I'm trying to set up an ingress controller in Kubernetes that will give me strict alternation between two (or more) pods running in the same service.
My testing setup is a single Kubernetes node, with a deployment of two nginx pods.
The deployment is then exposed with a NodePort service.
I've then deployed an ingress contoller (I've tried both Kubernetes Nginx Ingress Controller and Nginx Kubernetes Ingress Controller, separately) and created an ingress rule for the NodePort service.
I edited index.html on each of the nginx pods, so that one shows "SERVER A" and the other "SERVER B", and ran a script that then curls the NodePort service 100 times. It greps "SERVER x" each time, appends it to an output file, and then tallies the number of each at the end.
As expected, curling the NodePort service itself (which uses kube-proxy), I got completely random results-- anything from 50:50 to 80:20 splits between the pods.
Curling the ingress controller, I consistently get something between 50:50 and 49:51 splits, which is great-- the default round-robin distribution is working well.
However, looking at the results, I can see that I've curled the same server up to 4 times in a row, but I need to enforce a strict alternation A-B-A-B. I've spent quite a researching this and trying out different options, but I can't find a setting that will do this. Does anyone have any advice, please?
I'd prefer to stick with one of the ingress controllers I've tried, but I'm open to trying a different one, if it will do what I need.

Nginx default behaviour is like strict round-robin only. You can use it to perform most tests on Nginx ingress with different config tweaks if required.
There is also other options like you can use the Istio service mesh.
You can Load balance the traffic as you required by changing the config only
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
name: bookinfo-ratings
host: ratings.prod.svc.cluster.local
simple: LEAST_CONN
- name: testversion
version: v3
Read more at : https://istio.io/latest/docs/reference/config/networking/destination-rule/
& https://istio.io/latest/docs/reference/config/networking/destination-rule/#LoadBalancerSettings
however, i would suggest going with service mesh only when there is a large cluster implementing for 2-3 services better use the Nginx ingress or haproxy-ingress also good option.


Route annotations from yml file was not working in openshift

We are using openshift for the deployment where we have 3 pods running with same service
To achieve load balancing we are trying to create a annotations in the route.
Adding annotations in Route from console it is working fine
But the same is not working if I configured from yml file.
Is anyone facing the same issue or any available fix for this
apiVersion: v1
kind: Route
haproxy.router.openshift.io/balance : roundrobin
haproxy.router.openshift.io/disable_cookies: true
name: frontend
host: www.example.com
path: "/test"
kind: Service
name: frontend
This annotation doesnt work like this. This is used when route is distributing traffic among many services not just one as in your case.
Service in OpenShift or Kubernetes is nothing but a kube-proxy which works at TCP L4 level and provides default round robin load balancing to backend pods.

Within a k8s cluster Should I always call the Ingress Rule Or Node Port Service Name?

