Das Blinken Lichten

Kubernetes Networking 101 – Ingress resources

May 2, 2017 8:41 pm in docker, Google, Kubernetes, Linux | 4 comments

I called my last post ‘basic’ external access into the cluster because I didn’t get a chance to talk about the ingress object. Ingress resources are interesting in that they allow you to use one object to load balance to different back-end objects. This could be handy for several reasons and allows you a more fine-grained means to load balance traffic. Let’s take a look at an example of using the Nginx ingress controller in our Kubernetes cluster.

To demonstrate this we’re going to continue using the same lab that we used in previous posts but for the sake of level setting we’re going to start by clearing the slate. Let’s delete all of the objects in the cluster and then we’ll start by build them from scratch so you can see every step of the way how we setup and use the ingress.

kubectl delete deployments --all
kubectl delete pods --all
kubectl delete services --all

kubectl delete deployments --all

kubectl delete pods --all

kubectl delete services --all

Since this will kill our net-test pod, let’s start that again…

kubectl run net-test --image=jonlangemak/net_tools

1	kubectl run net-test --image=jonlangemak/net_tools

Recall that we used this pod as a testing endpoint so we could simulate traffic originating from a pod so it’s worth keeping around.

Alright – now that we have an empty cluster the first thing we need to do is build some things we want to load balance to. In this case, we’ll define two deployments. Save this definition as a file called back-end-deployment.yaml on your Kubernetes master…

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deploy-test-1
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: web-front-end
        version: v1
    spec:
      containers:
      - name: tiny-web-server-1
        image: jonlangemak/web1_8080
        ports:
        - containerPort: 8080
          name: web-port
          protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deploy-test-2
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: web-front-end
        version: v2
    spec:
      containers:
      - name: tiny-web-server-2
        image: jonlangemak/web1_9090
        ports:
        - containerPort: 9090
          name: web-port
          protocol: TCP

apiVersion: extensions/v1beta1

kind: Deployment

metadata:

spec:

replicas: 2

template:

metadata:

labels:

app: web-front-end

version: v1

spec:

containers:

- name: tiny-web-server-1

image: jonlangemak/web1_8080

ports:

- containerPort: 8080

protocol: TCP

---

apiVersion: extensions/v1beta1

kind: Deployment

metadata:

spec:

replicas: 2

template:

metadata:

labels:

app: web-front-end

version: v2

spec:

containers:

- name: tiny-web-server-2

image: jonlangemak/web1_9090

ports:

- containerPort: 9090

protocol: TCP

Notice how we defined two deployments in the same file and separated the definitions with a ---. Next we want to define a service that can be used to reach each of these deployments. Save this service definition as back-end-service.yaml…

apiVersion: v1
kind: Service
metadata:
  name: backend-svc-1
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: web-port
  selector:
    app: web-front-end
    version: v1
---
apiVersion: v1
kind: Service
metadata:
  name: backend-svc-2
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: web-port
  selector:
    app: web-front-end
    version: v2

apiVersion: v1

kind: Service

metadata:

spec:

ports:

- port: 80

protocol: TCP

targetPort: web-port

selector:

app: web-front-end

version: v1

---

apiVersion: v1

kind: Service

metadata:

spec:

ports:

- port: 80

protocol: TCP

targetPort: web-port

selector:

app: web-front-end

version: v2

Notice how the service selectors are looking the specific labels that match each pod. In this case, we’re looking for app and version with the version differing between each deployment. We can now deploy these definitions and ensure everything is created as expected…

I created a new folder called ingress to store all these definitions in.

user@ubuntu-1:~/ingress$ kubectl create -f back-end-deployment.yaml
deployment "deploy-test-1" created
deployment "deploy-test-2" created
user@ubuntu-1:~/ingress$
user@ubuntu-1:~/ingress$ kubectl get deployments
NAME            DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deploy-test-1   2         2         2            2           11s
deploy-test-2   2         2         2            2           11s
net-test        1         1         1            0           50s
user@ubuntu-1:~/ingress$
user@ubuntu-1:~/ingress$ kubectl get pods -o wide
NAME                             READY     STATUS    RESTARTS   AGE       IP            NODE
deploy-test-1-1702481282-568d6   1/1       Running   0          20s       10.100.1.20   ubuntu-3
deploy-test-1-1702481282-z6nx7   1/1       Running   0          20s       10.100.3.31   ubuntu-5
deploy-test-2-2194066824-3d47q   1/1       Running   0          20s       10.100.0.25   ubuntu-2
deploy-test-2-2194066824-8dx3w   1/1       Running   0          20s       10.100.2.28   ubuntu-4
net-test-645963977-6216t         1/1       Running   0          2m        10.100.3.33   ubuntu-5
user@ubuntu-1:~/ingress$
user@ubuntu-1:~/ingress$ kubectl create -f back-end-service.yaml
service "backend-svc-1" created
service "backend-svc-2" created
user@ubuntu-1:~/ingress$ kubectl get services -o wide
NAME            CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE       SELECTOR
backend-svc-1   10.11.12.117           80/TCP    8s        app=web-front-end,version=v1
backend-svc-2   10.11.12.164           80/TCP    8s        app=web-front-end,version=v2
kubernetes      10.11.12.1             443/TCP   23m       
user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl create -f back-end-deployment.yaml

deployment "deploy-test-1" created

deployment "deploy-test-2" created

user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl get deployments

NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE

deploy-test-1 2 2 2 2 11s

deploy-test-2 2 2 2 2 11s

net-test 1 1 1 0 50s

user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl get pods -o wide

NAME READY STATUS RESTARTS AGE IP NODE

deploy-test-1-1702481282-568d6 1/1 Running 0 20s 10.100.1.20 ubuntu-3

deploy-test-1-1702481282-z6nx7 1/1 Running 0 20s 10.100.3.31 ubuntu-5

deploy-test-2-2194066824-3d47q 1/1 Running 0 20s 10.100.0.25 ubuntu-2

deploy-test-2-2194066824-8dx3w 1/1 Running 0 20s 10.100.2.28 ubuntu-4

net-test-645963977-6216t 1/1 Running 0 2m 10.100.3.33 ubuntu-5

user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl create -f back-end-service.yaml

service "backend-svc-1" created

service "backend-svc-2" created

user@ubuntu-1:~/ingress$ kubectl get services -o wide

NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR

backend-svc-1 10.11.12.117 80/TCP 8s app=web-front-end,version=v1

backend-svc-2 10.11.12.164 80/TCP 8s app=web-front-end,version=v2

kubernetes 10.11.12.1 443/TCP 23m

user@ubuntu-1:~/ingress$

These deployments and services represent the pods and services that we’ll be doing the actual load balancing to. They appear to have deployed successfully so let’s move onto the next step.

