tessl/npm-pulumi--kubernetes
A comprehensive Pulumi resource provider for creating and managing Kubernetes resources and workloads in a running cluster
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
networking-resources.mddocs/
Networking Resources
The Networking API groups provide resources for managing network traffic, ingress routing, network policies, and advanced networking features across multiple API versions.
Package Import
import { networking } from "@pulumi/kubernetes";
import * as k8s from "@pulumi/kubernetes";
// Direct networking imports
import { Ingress, NetworkPolicy, IngressClass } from "@pulumi/kubernetes/networking/v1";Ingress (networking/v1)
Ingress manages external access to services in a cluster, typically HTTP and HTTPS traffic routing.
class Ingress extends pulumi.CustomResource {
constructor(name: string, args?: IngressArgs, opts?: pulumi.CustomResourceOptions)
public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Ingress
// Output properties
public readonly apiVersion!: pulumi.Output<"networking.k8s.io/v1">;
public readonly kind!: pulumi.Output<"Ingress">;
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
public readonly spec!: pulumi.Output<outputs.networking.v1.IngressSpec>;
public readonly status!: pulumi.Output<outputs.networking.v1.IngressStatus>;
}
interface IngressArgs {
apiVersion?: pulumi.Input<"networking.k8s.io/v1">;
kind?: pulumi.Input<"Ingress">;
metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
spec?: pulumi.Input<inputs.networking.v1.IngressSpec>;
}Ingress Path Types
type PathType = "Exact" | "Prefix" | "ImplementationSpecific";
// Path matching behavior:
// - Exact: Matches the URL path exactly
// - Prefix: Matches based on URL path prefix split by '/'
// - ImplementationSpecific: Depends on ingress controller implementationIngress Usage Examples
// Basic HTTP ingress
const webIngress = new k8s.networking.v1.Ingress("web-ingress", {
spec: {
rules: [{
host: "example.com",
http: {
paths: [{
path: "/",
pathType: "Prefix",
backend: {
service: {
name: "web-service",
port: {
number: 80,
},
},
},
}],
},
}],
},
});
// HTTPS ingress with TLS termination
const httpsIngress = new k8s.networking.v1.Ingress("https-ingress", {
metadata: {
annotations: {
"kubernetes.io/ingress.class": "nginx",
"cert-manager.io/cluster-issuer": "letsencrypt-prod",
"nginx.ingress.kubernetes.io/ssl-redirect": "true",
},
},
spec: {
tls: [{
hosts: ["api.example.com"],
secretName: "api-tls-cert",
}],
rules: [{
host: "api.example.com",
http: {
paths: [{
path: "/api",
pathType: "Prefix",
backend: {
service: {
name: "api-service",
port: {
number: 8080,
},
},
},
}, {
path: "/admin",
pathType: "Prefix",
backend: {
service: {
name: "admin-service",
port: {
name: "http",
},
},
},
}],
},
}],
},
});
// Multi-host ingress with path-based routing
const multiHostIngress = new k8s.networking.v1.Ingress("multi-host-ingress", {
metadata: {
annotations: {
"nginx.ingress.kubernetes.io/rewrite-target": "/$1",
"nginx.ingress.kubernetes.io/configuration-snippet": `
more_set_headers "X-Frame-Options: DENY";
more_set_headers "X-Content-Type-Options: nosniff";
`,
},
},
spec: {
ingressClassName: "nginx",
tls: [{
hosts: ["app.example.com", "api.example.com"],
secretName: "wildcard-tls-cert",
}],
rules: [
{
host: "app.example.com",
http: {
paths: [{
path: "/(.*)",
pathType: "ImplementationSpecific",
backend: {
service: {
name: "frontend-service",
port: { number: 80 },
},
},
}],
},
},
{
host: "api.example.com",
http: {
paths: [{
path: "/v1/(.*)",
pathType: "ImplementationSpecific",
backend: {
service: {
name: "api-v1-service",
port: { number: 8080 },
},
},
}, {
path: "/v2/(.*)",
pathType: "ImplementationSpecific",
backend: {
service: {
name: "api-v2-service",
port: { number: 8080 },
},
},
}],
},
},
],
},
});
// Load balancer ingress with advanced annotations
const loadBalancerIngress = new k8s.networking.v1.Ingress("lb-ingress", {
metadata: {
annotations: {
"kubernetes.io/ingress.class": "alb",
"alb.ingress.kubernetes.io/scheme": "internet-facing",
"alb.ingress.kubernetes.io/target-type": "ip",
"alb.ingress.kubernetes.io/listen-ports": '[{"HTTP": 80}, {"HTTPS": 443}]',
"alb.ingress.kubernetes.io/ssl-redirect": "443",
"alb.ingress.kubernetes.io/certificate-arn": "arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012",
},
},
spec: {
rules: [{
http: {
paths: [{
path: "/*",
pathType: "ImplementationSpecific",
backend: {
service: {
name: "app-service",
port: { number: 80 },
},
},
}],
},
}],
},
});IngressClass (networking/v1)
IngressClass represents the class of the Ingress, referenced by the Ingress spec.
