetes.io/name). Details the three service types: ClusterIP (default, internal-only), NodePort (exposes service on node IP + port in range 30000–32767), and LoadBalancer (external IP provisioned via cloud or bare-metal providers). Notes that NodePort is largely deprecated in favor of Ingress/Gateway API. Mentions bare-metal load balancers (e.g., MetalLB, KubeVip) and their decline due to CNI integration.
2. Headless Services and DNS in Kubernetes [00:05:14 - 00:07:04]
Explains headless services (spec.clusterIP: None) that bypass kube-proxy and use DNS for pod discovery, typically used with StatefulSets. Describes Kubernetes DNS structure: <service>.<namespace>.svc.cluster.local. Emphasizes namespace importance in DNS queries for multi-cluster or multi-namespace deployments. Notes that kubelet configures DNS on each node, enabling container name resolution.
3. Ingress and Gateway API Evolution [00:07:04 - 00:09:59]
Describes Ingress as a layer-7 routing mechanism managed via the Ingress API and an Ingress Controller (e.g., nginx). Notes that Ingress API is deprecated and being replaced by the Gateway API, which uses Custom Resource Definitions (CRDs) for Gateway and HTTPRoute resources. Highlights Gateway API’s advantages: standardization, scalability, shared gateways, and support for TCP/HTTP. Notes that Cilium is nearing full Gateway API support (TCP route pending as of 2025).
4. Container Network Interface (CNI) and Cilium [00:09:59 - 00:12:55]
Defines CNI as a plugin interface for cluster networking and security. Introduces Cilium as a full-featured, open-source CNI providing Layer 3–7 network policies, IPAM, encryption, and replacement of kube-proxy. Notes Cilium’s integration with Gateway API and compatibility with KubeVip for control plane HA on bare metal. Mentions Cilium’s observability and security features.
5. ConfigMaps and Secrets: Data Management [00:12:55 - 00:14:16]
Compares ConfigMaps (non-confidential key-value data, max 1 MiB, UTF-8 or base64-encoded binary) and Secrets (sensitive data, same size limit, stored unencrypted in etcd by default). Notes that Secrets can be used for Docker registry credentials, TLS certs, SSH keys, and environment variables. Emphasizes that encryption-at-rest must be enabled in production. Lists secret types: kubernetes.io/dockerconfigjson, kubernetes.io/basic-auth, kubernetes.io/tls.
6. Lab: ClusterIP, NodePort, and LoadBalancer Services [00:14:16 - 00:22:01]
Guides creation of a ClusterIP service (internal-only, not externally accessible), then replaces it with a NodePort service. Demonstrates troubleshooting a service with no endpoints due to mismatched pod labels (app=nginx vs app.kubernetes.io/name=nginx). Fixes by updating deployment labels and reapplying. Confirms external access via minikube service <service> --url.
7. Lab: LoadBalancer via Minikube Tunnel [00:22:01 - 00:37:05]
Creates a LoadBalancer service in Minikube using minikube tunnel to simulate external IP assignment. Confirms external access via browser using the assigned IP and port. Demonstrates tunnel termination with Ctrl+C and verifies external IP disappears. Notes MetalLB is skipped due to environment constraints.
8. Lab: DNS Query with dnsutils Pod [00:37:05 - 00:39:53]
Deploys a dnsutils pod to test internal and external DNS resolution. Uses kubectl exec -it dnsutils -- nslookup kubernetes.com (internal) and nslookup google.com (external) to validate egress and cluster DNS functionality. Deletes the pod after testing.
9. Lab: Ingress with Nginx Ingress (Deprecated) [00:39:53 - 00:58:05]
Enables Minikube’s deprecated nginx-ingress add-on. Deploys an Nginx app and NodePort service. Creates an Ingress resource (service-ingress.yaml) but initially fails due to namespace mismatch (Ingress in kube-system, service in default). Fixes by editing namespace to default, reapplying, and confirming endpoints appear. Tests access via http://nginx.example (requires /etc/hosts entry pointing to Minikube IP). Confirms 503 error resolved after fix.
10. Lab: Cilium CNI Deployment and Health Check [00:58:05 - 01:04:11]
Starts a fresh 3-node Minikube cluster with Cilium CNI. Verifies Cilium components: cilium-agent, cilium-envoy, cilium-operator on nodes. Uses kubectl get pods -o wide to show node assignments. Describes Cilium pods to confirm startup probe success. Runs cilium status to verify operator and envoy are healthy; notes Hubble telemetry disabled (expected).
11. Lab: Secrets and TLS Certificates [01:04:11 - 01:18:36]
Demonstrates base64 encoding/decoding of strings (e.g., echo -n "password" | base64). Creates a self-signed TLS certificate for nginx.example using OpenSSL. Stores it as a Kubernetes TLS secret (kubernetes.io/tls). Uses kubectl get secret -o yaml and jq to extract and decode the cert/key. Uses openssl x509 -in cert.pem -text -noout to view human-readable certificate details. Applies the secret to a TLS Ingress configuration.
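The kubectl/jq/base64 round trip from this lab, as an added Python example (not the course's own code): it builds a kubernetes.io/tls Secret the way kubectl create secret tls would, decodes it back to show the data is only base64-encoded rather than encrypted, and lints the Secret for the mistakes that stop an Ingress TLS block from loading. The PEM bodies and the secret name nginx-example-tls are constructed placeholders.

```python
# Added example (not course material): build a kubernetes.io/tls Secret, reverse the
# `kubectl get secret -o yaml | jq ... | base64 -d` step, and lint the result.
# PEM inputs below are constructed placeholders, not real key material.
import base64, binascii
from typing import Dict, List

def make_tls_secret(name: str, cert_pem: str, key_pem: str, namespace: str = "default") -> dict:
    """Return a Secret manifest; `data` values must be base64 of the raw bytes."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)}}

def decode_secret_data(secret: dict) -> Dict[str, str]:
    """Decode every data key: this is all `base64 -d` does, so etcd holds plaintext unless encryption-at-rest is on."""
    return {k: base64.b64decode(v, validate=True).decode() for k, v in secret.get("data", {}).items()}

def check_tls_secret(secret: dict) -> List[str]:
    """Lint a TLS Secret for the mistakes that make an Ingress TLS block fail to load."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"type is {secret.get('type')!r}, expected kubernetes.io/tls")
    data = secret.get("data", {})
    for key, marker in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
        if key not in data:
            problems.append(f"missing data key {key}")
            continue
        try:
            text = base64.b64decode(data[key], validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            problems.append(f"{key} is not valid base64 (plain text belongs under stringData:, not data:)")
            continue
        first = text.strip().splitlines()[0] if text.strip() else ""
        if not first.startswith("-----BEGIN") or marker not in first:
            problems.append(f"{key} does not contain a PEM {marker} block")
    return problems

# Constructed placeholder PEM bodies (not real certificates or keys).
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    secret = make_tls_secret("nginx-example-tls", CERT_PEM, KEY_PEM)  # name is assumed
    print(check_tls_secret(secret))                                   # []
    print(decode_secret_data(secret)["tls.crt"].splitlines()[0])      # -----BEGIN CERTIFICATE-----
```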
12. Lab: TLS Ingress and Browser Behavior [01:18:36 - 01:20:06]
Applies a TLS-enabled Ingress resource. Accesses https://nginx.example in browser, accepting self-signed cert warning. Notes browser behavior (HSTS) may auto-redirect to HTTP, requiring incognito mode or manual override. Fixes misconfigured Ingress name/namespace to ensure proper routing.
13. Review and Final Notes [01:20:06 - 01:23:48]
Summarizes key learnings: service types, DNS structure, Ingress → Gateway API transition, Cilium as modern CNI, ConfigMap vs Secret use cases, and secret encoding. Notes Docker config secret creation is documented in PDF for self-study. Confirms session end at 01:23:48.
Appendix
Key Principles
- Service Types: ClusterIP (internal), NodePort (node IP + port), LoadBalancer (external IP via cloud/CNI).
- Headless Services: Use DNS instead of ClusterIP; ideal for StatefulSets.
- DNS Resolution: Format: <service>.<namespace>.svc.cluster.local.
- Ingress vs Gateway API: Ingress API is deprecated; Gateway API (Gateway + HTTPRoute) is the future standard with better scalability and multi-namespace support.
- CNI Role: Cilium provides networking, security, and observability; replaces kube-proxy and supports Gateway API.
- ConfigMaps: Store non-sensitive data; no encryption.
- Secrets: Store sensitive data; base64-encoded by default; encryption-at-rest required in production.
Tools Used
- kubectl get services, kubectl describe service
- minikube service <name> --url
- minikube tunnel
- kubectl exec -it <pod> -- nslookup
- kubectl get ingress
- kubectl get secrets -o yaml
- base64, jq, openssl x509
- cilium status
- minikube addons enable ingress
Common Pitfalls
- Mismatched pod labels and service selectors → no endpoints.
- Ingress in wrong namespace → no endpoints, 503 errors.
- Forgetting to add nginx.example to /etc/hosts → DNS resolution failure.
- Using HTTP instead of HTTPS for TLS Ingress → browser redirects or errors.
- Not enabling encryption-at-rest for Secrets in production.
- Using deprecated nginx-ingress without plan to migrate to Gateway API.
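The first two pitfalls above are the ones hit in labs 6 and 9 (selector app=nginx vs pod label app.kubernetes.io/name=nginx; Ingress in kube-system pointing at a Service in default). As an added Python example (not the course's own code), here is an offline check over manifests shaped like kubectl get ... -o json output; the sample manifests are constructed to reproduce both mistakes.

```python
# Added example (not course material): offline checks for the two "no endpoints"
# causes seen in the labs. Inputs are dicts shaped like `kubectl get ... -o json`.
from typing import Dict, List

def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Equality-based selector: every selector key must be on the pod with the same value."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())

def diagnose_service(service: dict, deployment: dict) -> List[str]:
    """Why would this Service have no endpoints for the Deployment's pods?"""
    problems = []
    svc_ns = service["metadata"].get("namespace", "default")
    dep_ns = deployment["metadata"].get("namespace", "default")
    if svc_ns != dep_ns:
        problems.append(f"service is in {svc_ns} but deployment is in {dep_ns}")
    selector = service["spec"].get("selector", {})
    pod_labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    if not selector_matches(selector, pod_labels):
        problems.append(f"selector {selector} does not match pod labels {pod_labels}")
    return problems

def diagnose_ingress(ingress: dict, services: List[dict]) -> List[str]:
    """Ingress backends resolve only in the Ingress's own namespace; report misses."""
    ing_ns = ingress["metadata"].get("namespace", "default")
    known = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]) for s in services}
    problems = []
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            name = path["backend"]["service"]["name"]
            if (ing_ns, name) not in known:
                elsewhere = sorted(ns for ns, n in known if n == name)
                hint = f" (it exists in {elsewhere[0]})" if elsewhere else ""
                problems.append(f"backend {name} not found in {ing_ns}{hint}: expect 503")
    return problems

# Constructed samples reproducing the lab mistakes.
DEPLOYMENT = {"metadata": {"name": "nginx", "namespace": "default"},
              "spec": {"template": {"metadata": {"labels": {"app.kubernetes.io/name": "nginx"}}}}}
BAD_SERVICE = {"metadata": {"name": "nginx", "namespace": "default"},
               "spec": {"selector": {"app": "nginx"}}}
GOOD_SERVICE = {"metadata": {"name": "nginx", "namespace": "default"},
                "spec": {"selector": {"app.kubernetes.io/name": "nginx"}}}
BAD_INGRESS = {"metadata": {"name": "service-ingress", "namespace": "kube-system"},
               "spec": {"rules": [{"host": "nginx.example", "http": {"paths": [{"path": "/",
                        "backend": {"service": {"name": "nginx", "port": {"number": 80}}}}]}}]}}

if __name__ == "__main__":
    print(diagnose_service(BAD_SERVICE, DEPLOYMENT))    # label mismatch
    print(diagnose_ingress(BAD_INGRESS, [GOOD_SERVICE]))  # namespace mismatch
```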
Practice Suggestions
- Recreate all service types (ClusterIP, NodePort, LoadBalancer) in a new cluster.
- Deploy a StatefulSet with a headless service and verify DNS resolution.
- Migrate a legacy Ingress manifest to Gateway API (Gateway + HTTPRoute).
- Create a secret for a private Docker registry and use it in a Pod spec.
- Use cilium status to monitor network policy enforcement and connectivity.
- Test DNS from within a pod using nslookup and dig for advanced validation.