Next we’ll start building the actual ingress. To start with we need to define what’s referred to as a default back-end. Default back-ends serve as the default endpoint that the ingress will send traffic to in the event it doesn’t match any other rules. In our case the default back-end will consist of a deployment and a service that matches the deployed pods to make them easily reachable. First define the default back-end deployment. Save this as a file called default-back-end-deployment.yaml…

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: default-http-backend
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: default-http-backend
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: default-http-backend
        # Any image is permissable as long as:
        # 1. It serves a 404 page at /
        # 2. It serves 200 on a /healthz endpoint
        image: gcr.io/google_containers/defaultbackend:1.0
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi

apiVersion: extensions/v1beta1

kind: Deployment

metadata:

spec:

replicas: 2

template:

metadata:

labels:

app: default-http-backend

spec:

terminationGracePeriodSeconds: 60

containers:

- name: default-http-backend

# Any image is permissable as long as:

# 1. It serves a 404 page at /

# 2. It serves 200 on a /healthz endpoint

image: gcr.io/google_containers/defaultbackend:1.0

livenessProbe:

httpGet:

path: /healthz

port: 8080

scheme: HTTP

initialDelaySeconds: 30

timeoutSeconds: 5

ports:

- containerPort: 8080

resources:

limits:

cpu: 10m

memory: 20Mi

requests:

cpu: 10m

memory: 20Mi

Next lets define the service that will match the default back-end. save this file as default-back-end-service.yaml…

apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
spec:
  type: ClusterIP
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: default-http-backend

apiVersion: v1

kind: Service

metadata:

spec:

type: ClusterIP

ports:

- port: 80

protocol: TCP

targetPort: 8080

selector:

app: default-http-backend

Now let’s deploy both the definition for the default back-end deployment as well as the service…

user@ubuntu-1:~/ingress$ kubectl create -f default-back-end-deployment.yaml
deployment "default-http-backend" created
user@ubuntu-1:~/ingress$ kubectl create -f default-back-end-service.yaml
service "default-http-backend" created
user@ubuntu-1:~/ingress$
user@ubuntu-1:~/ingress$ kubectl get deployments
NAME                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
default-http-backend   2         2         2            2           14s
deploy-test-1          2         2         2            2           14m
deploy-test-2          2         2         2            2           14m
net-test               1         1         1            0           2m
user@ubuntu-1:~/ingress$
user@ubuntu-1:~/ingress$ kubectl get pods -o wide
NAME                                    READY     STATUS    RESTARTS   AGE       IP            NODE
default-http-backend-4080621718-fmn8q   1/1       Running   0          20s       10.100.3.32   ubuntu-5
default-http-backend-4080621718-psm04   1/1       Running   0          20s       10.100.0.26   ubuntu-2
deploy-test-1-1702481282-568d6          1/1       Running   0          15m       10.100.1.20   ubuntu-3
deploy-test-1-1702481282-z6nx7          1/1       Running   0          15m       10.100.3.31   ubuntu-5
deploy-test-2-2194066824-3d47q          1/1       Running   0          15m       10.100.0.25   ubuntu-2
deploy-test-2-2194066824-8dx3w          1/1       Running   0          15m       10.100.2.28   ubuntu-4
net-test-645963977-6216t                1/1       Running   0          4m        10.100.3.33   ubuntu-5
user@ubuntu-1:~/ingress$
user@ubuntu-1:~/ingress$ kubectl get services
NAME                   CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
backend-svc-1          10.11.12.117   <none>        80/TCP    4m
backend-svc-2          10.11.12.164   <none>        80/TCP    4m
default-http-backend   10.11.12.88    <none>        80/TCP    21s
kubernetes             10.11.12.1     <none>        443/TCP   28m
user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl create -f default-back-end-deployment.yaml

deployment "default-http-backend" created

user@ubuntu-1:~/ingress$ kubectl create -f default-back-end-service.yaml

service "default-http-backend" created

user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl get deployments

NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE

default-http-backend 2 2 2 2 14s

deploy-test-1 2 2 2 2 14m

deploy-test-2 2 2 2 2 14m

net-test 1 1 1 0 2m

user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl get pods -o wide

NAME READY STATUS RESTARTS AGE IP NODE

default-http-backend-4080621718-fmn8q 1/1 Running 0 20s 10.100.3.32 ubuntu-5

default-http-backend-4080621718-psm04 1/1 Running 0 20s 10.100.0.26 ubuntu-2

deploy-test-1-1702481282-568d6 1/1 Running 0 15m 10.100.1.20 ubuntu-3

deploy-test-1-1702481282-z6nx7 1/1 Running 0 15m 10.100.3.31 ubuntu-5

deploy-test-2-2194066824-3d47q 1/1 Running 0 15m 10.100.0.25 ubuntu-2

deploy-test-2-2194066824-8dx3w 1/1 Running 0 15m 10.100.2.28 ubuntu-4

net-test-645963977-6216t 1/1 Running 0 4m 10.100.3.33 ubuntu-5

user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl get services

NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE

backend-svc-1 10.11.12.117 <none> 80/TCP 4m

backend-svc-2 10.11.12.164 <none> 80/TCP 4m

default-http-backend 10.11.12.88 <none> 80/TCP 21s

kubernetes 10.11.12.1 <none> 443/TCP 28m

user@ubuntu-1:~/ingress$

Great! This looks just like we’d expect but let’s do some extra validation from our net-test pod to make sure the pods and services are working as expected before we get too far into the ingress configuration…

If you aren’t comfortable with services see my post on them here.

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t curl http://backend-svc-1
This is Web Server 1 running on 8080!
user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t curl http://backend-svc-2
This is Web Server 1 running on 9090!
user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t curl http://default-http-backend
default backend - 404
user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t curl http://backend-svc-1

This is Web Server 1 running on 8080!

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t curl http://backend-svc-2

This is Web Server 1 running on 9090!

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t curl http://default-http-backend

default backend - 404

user@ubuntu-1:~/ingress$

As expected pods can resolve the services by DNS name and we can successfully reach each service. In the case of the default back-end we get a 404. Since all of the back end pods are reachable we can move on to defining the ingress itself. The Nginx ingress controller comes in the form of a deployment. The deployment definition looks like this…

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
spec:
  replicas: 1
  revisionHistoryLimit: 3
  template:
    metadata:
      labels:
        app: nginx-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: nginx-ingress-controller
          image: gcr.io/google_containers/nginx-ingress-controller:0.8.3
          imagePullPolicy: Always
          readinessProbe:
            httpGet:
              path: /healthz
              port: 18080
              scheme: HTTP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 18080
              scheme: HTTP
            initialDelaySeconds: 10
            timeoutSeconds: 5
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --nginx-configmap=$(POD_NAMESPACE)/nginx-ingress-controller-conf
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - containerPort: 80
            - containerPort: 18080

apiVersion: extensions/v1beta1

kind: Deployment

metadata:

spec:

replicas: 1

revisionHistoryLimit: 3

template:

metadata:

labels:

app: nginx-ingress-lb

spec:

terminationGracePeriodSeconds: 60

containers:

- name: nginx-ingress-controller

image: gcr.io/google_containers/nginx-ingress-controller:0.8.3

imagePullPolicy: Always

readinessProbe:

httpGet:

path: /healthz

port: 18080

scheme: HTTP

livenessProbe:

httpGet:

path: /healthz

port: 18080

scheme: HTTP

initialDelaySeconds: 10

timeoutSeconds: 5

args:

- /nginx-ingress-controller

- --default-backend-service=$(POD_NAMESPACE)/default-http-backend

- --nginx-configmap=$(POD_NAMESPACE)/nginx-ingress-controller-conf

env:

- name: POD_NAME

valueFrom:

fieldRef:

fieldPath: metadata.name

- name: POD_NAMESPACE

valueFrom:

fieldRef:

fieldPath: metadata.namespace

ports:

- containerPort: 80

- containerPort: 18080

Go ahead and save this file as nginx-ingress-controller-deployment.yaml on your server. However – before we can deploy this definition we need to deploy a config-map. Config-maps are a Kubernetes construct that are used to handle non-private configuration information. Since the Nginx ingress controller above expects a config-map, we need to deploy that before we can deploy the ingress controller…

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress-controller-conf
  labels:
    app: nginx-ingress-lb
    group: lb
data:
  enable-vts-status: 'true'

apiVersion: v1

kind: ConfigMap

metadata:

labels:

app: nginx-ingress-lb

group: lb

data:

enable-vts-status: 'true'

In this case, we’re using a config-map to pass service level parameters to the pod. In this case, we’re passing the enable-vts-status: 'true' parameter which is required for us to see the VTS page of the Nginx load balancer. Save this as nginx-ingress-controller-config-map.yaml on your server and then deploy both the config-map and the Nginx ingress controller deployment…

user@ubuntu-1:~/ingress$ kubectl create -f nginx-ingress-controller-config-map.yaml
configmap "nginx-ingress-controller-conf" created
user@ubuntu-1:~/ingress$ kubectl create -f nginx-ingress-controller-deployment.yaml
deployment "nginx-ingress-controller" created
user@ubuntu-1:~/ingress$
user@ubuntu-1:~/ingress$ kubectl get deployments nginx-ingress-controller
NAME                       DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
nginx-ingress-controller   1         1         1            1           26s
user@ubuntu-1:~/ingress$ 
user@ubuntu-1:~/ingress$ kubectl get pods -o wide
NAME                                        READY     STATUS    RESTARTS   AGE       IP            NODE
default-http-backend-4080621718-fmn8q       1/1       Running   0          33m       10.100.3.32   ubuntu-5
default-http-backend-4080621718-psm04       1/1       Running   0          33m       10.100.0.26   ubuntu-2
deploy-test-1-1702481282-568d6              1/1       Running   0          48m       10.100.1.20   ubuntu-3
deploy-test-1-1702481282-z6nx7              1/1       Running   0          48m       10.100.3.31   ubuntu-5
deploy-test-2-2194066824-3d47q              1/1       Running   0          48m       10.100.0.25   ubuntu-2
deploy-test-2-2194066824-8dx3w              1/1       Running   0          48m       10.100.2.28   ubuntu-4
net-test-645963977-6216t                    1/1       Running   0          30m       10.100.3.33   ubuntu-5
nginx-ingress-controller-2003317751-r0807   1/1       Running   0          43s       10.100.3.34   ubuntu-5
user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl create -f nginx-ingress-controller-config-map.yaml

configmap "nginx-ingress-controller-conf" created

user@ubuntu-1:~/ingress$ kubectl create -f nginx-ingress-controller-deployment.yaml

deployment "nginx-ingress-controller" created

user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl get deployments nginx-ingress-controller

NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE

nginx-ingress-controller 1 1 1 1 26s

user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl get pods -o wide

NAME READY STATUS RESTARTS AGE IP NODE

default-http-backend-4080621718-fmn8q 1/1 Running 0 33m 10.100.3.32 ubuntu-5

default-http-backend-4080621718-psm04 1/1 Running 0 33m 10.100.0.26 ubuntu-2

deploy-test-1-1702481282-568d6 1/1 Running 0 48m 10.100.1.20 ubuntu-3

deploy-test-1-1702481282-z6nx7 1/1 Running 0 48m 10.100.3.31 ubuntu-5

deploy-test-2-2194066824-3d47q 1/1 Running 0 48m 10.100.0.25 ubuntu-2

deploy-test-2-2194066824-8dx3w 1/1 Running 0 48m 10.100.2.28 ubuntu-4

net-test-645963977-6216t 1/1 Running 0 30m 10.100.3.33 ubuntu-5

nginx-ingress-controller-2003317751-r0807 1/1 Running 0 43s 10.100.3.34 ubuntu-5

user@ubuntu-1:~/ingress$

Alright – so we’re still looking good here. The pod generated from the deployment is running. If you want to perform another quick smoke test at this point you can try connecting to the Nginx controller pod directly from the net-test pod. Doing so should result in landing at the default back-end since we have not yet told the ingress what it should do…

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t curl http://10.100.3.34
default backend - 404
user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t curl http://10.100.3.34

default backend - 404

user@ubuntu-1:~/ingress$

Excellent! Next we need to define the ingress policy or ingress object. Doing so is just like defining any other object in Kubernetes, we use a YAML definition like the one below…

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
spec:
  rules:
  - host: website8080.com
    http:
      paths:
      - backend:
          serviceName: backend-svc-1
          servicePort: 80
  - host: website9090.com
    http:
      paths:
      - backend:
          serviceName: backend-svc-2
          servicePort: 80
  - host: website.com
    http:
      paths:
      - path: /eightyeighty
        backend:
          serviceName: backend-svc-1
          servicePort: 80
      - path: /ninetyninety
        backend:
          serviceName: backend-svc-2
          servicePort: 80
      - path: /nginx_status
        backend:
          serviceName: nginx-ingress
          servicePort: 18080

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

spec:

rules:

- host: website8080.com

http:

paths:

- backend:

serviceName: backend-svc-1

servicePort: 80

- host: website9090.com

http:

paths:

- backend:

serviceName: backend-svc-2

servicePort: 80

- host: website.com

http:

paths:

- path: /eightyeighty

backend:

serviceName: backend-svc-1

servicePort: 80

- path: /ninetyninety

backend:

serviceName: backend-svc-2

servicePort: 80

- path: /nginx_status

backend:

serviceName: nginx-ingress

servicePort: 18080

The rules defined in the ingress will be read by the Nginx ingress controller and turned into Nginx load balancing rules. Pretty slick right? In this case, we define 3 rules. Let’s walk through the rules one at a time from top to bottom.

Is looking for http traffic headed to the host website8080.com. If it receives traffic matching this host it will load balance it to the pods that match the selector for the service backend-svc-1
Is looking for http traffic headed to the host website9090.com. If it receives traffic matching this host it will load balance it to the pods that match the selector for the service backend-svc-2
Is looking for traffic destined to the host website.com on multiple different paths…
1. Is looking for http traffic matching a path of /eightyeighty. If it receives traffic matching this path it will load balance it to the pods that match the selector for the service back-end-svc-1
2. Is looking for http traffic matching a path of /ninetyninety. If it receives traffic matching this path it will load balance it to the pods that match the selector for the service back-end-svc-2
3. Is looking for http traffic matching a path of /nginx_status. If it receives traffic matching this path it will load balance it to the pods that match the selector for the service nginx-ingress (not yet defined)

Those rules are pretty straight forward and things we’re used to dealing with on traditional load balancing platforms. Let’s go ahead and save this definition as nginx-ingress.yaml and deploy it to the cluster…

user@ubuntu-1:~/ingress$ kubectl create -f nginx-ingress.yaml
ingress "nginx-ingress" created
user@ubuntu-1:~/ingress$ 
user@ubuntu-1:~/ingress$ kubectl get ingress
NAME            HOSTS                                         ADDRESS         PORTS     AGE
nginx-ingress   website8080.com,website9090.com,website.com   192.168.50.75   80        41s

user@ubuntu-1:~/ingress$ kubectl create -f nginx-ingress.yaml

ingress "nginx-ingress" created

user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl get ingress

NAME HOSTS ADDRESS PORTS AGE

nginx-ingress website8080.com,website9090.com,website.com 192.168.50.75 80 41s

We can see that the ingress has been created successfully. If we would have been watching the logs of the Nginx ingress controller pod as we deployed the ingress we would have seen these log entries shortly after defining the ingress resource in the cluster…