class IngressClass extends pulumi.CustomResource {
constructor(name: string, args?: IngressClassArgs, opts?: pulumi.CustomResourceOptions)
public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): IngressClass
// Output properties
public readonly apiVersion!: pulumi.Output<"networking.k8s.io/v1">;
public readonly kind!: pulumi.Output<"IngressClass">;
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
public readonly spec!: pulumi.Output<outputs.networking.v1.IngressClassSpec>;
}
interface IngressClassArgs {
apiVersion?: pulumi.Input<"networking.k8s.io/v1">;
kind?: pulumi.Input<"IngressClass">;
metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
spec?: pulumi.Input<inputs.networking.v1.IngressClassSpec>;
}IngressClass Usage Examples
// NGINX Ingress Class
const nginxIngressClass = new k8s.networking.v1.IngressClass("nginx", {
metadata: {
name: "nginx",
annotations: {
"ingressclass.kubernetes.io/is-default-class": "true",
},
},
spec: {
controller: "k8s.io/ingress-nginx",
},
});
// AWS Load Balancer Controller Ingress Class
const albIngressClass = new k8s.networking.v1.IngressClass("alb", {
metadata: {
name: "alb",
},
spec: {
controller: "ingress.k8s.aws/alb",
parameters: {
apiGroup: "elbv2.k8s.aws",
kind: "IngressClassParams",
name: "alb-params",
},
},
});
// Traefik Ingress Class
const traefikIngressClass = new k8s.networking.v1.IngressClass("traefik", {
metadata: {
name: "traefik",
},
spec: {
controller: "traefik.io/ingress-controller",
},
});NetworkPolicy (networking/v1)
NetworkPolicy specifies how groups of pods are allowed to communicate with each other and other network endpoints.
class NetworkPolicy extends pulumi.CustomResource {
constructor(name: string, args?: NetworkPolicyArgs, opts?: pulumi.CustomResourceOptions)
public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): NetworkPolicy
// Output properties
public readonly apiVersion!: pulumi.Output<"networking.k8s.io/v1">;
public readonly kind!: pulumi.Output<"NetworkPolicy">;
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
public readonly spec!: pulumi.Output<outputs.networking.v1.NetworkPolicySpec>;
}
interface NetworkPolicyArgs {
apiVersion?: pulumi.Input<"networking.k8s.io/v1">;
kind?: pulumi.Input<"NetworkPolicy">;
metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
spec?: pulumi.Input<inputs.networking.v1.NetworkPolicySpec>;
}NetworkPolicy Types
// Policy types that can be specified
type PolicyType = "Ingress" | "Egress";
// Protocol types for network rules
type Protocol = "TCP" | "UDP" | "SCTP";NetworkPolicy Usage Examples
// Deny all ingress traffic (default deny)
const denyAllIngress = new k8s.networking.v1.NetworkPolicy("deny-all-ingress", {
spec: {
podSelector: {}, // Empty selector matches all pods in namespace
policyTypes: ["Ingress"],
// No ingress rules specified = deny all
},
});
// Allow specific ingress traffic to web pods
const webIngressPolicy = new k8s.networking.v1.NetworkPolicy("web-ingress", {
spec: {
podSelector: {
matchLabels: {
app: "web",
},
},
policyTypes: ["Ingress"],
ingress: [{
from: [
// Allow traffic from pods with specific label
{
podSelector: {
matchLabels: {
role: "frontend",
},
},
},
// Allow traffic from specific namespace
{
namespaceSelector: {
matchLabels: {
name: "production",
},
},
},
// Allow traffic from specific IP blocks
{
ipBlock: {
cidr: "10.0.0.0/16",
except: ["10.0.1.0/24"],
},
},
],
ports: [{
protocol: "TCP",
port: 80,
}, {
protocol: "TCP",
port: 443,
}],
}],
},
});
// Database access policy (ingress and egress)
const databasePolicy = new k8s.networking.v1.NetworkPolicy("database-policy", {
spec: {
podSelector: {
matchLabels: {
app: "database",
},
},
policyTypes: ["Ingress", "Egress"],
ingress: [{
from: [{
podSelector: {
matchLabels: {
role: "api-server",
},
},
}],
ports: [{
protocol: "TCP",
port: 5432,
}],
}],
egress: [
// Allow DNS resolution
{
to: [{
namespaceSelector: {
matchLabels: {
name: "kube-system",
},
},
podSelector: {
matchLabels: {
"k8s-app": "kube-dns",
},
},
}],
ports: [{
protocol: "UDP",
port: 53,
}],
},
// Allow backup to external storage
{
to: [{
ipBlock: {
cidr: "0.0.0.0/0",
},
}],
ports: [{
protocol: "TCP",
port: 443, // HTTPS for cloud storage
}],
},
],
},
});
// Microservices communication policy
const microservicesPolicy = new k8s.networking.v1.NetworkPolicy("microservices-policy", {
spec: {
podSelector: {
matchLabels: {
tier: "backend",
},
},
policyTypes: ["Ingress", "Egress"],
ingress: [{
from: [{
podSelector: {
matchLabels: {
tier: "frontend",
},
},
}, {
podSelector: {
matchLabels: {
tier: "backend",
},
},
}],
ports: [{
protocol: "TCP",
port: 8080,
}],
}],
egress: [
// Allow communication to other backend services
{
to: [{
podSelector: {
matchLabels: {
tier: "backend",
},
},
}],
},
// Allow access to external APIs
{
to: [{
ipBlock: {
cidr: "0.0.0.0/0",
},
}],
ports: [{
protocol: "TCP",
port: 443,
}, {
protocol: "TCP",
port: 80,
}],
},
],
},
});Advanced Networking Resources (networking/v1alpha1, v1beta1)
IPAddress (networking/v1beta1)
IPAddress represents a single IP address allocation.
