Samarthya

All right, it has been sometime since I last wrote my blog, and it has been disappointing not to have found enough time to collate and put my thoughts in a simple worded doc; better late then never. So, here I am trying to reignite the pursuit of writing at least once a week.

Topic for the day: Ingress

https://kubernetes.io/docs/concepts/services-networking/ingress/

Till now I had only exposed services (HTTP/HTTPS) using NodePort or ClusterIP but as the security tightens and K8S evolves (current version 1.22.1) I had to try out ingress, but that meant few things.

• Identifying the current version which in my case was 1.19 and after repeated attempts to kubeadm upgrade plan failed, I created a fresh cluster.
• The fresh install was simple, I just had to reset and upgrade the binaries which were reporting the version skew.

> k version
Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.1", GitCommit:"632ed300f2c34f6d6d15ca4cef3d3c7073412212", GitTreeState:"clean", BuildDate:"2021-08-19T15:45:37Z", GoVersion:"go1.16.7", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.0", GitCommit:"c2b5237ccd9c0f1d600d3072634ca66cefdf272f", GitTreeState:"clean", BuildDate:"2021-08-04T17:57:25Z", GoVersion:"go1.16.6", Compiler:"gc", Platform:"linux/amd64"}

I will try to expose a simple echoservice : jmalloc/echo-server over ingress

k describe svc echo-service
Name:              echo-service
Namespace:         default
Labels:            <none>
Annotations:       <none>
Selector:          run=echo
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.106.39.121
IPs:               10.106.39.121
Port:              http  80/TCP
TargetPort:        8080/TCP
Endpoints:         172.16.217.198:80
Session Affinity:  None
Events:            <none>

The code is references below

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: echo
  name: echo
spec:
  replicas: 1
  selector:
    matchLabels:
      run: echo
  template:
    metadata:
      labels:
        run: echo
    spec:
      containers:
      - name: echo
        image: jmalloc/echo-server
        ports:
        - containerPort: 8080
        readinessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
          successThreshold: 1
---
apiVersion: v1
kind: Service
metadata:
    name: echo-service
spec:
    selector:
      run: echo
    ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080

What is Ingress?

Rules are used to control the incoming traffic.

An Ingress does not expose arbitrary ports or protocols. Exposing services other than HTTP and HTTPS to the internet typically uses a service of type 

• Service.Type=NodePort or 
• Service.Type=LoadBalancer

Before ingress can be created you need the cluster to have an ingress controller, in my case I deployed HAProxy as the controller

helm install kubernetes-ingress haproxytech/kubernetes-ingress --set controller.logging.level=debug

I have enabled logging by using instructions available here

helm ls

NAME                    NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                           APP VERSION
kubernetes-ingress      default         1               2021-08-24 06:10:34.409376867 +0000 UTC deployed        kubernetes-ingress-1.16.2       1.6.5

Pods currently running in my system have the ingress controller and the echo-service

NAME                                                      READY   STATUS    RESTARTS   AGE
pod/echo-67b86c4c99-8xt8t                                 1/1     Running   0          26h
pod/kubernetes-ingress-6f5b6f789c-5l56m                   1/1     Running   0          69m
pod/kubernetes-ingress-6f5b6f789c-66kpk                   1/1     Running   0          69m
pod/kubernetes-ingress-default-backend-759ccc6c98-2shlv   1/1     Running   0          69m
pod/kubernetes-ingress-default-backend-759ccc6c98-ddsnt   1/1     Running   0          69m

Services exposed are aas under

NAME                                         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                     AGE
service/echo-service                         ClusterIP   10.106.39.121    <none>        80/TCP                                      26h
service/kubernetes                           ClusterIP   10.96.0.1        <none>        443/TCP                                     4d23h
service/kubernetes-ingress                   NodePort    10.109.251.254   <none>        80:30462/TCP,443:31125/TCP,1024:32696/TCP   69m
service/kubernetes-ingress-default-backend   ClusterIP   None             <none>        8080/TCP                                    69m

You can see the NodePort service for ingress exposed over 30462

Let’s write the ingress for the echo service

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo-ingress
  annotations:
    haproxy.org/path-rewrite: "/"
    haproxy.org/ingress.class: "haproxy"

spec:
  rules:
    - http:
        paths:
        - path: /echo
          pathType: Prefix
          backend:
            service:
              name: echo-service
              port:
                number: 80

Once you save this file ingress.yaml and apply it using kubectl apply -f ingress.yaml you can see the resource created

NAME           CLASS    HOSTS   ADDRESS          PORTS   AGE
echo-ingress   <none>   *       10.109.251.254   80      69m

You can check the logs of the haproxy pod to see if the route has been updated

k logs kubernetes-ingress-6f5b6f789c-5l56m

2021/08/24 06:13:46 DEBUG   service/service.go:121 Ingress 'default/echo-ingress': new backend 'default-echo-service-http', reload required
2021/08/24 06:13:46 DEBUG   service/service.go:148 Ingress 'default/echo-ingress': backend 'default-echo-service-http' updated, reload required
2021/08/24 06:13:46 DEBUG   service/endpoints.go:133 Server slots in backend 'default-echo-service-http' scaled to match scale-server-slots value: 42, reload required
2021/08/24 06:13:46 DEBUG   haproxy/rules.go:199 New HAProxy rule 'REQ_PATH_REWRITE' created, reload required
2021/08/24 06:13:46 DEBUG   haproxy/rules.go:199 New HAProxy rule 'REQ_PATH_REWRITE' created, reload required
2021/08/24 06:13:46 DEBUG   haproxy/maps.go:116 Map file 'path-exact' updated, reload required
2021/08/24 06:13:46 DEBUG   haproxy/maps.go:116 Map file 'path-prefix' updated, reload required
2021/08/24 06:13:46 DEBUG   haproxy/rules.go:199 New HAProxy rule 'REQ_PATH_REWRITE' created, reload required
2021/08/24 06:13:46 DEBUG   haproxy/rules.go:199 New HAProxy rule 'REQ_PATH_REWRITE' created, reload required
2021/08/24 06:13:46 INFO    controller.go:235 HAProxy reloaded

So the ingress is now working and available for incoming traffic, let’s give it a try

curl http://10.80.120.148:30462/echo

Request served by echo-67b86c4c99-8xt8t

HTTP/1.1 GET /

Host: 10.80.120.148:30462
User-Agent: curl/7.29.0
Accept: */*
X-Forwarded-For: 172.16.217.192

Help

• You can refer to the official documentation
• kubectl create ing --help
• https://kubernetes.io/docs/concepts/services-networking/service/
• https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/
• https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#service-v1-core
• https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#ingress-v1-networking-k8s-io
• https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#ingressrule-v1-networking-k8s-io
• https://www.haproxy.com/documentation/kubernetes
• https://www.haproxy.com/documentation/kubernetes/latest/usage/logging/