I0501 20:56:20.040242       1 event.go:216] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"nginx-ingress", UID:"a085ce3e-2eb0-11e7-ac2c-000c293e4951", APIVersion:"extensions", ResourceVersion:"4355820", FieldPath:""}): type: 'Normal' reason: 'CREATE' default/nginx-ingress
I0501 20:56:20.042062       1 controller.go:491] Updating loadbalancer default/nginx-ingress with IP 192.168.50.75
I0501 20:56:20.045410       1 event.go:216] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"nginx-ingress", UID:"a085ce3e-2eb0-11e7-ac2c-000c293e4951", APIVersion:"extensions", ResourceVersion:"4355822", FieldPath:""}): type: 'Normal' reason: 'UPDATE' default/nginx-ingress
I0501 20:56:20.045870       1 event.go:216] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"nginx-ingress", UID:"a085ce3e-2eb0-11e7-ac2c-000c293e4951", APIVersion:"extensions", ResourceVersion:"4355820", FieldPath:""}): type: 'Normal' reason: 'CREATE' ip: 192.168.50.75
I0501 20:56:27.368794       1 controller.go:420] updating service backend-svc-1 with new named port mappings
I0501 20:56:27.380260       1 controller.go:420] updating service backend-svc-2 with new named port mappings
W0501 20:56:27.385636       1 controller.go:829] service default/nginx-ingress does not exists
W0501 20:56:27.386426       1 controller.go:777] upstream default-nginx-ingress-18080 does not have any active endpoints. Using default backend

I0501 20:56:20.040242 1 event.go:216] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"nginx-ingress", UID:"a085ce3e-2eb0-11e7-ac2c-000c293e4951", APIVersion:"extensions", ResourceVersion:"4355820", FieldPath:""}): type: 'Normal' reason: 'CREATE' default/nginx-ingress

I0501 20:56:20.042062 1 controller.go:491] Updating loadbalancer default/nginx-ingress with IP 192.168.50.75

I0501 20:56:20.045410 1 event.go:216] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"nginx-ingress", UID:"a085ce3e-2eb0-11e7-ac2c-000c293e4951", APIVersion:"extensions", ResourceVersion:"4355822", FieldPath:""}): type: 'Normal' reason: 'UPDATE' default/nginx-ingress

I0501 20:56:20.045870 1 event.go:216] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"nginx-ingress", UID:"a085ce3e-2eb0-11e7-ac2c-000c293e4951", APIVersion:"extensions", ResourceVersion:"4355820", FieldPath:""}): type: 'Normal' reason: 'CREATE' ip: 192.168.50.75

I0501 20:56:27.368794 1 controller.go:420] updating service backend-svc-1 with new named port mappings

I0501 20:56:27.380260 1 controller.go:420] updating service backend-svc-2 with new named port mappings

W0501 20:56:27.385636 1 controller.go:829] service default/nginx-ingress does not exists

W0501 20:56:27.386426 1 controller.go:777] upstream default-nginx-ingress-18080 does not have any active endpoints. Using default backend

The ingress controller is constantly watching the API server for ingress configuration. Directly after defining the ingress policy, the controller started building the configuration in the Nginx load balancer. Now that it’s defined, we should be able to do some preliminary testing within the cluster. Once again from our net-test pod we can run the following tests…

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -q http://10.100.3.34
default backend - 404
user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -H Host:website8080.com http://10.100.3.34
This is Web Server 1 running on 8080!
user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -H Host:website9090.com http://10.100.3.34
This is Web Server 1 running on 9090!
user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -H Host:website.com http://10.100.3.34
default backend - 404
user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -H Host:website.com http://10.100.3.34/eightyeighty
This is Web Server 1 running on 8080!
user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -H Host:website.com http://10.100.3.34/ninetyninety
This is Web Server 1 running on 9090!
user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -q http://10.100.3.34

default backend - 404

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -H Host:website8080.com http://10.100.3.34

This is Web Server 1 running on 8080!

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -H Host:website9090.com http://10.100.3.34

This is Web Server 1 running on 9090!

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -H Host:website.com http://10.100.3.34

default backend - 404

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -H Host:website.com http://10.100.3.34/eightyeighty

This is Web Server 1 running on 8080!

user@ubuntu-1:~/ingress$ kubectl exec -it net-test-645963977-6216t -- curl -H Host:website.com http://10.100.3.34/ninetyninety

This is Web Server 1 running on 9090!

user@ubuntu-1:~/ingress$

We can run tests from within the cluster by connecting directly to the pod IP address of the Nginx ingress controller which in this cases is 10.100.3.34. You’ll notice the first test fails and we end up at the default back-end. This is because we didnt pass a host header. In the second example we pass the website8080.com host header and get the correct response. In the third example we pass the website9090.com host header and also receive the response we’re expecting. In the fourth example we attempt to connect to website.com and receive once again the default back-end response of 404. If we then try the appropriate paths we’ll see we once again start getting the correct responses.

The last piece that’s missing is external access. In our case, we need to expose the ingress to the upstream network. Since we’re not running in a cloud environment, the best option for that would be with a nodePort type service like this…

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
spec:
  type: NodePort
  ports:
    - port: 80
      nodePort: 30000
      name: http
    - port: 18080
      nodePort: 32767
      name: http-mgmt
  selector:
    app: nginx-ingress-lb

apiVersion: v1

kind: Service

metadata:

spec:

type: NodePort

ports:

- port: 80

nodePort: 30000

- port: 18080

nodePort: 32767

selector:

app: nginx-ingress-lb

I used a nodePort service here but you certainly could have also used the externalIP construct as well. That would allow you to access the URLs on their normal port.

Notice that this is looking for pods that match the selector nginx-ingress-lb and provides service functionality for two different ports. The first will be port 80 which we’re asking it provide on the host’s interface on port (nodePort) 30000. This will service the actual inbound requests to the websites. The second port is 18080 and we’re asking it to provide that on nodePort 32767. This will let us view the Nginx VTS monitoring page of the load balancer. Let’s save this definition as nginx-ingress-controller-service.yaml and deploy it to our cluster….

user@ubuntu-1:~/ingress$ kubectl create -f nginx-ingress-controller-service.yaml
service "nginx-ingress" created
user@ubuntu-1:~/ingress$ 
user@ubuntu-1:~/ingress$ kubectl get services nginx-ingress -o wide
NAME            CLUSTER-IP     EXTERNAL-IP   PORT(S)                        AGE       SELECTOR
nginx-ingress   10.11.12.214   <nodes>       80:30000/TCP,18080:32767/TCP   15s       app=nginx-ingress-lb
user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl create -f nginx-ingress-controller-service.yaml

service "nginx-ingress" created

user@ubuntu-1:~/ingress$

user@ubuntu-1:~/ingress$ kubectl get services nginx-ingress -o wide

NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR

nginx-ingress 10.11.12.214 <nodes> 80:30000/TCP,18080:32767/TCP 15s app=nginx-ingress-lb

user@ubuntu-1:~/ingress$

Now we should be able to reach all of our URLs from outside of the cluster either by passing the host header manually as we did above, or by creating DNS records to resolve the names to a Kubernetes node. If you want to access the Nginx VTS monitoring page through a web browser you’ll need to go the DNS route. I created local DNS zones for each domain to test and was then successful in reaching the website from my workstation’s browser…

