User access
User access
How do users access the containerized services?
Remember container networking
Containers are not accessible by default
Same challenges for Kubernetes
XXX
Ingress Controller
Responsible for routing requests to containers
Maintains rules for matching hosts and paths
Option 1: Host ports
Host port is directly forwarded to container
One port per host per port
Typical for self-hosted clusters without load balancer
Option 2: Node ports
kube-proxy opens port >30.000 on all nodes…
…and forwards requests to a service
Typical for hosted clusters with hosted load balancer
Ingress resource
Ingress defines rule to match requests and how to route them
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
spec:
rules:
- host: inmylab.de
http:
paths:
- pathType: Prefix
path: "/foo"
backend:
service:
name: foo-service
port:
number: 5678
Request matching
Wildcard host names are allowed
Match paths using Exact or Prefix
Target service
Can be backed by multiple pods
Service takes care of load balancing
Demo: Ingress (controller)
Using nginx-based ingress controller
Backend
Two pods foo and bar and…
…accompanying services
Request matching
Match host inmylab.de
Match path prefix /foo and forward to service foo-service
Match path prefix /bar and forward to service bar-service
Infrastructure-as-Code
Manage user access automatically
Define as code
Concepts
DNS records route requests to hosts running the ingress controller (managed by external-dns)
Connections are secured using TLS (certificates managed by cert-manager)
Use more flexible ingress controller, e.g. traefik and many others
Shortcomings of Ingress resource: focused on HTTP(S), annotations for advanced features
Solved by custom resources in some ingress controllers, e.g. IngressRoute in traefik