0
# Networking Resources
1
2
The Networking API groups provide resources for managing network traffic, ingress routing, network policies, and advanced networking features across multiple API versions.
3
4
## Package Import
5
6
```typescript { .api }
7
import { networking } from "@pulumi/kubernetes";
8
import * as k8s from "@pulumi/kubernetes";
9
10
// Direct networking imports
11
import { Ingress, NetworkPolicy, IngressClass } from "@pulumi/kubernetes/networking/v1";
12
```
13
14
## Ingress (networking/v1)
15
16
Ingress manages external access to services in a cluster, typically HTTP and HTTPS traffic routing.
17
18
```typescript { .api }
19
class Ingress extends pulumi.CustomResource {
20
constructor(name: string, args?: IngressArgs, opts?: pulumi.CustomResourceOptions)
21
22
public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Ingress
23
24
// Output properties
25
public readonly apiVersion!: pulumi.Output<"networking.k8s.io/v1">;
26
public readonly kind!: pulumi.Output<"Ingress">;
27
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
28
public readonly spec!: pulumi.Output<outputs.networking.v1.IngressSpec>;
29
public readonly status!: pulumi.Output<outputs.networking.v1.IngressStatus>;
30
}
31
32
interface IngressArgs {
33
apiVersion?: pulumi.Input<"networking.k8s.io/v1">;
34
kind?: pulumi.Input<"Ingress">;
35
metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
36
spec?: pulumi.Input<inputs.networking.v1.IngressSpec>;
37
}
38
```
39
40
### Ingress Path Types
41
42
```typescript { .api }
43
type PathType = "Exact" | "Prefix" | "ImplementationSpecific";
44
45
// Path matching behavior:
46
// - Exact: Matches the URL path exactly
47
// - Prefix: Matches based on URL path prefix split by '/'
48
// - ImplementationSpecific: Depends on ingress controller implementation
49
```
50
51
### Ingress Usage Examples
52
53
```typescript { .api }
54
// Basic HTTP ingress
55
const webIngress = new k8s.networking.v1.Ingress("web-ingress", {
56
spec: {
57
rules: [{
58
host: "example.com",
59
http: {
60
paths: [{
61
path: "/",
62
pathType: "Prefix",
63
backend: {
64
service: {
65
name: "web-service",
66
port: {
67
number: 80,
68
},
69
},
70
},
71
}],
72
},
73
}],
74
},
75
});
76
77
// HTTPS ingress with TLS termination
78
const httpsIngress = new k8s.networking.v1.Ingress("https-ingress", {
79
metadata: {
80
annotations: {
81
"kubernetes.io/ingress.class": "nginx",
82
"cert-manager.io/cluster-issuer": "letsencrypt-prod",
83
"nginx.ingress.kubernetes.io/ssl-redirect": "true",
84
},
85
},
86
spec: {
87
tls: [{
88
hosts: ["api.example.com"],
89
secretName: "api-tls-cert",
90
}],
91
rules: [{
92
host: "api.example.com",
93
http: {
94
paths: [{
95
path: "/api",
96
pathType: "Prefix",
97
backend: {
98
service: {
99
name: "api-service",
100
port: {
101
number: 8080,
102
},
103
},
104
},
105
}, {
106
path: "/admin",
107
pathType: "Prefix",
108
backend: {
109
service: {
110
name: "admin-service",
111
port: {
112
name: "http",
113
},
114
},
115
},
116
}],
117
},
118
}],
119
},
120
});
121
122
// Multi-host ingress with path-based routing
123
const multiHostIngress = new k8s.networking.v1.Ingress("multi-host-ingress", {
124
metadata: {
125
annotations: {
126
"nginx.ingress.kubernetes.io/rewrite-target": "/$1",
127
"nginx.ingress.kubernetes.io/configuration-snippet": `
128
more_set_headers "X-Frame-Options: DENY";
129
more_set_headers "X-Content-Type-Options: nosniff";
130
`,
131
},
132
},
133
spec: {
134
ingressClassName: "nginx",
135
tls: [{
136
hosts: ["app.example.com", "api.example.com"],
137
secretName: "wildcard-tls-cert",
138
}],
139
rules: [