If you added the DNS records you should also be able to reach the VTS monitoring page of the Nginx ingress controller as well…

When I first saw this, I was immediately surprised by something. Does anything look strange to you? I was surprised to see that the upstream pools listed the actual pod IP addresses. Recall when we defined our ingress policy we listed the destinations as the Kubernetes services. My initial assumption was that the Nginx ingress controller would then simply be resolving the service name to an IP address and using the single service IP as it’s pool. That is – the ingress controller was just load balancing to a normal Kubernetes service. Turns out that’s not the case. The ingress controller relies on the services to keep track of the pods but doesn’t actually use the service construct to get traffic to the pods. Since Kubernetes is keeping track of which pods are in a given service the ingress controller can just query the API server to get a list of pods that are currently alive and match the selector for the service. In this manner, traffic is load balanced directly to a pod rather than through a service construct. If we mapped out a request to one of our test websites through the Nginx ingress controller it would look something like this…

If you arent comfortable with how nodePort services work check out my last post.

In this case, I’ve pointed the DNS zones for website.com, website8080.com, and website9090.com to the host ubuntu-2. The diagram above shows a client session headed to website9090.com. Note that the client still believes that it’s TCP session (orange line) is with the host ubuntu-2 (10.20.30.72). The nodePort service is doing it’s job and sending the traffic over to the Nginx ingress controller. In doing so, the host hides the traffic behind it’s own source IP address to ensure the traffic returns successfully (blue line). This is entirely nodePort service functionality. What’s new is that when the Nginx pod talks to the back end pool, in this case 10.100.2.28, it does so directly pod to pod (green line).

As you can see – the ingress is allowing us to handle traffic to multiple different back ends now. The ingress policy can be changed by editing the object using kubectl edit ingress nginx-ingress. So for instance, let’s say that we wanted to move the website8080.com to point to the pods that are selected by backend-svc-2 rather than backend-svc-1. Simply edit the ingress to look like this…

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  creationTimestamp: 2017-05-01T20:56:20Z
  generation: 1
  name: nginx-ingress
  namespace: default
  resourceVersion: "4355822"
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/nginx-ingress
  uid: a085ce3e-2eb0-11e7-ac2c-000c293e4951
spec:
  rules:
  - host: website8080.com
    http:
      paths:
      - backend:
          serviceName: backend-svc-2
          servicePort: 80
  - host: website9090.com
    http:
      paths:
      - backend:
          serviceName: backend-svc-2
          servicePort: 80
  - host: website.com
    http:
      paths:
      - backend:
          serviceName: backend-svc-1
          servicePort: 80
        path: /eightyeighty
      - backend:
          serviceName: backend-svc-2
          servicePort: 80
        path: /ninetyninety
      - backend:
          serviceName: nginx-ingress
          servicePort: 18080
        path: /nginx_status
status:
  loadBalancer:
    ingress:
    - ip: 192.168.50.75

# Please edit the object below. Lines beginning with a '#' will be ignored,

# and an empty file will abort the edit. If an error occurs while saving this file will be

# reopened with the relevant failures.

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

creationTimestamp: 2017-05-01T20:56:20Z

generation: 1

namespace: default

resourceVersion: "4355822"

selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/nginx-ingress

uid: a085ce3e-2eb0-11e7-ac2c-000c293e4951

spec:

rules:

- host: website8080.com

http:

paths:

- backend:

serviceName: backend-svc-2

servicePort: 80

- host: website9090.com

http:

paths:

- backend:

serviceName: backend-svc-2

servicePort: 80

- host: website.com

http:

paths:

- backend:

serviceName: backend-svc-1

servicePort: 80

path: /eightyeighty

- backend:

serviceName: backend-svc-2

servicePort: 80

path: /ninetyninety

- backend:

serviceName: nginx-ingress

servicePort: 18080

path: /nginx_status

status:

loadBalancer:

ingress:

- ip: 192.168.50.75

Then save the configuration and try to reconnect to website8080.com once again…

The Nginx ingress controller watches for changes in configuration on the API server and then implements those changes. If we would have been watching the logs on the Nginx ingress controller container we would have seen something like this in the log entries after we made our change…

I0502 23:29:27.406603       1 command.go:76] change in configuration detected. Reloading...

1	I0502 23:29:27.406603 1 command.go:76] change in configuration detected. Reloading...

The ingress controller is also watching for changes to the service. For instance, if we now scaled our deploy-test-2 deployment we could see the Nginx pool size increase to account for the new pods. Here’s what VTS looks like before the change…

Then we can scale the deployment up with this command…

user@ubuntu-1:~$ kubectl scale --replicas=4 deployment/deploy-test-2
deployment "deploy-test-2" scaled
user@ubuntu-1:~$

user@ubuntu-1:~$ kubectl scale --replicas=4 deployment/deploy-test-2

deployment "deploy-test-2" scaled

user@ubuntu-1:~$

And after a couple of seconds VTS will show the newly deployed pods as part of the pool…

We can also modify properties of the controller itself by modifying the configMap that the controller is reading for it’s configuration. One of the more interesting options we can enable on the Nginx ingress controller is sticky sessions. Since the ingress is load balancing directly to the pods rather than to a service it’s possible for it to maintain sessions between the back-end pool members. We can enable this by editing the config map. kubectl edit configmap nginx-ingress-controller-conf and then add the highlighted line to the configMap…

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  enable-vts-status: "true"
  enable-sticky-sessions: 'true'
kind: ConfigMap
metadata:
  creationTimestamp: 2017-05-01T20:38:45Z
  labels:
    app: nginx-ingress-lb
    group: lb
  name: nginx-ingress-controller-conf
  namespace: default
  resourceVersion: "4354268"
  selfLink: /api/v1/namespaces/default/configmaps/nginx-ingress-controller-conf
  uid: 2c21c076-2eae-11e7-ac2c-000c293e4951

# Please edit the object below. Lines beginning with a '#' will be ignored,

# and an empty file will abort the edit. If an error occurs while saving this file will be

# reopened with the relevant failures.

apiVersion: v1

data:

enable-vts-status: "true"

enable-sticky-sessions: 'true'

kind: ConfigMap

metadata:

creationTimestamp: 2017-05-01T20:38:45Z

labels:

app: nginx-ingress-lb

group: lb

namespace: default

resourceVersion: "4354268"

selfLink: /api/v1/namespaces/default/configmaps/nginx-ingress-controller-conf

uid: 2c21c076-2eae-11e7-ac2c-000c293e4951

Once again, the Nginx ingress controller will detect the change and reload it’s configuration. Now if we access website8080.com repeatedly from the same host we should see the load is sent to the same pod. In this case the pod 10.100.0.25…

The point of this post was just to show you basics of how the ingress worked from a network perspective. There are many other uses cases for them and many other ingress controllers to choose from besides Nginx. Take a look at the official documentation for them as well as these other posts that I found helpful during my research…

