How to configure nginx ingress rules without "host" - kubernetes

I have installed nginx ingress in kubernetes from the official documentation. But while configuring the rules without mentioning the "host", I am getting the below errors.
error
++++++
spec.rules[0].host: Required value
Is it possible to configure it without host, as I want to access it using only the IP address?
I also found the below deployment file with which I am able to apply rules without "host", but I am not sure if this is safe to use. Please guide me here.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/cloud/deploy.yaml

Do you mean to configure the ingress? The ingress controller is different from ingress itself. If you are configuring ingress, then host is completely optional. If host is omitted, all the http traffic is directed through IP address by default. Refer to this documentation for more info https://kubernetes.io/docs/concepts/services-networking/ingress/
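A host-less rule next to a host-restricted one, as an added example (not from the original answer). The names `web`, `catch-all`, `app-only` and `app.example.com` are hypothetical, and `ingressClassName: nginx` assumes the controller's IngressClass is called `nginx`. A rule without `host` matches every Host header, so any DNS name that resolves to the controller's IP reaches the backend.

```yaml
# Added example; resource names and hostname are hypothetical.
# 1) No "host" key: the rule applies to all inbound HTTP traffic on the
#    controller's address, whatever Host header the client sends.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: catch-all
spec:
  ingressClassName: nginx        # assumption: IngressClass is named "nginx"
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web        # hypothetical Service
                port:
                  number: 80
---
# 2) Same backend, but only requests whose Host header is app.example.com
#    match; requests for other names fall through to the default backend.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-only
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com      # hypothetical hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```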

Related

Is it necessary to set up a reverse proxy in front of a kubernetes cluster?

I have set up a kubernetes cluster using kubeadm on a server, which is using an ingress controller (nginx) and this is working as intended. However, I used to deploy a nginx reverse proxy when I was using docker and to forward traffic to the containers. I have read that the ingress controller embarks a reverse proxy but I am not sure if it is sufficient and how to configure it (like IP ban when too many requests are sent in 1 s, ...).
I am aware that it can be done by modifying the port of the cluster and forwarding the traffic from the reverse proxy to the ingress controller but I don't know if it has any utility.
If you have more control over your inbound traffic, you can test multiple ingresses, not only Nginx. It will depend on the purpose of your requirement, although Nginx supports rate-limit. I suggest testing other ingresses, but try to install metal-lb first, so you can assign a specific LoadBalancer IP for each ingress.
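The rate limiting mentioned above, as an added example using ingress-nginx annotations (not from the original answer). The resource and Service names are hypothetical and the numbers are sample values. These annotations throttle per client IP rather than ban it, and the counters are kept per controller replica.

```yaml
# Added example; names and limits are constructed sample values.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-rate-limited
  annotations:
    # Requests accepted from one client IP per second.
    nginx.ingress.kubernetes.io/limit-rps: "5"
    # Burst size = limit-rps * multiplier (the controller default is 5).
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "2"
    # Concurrent connections allowed from one client IP.
    nginx.ingress.kubernetes.io/limit-connections: "10"
spec:
  ingressClassName: nginx        # assumption: IngressClass is named "nginx"
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web        # hypothetical Service
                port:
                  number: 80
```

Requests over the limit are rejected with HTTP 503 by default, which makes the throttling easy to spot in the controller's access log.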

How do I make Traefik pass on the x-forwarded-proto header?

I am deploying Traefik on my EKS cluster via the default Traefik Helm chart and I am also using the AWS Load Balancer Controller.
Traefik deploys fine and routes traffic to my services. However, one of the customer's services has a requirement for the x-forwarded-proto header to be passed to it. This is so it knows whether the user originally came in via http or https.
The AWS ALB is sending in the header but Traefik doesn't forward it on. Anybody know how to make Traefik do this?
How I install Traefik:
helm install traefik traefik/traefik --values=values.yaml
With traefik, you have to trust external proxies' addresses, to preserve their X-Forwarded-For header.
This would be done adding an argument such as --entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,W.X.Y.Z/32
Using Helm, you should be able to use:
helm install .... "--set=additionalArguments=['--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.42.0.0/16']"
... or write your own values file.
WARNING: by default the Chart would not configure hostNetwork, and rather expose your ingress using a LoadBalancer service (actually based on a NodePort).
The NodePort behavior is to NAT the connection entering the SDN. As such, Traefik would see some internal SDN address -- depending on which SDN you are using, it could be the first usable address of a host subnet, the network address of that host subnet, the IP for your kubernetes node out of the SDN, ... You would have to figure out which IP to trust, depending on your setup.
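The "write your own values file" option from the answer above, as an added example (not the answerer's own file). The CIDRs are the ones quoted in the answer and must be replaced with the addresses Traefik actually sees; `web` and `websecure` are assumed to be the chart's entry point names.

```yaml
# values.yaml -- added example for: helm install traefik traefik/traefik --values=values.yaml
additionalArguments:
  # Accept X-Forwarded-* headers (Proto, For, Host, ...) only when the
  # connection comes from these source ranges. Headers arriving from any
  # other address are overwritten by Traefik.
  - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.42.0.0/16"
  - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.42.0.0/16"

  # Weak alternative, shown for contrast and left commented out: trusting
  # every source lets any client that can reach the entry point set
  # X-Forwarded-Proto / X-Forwarded-For itself, so a backend that relies on
  # them for "was this HTTPS?" or client-IP decisions can be misled.
  # - "--entryPoints.websecure.forwardedHeaders.insecure=true"
```

Keep the trusted range as narrow as the NAT behaviour described above allows, since every address in it is allowed to assert the client's scheme and IP.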

Kubernetes ingress controller expose to specific port

My institution has firewall settings that block most of the external ports, currently, I have internal Linux virtual machine, for example, http://abc.xyz:5555 (this link can only be accessed in the internal network), and a Netscaler is set up by the admin so that the internal link is forward to a publicly available link: https://def.edu.
Now I have multiple web servers that use ports like 5556,5557,5558. I want to set up Kubernetes ingress that all traffic goes into the ingress controller first, and the ingress will forward traffic to my multiple web services. Typically as the below image shows.
I only have port 5555 available, but all tutorials of Ingress seem only to support HTTP 80 and HTTPS 443 port. My question is, can I set up the Ingress controller host as http://abc.xyz:5555? Or I should go for other approaches, like this said: An Ingress does not expose arbitrary ports or protocols. Exposing services other than HTTP and HTTPS to the internet typically uses a service of type Service.Type=NodePort or Service.Type=LoadBalancer., if so, what terms/techniques should I use?
I suggest using an ingress, since each loadbalancer gets its own external ip assigned. You can specify a custom port and protocols (tcp,udp,http). I worked with nginx, but the documentation seemed outdated (last checked last week). So we are currently using Traefik. The web dashboard was also a big help in debugging it.
How we solved it:
Install traefik via helm with custom values, so it listens to other ports besides 80 and 443; Add custom entrypoints in your values.yaml and install traefik with:
helm install --values values.yaml stable/traefik
Install your ingress http/tcp/udp routes
Forward your web dashboard and go to http://localhost:9000/dashboard
Please see the official docs for more detailed steps: https://docs.traefik.io/getting-started/install-traefik/#use-the-helm-chart

nginx ingress controller on Google Kubernetes Engine firewall rules

I have installed the nginx ingress controller on GKE from
https://github.com/kubernetes/ingress-nginx via helm chart
It does create the controller and also a firewall rule. The rule is open for all public IPs.
Is there a way to restrict this via the helm chart?
If not, is there any way to get the auto-generated firewall rule via terraform and adjust it?
the name of the firewall rule looks like this: k8s-fw-a8301409696934895b9facd9232892dc
Thanks
nginx ingress creates a loadBalancer service to expose it on GKE. You can define the spec.loadBalancerSourceRanges field in the service definition with the IPs you would like to allow access, all other IPs will be filtered. The default value for this field is 0.0.0.0 and the GCE firewall rules are created based on this field.
Note that you can also leverage the Nginx ingress controller to limit which IPs can connect, however, this still allows all traffic to reach the node.
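Both layers described in the answer above, as an added example (not from the original answer): the chart value that sets `spec.loadBalancerSourceRanges` on the controller Service, and the per-Ingress source filter. The CIDRs are documentation ranges used as placeholders, and the Ingress and Service names are hypothetical.

```yaml
# values.yaml for the ingress-nginx Helm chart -- added example.
# The cloud firewall rule is generated from this list, so traffic from other
# sources is dropped before it reaches the nodes.
controller:
  service:
    loadBalancerSourceRanges:
      - 203.0.113.0/24           # placeholder: office / VPN egress range
      - 198.51.100.17/32         # placeholder: single admin address
    # Preserve the client source IP so the annotation below can match it;
    # with the default "Cluster" policy the controller may see a node
    # address instead of the client.
    externalTrafficPolicy: Local
---
# Per-Ingress filter enforced by nginx itself. Traffic still reaches the
# node and the controller, which then answers 403 for other sources.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: admin-ui                 # hypothetical
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "198.51.100.17/32"
spec:
  ingressClassName: nginx        # assumption: IngressClass is named "nginx"
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: admin-ui   # hypothetical Service
                port:
                  number: 80
```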

Create an Ingress resource in Minikube

I'm new to Ingress (k8s) and studying via documentation. Here is the official documentation - Ingress Minikube. Under Create an ingress resource, I've already done steps 1-3 with no problem but I can't seem to do what step 4 asks. I have located the file inside the ingress-nginx-controller pod: /etc/hosts; but I can't seem to have any idea on how to edit it. I can't install vim-tiny or any other editing tools due to permission being denied. Sudo does not work. I just want to edit the /etc/hosts file.
This particular step (#4) should be done at your localhost, not inside the ingress-controller pod. It's just for mapping of hostname to IP addresses, so that you can verify if you can reach your application from outside, exposed by the Ingress resource.
That is the IP address, or the step is to set up a DNS A record which exposes your application to the network outside the kubernetes cluster.
ingress > service > POD