2

I have a bare-metal Kubernetes cluster with an haproxy ingress controller (daemon set) on an external IP. Is it possible to restrict kube-proxy to route to the local haproxy ingress pod?

To be more specific, I have 2 pods of the haproxy ingress controller and use one external IP for them. As per my understanding, kube-proxy will be routing in round-robin to the pods. I didn't find any way to restrict this particular behaviour.

NightOwl19
  • What you mean is you don't want pods to bind on a port from the external IP? – Kartoch May 15 '20 at 09:15
  • To be more specific: I have 2 pods of the haproxy ingress controller and use one external IP for them. As I understood, kube-proxy will be routing in round-robin to them. I didn't find any way to restrict that behaviour to the local pod. – domino player May 15 '20 at 09:35
  • I think you mean each node has one instance of the haproxy ingress controller as a daemonset exposed as NodePort, so each HaProxy has an external IP and a port > 30000. So if you want round-robin to access the haproxy ingress controllers, you need a load balancer. – Kartoch May 15 '20 at 10:06
  • No, I'm using an external IP in the service. I have real ports like 80 and 443. – domino player May 15 '20 at 10:48

1 Answer

3

Set externalTrafficPolicy: Local in the NodePort Service.

This will make it so that traffic going to a node X will only go to the pod in node X. If there is no pod in node X the traffic will be dropped (but this should not be an issue since you're using a DaemonSet).

Another benefit is that this preserves the true source IP that haproxy sees. Without externalTrafficPolicy, it is possible that haproxy sees the source IP of another node instead of the original one, since nodes can proxy traffic.

More info here

Dirbaio
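The setting from the answer above, written out as a Service manifest. This is an added example, not part of the original answer: the Service name, namespace, selector label and the external IP (192.0.2.10, a documentation-range address) are constructed placeholders, and it assumes the kube-proxy version in use applies the policy to traffic arriving on the external IP.

```yaml
# Added example (not from the original post). All names and addresses below
# are constructed placeholders; replace them with your own values.
apiVersion: v1
kind: Service
metadata:
  name: haproxy-ingress            # hypothetical Service name
  namespace: ingress-controller    # hypothetical namespace
spec:
  type: NodePort
  # Default is "Cluster": kube-proxy may forward to a pod on any node and
  # rewrites the source address, so haproxy can see a node IP as the client.
  # "Local": only endpoints on the receiving node are used and the client
  # source IP is preserved. A node without a local endpoint drops the
  # traffic, which a DaemonSet avoids by running one pod per node.
  externalTrafficPolicy: Local
  externalIPs:
    - 192.0.2.10                   # constructed example address
  selector:
    app: haproxy-ingress           # hypothetical pod label of the DaemonSet
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
```

To confirm the policy is in effect, check that the client address in the haproxy access log is the real client rather than another node's IP.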