Jay Gorrell – Kubernetes Ingress

Daemonza – Kubernetes nginx-ingress-controller

Kubernetes networking 101 – (Basic) External access into the cluster

April 25, 2017 7:33 pm in docker, Google, Kubernetes, Linux | 3 comments

In our last post we talked about an important Kubernetes networking construct – the service. Services provide a means for pods running within the cluster to find other pods and also provide rudimentary load balancing capabilities. We saw that services can create DNS entries within Kube-DNS which makes the service accessible by name as well. So now that we know how you can use services to access pods within the cluster it seems prudent to talk about how things outside of the cluster can access these same services. It might make sense to use the same service construct to provide this functionality, but recall that the services are assigned IP addresses that are only known to the cluster. In reality, the service CIDR isnt actually routed anywhere but the Kubernetes nodes know how to interact with service IPs because of the netfilter rules programmed by the kube-proxy. The service network just needs to be unique so that the containers running in the pod will follow their default route out to the host where the netfilter rules will come into play. So really the service network is sort of non-existent from a routing perspective as it’s only locally significant to each host. This means that it can’t really be used by external clients since they wont know how to route to it either. That being said, we have a few other options we can use most of which still rely on the service construct. Let’s look at them one at a time…

ExternalIP

In this mode – you are essentially just assigning a service an external IP address. This IP address can be anything you want it to be but the catch is that you’re on the hook to make sure that the external network knows to send that traffic to the Kubernetes cluster nodes. In other words – you have to ensure that traffic destined to the assigned external IP makes it to a Kubernetes node. From there, the service construct will take care of getting it where it needs to be. To demonstrate this, let’s take a look at our lab where we left it after our last post…

We had two different pod deployments running in the cluster in addition to the ‘net-test’ deployment but we wont need that for this example. We had also defined a service called ‘svc-test-1’ that is currently targeting the pods of the ‘deploy-test-2’ deployment matching the selectors app=web-front-end and version=v2. As we did when we changed the service selector, let’s once again edit the service and add another parameter. To edit the service use this command…

kubectl edit service svc-test-1

1	kubectl edit service svc-test-1

In the editor, add the ‘externalIPs:’ list parameter followed by the IP address of 169.10.10.1 as shown in the highlighted field below…

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: 2017-04-10T16:03:24Z
  name: svc-test-1
  namespace: default
  resourceVersion: "2178729"
  selfLink: /api/v1/namespaces/default/services/svc-test-1
  uid: 39f04a88-1e07-11e7-ac2c-000c293e4951
spec:
  clusterIP: 10.11.12.125
  externalIPs:
  - 169.10.10.1
  ports:
  - port: 80
    protocol: TCP
    targetPort: web-port
  selector:
    app: web-front-end
    version: v2
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

# Please edit the object below. Lines beginning with a '#' will be ignored,

# and an empty file will abort the edit. If an error occurs while saving this file will be

# reopened with the relevant failures.

apiVersion: v1

kind: Service

metadata:

creationTimestamp: 2017-04-10T16:03:24Z

namespace: default

resourceVersion: "2178729"

selfLink: /api/v1/namespaces/default/services/svc-test-1

uid: 39f04a88-1e07-11e7-ac2c-000c293e4951

spec:

clusterIP: 10.11.12.125

externalIPs:

- 169.10.10.1

ports:

- port: 80

protocol: TCP

targetPort: web-port

selector:

app: web-front-end

version: v2

sessionAffinity: None

type: ClusterIP

status:

loadBalancer: {}

When done, save the service definition by closing the file as you typically would (ESC, :wq, ENTER). You should get confirmation that the service was edited when you return to the console. What we just did was told Kubernetes to answer on the IP address of 169.10.10.1 for the service ‘svc-test-1’. To test this out, let’s point a route on our gateway for 169.10.10.0/24 at the host ubuntu-2. Note that ubuntu-2 is the only host that is not currently running a pod that will match the service selector…

This makes ubuntu-2 a strange choice to point the route at but highlights how the external traffic gets handled within the cluster. With our route in place, let’s try to access the 169.10.10.1 IP address from a remote host…

Awesome, so it works! Let’s now dig into how it works. We can assume that since services use netfilter rules, and that the IP was assigned as part of the service, that the externalIP configuration likely also uses it. So let’s start there. For the sake of easily pointing out how the exteralIPs were implemented, I took a ‘iptables-save’ before and after the modification of the service. Afterwards, I diffed the files and these three lines were added to the iptables-save output after the externalIPs were implemented in the service…

-A KUBE-SERVICES -d 169.10.10.1/32 -p tcp -m comment --comment "default/svc-test-1: external IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 169.10.10.1/32 -p tcp -m comment --comment "default/svc-test-1: external IP" -m tcp --dport 80 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-SWP62QIEGFZNLQE7
-A KUBE-SERVICES -d 169.10.10.1/32 -p tcp -m comment --comment "default/svc-test-1: external IP" -m tcp --dport 80 -m addrtype --dst-type LOCAL -j KUBE-SVC-SWP62QIEGFZNLQE7

-A KUBE-SERVICES -d 169.10.10.1/32 -p tcp -m comment --comment "default/svc-test-1: external IP" -m tcp --dport 80 -j KUBE-MARK-MASQ

-A KUBE-SERVICES -d 169.10.10.1/32 -p tcp -m comment --comment "default/svc-test-1: external IP" -m tcp --dport 80 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-SWP62QIEGFZNLQE7

-A KUBE-SERVICES -d 169.10.10.1/32 -p tcp -m comment --comment "default/svc-test-1: external IP" -m tcp --dport 80 -m addrtype --dst-type LOCAL -j KUBE-SVC-SWP62QIEGFZNLQE7

So what do these rules do? The first rule is looking for traffic that is TCP and destined to the IP address of 169.10.10.1 on port 80. This has a target of jump and points to a chain called ‘KUBE-MARK-MASQ’. This chain has the following rules…

-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000

1	-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000

This rule matches all traffic and has a target of ‘MARK’ which is a non-terminating target. The traffic in this case will be marked with a value of ‘0x4000/0x400’. So what do I mean by marked? In this case ‘–set-xmarl’ is setting a marking on the packet that is internal to the host. That is – this marking is only locally significant. Since the MARK target is non-terminating we jump back to the KUBE-SERVICES chain after the marking has occurred. The next line is looking for traffic that is…

Destined to 169.10.10.1
Has a protocol of TCP
Has a destination port of 80
Has not entered through a bridge interface (! –physdev-is-in)
Source of the traffic is not a local interface (! –src-type LOCAL)

The last two rules ensure that this is not traffic that is originated from a POD or the host itself destined to a service.

If the last two rules are foreign to you I suggest you take a look at the MAN page for the IPTables extensions. It’s definitely worth bookmarking.

Since the second rule is a match for our external traffic we follow that JUMP target into the KUBE-SVC-SWP62QIEGFZNLQE7 chain. At that point – the load balancing works just like an internal service. It’s worth pointing out that the masquerade rule is crucial to all of this working. Let’s look at an example of what this might look like if we didn’t have the masquerade rule…

Let’s walk through what will happen without the masquerade rule shown above…

An external user, in this case 192.168.127.50, makes a request to the external IP of 169.10.10.1.
The request reaches the gateway, does a route lookup, and sees that there’s a route for 169.10.10.0/24 pointing at ubuntu-2 (10.20.30.72)
The request reaches the host ubuntu-2 and hits the above mentioned IPTables rules. Without the masquerade rule, the only rule that gets hit is the one for passing the traffic to the service chain KUBE-SVC-SWP62QIEGFZNLQE7. Normal service processing occurs as explained in our last post and a pod out of the service gets selected, in this case the pod 10.100.3.8 on host ubuntu-5.
Traffic is destination NAT’d to 10.100.3.8 and makes it way to the host ubuntu-5.
The pod receives the traffic and attempts to reply to the TCP connection based on the source IP address of the request. The source in this case is unchanged and the host ubuntu-5 attempts to reply directly to the user at 192.168.127.50.
The user making the request receives the reply from 10.100.3.8 and drops the packet since it hasn’t initiated a session to that IP address.

