
Ingress at Swatmobile


What is Kubernetes Ingress? What flavours are available? How do they make our lives easier? What are some of the caveats to watch out for? We have been experimenting with several different setups, both at Swat and at previous startup(s), mostly from a functionality and operational perspective; we share our experience and our thoughts on how we see this evolving. The talk puts less focus on performance benchmarks and covers the topic of ingress more conceptually.

March 2019 - Kubernetes Singapore meetup

vincentdesmet

March 15, 2019


Transcript

  1. What is ingress? • Revisit Kubernetes service
     Service:
       clusterIP: 10.100.x.y
       selector:
         app: my-app
         version: 1.0

  2. What is ingress? • Revisit Kubernetes service
     Service:
       nodePort: 3200Z
       selector:
         app: my-app
         version: 1.0
     (diagram: clusterIP 10.100.x.y; port 3200Z opened on each of the three nodes)
  3. What is ingress? • Revisit Kubernetes service
     Service:
       type: LoadBalancer
       selector:
         app: my-app
         version: 1.0
     (diagram: lb.cloud.com:80 → nodePort 3200Z on each of the three nodes → clusterIP 10.100.x.y)

  4. What is ingress? • Revisit Kubernetes service
     Service:
       type: LoadBalancer
       selector:
         app: my-app
         version: 1.0
     (diagram: DNS foo.com → lb.cloud.com:80 → nodePort 3200Z on each node → clusterIP 10.100.x.y)

  5. What is ingress? • Revisit Kubernetes service
     Service:
       type: LoadBalancer
       selector:
         app: my-app
         version: 1.0
     (diagram: a second service gets its own load balancer:
       DNS foo.com → lb.cloud.com:80 → nodePort 3200Z on each node → clusterIP 10.100.x.y
       DNS bar.com → lb.cloud.com:80 → nodePort 3200C on each node → clusterIP 10.100.a.b)
  6. What is Ingress?
     • Services of type LoadBalancer: one load balancer per service
       - Reduced failure domain per service
       - Cost
     • Ingress - added in kube 1.1
       "A way to route requests to services based on the request host or path, centralizing a number of services into a single entrypoint." - Jay Gorrel
  7. Reverse Proxies
     - Containers
     - Reverse Proxy
       - nginx
       - haproxy
       - ...
     (diagram: DNS foo.com, bar.com → nginx:80 → vhost: foo, vhost: bar)

  8. Reverse Proxies with Kubernetes - Static Configuration?
     (diagram: DNS foo.com, bar.com → nginx:80 → vhost: foo, vhost: bar, vhost: baz, vhost: qux, vhost: ...
      every new service means another hand-written vhost)
  9. Reverse Proxies with Kubernetes - Dynamic configuration ← INGRESS CONTROLLERS
     Kubernetes Ingress:
       ingress:
         rules:
         - host: foo.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: foo
                 servicePort: 80
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80
     (diagram: DNS foo.com, bar.com → nginx-ingress-controller:80 → nginx → vhost: foo, vhost: bar, vhost: baz, vhost: qux, vhost: ...)

  10. Reverse Proxies with Kubernetes - Dynamic configuration ← INGRESS CONTROLLERS
     The same routes as two separate Ingress objects:
       ingress:
         rules:
         - host: foo.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: foo
                 servicePort: 80

       ingress:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80
     (diagram: DNS foo.com, bar.com → nginx-ingress-controller:80 → nginx → vhost: foo, vhost: bar, vhost: baz, vhost: qux, vhost: ...)

  11. Reverse Proxies with Kubernetes - Dynamic configuration ← INGRESS CONTROLLERS
     The same two Ingress objects, served by haproxy instead:
       ingress:
         rules:
         - host: foo.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: foo
                 servicePort: 80

       ingress:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80
     (diagram: DNS foo.com, bar.com → haproxy-ingress-controller:80 → haproxy → vhost: foo, vhost: bar, vhost: baz, vhost: qux, vhost: ...)
  12. Ingress controllers ...
     ingress:
       rules:
       - host: bar.com
         http:
           paths:
           - path: /
             backend:
               serviceName: bar
               servicePort: 80
     (diagram: Ingress → proxy-controller)

  13. Ingress controllers ...
     (same Ingress for bar.com; diagram: Ingress → proxy-controller, dns-controller → DNS bar.com)

  14. Ingress controllers ...
     (same Ingress for bar.com; diagram: Ingress → proxy-controller, dns-controller → DNS bar.com, cert-controller)

  15. Ingress controllers ...
     (same Ingress for bar.com; diagram: Ingress → proxy-controller, dns-controller → DNS bar.com, cert-controller, lb-controller)

  16. Ingress controllers ...
     (same Ingress for bar.com; each controller role filled by a concrete project:
       proxy-controller → heptio/contour
       dns-controller   → external-dns → DNS bar.com
       cert-controller  → jetstack/cert-manager
       lb-controller    → kube-ingress-aws-controller)
  17. Tips & Caveats
     - Run multiple ingress controllers
       - ingress.class
       - Ingress status
     - Failure domains
       - Reverse proxy config
       - Failed Let's Encrypt requests
     - Annotation overload
     - Cloud Native proxies
       - SIGHUP
       - Observability
  18. Tips & Caveats - Run multiple ingress controllers - ingress.class
     Ingress:
       kind: Ingress
       metadata:
         annotations:
           kubernetes.io/ingress.class: nginx
       spec:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80

     Ingress:
       kind: Ingress
       metadata:
         annotations:
           kubernetes.io/ingress.class: contour
       spec:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80

  19. Tips & Caveats - Run multiple ingress controllers - ingress.class - custom annotations
     Ingress:
       kind: Ingress
       metadata:
         annotations:
           kubernetes.io/ingress.class: contour-int
           zalando.org/aws-load-balancer-scheme: internal
       spec:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80

     Ingress:
       kind: Ingress
       metadata:
         annotations:
           kubernetes.io/ingress.class: contour-ext
       spec:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80
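The "dynamic configuration" idea of slides 9-11 and the ingress.class split of slides 18-19 come down to one reconcile loop: read every Ingress object, keep the ones whose class annotation matches this controller, turn the rules into proxy config. The following is an added example written for this page, not code from the talk or from any of the controllers it names. It takes Ingress objects as plain dicts in the extensions/v1beta1 shape, builds the routing table for one class, and renders an nginx server block. It also refuses a host that a different namespace already claimed, which is the caveat a practitioner wants here: a controller that silently merges rules lets any namespace hijack another team's hostname. The sample Ingress objects, the namespaces and the cluster.local domain are constructed for the example; how an unannotated Ingress is treated is an assumption (here it is ignored; check your controller's default, since several claim unannotated objects).

```python
"""Added example: the core of an ingress controller's reconcile loop."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CLASS_ANNOTATION = "kubernetes.io/ingress.class"


@dataclass
class Backend:
    namespace: str
    service: str
    port: int

    def upstream(self) -> str:
        # Cluster-internal service DNS name; assumes the default cluster.local domain.
        return f"{self.service}.{self.namespace}.svc.cluster.local:{self.port}"


@dataclass
class RoutingTable:
    routes: Dict[str, Dict[str, Backend]] = field(default_factory=dict)  # host -> path -> backend
    owners: Dict[str, str] = field(default_factory=dict)                 # host -> owning namespace
    conflicts: List[str] = field(default_factory=list)                   # rejected host claims


def ingress_class(ing: dict) -> Optional[str]:
    return ing.get("metadata", {}).get("annotations", {}).get(CLASS_ANNOTATION)


def build_routing_table(ingresses: List[dict], my_class: str) -> RoutingTable:
    """Reconcile all Ingress objects into one routing table for controller `my_class`."""
    table = RoutingTable()
    # Oldest object wins a host; creationTimestamp is RFC3339, so string order is time order.
    ordered = sorted(ingresses, key=lambda i: i["metadata"].get("creationTimestamp", ""))
    for ing in ordered:
        if ingress_class(ing) != my_class:
            continue  # assumption: objects of another class (or no class) are not ours
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        for rule in ing.get("spec", {}).get("rules", []):
            host = rule.get("host", "*")
            owner = table.owners.setdefault(host, ns)
            if owner != ns:
                # Merging here would let any namespace take over another team's hostname.
                table.conflicts.append(f"{ns}/{name}: host {host} already owned by namespace {owner}")
                continue
            for p in rule.get("http", {}).get("paths", []):
                be = p["backend"]
                table.routes.setdefault(host, {})[p.get("path", "/")] = Backend(
                    ns, be["serviceName"], int(be["servicePort"]))
    return table


def render_nginx(table: RoutingTable) -> str:
    """Render the table as nginx config; a real controller writes this out and reloads (SIGHUP)."""
    out = []
    for host in sorted(table.routes):
        out.append(f"server {{\n    listen 80;\n    server_name {host};")
        for path, be in sorted(table.routes[host].items()):
            out.append(f"    location {path} {{ proxy_pass http://{be.upstream()}; }}")
        out.append("}")
    return "\n".join(out)


def ingress(name, ns, host, service, cls, ts, path="/", port=80) -> dict:
    """Build a constructed sample Ingress object (extensions/v1beta1 shape)."""
    return {
        "kind": "Ingress",
        "metadata": {"name": name, "namespace": ns, "creationTimestamp": ts,
                     "annotations": {CLASS_ANNOTATION: cls}},
        "spec": {"rules": [{"host": host, "http": {"paths": [
            {"path": path, "backend": {"serviceName": service, "servicePort": port}}]}}]},
    }


# Constructed sample: two tenants, two controller classes, one attempted host takeover.
SAMPLE_INGRESSES = [
    ingress("foo", "team-a", "foo.com", "foo", "nginx", "2019-03-01T10:00:00Z"),
    ingress("bar", "team-a", "bar.com", "bar", "contour", "2019-03-01T10:05:00Z"),
    ingress("steal-foo", "team-b", "foo.com", "evil", "nginx", "2019-03-10T09:00:00Z"),
]

if __name__ == "__main__":
    table = build_routing_table(SAMPLE_INGRESSES, "nginx")
    print(render_nginx(table))
    for c in table.conflicts:
        print("CONFLICT:", c)
```

Run with class "nginx" the table carries foo.com only: bar.com belongs to the contour controller, and team-b's later claim on foo.com is recorded as a conflict instead of being routed to its "evil" service. Whether your real controller behaves this way is exactly the thing to test before running two classes side by side.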
  20. Tips & Caveats - Ingress status
     Ingress:
       kind: Ingress
       metadata:
         annotations: ...
       spec:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80
       status:
         loadBalancer: { … }
     (diagram: status.loadBalancer → DNS bar.com)

  21. Tips & Caveats - Ingress status
     Ingress:
       kind: Ingress
       metadata:
         annotations:
           external-dns.alpha.kubernetes.io/target: lb.cloud.com
       spec:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80
       status:
         loadBalancer: { }
     (diagram: status is empty, the target annotation → DNS bar.com)

  22. Tips & Caveats - External DNS: Custom filter
     Ingress:
       kind: Ingress
       metadata:
         annotations:
           external-dns.swatmobile.io/enable: "true"
       spec:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80
       status:
         loadBalancer: { … }
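Slides 20-22 describe how a DNS controller picks the target for a host: normally from status.loadBalancer, which the proxy or LB controller fills in; via the external-dns.alpha.kubernetes.io/target annotation when the controller in use never writes status; and only for Ingress objects that pass a custom filter. The block below is an added example written for this page, not code from the talk or from external-dns, that walks through that decision for a set of constructed Ingress objects. The filter annotation name external-dns.swatmobile.io/enable is taken from the slide; treating it as opt-in (publish nothing unless it is present) is the choice this example makes, and it is the security-relevant one: without a filter, anyone who can create an Ingress in any namespace can mint public records in your zone. The sample objects, names and addresses are constructed.

```python
"""Added example: deciding which DNS records an Ingress should produce."""
import ipaddress
from typing import Dict, List, Tuple

TARGET_ANNOTATION = "external-dns.alpha.kubernetes.io/target"
FILTER_ANNOTATION = "external-dns.swatmobile.io/enable"  # site-specific opt-in, from the slide

Record = Tuple[str, str, str]  # (name, type, target)


def annotations(ing: dict) -> Dict[str, str]:
    return ing.get("metadata", {}).get("annotations", {}) or {}


def status_targets(ing: dict) -> List[str]:
    """Targets the proxy/LB controller wrote into status.loadBalancer.ingress."""
    entries = ing.get("status", {}).get("loadBalancer", {}).get("ingress", []) or []
    return [e.get("hostname") or e.get("ip") for e in entries if e.get("hostname") or e.get("ip")]


def record_type(target: str) -> str:
    """An IP target becomes an A record, a hostname target a CNAME."""
    try:
        ipaddress.ip_address(target)
        return "A"
    except ValueError:
        return "CNAME"


def desired_records(ingresses: List[dict], require_opt_in: bool = True) -> Tuple[List[Record], List[str]]:
    """Return (records to publish, reasons for each Ingress that was skipped)."""
    records: List[Record] = []
    skipped: List[str] = []
    for ing in ingresses:
        ann = annotations(ing)
        ref = f"{ing['metadata']['namespace']}/{ing['metadata']['name']}"
        if require_opt_in and ann.get(FILTER_ANNOTATION) != "true":
            skipped.append(f"{ref}: no {FILTER_ANNOTATION}=true, not publishing")
            continue
        # The annotation overrides status, which matters for controllers that never fill it in.
        targets = [ann[TARGET_ANNOTATION]] if ann.get(TARGET_ANNOTATION) else status_targets(ing)
        if not targets:
            skipped.append(f"{ref}: status.loadBalancer empty and no target annotation; DNS never created")
            continue
        for rule in ing.get("spec", {}).get("rules", []):
            host = rule.get("host")
            if not host:
                continue  # a rule without a host is a catch-all; nothing to publish
            for t in targets:
                records.append((host, record_type(t), t))
    return records, skipped


def ingress(name, ns, host, ann=None, status=None) -> dict:
    """Build a constructed sample Ingress object."""
    return {"kind": "Ingress",
            "metadata": {"name": name, "namespace": ns, "annotations": ann or {}},
            "spec": {"rules": [{"host": host, "http": {"paths": [
                {"path": "/", "backend": {"serviceName": name, "servicePort": 80}}]}}]},
            "status": {"loadBalancer": status or {}}}


SAMPLE = [
    # Status filled in by the proxy controller and opted in: CNAME bar.com -> lb.cloud.com
    ingress("bar", "default", "bar.com", {FILTER_ANNOTATION: "true"},
            {"ingress": [{"hostname": "lb.cloud.com"}]}),
    # Controller never writes status (slide 21): the target annotation stands in
    ingress("baz", "default", "baz.com", {FILTER_ANNOTATION: "true", TARGET_ANNOTATION: "lb.cloud.com"}),
    # Neither status nor annotation: nothing to point at, skipped with a reason
    ingress("qux", "default", "qux.com", {FILTER_ANNOTATION: "true"}),
    # Status present but not opted in: a stray Ingress must not mint records in the zone
    ingress("stray", "sandbox", "admin.bar.com", None, {"ingress": [{"ip": "203.0.113.10"}]}),
]

if __name__ == "__main__":
    recs, why = desired_records(SAMPLE)
    for r in recs:
        print("publish", r)
    for w in why:
        print("skip   ", w)
```

The "skipped" list is the operational half of the caveat: an Ingress whose controller never populates status, and which carries no target annotation, simply never gets a DNS record, and nothing else in the cluster will tell you why. Surfacing that reason is worth more than the records themselves when you are debugging a fresh ingress class.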
  23. Tips & Caveats - Failure domain - Reverse proxy config
     Ingress:
       kind: Ingress
       metadata:
         annotations:
           external-dns.swatmobile.io/enable: "true"
       spec:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80
       status:
         loadBalancer: { … }

  24. Tips & Caveats - Failure domain - Reverse proxy config
     - Watch out: Failed Let's Encrypt requests
     Ingress:
       kind: Ingress
       metadata:
         annotations:
           kubernetes.io/tls-acme: "true"
       spec:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80
         tls:
         - secretName: bar-com-tls
           hosts:
           - bar.com
       status:
         loadBalancer: { … }

  25. Tips & Caveats - Plan for failed Let's Encrypt request:
     - Run multiple ingress to reduce failure domain
     - Decouple Cert request from ingress
     Ingress:
       kind: Ingress
       metadata:
         annotations:
           kubernetes.io/tls-acme: "true"
       spec:
         rules:
         - host: bar.com
           http:
             paths:
             - path: /
               backend:
                 serviceName: bar
                 servicePort: 80
         tls:
         - secretName: bar-com-tls
           hosts:
           - bar.com
       status:
         loadBalancer: { … }
  26. Tips & Caveats - Annotation overload
     - https://github.com/heptio/contour/blob/master/docs/ingressroute.md
     - Ambassador
     - Istio
     - ...
     - Balance CRD vs Annotation
       Ingress Annotations more mature (for now)
  27. Kops - Edge Nodes
     Why?
     - Compliance requirements (WAF)
     How?
     - Dedicated nodePool / instanceGroup
     - AWS LB limited to edge nodes

  28. Kops - Edge Nodes
     AWS LB limited to edge nodes:
     Problem:
     - Kubernetes service type LoadBalancer (targets all worker nodes)
     Solution:
     - https://github.com/zalando-incubator/kube-ingress-aws-controller
       CUSTOM_FILTERS