140
{
141
host: "app.example.com",
142
http: {
143
paths: [{
144
path: "/(.*)",
145
pathType: "ImplementationSpecific",
146
backend: {
147
service: {
148
name: "frontend-service",
149
port: { number: 80 },
150
},
151
},
152
}],
153
},
154
},
155
{
156
host: "api.example.com",
157
http: {
158
paths: [{
159
path: "/v1/(.*)",
160
pathType: "ImplementationSpecific",
161
backend: {
162
service: {
163
name: "api-v1-service",
164
port: { number: 8080 },
165
},
166
},
167
}, {
168
path: "/v2/(.*)",
169
pathType: "ImplementationSpecific",
170
backend: {
171
service: {
172
name: "api-v2-service",
173
port: { number: 8080 },
174
},
175
},
176
}],
177
},
178
},
179
],
180
},
181
});
182
183
// Load balancer ingress with advanced annotations
184
const loadBalancerIngress = new k8s.networking.v1.Ingress("lb-ingress", {
185
metadata: {
186
annotations: {
187
"kubernetes.io/ingress.class": "alb",
188
"alb.ingress.kubernetes.io/scheme": "internet-facing",
189
"alb.ingress.kubernetes.io/target-type": "ip",
190
"alb.ingress.kubernetes.io/listen-ports": '[{"HTTP": 80}, {"HTTPS": 443}]',
191
"alb.ingress.kubernetes.io/ssl-redirect": "443",
192
"alb.ingress.kubernetes.io/certificate-arn": "arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012",
193
},
194
},
195
spec: {
196
rules: [{
197
http: {
198
paths: [{
199
path: "/*",
200
pathType: "ImplementationSpecific",
201
backend: {
202
service: {
203
name: "app-service",
204
port: { number: 80 },
205
},
206
},
207
}],
208
},
209
}],
210
},
211
});
212
```
213
214
## IngressClass (networking/v1)
215
216
IngressClass represents the class of the Ingress, referenced by the Ingress spec.
217
218
```typescript { .api }
219
class IngressClass extends pulumi.CustomResource {
220
constructor(name: string, args?: IngressClassArgs, opts?: pulumi.CustomResourceOptions)
221
222
public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): IngressClass
223
224
// Output properties
225
public readonly apiVersion!: pulumi.Output<"networking.k8s.io/v1">;
226
public readonly kind!: pulumi.Output<"IngressClass">;
227
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
228
public readonly spec!: pulumi.Output<outputs.networking.v1.IngressClassSpec>;
229
}
230
231
interface IngressClassArgs {
232
apiVersion?: pulumi.Input<"networking.k8s.io/v1">;
233
kind?: pulumi.Input<"IngressClass">;
234
metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
235
spec?: pulumi.Input<inputs.networking.v1.IngressClassSpec>;
236
}
237
```
238
239
### IngressClass Usage Examples
240
241
```typescript { .api }
242
// NGINX Ingress Class
243
const nginxIngressClass = new k8s.networking.v1.IngressClass("nginx", {
244
metadata: {
245
name: "nginx",
246
annotations: {
247
"ingressclass.kubernetes.io/is-default-class": "true",
248
},
249
},
250
spec: {
251
controller: "k8s.io/ingress-nginx",
252
},
253
});
254
255
// AWS Load Balancer Controller Ingress Class
256
const albIngressClass = new k8s.networking.v1.IngressClass("alb", {
257
metadata: {
258
name: "alb",
259
},
260
spec: {
261
controller: "ingress.k8s.aws/alb",
262
parameters: {
263
apiGroup: "elbv2.k8s.aws",
264
kind: "IngressClassParams",
265
name: "alb-params",
266
},
267
},
268
});
269
270
// Traefik Ingress Class
271
const traefikIngressClass = new k8s.networking.v1.IngressClass("traefik", {
272
metadata: {
273
name: "traefik",
274
},
275
spec: {
276
controller: "traefik.io/ingress-controller",
277
},
278
});
279
```
280
281
## NetworkPolicy (networking/v1)
282
283
NetworkPolicy specifies how groups of pods are allowed to communicate with each other and other network endpoints.