So as you can see – this just wont work. This is why we need the masquerade rule. When we use the rule, the processing looks like this…

This looks much better. In this example the flows specify the correct source and destination since the host ubuntu-2 is now hiding it’s request to the pod behind it’s own interface. This ensures that the reply from the pod 10.100.3.8 will come back to the hose ubuntu-2. This is an important step because this is the host which performed the initial service DNAT. If the request does not come back to this host, the DNAT to the pod can not be reversed. Reversing the DNAT in this case means changing the source of the packet back to the original pre-DNAT source of 169.10.10.1. So as you can see – the masquerade rule is quite important to ensuring that the externalIP construct works.

NodePort

If you’re not interested in dealing with routing a new subnet to the hosts your other option would be what’s referred to as nodeport. Nodeport works a lot like the original Docker bridge mode for publishing ports. It makes a service available externally on the nodes through a different port. That port is by default in the range of 30000-32767 but can be modified by changing the ‘–service-node-port-range’ configuration flag on the API server. To change out service to nodeport we simply delete the externalips definition we inserted during the previous example and change the service type to nodeport as shown below…

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: 2017-04-10T16:03:24Z
  name: svc-test-1
  namespace: default
  resourceVersion: "3471986"
  selfLink: /api/v1/namespaces/default/services/svc-test-1
  uid: 39f04a88-1e07-11e7-ac2c-000c293e4951
spec:
  clusterIP: 10.11.12.125
  ports:
  - port: 80
    protocol: TCP
    targetPort: web-port
  selector:
    app: web-front-end
    version: v2
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}

# Please edit the object below. Lines beginning with a '#' will be ignored,

# and an empty file will abort the edit. If an error occurs while saving this file will be

# reopened with the relevant failures.

apiVersion: v1

kind: Service

metadata:

creationTimestamp: 2017-04-10T16:03:24Z

namespace: default

resourceVersion: "3471986"

selfLink: /api/v1/namespaces/default/services/svc-test-1

uid: 39f04a88-1e07-11e7-ac2c-000c293e4951

spec:

clusterIP: 10.11.12.125

ports:

- port: 80

protocol: TCP

targetPort: web-port

selector:

app: web-front-end

version: v2

sessionAffinity: None

type: NodePort

status:

loadBalancer: {}

After we save the change, we can view the services again with kubectl…

user@ubuntu-1:~$ kubectl get services -o wide
NAME         CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE       SELECTOR
kubernetes   10.11.12.1     <none>        443/TCP        27d       <none>
svc-test-1   10.11.12.125   <nodes>       80:30487/TCP   14d       app=web-front-end,version=v2
user@ubuntu-1:~$

user@ubuntu-1:~$ kubectl get services -o wide

NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR

kubernetes 10.11.12.1 <none> 443/TCP 27d <none>

svc-test-1 10.11.12.125 <nodes> 80:30487/TCP 14d app=web-front-end,version=v2

user@ubuntu-1:~$

Notice that our port column for the service now lists more than one port. The first port is that of the internal service. The second port (30487) is the nodeport, or the port that we can use externally to reach the service. One point about nodeport that I’d like to mention is that it’s an overlay on top of a typical clusterip service. In the externalip example above, notice that we didnt change the type of the service, we just added the externalips to the spec. In the case of nodeport, you need to change the service type. If you’re using a service within the cluster you might be concerned that making this change would remove the clusterip configuration and prevent pods from accessing the service. That is not the case. Nodeport works ontop of the clusterip service configuration so you will always have a clusterip when you configure nodeport.

At this point, we should be able to reach the service by connecting to any Kubernetes node on that given port…

Let’s now do a similar stare and compare with the iptables rules on each host. Once again, I’ll compare the rules in place after the configuration to a copy of the rules I had before we started our work. These are the only lines that were added to get the nodeport functionality working…

-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-test-1:" -m tcp --dport 30487 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-test-1:" -m tcp --dport 30487 -j KUBE-SVC-SWP62QIEGFZNLQE7

1 2	-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-test-1:" -m tcp --dport 30487 -j KUBE-MARK-MASQ -A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-test-1:" -m tcp --dport 30487 -j KUBE-SVC-SWP62QIEGFZNLQE7

These lines are pretty straight forward and perform similar tasks to what we saw above with the externalip functionality. The first line is looking for traffic destined to port 30487 which it will then pass to the KUBE-MARK-MASQ chain so that the traffic will be masqueraded. We have to do this for the same reason we explained above. The second line is also looking for traffic destined to port 30487 and when matched will pass the traffic to the specific chain for the service to handle the load balancing. But how do we get to this chain? If we look at the KUBE-SERVICES chain we will see this entry at the bottom of the chain…

-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS

1	-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS

This rule has always been present in the ruleset the chain it references (KUBE-NODEPORTS) just never existed.

Nodeport offers a couple of advantages over externalip. Namely, we can have more than one load balancing target. With externalip, all of the traffic is headed to the same IP address. While you could certainly route that IP to more than one host, letting the network load balance for you, you’d need to worry about how to update the routing when the host failed. With nodeport, it’s reasonable to think about using an external load balancer that referenced a back-end pool of all of the Kubernetes nodes or minions…

The pool could reference a specific port for each service which would be front-ended on the load balancer by a single VIP. In this model, if a node went away the load balancer could have the intelligence (in the form of a health check) to automatically pull that node from the pool. Keep in mind that the destination the load balancer is sending traffic to will not necessarily host the pod that is answering the client request. However – that’s just the nature of Kubernetes services so that’s pretty much table stakes at this point.

Lastly – if it’s more convenient, you can also specify manually the nodeport you wish to use. In this instance, I edited the spec to specify a nodeport of 30000…

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: 2017-04-10T16:03:24Z
  name: svc-test-1
  namespace: default
  resourceVersion: "3472216"
  selfLink: /api/v1/namespaces/default/services/svc-test-1
  uid: 39f04a88-1e07-11e7-ac2c-000c293e4951
spec:
  clusterIP: 10.11.12.125
  ports:
  - nodePort: 30000
    port: 80
    protocol: TCP
    targetPort: web-port
  selector:
    app: web-front-end
    version: v2
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}

apiVersion: v1

kind: Service

metadata:

creationTimestamp: 2017-04-10T16:03:24Z

namespace: default

resourceVersion: "3472216"

selfLink: /api/v1/namespaces/default/services/svc-test-1

uid: 39f04a88-1e07-11e7-ac2c-000c293e4951

spec:

clusterIP: 10.11.12.125

ports:

- nodePort: 30000

port: 80

protocol: TCP

targetPort: web-port

selector:

app: web-front-end

version: v2

sessionAffinity: None

type: NodePort

status:

loadBalancer: {}

Simulating latency and packet loss on a Linux host

April 17, 2017 9:29 pm in Linux | 2 comments

Every once and a great while there is a need to simulate bad network behavior. Simulating things like packet loss and high latency are often harder to do than you’d expect. However – if you’re dealing with a Linux host – there’s a simple solution. The ‘tc’ command which comes along with the ‘iproute2’ toolset can help you simulate symptoms of a bad network quite easily.

