Forwarding to external resource using an Ingress controller - gcloud

I have been using the GCLB Ingress Controller to forward outside traffic to my in-cluster services, and this has been working great so far.
But is there a way that, based on a route/path match, traffic could be forwarded to a resource outside of the cluster? From the documentation, I can't seem to find anything and I don't think it can be achieved using the GCLB Ingress Controller; but I haven't yet tried the NGINX Ingress Controller.
Is this a behavior that can be achieved using any of these 2 controllers? I would prefer using the native gcloud one, the GCLB but the other one works too.

Hope this can help you: Kubernetes external service

Related

Don't understand service account for ingress

I am learning ingress and ingress controller. So I understand that I have to do the following tasks-
ingress controller deployment
create service account
ingress controller service nodeport expose
create ingress resources to attach services.
Now my question is: why do we need a service account? And what role should I attach to that service account, and how do I use that service account?
What you are asking is very generic and may change a lot depending on what your setup is (microk8s, minikube, bare-metal and so on); there are a lot of considerations to make.
The Nginx Ingress Controller installation guide for example can help you see how much things change between different environments.
It is also a good idea to simply use the installation resources provided in such guides instead of creating your own resources, simply because the guide is more complete and basically ready to use.
With this said, the reason for the ServiceAccount is that the Ingress Controller Pod needs to be able to access Kubernetes API. Specifically, it needs to watch for resources such as Ingress (obviously), Services, Pods, Endpoints and more.
Imagine that the user (you) creates (or updates, or deletes) an Ingress resource: the Ingress Controller needs to notice, parse it, understand what is declared and configure itself to serve the required Services at the configured domains and so on. Similarly, if something changes in the cluster, it may change how the controller needs to serve things.
For example, if you take a look at the Bare-Metal raw YAML definitions of the Nginx Ingress Controller and search for Role you will notice what it needs and also how it is attached to the other resources.
Lastly, serving the Ingress Controller from a NodePort service may not be the most resilient way to do it, it's okay for tests and such, but usually what you want is to have the Ingress Controller Pod to be served at a Load Balanced IP address, so that it is resilient to a single node of your cluster going down.
The Nginx Controller Bare-Metal considerations explains it very well.
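
The kind of identity and role the answer above describes, as an added example for a hypothetical controller (not the Nginx Ingress Controller's own manifest, which remains the reference for what that controller is granted). The names demo-ingress-controller and ingress-demo are assumptions.

```yaml
# Added example: identity for a hypothetical ingress controller Pod.
# The controller Deployment uses it via spec.template.spec.serviceAccountName.
apiVersion: v1
kind: ServiceAccount
metadata: {name: demo-ingress-controller, namespace: ingress-demo}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: demo-ingress-controller}
rules:
  # Read-only watch on the objects that get translated into proxy configuration.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
  # TLS certificates live in Secrets. Cluster-wide read on Secrets is the most
  # sensitive grant here; review it first when auditing a controller's role.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # The only writes: publish the serving address on Ingress status, emit Events.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: demo-ingress-controller}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: demo-ingress-controller
subjects:
  - kind: ServiceAccount
    name: demo-ingress-controller
    namespace: ingress-demo
```

Where the controller can be limited to a single namespace, a namespaced Role and RoleBinding for the Secrets rule narrows what a compromised controller Pod could read.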

Kubernetes load balancer same IP address different ports

I have 3 different services and their service type is LoadBalancer. Each one has a different external IP. However, I want to use one IP address for all of them, but with different ports, as the external IP. Is it possible?
The only way you can have the same IP across different services that I am aware of, is to use an Ingress. But depending on the controller implementation, you may only be able to use ports 80/443.
You can implement it using ingress.
Let your applications be deployed using the Deployment type workload
Expose your deployments using services
Install an ingress controller (you can use the nginx ingress controller)
Create your ingress resource to route your request based on a particular context to a particular service.
Here is the reference from the kubernetes documentation which clearly elaborates on it - https://kubernetes.io/docs/concepts/services-networking/ingress/#simple-fanout

How expose multiple services on the same port in kubernetes using OpenStack

I have a Kubernetes cluster on a private cloud based on the OpenStack. My service is required to be exposed on a specific port. I am able to do this using NodePort. However, if I try to create another service similar to the first one, I am not able to expose it since I have to use the same port and it is already occupied by the first one.
I've noticed that I can use LoadBalancer in public clouds for this, but I assume this is not possible in OpenStack?
I also tried to use the Ingress Controller of Kubernetes but it did not work. However, I am not sure if I went about it the correct way.
Is there any other way than LoadBalancer or Ingress to do this? (My first assumption was that if I dedicate my pods to specific nodes, then I should be able to expose each of the services on the same port on different nodes, but this approach also did not work.)
Please let me know if you have any thoughts on this.
You have to set up the OpenStack Cloud Provider: basically, this Deployment will watch for LoadBalancer Service and will provide an {internal,external} IP address you can use to interact with your application, even at L4 and not only (sic) L7 like many Ingress Controller resources.
If you want to only expose one port then the only answer to the best of my knowledge is an ingress-controller. The two most famous ones are Nginx and Traefik. I agree that setting up ingress-controller can be difficult and I had problems with them before but you have to solve them one by one.
Another thing you can do is you can build your own ingress controller. What I mean is to use a reverse proxy such as Nginx, configure it to reroute the traffic based on your topology then just expose this reverse proxy so all the traffic goes through this custom reverse proxy but this should be done just if you need something very customized.

How to make an Ingress Controller send traffic to outside IP?

Is it possible to make an Ingress Controller, or anything else (preferably something already done, not needing to code a service per se), send traffic to an external IP?
Why: I have an application which will interact with my k8s cluster from the outside, I already know that I can use an Ingress Controller to make its connection to the cluster, but what if the other applications need to reach this external application? Is there a way to do this?
It depends on the controller, but most will work with an ExternalName type Service to proxy to an arbitrary IP even if that's outside the cluster.
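
Path-based routing to a backend outside the cluster, which this question and the first question on the page both ask about, as an added example that is not part of the original answers. An ExternalName Service holds a DNS name; for a bare IP, the equivalent is a Service without a selector plus a hand-written EndpointSlice. All names, hosts, the address and ingressClassName: nginx are assumptions.

```yaml
# Added example: every name, host and address below is a placeholder
# (192.0.2.10 is from the documentation range); ingressClassName is assumed.
# Variant A: the external backend is known by DNS name.
apiVersion: v1
kind: Service
metadata: {name: legacy-by-name, namespace: demo}
spec:
  type: ExternalName
  externalName: legacy.example.com
---
# Variant B: the external backend is known by IP. The Service has no selector,
# so Kubernetes does not populate its endpoints; they are listed by hand.
apiVersion: v1
kind: Service
metadata: {name: legacy-by-ip, namespace: demo}
spec:
  ports:
    - {name: http, port: 80, targetPort: 8080}
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
  name: legacy-by-ip-1
  namespace: demo
  labels:
    kubernetes.io/service-name: legacy-by-ip   # ties the slice to the Service
addressType: IPv4
ports:
  - {name: http, port: 8080, protocol: TCP}    # name must match the Service port
endpoints:
  - addresses: ["192.0.2.10"]
---
# Path-based route: /legacy goes to the external backend via the Service above.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: {name: legacy-route, namespace: demo}
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /legacy
            pathType: Prefix
            backend:
              service:
                name: legacy-by-ip
                port: {number: 80}
```

On a shared controller, either variant lets whoever can create Services and Ingresses in a namespace choose where the proxy connects, so limit those RBAC verbs accordingly; ingress-nginx can also refuse ExternalName backends with its --disable-svc-external-name flag.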

In Kubernetes, how do I implement session affinity using an Ingress?

I'd like to implement a sticky-session Ingress controller. Cookies or IP hashing would both be fine; I'm happy as long as the same client is generally routed to the same pod.
What I'm stuck on: it seems like the Kubernetes service model means my connections are going to be proxied randomly no matter what. I can configure my Ingress controller with session affinity, but as soon as the connection gets past that and hits a service, kube-proxy is just going to route me randomly. There's the sessionAffinity: ClientIP flag on services, but that doesn't help me -- the Client IP will always be the internal IP of the Ingress pod.
Am I missing something? Is this possible given Kubernetes' current architecture?
An ingress controller can completely bypass kube-proxy. The haproxy controller for example, does this and goes straight to endpoints. However it doesn't use the Ingress in the typical sense.
You could do the same with the nginx controller; all you need is to look up endpoints and insert them instead of the DNS name it currently uses (i.e. swap this line for a pointer to an upstream that contains the endpoints).
I evaluated the haproxy controller but could not get it running reliably with session affinity. After some research I discovered the Nginx Ingress Controller, which since version 0.61 also includes the nginx-sticky-module-ng module and has now been running reliably for a couple of days in our test environment. I created a Gist that sets up the required Kubernetes pieces since some important configuration is a bit hard to locate in the existing documentation. Good luck!