284
285
```typescript { .api }
286
class NetworkPolicy extends pulumi.CustomResource {
287
constructor(name: string, args?: NetworkPolicyArgs, opts?: pulumi.CustomResourceOptions)
288
289
public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): NetworkPolicy
290
291
// Output properties
292
public readonly apiVersion!: pulumi.Output<"networking.k8s.io/v1">;
293
public readonly kind!: pulumi.Output<"NetworkPolicy">;
294
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
295
public readonly spec!: pulumi.Output<outputs.networking.v1.NetworkPolicySpec>;
296
}
297
298
interface NetworkPolicyArgs {
299
apiVersion?: pulumi.Input<"networking.k8s.io/v1">;
300
kind?: pulumi.Input<"NetworkPolicy">;
301
metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
302
spec?: pulumi.Input<inputs.networking.v1.NetworkPolicySpec>;
303
}
304
```
305
306
### NetworkPolicy Types
307
308
```typescript { .api }
309
// Policy types that can be specified
310
type PolicyType = "Ingress" | "Egress";
311
312
// Protocol types for network rules
313
type Protocol = "TCP" | "UDP" | "SCTP";
314
```
315
316
### NetworkPolicy Usage Examples
317
318
```typescript { .api }
319
// Deny all ingress traffic (default deny)
320
const denyAllIngress = new k8s.networking.v1.NetworkPolicy("deny-all-ingress", {
321
spec: {
322
podSelector: {}, // Empty selector matches all pods in namespace
323
policyTypes: ["Ingress"],
324
// No ingress rules specified = deny all
325
},
326
});
327
328
// Allow specific ingress traffic to web pods
329
const webIngressPolicy = new k8s.networking.v1.NetworkPolicy("web-ingress", {
330
spec: {
331
podSelector: {
332
matchLabels: {
333
app: "web",
334
},
335
},
336
policyTypes: ["Ingress"],
337
ingress: [{
338
from: [
339
// Allow traffic from pods with specific label
340
{
341
podSelector: {
342
matchLabels: {
343
role: "frontend",
344
},
345
},
346
},
347
// Allow traffic from specific namespace
348
{
349
namespaceSelector: {
350
matchLabels: {
351
name: "production",
352
},
353
},
354
},
355
// Allow traffic from specific IP blocks
356
{
357
ipBlock: {
358
cidr: "10.0.0.0/16",
359
except: ["10.0.1.0/24"],
360
},
361
},
362
],
363
ports: [{
364
protocol: "TCP",
365
port: 80,
366
}, {
367
protocol: "TCP",
368
port: 443,
369
}],
370
}],
371
},
372
});
373
374
// Database access policy (ingress and egress)
375
const databasePolicy = new k8s.networking.v1.NetworkPolicy("database-policy", {
376
spec: {
377
podSelector: {
378
matchLabels: {
379
app: "database",
380
},
381
},
382
policyTypes: ["Ingress", "Egress"],
383
ingress: [{
384
from: [{
385
podSelector: {
386
matchLabels: {
387
role: "api-server",
388
},
389
},
390
}],
391
ports: [{
392
protocol: "TCP",
393
port: 5432,
394
}],
395
}],
396
egress: [
397
// Allow DNS resolution
398
{
399
to: [{
400
namespaceSelector: {
401
matchLabels: {
402
name: "kube-system",
403
},
404
},
405
podSelector: {
406
matchLabels: {
407
"k8s-app": "kube-dns",
408
},
409
},
410
}],
411
ports: [{
412
protocol: "UDP",
413
port: 53,
414
}],
415
},
416
// Allow backup to external storage
417
{
418
to: [{
419
ipBlock: {
420
cidr: "0.0.0.0/0",
421
},
422
}],
423
ports: [{
424
protocol: "TCP",
425
port: 443, // HTTPS for cloud storage
426
}],
427
},
428
],
429
},
430
});
431
432
// Microservices communication policy
433
const microservicesPolicy = new k8s.networking.v1.NetworkPolicy("microservices-policy", {
434
spec: {
435
podSelector: {
436
matchLabels: {
437
tier: "backend",
438
},
439
},
440
policyTypes: ["Ingress", "Egress"],
441
ingress: [{
442
from: [{
443
podSelector: {
444
matchLabels: {
445
tier: "frontend",
446
},
447
},
448
}, {
449
podSelector: {
450
matchLabels: {
451
tier: "backend",
452
},
453
},
454
}],
455
ports: [{
456
protocol: "TCP",
457
port: 8080,
458
}],
459
}],
460
egress: [
461
// Allow communication to other backend services
462
{
463
to: [{
464
podSelector: {
465
matchLabels: {
466
tier: "backend",
467
},
468
},
469
}],
470
},
471
// Allow access to external APIs
472
{
473
to: [{
474
ipBlock: {
475
cidr: "0.0.0.0/0",
476
},
477
}],
478
ports: [{
479
protocol: "TCP",
480
port: 443,
481
}, {
482
protocol: "TCP",
483
port: 80,
484
}],
485
},
486
],
487
},
488
});
489
```
490
491
## Advanced Networking Resources (networking/v1alpha1, v1beta1)
492
493
### IPAddress (networking/v1beta1)
494
495
IPAddress represents a single IP address allocation.
496
497
```typescript { .api }
498
class IPAddress extends pulumi.CustomResource {
499
constructor(name: string, args?: IPAddressArgs, opts?: pulumi.CustomResourceOptions)
500
501
// Output properties
502
public readonly apiVersion!: pulumi.Output<"networking.k8s.io/v1beta1">;
503
public readonly kind!: pulumi.Output<"IPAddress">;
504
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
505
public readonly spec!: pulumi.Output<outputs.networking.v1beta1.IPAddressSpec>;
506
}
507
```
508
509
### ServiceCIDR (networking/v1beta1)
510
511
ServiceCIDR defines a range of IP addresses for Services.