The tc command offers a lot of functionality but in this post we’re just going to walk through a couple of quick examples of using it in conjunction with the netem (network emulator) included in the Linux kernal . To do this, we’ll use just use two hosts…

To start with – let’s make sure that ‘tc’ is installed and that it’s working…

user@ubuntu-1:~$ sudo tc qdisc show dev ens32
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
user@ubuntu-1:~$

user@ubuntu-1:~$ sudo tc qdisc show dev ens32

qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1

user@ubuntu-1:~$

So what did we just do here? Well we used the tc command to return the current qdisc configuration for our servers physical network interface named ‘ens32’. So what’s a qdisc? Qdisc is shorthand for ‘Queue discipline’ and defines the queuing method assigned to the interface. In our case we can see that this interface is using the ‘pfifo_fast’ queuing methodology. This is a default configuration and you should see something similar on your Linux host.

Side Note: Im doing all of this in a lab. Make sure you know what you’re changing before you change anything. For instance, configuring a high rate of packet loss on an interface you’re using to SSH into the host is likely not a great idea. Common sense rules apply.

Let’s first start a constant ping on our host ubuntu-5 heading toward ubuntu-1. Now let’s head back to ubuntu-1 and configure the following command…

sudo tc qdisc add dev ens32 root netem delay 200ms

1	sudo tc qdisc add dev ens32 root netem delay 200ms

So let’s break this command down. We’re telling tc that we want to work with the interface ens32 and add a delay of 200ms to the root qdisc. The root qdisc is an egress queue and where all the packets will inherently get queued by default. If we go and check the ping on the other server we should see the latency has increased…

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=14 ttl=63 time=0.426 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=15 ttl=63 time=0.356 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=16 ttl=63 time=0.399 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=17 ttl=63 time=0.578 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=18 ttl=63 time=0.619 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=19 ttl=63 time=200 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=20 ttl=63 time=200 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=21 ttl=63 time=200 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=22 ttl=63 time=200 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=14 ttl=63 time=0.426 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=15 ttl=63 time=0.356 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=16 ttl=63 time=0.399 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=17 ttl=63 time=0.578 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=18 ttl=63 time=0.619 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=19 ttl=63 time=200 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=20 ttl=63 time=200 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=21 ttl=63 time=200 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=22 ttl=63 time=200 ms

Great! Now let’s modify the rule with this command…

sudo tc qdisc change dev ens32 root netem delay 200ms 50ms

1	sudo tc qdisc change dev ens32 root netem delay 200ms 50ms

This command tells the rule to include a random deviation of up to 50ms. Once the rule is in, you should start seeing latency number in between 150ms and 250ms…

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=23 ttl=63 time=200 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=24 ttl=63 time=200 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=25 ttl=63 time=211 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=26 ttl=63 time=219 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=27 ttl=63 time=191 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=28 ttl=63 time=189 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=29 ttl=63 time=205 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=30 ttl=63 time=157 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=31 ttl=63 time=195 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=32 ttl=63 time=167 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=33 ttl=63 time=222 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=23 ttl=63 time=200 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=24 ttl=63 time=200 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=25 ttl=63 time=211 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=26 ttl=63 time=219 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=27 ttl=63 time=191 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=28 ttl=63 time=189 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=29 ttl=63 time=205 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=30 ttl=63 time=157 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=31 ttl=63 time=195 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=32 ttl=63 time=167 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=33 ttl=63 time=222 ms

Perfect! Having that random deviation helps make it look like ‘real’ latency. Now let’s delete the rule like so…

sudo tc qdisc del dev ens32 root netem delay 200ms 50ms

1	sudo tc qdisc del dev ens32 root netem delay 200ms 50ms

Its important to keep track of the ‘add|change|del’ keywords. If you try to change a rule that doesnt exist or something similar you’re going to start getting weird errors when you try to work with the rules.

Next up – let’s introduce some packet loss!

sudo tc qdisc add dev ens32 root netem loss 20%

1	sudo tc qdisc add dev ens32 root netem loss 20%

The command is similar to the latency commands but now we’re specifying ‘loss’ instead of ‘delay’. If we send 10 ICMP pings to ubuntu-1 from ubuntu-5 we should see some packet loss…

user@ubuntu-5:~$ ping ubuntu-1 -c 10
PING ubuntu-1.interubernet.local (10.20.30.71) 56(84) bytes of data.
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=1 ttl=63 time=0.222 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=2 ttl=63 time=0.663 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=4 ttl=63 time=0.496 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=5 ttl=63 time=0.303 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=6 ttl=63 time=0.538 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=7 ttl=63 time=0.585 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=8 ttl=63 time=0.456 ms
64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=9 ttl=63 time=0.354 ms

--- ubuntu-1.interubernet.local ping statistics ---
10 packets transmitted, 8 received, 20% packet loss, time 8998ms
rtt min/avg/max/mdev = 0.222/0.452/0.663/0.140 ms
user@ubuntu-5:~$

user@ubuntu-5:~$ ping ubuntu-1 -c 10

PING ubuntu-1.interubernet.local (10.20.30.71) 56(84) bytes of data.

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=1 ttl=63 time=0.222 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=2 ttl=63 time=0.663 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=4 ttl=63 time=0.496 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=5 ttl=63 time=0.303 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=6 ttl=63 time=0.538 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=7 ttl=63 time=0.585 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=8 ttl=63 time=0.456 ms

64 bytes from ubuntu1604-1.interubernet.local (10.20.30.71): icmp_seq=9 ttl=63 time=0.354 ms

--- ubuntu-1.interubernet.local ping statistics ---

10 packets transmitted, 8 received, 20% packet loss, time 8998ms

rtt min/avg/max/mdev = 0.222/0.452/0.663/0.140 ms

user@ubuntu-5:~$

Yep, so 20% packet loss as we expected. When you’re done testing, dont forget to delete the rule…

sudo tc qdisc delete dev ens32 root netem loss 20%

1	sudo tc qdisc delete dev ens32 root netem loss 20%

One interesting thought to point out here is that you could quite easily build a server that acted as a sort of ‘WAN simulator’ to use in your lab. In that case, if the server was inline with two interface you could enact policy in both flow directions by applying specific policy to each interface. Lots of possibilities there!

This is literally just the tip of the iceberg. There are so many more things you can do with tc and netem. If you’re looking for more info here’s a good starting point. Be aware that the in-document hyperlinks don’t appear to work but you can just scroll down to see all of the examples.

Update: Heres another link with better info about TC and NetEm. Thanks John!

« Older entries § Newer entries »

Das Blinken Lichten

Kubernetes Networking 101 – Ingress resources

Kubernetes networking 101 – (Basic) External access into the cluster

ExternalIP

NodePort

Simulating latency and packet loss on a Linux host

Connect w/ Jon Langemak

Follow me on Twitter

Categories

Das Blinken Lichten

Kubernetes Networking 101 – Ingress resources

Share this:

Kubernetes networking 101 – (Basic) External access into the cluster

ExternalIP

NodePort

Share this:

Simulating latency and packet loss on a Linux host

Share this:

Connect w/ Jon Langemak

Follow me on Twitter

Categories

Tags