Understanding Kubernetes Ingress and its Importance for Application Exposure and Load Balancing
Kubernetes Ingress is required for service discovery, and its practical implementation may be challenging.
- Ingress helps in understanding service discovery and why it is required for Kubernetes.
- Practical implementation of Ingress can be challenging, but the video provides a detailed explanation and a practical demo for setting it up.
Ingress helps solve practical problems with load balancing in Kubernetes.
- Kubernetes without Ingress relied on creating a deployment and service to expose applications within or outside the cluster.
- However, users realized practical issues with this approach, as they were migrating from legacy systems that used load balancers like nginx or the F5 load balancer.
- Ingress provides an alternative solution to manage load balancing within Kubernetes.
Kubernetes Ingress: Simple, but lacks important features and incurs heavy charges for static load balancing IP addresses
- Kubernetes lacks important features offered by commercial or Enterprise load balancers, such as web application firewall and TLS configuration.
- Cloud providers charge heavily for static load balancing IP addresses, which can be a problem when deploying thousands of microservices or services on Kubernetes.
Two key problems with traditional load balancers
- Problem 1: Missing enterprise and TLS load balancing capabilities (sticky sessions, HTTPS based load balancing, path-based load balancing, host-based load balancing, etc.)
- Problem 2: Exposing multiple IP addresses and incurring additional charges
Kubernetes introduced Ingress for load balancer management
- Kubernetes users can create an Ingress resource to manage load balancers
- Ingress controller decides which load balancer to use
Kubernetes uses Ingress controller for path based routing
- Ingress controller is created by the user and deployed on the Kubernetes cluster
- Developer or DevOps engineers create Ingress resource using Ingress controller for path based routing
The main purpose of Ingress is to solve the problems of lack of load balancing capabilities and expensive IP addresses in Kubernetes.
- DevOps engineers need to choose an Ingress controller and load balancer for their deployments.
- Ingress resources can be written once and handle multiple services using paths.
Ingress controllers are necessary for Ingress resources to work
- Without an Ingress controller, creating Ingress resources has no effect
- Ingress controllers act as load balancers and provide required capabilities
Ingress controller allows you to route traffic for your applications or pods.
- You can create an Ingress resource to define how to route the traffic.
- You can use path-based load balancing, SSL offloading, and pass-through.
To enable domain-based routing with Ingress, an Ingress controller needs to be installed.
- Without an Ingress controller, the Ingress that is created will have an empty address field and won't work.
- Popular Ingress controller options include nginx, HAProxy, and Apache.
To install an Ingress controller like Ambassador, search for its official product documentation and follow the installation steps.
- For production clusters, use Helm to install Ambassador Ingress controller.
- For Minikube, enable the Ingress add-on using the 'minikube addons enable ingress' command.
The Ingress resource created is synced with the nginx load balancer configuration.
- It updates the Ingress related configuration for the load balancer.
- This allows accessing the Ingress resource on foo.bar.com using the Ingress controller.
Mocking the behavior of a domain in a non-production setting.
- In a non-production use case, you can mimic the behavior of a domain by assigning it a specific IP address.
- In a production setting, you can simply provide the actual domain name without the need for IP address assignment.
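Added example (not taken from the video): a single Ingress resource that routes the host foo.bar.com to two backends by path, with comments on how to check that a controller has picked it up and how to test it without DNS. The resource name, the Service names and ports, and the "nginx" class name are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress                 # hypothetical name
spec:
  ingressClassName: nginx            # which installed controller should act on this resource
  rules:
    - host: foo.bar.com              # host-based routing: only this Host header matches
      http:
        paths:
          - path: /orders            # path-based routing, first backend
            pathType: Prefix
            backend:
              service:
                name: orders-svc     # hypothetical ClusterIP Service
                port:
                  number: 80
          - path: /payments          # same address, second backend
            pathType: Prefix
            backend:
              service:
                name: payments-svc   # hypothetical ClusterIP Service
                port:
                  number: 80
# Check that a controller is handling the resource:
#   kubectl get ingress demo-ingress
# The ADDRESS column stays empty until an Ingress controller is installed.
#
# Non-production test without a DNS record (replace <ADDRESS> with the value above):
#   curl --resolve foo.bar.com:80:<ADDRESS> http://foo.bar.com/orders
# An /etc/hosts entry "<ADDRESS> foo.bar.com" has the same effect for all local tools.
```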
Ingress can allow access to HTTP and HTTPS requests
- Ingress provides the ability to access resources using different protocols, such as HTTPS
XLI. Kubernetes Service, Ingress with TLS and Ingress Controllers with Live coding
Explanation of Kubernetes services and how they can be used to avoid downtime when accessing pods with dynamic IP addresses.
Kubernetes services and Ingress Controllers
- Kubernetes services are used to avoid downtime and dynamic IP address issues
- Ingress Controllers are used to expose applications outside the cluster and have advantages over NodePort and LoadBalancer services
Ingress resources allow for routing and management of multiple services using a single IP address.
- Ingress resources define routing rules for services.
- Ingress controllers are necessary to use Ingress resources and there are many supported controllers available.
Ingress controllers watch for ingress resources and update/load balance accordingly.
- Ingress controllers can be officially supported or custom implementations.
- Load balancers may sit inside or outside the Kubernetes cluster.
Ingress classes are used to bifurcate resources for multiple ingress controllers.
- Ingress controllers can be used for path-based routing.
- Ingress controller configuration files can be used to debug and understand issues.
Using ingress for wildcard and basic authentication
- Wildcard ingress can be used to provide access to multiple services under a single domain
- Basic authentication can be added to ingress to restrict access to authorized users
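Added example (not from the video): a wildcard host protected with basic authentication, written for the ingress-nginx controller. The annotations are ingress-nginx's own; the domain, Secret names and Service are placeholders. TLS is configured alongside because basic-auth credentials are only base64-encoded on the wire.

```yaml
# Credentials live in a Secret whose key is "auth" and whose value is htpasswd output:
#   htpasswd -c auth <user>
#   kubectl create secret generic basic-auth --from-file=auth
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-basic-auth          # hypothetical name
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - "*.apps.example.com"
      secretName: wildcard-apps-tls  # placeholder kubernetes.io/tls Secret (wildcard certificate)
  rules:
    - host: "*.apps.example.com"     # matches exactly one label: a.apps.example.com,
      http:                          # but not apps.example.com or a.b.apps.example.com
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: apps-svc       # hypothetical Service
                port:
                  number: 80
# Expected behaviour: requests without valid credentials get 401 from the controller
# and never reach the backend pods.
```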
Load balancer pass-through mode has security drawbacks and can cause latency issues
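- Pass-through mode does not decrypt packets, so the load balancer cannot inspect them and malicious traffic reaches the servers unfiltered, leaving them vulnerable to attacks
- SSL offloading can alleviate latency issues, but compromises security because traffic between the load balancer and the servers is no longer encrypted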
- SSL bridging is a more secure alternative to pass-through mode
Load balancers decrypt, read, and re-encrypt packets for secure communication.
- Load balancers perform additional tasks like path-based routing.
- SSL offloading is recommended for applications that don't require high security.
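Added example (not from the video): the three TLS modes discussed above, expressed as ingress-nginx resources so the differences are visible side by side. Hosts, Secret names and Services are placeholders; the annotations are ingress-nginx's own.

```yaml
# 1) Offloading: TLS ends at the controller; controller-to-pod traffic is plain HTTP.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-offload
spec:
  ingressClassName: nginx
  tls:
    - hosts: [offload.example.com]
      secretName: offload-tls          # kubernetes.io/tls Secret (tls.crt, tls.key)
  rules:
    - host: offload.example.com
      http:
        paths:
          - {path: "/", pathType: Prefix, backend: {service: {name: app-svc, port: {number: 80}}}}
---
# 2) Bridging: controller decrypts, can route on path, then re-encrypts to the pod.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-bridge
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [bridge.example.com]
      secretName: bridge-tls
  rules:
    - host: bridge.example.com
      http:
        paths:
          - {path: "/", pathType: Prefix, backend: {service: {name: app-svc, port: {number: 443}}}}
---
# 3) Pass-through: controller forwards the encrypted stream by SNI; no path routing,
#    no inspection. Requires the controller flag --enable-ssl-passthrough.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-passthrough
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
    - host: passthrough.example.com
      http:
        paths:
          - {path: "/", pathType: Prefix, backend: {service: {name: app-svc, port: {number: 443}}}}
```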
Routes and Ingress in OpenShift
- Routes can be used for SSL offloading and termination, but storing TLS certificates in secrets is not supported
- Ingress can be used for SSL termination and supports storing TLS certificates in secrets
Different load balancers have different implementations for the same resource type
- Load balancers compete with each other and have different ways of implementing resources like ingress and routes
- Some load balancers allow storing secrets in routes while others do not