512
513
```typescript { .api }
514
class ServiceCIDR extends pulumi.CustomResource {
515
constructor(name: string, args?: ServiceCIDRArgs, opts?: pulumi.CustomResourceOptions)
516
517
// Output properties
518
public readonly apiVersion!: pulumi.Output<"networking.k8s.io/v1beta1">;
519
public readonly kind!: pulumi.Output<"ServiceCIDR">;
520
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
521
public readonly spec!: pulumi.Output<outputs.networking.v1beta1.ServiceCIDRSpec>;
522
}
523
```
524
525
## Extension Resources (extensions/v1beta1)
526
527
### Ingress (Legacy - extensions/v1beta1)
528
529
Legacy Ingress resource from extensions API (deprecated).
530
531
```typescript { .api }
532
// Note: Use networking/v1 Ingress instead
533
import { Ingress as LegacyIngress } from "@pulumi/kubernetes/extensions/v1beta1";
534
```
535
536
## Common Networking Patterns
537
538
### Complete Web Application Setup
539
540
```typescript { .api }
541
// 1. Ingress Class
542
const nginxClass = new k8s.networking.v1.IngressClass("nginx-class", {
543
metadata: {
544
name: "nginx",
545
annotations: {
546
"ingressclass.kubernetes.io/is-default-class": "true",
547
},
548
},
549
spec: {
550
controller: "k8s.io/ingress-nginx",
551
},
552
});
553
554
// 2. Network Policies
555
const webNetworkPolicy = new k8s.networking.v1.NetworkPolicy("web-network-policy", {
556
spec: {
557
podSelector: {
558
matchLabels: {
559
app: "web-app",
560
},
561
},
562
policyTypes: ["Ingress", "Egress"],
563
ingress: [{
564
from: [{}], // Allow all ingress for web frontend
565
ports: [{
566
protocol: "TCP",
567
port: 80,
568
}],
569
}],
570
egress: [{
571
to: [{
572
podSelector: {
573
matchLabels: {
574
app: "api-server",
575
},
576
},
577
}],
578
ports: [{
579
protocol: "TCP",
580
port: 8080,
581
}],
582
}],
583
},
584
});
585
586
// 3. Ingress Resource
587
const appIngress = new k8s.networking.v1.Ingress("app-ingress", {
588
metadata: {
589
annotations: {
590
"cert-manager.io/cluster-issuer": "letsencrypt-prod",
591
"nginx.ingress.kubernetes.io/rate-limit": "100",
592
"nginx.ingress.kubernetes.io/rate-limit-window": "1m",
593
},
594
},
595
spec: {
596
ingressClassName: "nginx",
597
tls: [{
598
hosts: ["myapp.example.com"],
599
secretName: "app-tls-cert",
600
}],
601
rules: [{
602
host: "myapp.example.com",
603
http: {
604
paths: [{
605
path: "/",
606
pathType: "Prefix",
607
backend: {
608
service: {
609
name: "web-service",
610
port: { number: 80 },
611
},
612
},
613
}],
614
},
615
}],
616
},
617
});
618
```
619
620
## Resource Variants
621
622
All networking resources include the following variants:
623
624
### List Resources
625
- `IngressList`, `NetworkPolicyList`, `IngressClassList`
626
627
### Patch Resources
628
- `IngressPatch`, `NetworkPolicyPatch`, `IngressClassPatch`
629
630
```typescript { .api }
631
// Example patch operation
632
const ingressPatch = new k8s.networking.v1.IngressPatch("update-ingress", {
633
metadata: {
634
name: "existing-ingress",
635
annotations: {
636
"nginx.ingress.kubernetes.io/rate-limit": "200", // Update rate limit
637
},
638
},
639
});
640
```
641
642
## Best Practices
643
644
### Network Policy Best Practices
645
646
1. **Start with Deny All**: Create default deny policies and explicitly allow required traffic
647
2. **Namespace Isolation**: Use namespace selectors to isolate environments
648
3. **Principle of Least Privilege**: Only allow minimum required network access
649
4. **DNS Access**: Always allow DNS resolution for pods that need it
650
5. **Monitoring**: Monitor network policy violations and adjust as needed
651
652
### Ingress Best Practices
653
654
1. **Use IngressClass**: Always specify ingress class for predictable behavior
655
2. **TLS Termination**: Use TLS for production traffic with proper certificates
656
3. **Path Types**: Choose appropriate path types for your routing requirements
657
4. **Resource Limits**: Set appropriate rate limiting and resource constraints
658
5. **Health Checks**: Configure proper health checks for backend services
659
660
The Networking API groups provide comprehensive traffic management and security capabilities for modern Kubernetes applications, enabling secure and efficient communication patterns.