Slide 1

Kubernetes Ingress: What, How & Caveats

Slide 2

Who am I?
Vincent De Smet (vincentdesmet / so0k)
I LIKE KUBERNETES

Slide 3

What is ingress?
- Revisit Kubernetes service

  Service:
    clusterIP: 10.100.x.y
    selector:
      app: my-app
      version: 1.0

Slide 4

What is ingress?
- Revisit Kubernetes service

  Service:
    nodePort: 3200Z
    selector:
      app: my-app
      version: 1.0

  (Diagram: cluster IP 10.100.x.y; every node exposes port 3200Z.)

Slide 5

What is ingress?
- Revisit Kubernetes service

  Service:
    loadBalancer
    selector:
      app: my-app
      version: 1.0

  (Diagram: lb.cloud.com:80 in front of the nodes, each exposing 3200Z; cluster IP 10.100.x.y.)

Slide 6

What is ingress?
- Revisit Kubernetes service

  Service:
    loadBalancer
    selector:
      app: my-app
      version: 1.0

  (Diagram: DNS foo.com -> lb.cloud.com:80 -> nodes on 3200Z -> cluster IP 10.100.x.y.)

Slide 7

What is ingress?
- Revisit Kubernetes service

  Service:
    loadBalancer
    selector:
      app: my-app
      version: 1.0

  (Diagram: DNS foo.com -> lb.cloud.com:80 -> nodes on 3200Z -> cluster IP 10.100.x.y;
   DNS bar.com -> a second lb.cloud.com:80 -> nodes on 3200C -> cluster IP 10.100.a.b.)

Slide 8

What is Ingress?
- Services of type LoadBalancer
  - Reduced failure domain per service
  - Cost
- Ingress (added in Kubernetes 1.1)
  "A way to route requests to services based on the request host or path, centralizing a number of services into a single entrypoint." - Jay Gorrel

Slide 9

Web 101 - Simple times

(Diagram: DNS foo.com -> foo on port 80; DNS bar.com -> bar on port 80.)

Slide 10

Web 201 - Containers

(Diagram: DNS foo.com and bar.com, arrows ending in "??" at the foo and bar containers.)

Slide 11

Reverse Proxies
- Containers
- Reverse Proxy
  - nginx
  - haproxy
  - ...

(Diagram: DNS foo.com and bar.com -> nginx on port 80 -> vhost: foo, vhost: bar.)

Slide 12

Reverse Proxies with Kubernetes
- Static Configuration?

(Diagram: DNS foo.com and bar.com -> nginx on port 80 -> vhost: foo, vhost: bar, vhost: baz, vhost: qux, vhost: ...)

Slide 13

Reverse Proxies with Kubernetes
- Dynamic configuration <- INGRESS CONTROLLERS

  Kubernetes Ingress:
    rules:
    - host: foo.com
      http:
        paths:
        - path: /
          backend:
            serviceName: foo
            servicePort: 80
    - host: bar.com
      http:
        paths:
        - path: /
          backend:
            serviceName: bar
            servicePort: 80

(Diagram: DNS foo.com and bar.com -> nginx-ingress-controller on port 80 -> vhost: foo, vhost: bar, vhost: baz, vhost: qux, vhost: ...)

Slide 14

Reverse Proxies with Kubernetes
- Dynamic configuration <- INGRESS CONTROLLERS

  ingress:
    rules:
    - host: foo.com
      http:
        paths:
        - path: /
          backend:
            serviceName: foo
            servicePort: 80

  ingress:
    rules:
    - host: bar.com
      http:
        paths:
        - path: /
          backend:
            serviceName: bar
            servicePort: 80

(Diagram: DNS foo.com and bar.com -> nginx-ingress-controller on port 80 -> vhost: foo, vhost: bar, vhost: baz, vhost: qux, vhost: ...)

Slide 15

Reverse Proxies with Kubernetes
- Dynamic configuration <- INGRESS CONTROLLERS

  ingress:
    rules:
    - host: foo.com
      http:
        paths:
        - path: /
          backend:
            serviceName: foo
            servicePort: 80

  ingress:
    rules:
    - host: bar.com
      http:
        paths:
        - path: /
          backend:
            serviceName: bar
            servicePort: 80

(Diagram: DNS foo.com and bar.com -> haproxy-ingress-controller on port 80 -> vhost: foo, vhost: bar, vhost: baz, vhost: qux, vhost: ...)

Slide 16

Ingress controllers ...

  ingress:
    rules:
    - host: bar.com
      http:
        paths:
        - path: /
          backend:
            serviceName: bar
            servicePort: 80

(Diagram: the Ingress is watched by a proxy-controller.)

Slide 17

Ingress controllers ...

  ingress:
    rules:
    - host: bar.com
      http:
        paths:
        - path: /
          backend:
            serviceName: bar
            servicePort: 80

(Diagram: the same Ingress is watched by a proxy-controller and a dns-controller, which creates the DNS record for bar.com.)

Slide 18

Ingress controllers ...

  ingress:
    rules:
    - host: bar.com
      http:
        paths:
        - path: /
          backend:
            serviceName: bar
            servicePort: 80

(Diagram: proxy-controller, dns-controller (DNS bar.com) and cert-controller all watch the same Ingress.)

Slide 19

Ingress controllers ...

  ingress:
    rules:
    - host: bar.com
      http:
        paths:
        - path: /
          backend:
            serviceName: bar
            servicePort: 80

(Diagram: proxy-controller, dns-controller (DNS bar.com), cert-controller and lb-controller all watch the same Ingress.)

Slide 20

Ingress controllers ...

  ingress:
    rules:
    - host: bar.com
      http:
        paths:
        - path: /
          backend:
            serviceName: bar
            servicePort: 80

(Diagram, with implementations named: proxy-controller = heptio/contour; dns-controller = external-dns (DNS bar.com); cert-controller = jetstack/cert-manager; lb-controller = kube-ingress-aws-controller.)

Slide 21

Tips & Caveats
- Run multiple ingress controllers
  - ingress.class
- Ingress status
- Failure domains
  - Reverse proxy config
  - Failed Let's Encrypt requests
- Annotation overload
- Cloud Native proxies
  - SIGHUP
  - Observability

Slide 22

Tips & Caveats
- Run multiple ingress controllers
  - ingress.class

  Ingress:
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx
    spec:
      rules:
      - host: bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: bar
              servicePort: 80

  Ingress:
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: contour
    spec:
      rules:
      - host: bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: bar
              servicePort: 80

Slide 23

Tips & Caveats
- Run multiple ingress controllers
  - ingress.class
  - custom annotations

  Ingress:
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: contour-int
        zalando.org/aws-load-balancer-scheme: internal
    spec:
      rules:
      - host: bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: bar
              servicePort: 80

  Ingress:
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: contour-ext
    spec:
      rules:
      - host: bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: bar
              servicePort: 80
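The mechanics behind slides 13-16 and 22-23 (an ingress controller turning Ingress rules into a vhost/path routing table, and ingress.class deciding which controller owns which object), as an added example that is not code from the talk or from nginx-ingress, contour or haproxy-ingress. Assumed here: one controller owns one class name, Ingresses without the annotation go to the controller marked as default, and paths match as prefixes.

```python
# Added example, not code from the talk or from any ingress controller: a model
# of what an ingress controller does with the Ingress objects on slides 13-16
# and 22-23. Assumed here: one controller owns one class name, unannotated
# Ingresses go to the controller marked as default, and paths are prefixes.
CLASS_ANNOTATION = "kubernetes.io/ingress.class"

def owned_by(ing, my_class, is_default=False):
    """Should a controller for `my_class` act on this Ingress?"""
    cls = ing["metadata"].get("annotations", {}).get(CLASS_ANNOTATION)
    return is_default if cls is None else cls == my_class

def build_routes(ingresses, my_class, is_default=False):
    """Flatten owned Ingress rules into {host: [(path_prefix, (service, port))]}."""
    routes = {}
    for ing in ingresses:
        if not owned_by(ing, my_class, is_default):
            continue            # belongs to another controller: ignore it
        for rule in ing["spec"]["rules"]:
            for p in rule["http"]["paths"]:
                be = (p["backend"]["serviceName"], p["backend"]["servicePort"])
                routes.setdefault(rule["host"], []).append((p["path"], be))
    for entries in routes.values():   # longest prefix first, so first match wins
        entries.sort(key=lambda e: len(e[0]), reverse=True)
    return routes

def resolve(routes, host, path):
    """Backend for a request, or None (the proxy would answer 404)."""
    for prefix, backend in routes.get(host, []):
        if path.startswith(prefix):
            return backend
    return None

def make_ingress(host, cls, paths):
    """Constructed Ingress shaped like the slides' YAML; cls=None means no annotation."""
    return {"kind": "Ingress",
            "metadata": {"annotations": {CLASS_ANNOTATION: cls} if cls else {}},
            "spec": {"rules": [{"host": host, "http": {"paths": [
                {"path": p, "backend": {"serviceName": s, "servicePort": port}}
                for p, s, port in paths]}}]}}

# Constructed sample: nginx (default) and contour share one cluster.
SAMPLE = [
    make_ingress("foo.com", "nginx", [("/", "foo", 80)]),
    make_ingress("bar.com", "contour", [("/", "bar", 80), ("/api", "bar-api", 8080)]),
    make_ingress("baz.com", None, [("/", "baz", 80)]),   # nobody set a class
]
NGINX_ROUTES = build_routes(SAMPLE, "nginx", is_default=True)
CONTOUR_ROUTES = build_routes(SAMPLE, "contour")
```

The unannotated baz.com object is the case to watch when running several controllers: whichever controller treats itself as default will serve it, so the class annotation is worth making mandatory in review.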

Slide 24

Tips & Caveats
- Ingress status

  Ingress:
    kind: Ingress
    metadata:
      annotations:
        ...
    spec:
      rules:
      - host: bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: bar
              servicePort: 80
    status:
      loadBalancer: { … }

(Diagram: the DNS record for bar.com is derived from the Ingress status.)

Slide 25

Tips & Caveats
- Ingress status

  Ingress:
    kind: Ingress
    metadata:
      annotations:
        external-dns.alpha.kubernetes.io/target: lb.cloud.com
    spec:
      rules:
      - host: bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: bar
              servicePort: 80
    status:
      loadBalancer: { }

(Diagram: status.loadBalancer is empty, so the DNS record for bar.com comes from the target annotation.)

Slide 26

Tips & Caveats
- External DNS: Custom filter

  Ingress:
    kind: Ingress
    metadata:
      annotations:
        external-dns.swatmobile.io/enable: "true"
    spec:
      rules:
      - host: bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: bar
              servicePort: 80
    status:
      loadBalancer: { … }
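How a DNS controller turns the Ingress objects of slides 24-26 into records, as an added example that is not code from external-dns or from the talk. Modelled here (check the behaviour of your own external-dns version): an opt-in annotation filter like the talk's external-dns.swatmobile.io/enable, the target annotation taking precedence over status.loadBalancer, and an Ingress with neither a target nor a populated status producing no record, which is the silent failure slide 25 works around.

```python
# Added example, not code from external-dns or from the talk: a model of how a
# DNS controller derives records from the Ingress objects on slides 24-26.
# Assumed here (my modelling, check your external-dns version): an opt-in
# annotation filter, the target annotation overriding status, and ingresses
# with neither a target nor a status producing no record at all.
TARGET = "external-dns.alpha.kubernetes.io/target"
FILTER = ("external-dns.swatmobile.io/enable", "true")   # the talk's custom filter

def lb_targets(ing):
    """Addresses the ingress controller wrote into status.loadBalancer.ingress."""
    entries = ing.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    return [e.get("hostname") or e.get("ip") for e in entries if e.get("hostname") or e.get("ip")]

def dns_records(ingresses, annotation_filter=FILTER):
    """Return ({host: [target, ...]} for ingresses passing the filter,
    [hosts skipped because no target could be found])."""
    records, skipped = {}, []
    for ing in ingresses:
        ann = ing["metadata"].get("annotations", {})
        if annotation_filter and ann.get(annotation_filter[0]) != annotation_filter[1]:
            continue                                   # not opted in
        targets = [ann[TARGET]] if TARGET in ann else lb_targets(ing)
        for rule in ing["spec"]["rules"]:
            if targets:
                records[rule["host"]] = targets
            else:
                skipped.append(rule["host"])          # slide 25's empty-status case

    return records, skipped

def make_ingress(host, annotations, status_hosts=()):
    """Constructed Ingress in the slides' shape with an optional LB status."""
    return {"kind": "Ingress",
            "metadata": {"annotations": dict(annotations)},
            "spec": {"rules": [{"host": host, "http": {"paths": [
                {"path": "/", "backend": {"serviceName": host.split(".")[0], "servicePort": 80}}]}}]},
            "status": {"loadBalancer": {"ingress": [{"hostname": h} for h in status_hosts]}}}

# Constructed sample set.
SAMPLE = [
    make_ingress("foo.com", {FILTER[0]: "true"}, ["lb.cloud.com"]),        # status filled by lb-controller
    make_ingress("bar.com", {FILTER[0]: "true", TARGET: "lb.cloud.com"}),  # empty status, target annotation
    make_ingress("baz.com", {FILTER[0]: "true"}),                          # empty status, no target
    make_ingress("qux.com", {}, ["lb.cloud.com"]),                         # not opted in
]
RECORDS, SKIPPED = dns_records(SAMPLE)
```

The skipped list is the thing to alert on: a host that never gets a record is indistinguishable from "not yet" unless the controller reports it.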

Slide 27

Tips & Caveats
- Failure domain
  - Reverse proxy config

  Ingress:
    kind: Ingress
    metadata:
      annotations:
        external-dns.swatmobile.io/enable: "true"
    spec:
      rules:
      - host: bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: bar
              servicePort: 80
    status:
      loadBalancer: { … }

Slide 28

Tips & Caveats
- Failure domain
  - Reverse proxy config
  - Watch out: Failed Let's Encrypt requests

  Ingress:
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/tls-acme: "true"
    spec:
      rules:
      - host: bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: bar
              servicePort: 80
      tls:
      - secretName: bar-com-tls
        hosts:
        - bar.com
    status:
      loadBalancer: { … }

Slide 29

Tips & Caveats
- Plan for failed Let's Encrypt requests:
  - Run multiple ingress to reduce the failure domain
  - Decouple the cert request from the ingress

  Ingress:
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/tls-acme: "true"
    spec:
      rules:
      - host: bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: bar
              servicePort: 80
      tls:
      - secretName: bar-com-tls
        hosts:
        - bar.com
    status:
      loadBalancer: { … }

Slide 30

Tips & Caveats
- Annotation overload
  - https://github.com/heptio/contour/blob/master/docs/ingressroute.md
  - Ambassador
  - Istio
  - ...
- Balance CRD vs Annotation: Ingress annotations are more mature (for now)

Slide 31

Tips & Caveats
- Cloud Native proxies
  - SIGHUP
  - Observability

Slide 32

Kops - Edge Nodes
Why?
- Compliance requirements (WAF)
How?
- Dedicated nodePool / instanceGroup
- AWS LB limited to edge nodes

Slide 33

Kops - Edge Nodes
Dedicated nodePool / instanceGroup:

Slide 34

Kops - Edge Nodes
AWS LB limited to edge nodes:
Problem:
- Kubernetes service type LoadBalancer (targets all worker nodes)
Solution:
- https://github.com/zalando-incubator/kube-ingress-aws-controller (CUSTOM_FILTERS)

Slide 35

Kops - Edge Nodes
AWS LB limited to edge nodes:

Slide 36

Kops - Edge Nodes
AWS LB limited to edge nodes:

Slide 37

Thank you
Questions?