I have a number of restful services within our system
Some are our within the kubernetes cluster
Others are on legacy infrasture and are hosted on VM's
Many of our restful services make synchronous calls to each other (so not asynchronously using message queues)
We also have a number of UI's (fat clients or web apps) that make use of these services
We might define a simple k8s manifest file like this
apiVersion: v1
kind: Pod
name: "orderManager"
- name: "orderManager"
image: "gitlab-prem.com:5050/image-repo/orderManager:orderManager_1.10.22"
apiVersion: v1
kind: Service
name: "orderManager-service"
type: NodePort
app: "orderManager"
- protocol: TCP
port: 50588
targetPort: 50588
apiVersion: networking.k8s.io/v1
kind: Ingress
name: orderManager-ingress
nginx.ingress.kubernetes.io/rewrite-target: /
- http:
- path: /orders
pathType: Prefix
name: "orderManager-service"
number: 50588
I am really not sure what the best way for restful services on the cluster to talk to each other.
It seems like there is only one good route for callers outside the cluster which is use the url built by the ingress rule
Two options within the cluster
This might illustrate it further with an example
Example Url
On Cluster
The UI would use the cluster ip and the ingress rule to reach the order manager
Service off cluster
On Cluster
Just like the UI
On Cluster
On Cluster
Could use ingress rule like the above approach
On Cluster
On Cluster
Could use the service name and port directly
I write cluster ip a few times above but in real life we put something top so there is a friendly name like http://mycluster/orders
So when caller and reciever are both on cluster is it either
Use the ingress rule which is also used by services and apps outside the cluster
Use the nodeport service name which is used in the ingress rule
Or perhaps something else!
One benefit of using nodeport service name is that you do not have to change your base URL.
The ingress rule appends an extra elements to the route (in the above case orders)
When I move a restful service from legacy to k8s cluster it will increase the complexity
It depends on whether you want requests to be routed through your ingress controller or not.
Requests sent to the full URL configured in your Ingress resource will be processed by your ingress controller. The controller itself โ€” NGINX in this case โ€” will proxy the request to the Service. The request will then be routed to a Pod.
Sending the request directly to the Serviceโ€™s URL simply skips your ingress controller. The request is directly routed to a Pod.
The trade offs between the two options depend on your setup.
Sending requests through your ingress controller will increase request latency and resource consumption. If your ingress controller does nothing other than route requests, I would recommend sending requests directly to the Service.
However, if you use your ingress controller for other purposes, like authentication, monitoring, logging, or tracing, then you may prefer that the controller process internal requests.
For example, on some of my clusters I use the NGINX ingress controller to measure request latency and track HTTP response statuses. I route requests between apps running in the same cluster through the ingress controller in order to have that information available. I pay the cost of increased latency and resource usage in order to have improved observability.
Whether the trade offs are worth it in your case depends on you. If your ingress controller does nothing more that basic routing, then my recommendation is to skip it entirely. If it does more, then you need to weigh the pros and cons of routing requests through it.

Can Ingress Controllers use Selector based rules?

I have deployed a statefulset in AKS - My goal is to load balance traffic to my statefulset.
From my understanding I can define a LoadBalancer Service that can route traffic based on Selectors, something like this.
apiVersion: v1
kind: Service
name: nginx
app: nginx
type: LoadBalancer
- port: 80
name: web
app: nginx
However I don't want to necessarily go down the LoadBalance route and I would prefer Ingress doing this work for me, My question is can any of the ingress controller support routing rules which can do Path based routing to endpoints based on selectors? Instead of routing to another service.
To elaborate more on the scenario - Each pod in my statefulset is a stateless node doing data processing of a HTTP feed. I want my ingress service to be able to load balance traffic across these statefulset pods ( honoring keep-alives etc), however given the nature of statefulsets in k8s they are currently exposed through a headless service. I am not sure if a headless service can load balance traffic to my statefulsets?
Update 2
Quick search reveals headless service does not loadbalance
Sometimes you don't need load-balancing and a single Service IP. In this case, you can create what are termed "headless" Services, by explicitly specifying "None" for the cluster IP (.spec.clusterIP).
As much i know it's not possible to do the selector-based routing with ingress.
selector based routing is mostly used during a Blue-green deployment or canary deployment you can only achieve this by using the service mesh. You can use any of the service mesh like istio or APP mesh and you can do the selector base routing.
I have deployed a statefulset in AKS - My goal is to load balance
traffic to my statefulset.
if your goal is to just load balance traffic you can use the ingress controller maybe still not sure about scenrio you are trying to explain.
By default kubernetes service also Load balance the traffic across the PODs.
Flow will be something like DNS > ingress > ingress controller > Kubernetes service (Load balancing here) > any of statefulset
+1 to Harsh Manvar's answer but let me add also my 3 cents.
My question is can any of the ingress controller support routing rules
which can do Path based routing to endpoints based on selectors?
Instead of routing to another service.
To the best of my knowledge, the answer to your question is no, it can't as it doesn't even depend on a particular ingress controller implementation. Note that various ingress controllers, no matter how different they may be when it comes to implementation, must conform to the general specification of the ingress resource, described in the official kubernetes documentation. You don't have different kinds of ingresses, depending on what controller is used.
Ingress and Service work on a different layer of abstraction. While Service exposes a set of pods using a selector e.g.:
apiVersion: v1
kind: Service
name: my-service
app: MyApp ๐Ÿ‘ˆ
path-based routing performed by Ingress is always done between Services:
apiVersion: networking.k8s.io/v1
kind: Ingress
name: minimal-ingress
nginx.ingress.kubernetes.io/rewrite-target: /
- http:
- path: /testpath
pathType: Prefix
name: test ๐Ÿ‘ˆ
number: 80
I am not sure if a headless service can load balance traffic to my statefulsets?
The first answer is "no". Why?
k8s Service is implemented by the kube-proxy. Kube-proxy itself can work in two modes:
iptables (also known as netfilter)
ipvs (also known as LVS/Linux Virtual Server)
load balancing in case of iptables mode is a NAT iptables rule: from ClusterIP address to the list of Endpoints
load balancing in case of ipvs mode is a VIP (LVS Virtual IP) with the Endpoints as upstreams
So, when you create k8s Service with clusterIP set to None you are exactly saying:
"I need this service WITHOUT load balancing"
Setting up the clusterIP to None causes kube-proxy NOT TO CREATE NAT rule in iptables mode, VIP in ipvs mode. There will be nothing for traffic load balancing across the pods selected by this particular Service selector
The second answer is "it could be". Why?
You are free to create headless Service with desired pods selector. DNS query to this Service will return the list of DNS A records for selected pods. Then you can use this data to implement load balancing YOUR way

