Map Services

[Margaret Sigars]

Localstate, and federal government websites often end in .gov. Commonwealth of Pennsylvania government websites and email systems use "pennsylvania.gov" or "pa.gov" at the end of the address. Before sharing sensitive or personal information, make sure you're on an official state website.

Our mission is to assist Pennsylvanians in leading safe, healthy, and productive lives through equitable, trauma-informed, and outcome-focused services while being an accountable steward of commonwealth resources.

Most children are automatically eligible for SUN Bucks and do not need to apply. To determine if your child is eligible and whether you need to apply, use the Eligibility Navigator or learn more about Sun Bucks.

Whether you're looking for compute power, database storage, content delivery, or other functionality, AWS has the services to help you build sophisticated applications with increased flexibility, scalability, and reliability

A key aim of Services in Kubernetes is that you don't need to modify your existingapplication to use an unfamiliar service discovery mechanism.You can run code in Pods, whether this is a code designed for a cloud-native world, oran older app you've containerized. You use a Service to make that set of Pods availableon the network so that clients can interact with it.

If you use a Deployment to run your app,that Deployment can create and destroy Pods dynamically. From one moment to the next,you don't know how many of those Pods are working and healthy; you might not even knowwhat those healthy Pods are named.Kubernetes Pods are created and destroyedto match the desired state of your cluster. Pods are ephemeral resources (you should notexpect that an individual Pod is reliable and durable).

Each Pod gets its own IP address (Kubernetes expects network plugins to ensure this).For a given Deployment in your cluster, the set of Pods running in one moment intime could be different from the set of Pods running that application a moment later.

This leads to a problem: if some set of Pods (call them "backends") providesfunctionality to other Pods (call them "frontends") inside your cluster,how do the frontends find out and keep track of which IP address to connectto, so that the frontend can use the backend part of the workload?

The Service API, part of Kubernetes, is an abstraction to help you expose groups ofPods over a network. Each Service object defines a logical set of endpoints (usuallythese endpoints are Pods) along with a policy about how to make those pods accessible.

If your workload speaks HTTP, you might choose to use anIngress to control how web trafficreaches that workload.Ingress is not a Service type, but it acts as the entry point for yourcluster. An Ingress lets you consolidate your routing rules into a single resource, sothat you can expose multiple components of your workload, running separately in yourcluster, behind a single listener.

The Gateway API for Kubernetesprovides extra capabilities beyond Ingress and Service. You can add Gateway to your cluster -it is a family of extension APIs, implemented usingCustomResourceDefinitions -and then use these to configure access to network services that are running in your cluster.

If you're able to use Kubernetes APIs for service discovery in your application,you can query the API serverfor matching EndpointSlices. Kubernetes updates the EndpointSlices for a Servicewhenever the set of Pods in a Service changes.

A Service is an object(the same way that a Pod or a ConfigMap is an object). You can create,view or modify Service definitions using the Kubernetes API. Usuallyyou use a tool such as kubectl to make those API calls for you.

Port definitions in Pods have names, and you can reference these names in thetargetPort attribute of a Service. For example, we can bind the targetPortof the Service to the Pod port in the following way:

This works even if there is a mixture of Pods in the Service using a singleconfigured name, with the same network protocol available via differentport numbers. This offers a lot of flexibility for deploying and evolvingyour Services. For example, you can change the port numbers that Pods exposein the next version of your backend software, without breaking clients.

Services most commonly abstract access to Kubernetes Pods thanks to the selector,but when used with a corresponding set ofEndpointSlicesobjects and without a selector, the Service can abstract other kinds of backends,including ones that run outside the cluster.

Because this Service has no selector, the corresponding EndpointSlice (andlegacy Endpoints) objects are not created automatically. You can map the Serviceto the network address and port where it's running, by adding an EndpointSliceobject manually. For example:

When you create an EndpointSlice object for a Service, you canuse any name for the EndpointSlice. Each EndpointSlice in a namespace must have aunique name. You link an EndpointSlice to a Service by setting thekubernetes.io/service-name labelon that EndpointSlice.