class IPAddress extends pulumi.CustomResource {
constructor(name: string, args?: IPAddressArgs, opts?: pulumi.CustomResourceOptions)
// Output properties
public readonly apiVersion!: pulumi.Output<"networking.k8s.io/v1beta1">;
public readonly kind!: pulumi.Output<"IPAddress">;
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
public readonly spec!: pulumi.Output<outputs.networking.v1beta1.IPAddressSpec>;
}ServiceCIDR (networking/v1beta1)
ServiceCIDR defines a range of IP addresses for Services.
class ServiceCIDR extends pulumi.CustomResource {
constructor(name: string, args?: ServiceCIDRArgs, opts?: pulumi.CustomResourceOptions)
// Output properties
public readonly apiVersion!: pulumi.Output<"networking.k8s.io/v1beta1">;
public readonly kind!: pulumi.Output<"ServiceCIDR">;
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
public readonly spec!: pulumi.Output<outputs.networking.v1beta1.ServiceCIDRSpec>;
}Extension Resources (extensions/v1beta1)
Ingress (Legacy - extensions/v1beta1)
Legacy Ingress resource from extensions API (deprecated).
// Note: Use networking/v1 Ingress instead
import { Ingress as LegacyIngress } from "@pulumi/kubernetes/extensions/v1beta1";Common Networking Patterns
Complete Web Application Setup
// 1. Ingress Class
const nginxClass = new k8s.networking.v1.IngressClass("nginx-class", {
metadata: {
name: "nginx",
annotations: {
"ingressclass.kubernetes.io/is-default-class": "true",
},
},
spec: {
controller: "k8s.io/ingress-nginx",
},
});
// 2. Network Policies
const webNetworkPolicy = new k8s.networking.v1.NetworkPolicy("web-network-policy", {
spec: {
podSelector: {
matchLabels: {
app: "web-app",
},
},
policyTypes: ["Ingress", "Egress"],
ingress: [{
from: [{}], // Allow all ingress for web frontend
ports: [{
protocol: "TCP",
port: 80,
}],
}],
egress: [{
to: [{
podSelector: {
matchLabels: {
app: "api-server",
},
},
}],
ports: [{
protocol: "TCP",
port: 8080,
}],
}],
},
});
// 3. Ingress Resource
const appIngress = new k8s.networking.v1.Ingress("app-ingress", {
metadata: {
annotations: {
"cert-manager.io/cluster-issuer": "letsencrypt-prod",
"nginx.ingress.kubernetes.io/rate-limit": "100",
"nginx.ingress.kubernetes.io/rate-limit-window": "1m",
},
},
spec: {
ingressClassName: "nginx",
tls: [{
hosts: ["myapp.example.com"],
secretName: "app-tls-cert",
}],
rules: [{
host: "myapp.example.com",
http: {
paths: [{
path: "/",
pathType: "Prefix",
backend: {
service: {
name: "web-service",
port: { number: 80 },
},
},
}],
},
}],
},
});Resource Variants
All networking resources include the following variants:
List Resources
IngressList,NetworkPolicyList,IngressClassList
Patch Resources
IngressPatch,NetworkPolicyPatch,IngressClassPatch
// Example patch operation
const ingressPatch = new k8s.networking.v1.IngressPatch("update-ingress", {
metadata: {
name: "existing-ingress",
annotations: {
"nginx.ingress.kubernetes.io/rate-limit": "200", // Update rate limit
},
},
});Best Practices
Network Policy Best Practices
- Start with Deny All: Create default deny policies and explicitly allow required traffic
- Namespace Isolation: Use namespace selectors to isolate environments
- Principle of Least Privilege: Only allow minimum required network access
- DNS Access: Always allow DNS resolution for pods that need it
- Monitoring: Monitor network policy violations and adjust as needed
Ingress Best Practices
- Use IngressClass: Always specify ingress class for predictable behavior
- TLS Termination: Use TLS for production traffic with proper certificates
- Path Types: Choose appropriate path types for your routing requirements
- Resource Limits: Set appropriate rate limiting and resource constraints
- Health Checks: Configure proper health checks for backend services
The Networking API groups provide comprehensive traffic management and security capabilities for modern Kubernetes applications, enabling secure and efficient communication patterns.
Install with Tessl CLI
npx tessl i tessl/npm-pulumi--kubernetes