Ingress expose the service with the type clusterIP

Is it possible to expose the service by ingress with the type of ClusterIP?
apiVersion: v1
kind: Service
name: my-service
app: my-service
- name: my-service-port
port: 4001
targetPort: 4001
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
name: app-ingress
nginx.ingress.kubernetes.io/rewrite-target: /
- host: my.example.com
- path: /my-service
serviceName: my-service
servicePort: 4001
I know the service can be exposed with the type of NodePort, but it may cost one more NAT connection, if someone could show me what's the fastest way to detect internal service from the world of internet in the cloud.
No, clusterIP is only reachable from within the cluster. An Ingress is essentially just a set of layer 7 forwarding rules, it does not handle the layer 4 requirements of exposing the internals of your cluster to the outside world. At least 1 NAT step is required.
For Ingress to work, though, you need to have at least one service involved that exposes your workload externally, so nodePort or loadBalancer. Your ingress controller and the infrastructure of your cluster will determine which of the two services you will need to use.
In the case of Nginx ingress, you need to have a single LoadBalancer service which the ingress will use to bridge traffic from outside the cluster to inside it. After that, you can use clusterIP services for each of your workloads.
In your above example, as long as the nginx ingress controller is correctly configured (with a loadbalancer), then the config you are using should work fine.
In short : YES
Now to the elaborate answer...
First thing first, let's have a look at what the official documentation says :
Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.
An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer...
What's confusing here is the term Load balancer. In the definition above, we are talking about the classic and well known in the web load balancer.
This one has nothing to do with kubernetes !
So back to the definition, to use an Ingress and make it work, we need a kubernetes resource called IngressController. And this resource happen to be a load balancer ! That's it.
However, you have to keep in mind that there is a difference between a load balancer in the outside world and a kubernetes service of type type:LoadBalancer.
So in summary (and in order to redirect the traffic from the outside world to your k8s clusterIp service) :
Do you need a Load balancer to make your kind:Ingress works ? Yes, this is the kind:IngressController kubernetes resource.
Do you need a kubernetes service type:LoadBalancer or type:NodePort to make your kind:Ingress works ? Definitely no ! A service type:ClusterIP works just fine !

Kubernetes architecture

Is it possible to simplify this chain that runs on bare metal:
StatefulSet with replicas count that will change over the time
Nginx-ingress with proxy-next-upstream: "error http_502 timeout invalid_header non_idempotent"
Pod with Nginx for caching and many other things that ingress can't do
Service type: LoadBalancer
Is it possible to simplify this stack?
Yes if you turn nginx into sidecar (deploy in every pod) + remove ingress. Cache is not shared in this case:
StatefulSet with replicas count that will change over the time
Sidecar (means in every replica) with nginx for caching and many other things that ingress can't do, including the ingress settings you used. Proxy pass to localhost in this case.
Service: LoadBalancer
Or if you need a common cache - just throw away the ingress:
ServiceA (pointing to StatefulSet): ClusterIP
nginx with caching and hacks. Proxy pass to ServiceA.namespace.svc.cluster.local
ServiceB (pointing to nginx deployment): LoadBalancer