For an EndpointSlice that you create yourself, or in your own code,you should also pick a value to use for the labelendpointslice.kubernetes.io/managed-by.If you create your own controller code to manage EndpointSlices, consider using avalue similar to "my-domain.example/name-of-controller". If you are using a thirdparty tool, use the name of the tool in all-lowercase and change spaces and otherpunctuation to dashes (-).If people are directly using a tool such as kubectl to manage EndpointSlices,use a name that describes this manual management, such as "staff" or"cluster-admins". You shouldavoid using the reserved value "controller", which identifies EndpointSlicesmanaged by Kubernetes' own control plane.

Accessing a Service without a selector works the same as if it had a selector.In the example for a Service without a selector,traffic is routed to one of the two endpoints defined inthe EndpointSlice manifest: a TCP connection to 10.1.2.3 or 10.4.5.6, on port 9376.

Your Kubernetes cluster tracks how many endpoints each EndpointSlice represents.If there are so many endpoints for a Service that a threshold is reached, thenKubernetes adds another empty EndpointSlice and stores new endpoint informationthere.By default, Kubernetes makes a new EndpointSlice once the existing EndpointSlicesall contain at least 100 endpoints. Kubernetes does not make the new EndpointSliceuntil an extra endpoint needs to be added.

Kubernetes limits the number of endpoints that can fit in a single Endpointsobject. When there are over 1000 backing endpoints for a Service, Kubernetestruncates the data in the Endpoints object. Because a Service can be linkedwith more than one EndpointSlice, the 1000 backing endpoint limit onlyaffects the legacy Endpoints API.

In that case, Kubernetes selects at most 1000 possible backend endpoints to storeinto the Endpoints object, and sets anannotation on the Endpoints:endpoints.kubernetes.io/over-capacity: truncated.The control plane also removes that annotation if the number of backend Pods drops below 1000.

The appProtocol field provides a way to specify an application protocol foreach Service port. This is used as a hint for implementations to offerricher behavior for protocols that they understand.The value of this field is mirrored by the correspondingEndpoints and EndpointSlice objects.

For some Services, you need to expose more than one port.Kubernetes lets you configure multiple port definitions on a Service object.When using multiple ports for a Service, you must give all of your ports namesso that these are unambiguous.For example:

The type field in the Service API is designed as nested functionality - each leveladds to the previous. However there is an exception to this nested design. You candefine a LoadBalancer Service bydisabling the load balancer NodePort allocation.

You can specify your own cluster IP address as part of a Service creationrequest. To do this, set the .spec.clusterIP field. For example, if youalready have an existing DNS entry that you wish to reuse, or legacy systemsthat are configured for a specific IP address and difficult to re-configure.

The IP address that you choose must be a valid IPv4 or IPv6 address from within theservice-cluster-ip-range CIDR range that is configured for the API server.If you try to create a Service with an invalid clusterIP address value, the APIserver will return a 422 HTTP status code to indicate that there's a problem.

If you set the type field to NodePort, the Kubernetes control planeallocates a port from a range specified by --service-node-port-range flag (default: 30000-32767).Each node proxies that port (the same port number on every Node) into your Service.Your Service reports the allocated port in its .spec.ports[*].nodePort field.

Using a NodePort gives you the freedom to set up your own load balancing solution,to configure environments that are not fully supported by Kubernetes, or evento expose one or more nodes' IP addresses directly.

For a node port Service, Kubernetes additionally allocates a port (TCP, UDP orSCTP to match the protocol of the Service). Every node in the cluster configuresitself to listen on that assigned port and to forward traffic to one of the readyendpoints associated with that Service. You'll be able to contact the type: NodePortService, from outside the cluster, by connecting to any node using the appropriateprotocol (for example: TCP), and the appropriate port (as assigned to that Service).

If you want a specific port number, you can specify a value in the nodePortfield. The control plane will either allocate you that port or report thatthe API transaction failed.This means that you need to take care of possible port collisions yourself.You also have to use a valid port number, one that's inside the range configuredfor NodePort use.

The policy for assigning ports to NodePort services applies to both the auto-assignment andthe manual assignment scenarios. When a user wants to create a NodePort service thatuses a specific port, the target port may conflict with another port that has already been assigned.

3a8082e126