I've different deployments over different namespaces and I would like to expose some of them to the Internet, even if I don't have a static and public IP available. The different services are deployed on Rancher k3s and every service which should be publicly accessible has an Ingress defined in the same namespace.

I was trying to follow Rancher - How to expose my services publicly?, but I didn't really get what I've to do and, moreover:

  • Why do we need to define a LoadBalancer? It seems to me that the IngressController used by k3s (Traefik?) already creates one. If this is a must (or a good way to go), how should the service be defined exactly?
  • I don't have any Rancher UI in my environment. Therefore, is there a way to achieve what is described in that link in a declarative way?
  • Is there a way to use services like No-IP or FreeDNS for the final hostname?
cdprete

1 Answer

If I get it right, you deployed Kubernetes manually on barebone/VM nodes and now you want to reach your deployments running inside that cluster.

  • There are two levels of load balancing in this setup: the one managed by your ingress controller (it sounds like it is Traefik in your case), and it is recommended to run a second L4 load balancer in front of your workers to reach the ingress pods, which are usually deployed on multiple/all nodes. Traefik, or other LB controllers, will load balance traffic inside the k8s cluster without issue even if you don't have an L4 load balancer, but it is not recommended, as if you lose this node, no traffic can reach the Kubernetes cluster anymore. You "just" need to have your DNS resolution pointing at your public IP and routed to one of your workers, or the LB in front of it. However, if you don't have an L4 LB, you'll need to have your ingress pods listening on ports 80 and/or 443.
  • Most things that you do in the Rancher UI are just an easier way to see your k8s objects; all ingress configuration can be achieved via kubectl, k9s (strongly recommend that one!), Lens or other methods. However, k8s objects are still k8s objects. In this case, you need to have your services exposed with ClusterIP, which are then reachable by the ingress pods.
  • I've never used such a solution natively from k8s, but when I had to, the internet router was able to do this part; once you're there, it is internal routing.

I hope this helps. Ingress can definitely be a tough one to grasp!

2o1o0
  • Hi @2o1o0 - for what I've understood, the (Traefik) IngressController provided by k3s is already listening on the ports 80/443, in fact I can access the services by using the port 80 (the Ingress itself defines 8080 as port; the same exposed by the ClusterIP service it forwards the requests to) - I also agree that everything should be doable with k8s objects, but how to map the `Automatically generate a .xip.io hostname` exactly? What should I define and how? – cdprete Feb 23 '22 at 19:57
  • If you can already reach your service, then you should be fine with the ingress object definition otherwise the traefik lb wouldn't be able to route traffic to it. Now you need to create the record in your dns provider, or configure your router (or external service/device, or might exist for k8s) to resolve and route to your dynamic ip. – 2o1o0 Feb 23 '22 at 20:24
  • can you maybe provide an example? If I use something like FreeDNS, what kind of record should I define? Also, which IP should I use? The one coming from the LB, or the one from the router? – cdprete Feb 24 '22 at 23:19
  • You should get a mysubdomain.freedns.comm that resolves to your router public IP. Your router should route calls on ports 80/443 to your Kubernetes cluster/node. You can then either use that raw subdomain for your app, or expose the app on a path to have multiple sites on one free domain, or get another DNS resolving to it via CNAME records. Please keep in mind that this will expose your network, so you should keep security best practices in mind as well (auth, namespaces, updates...). – 2o1o0 Feb 27 '22 at 09:49
  • Somehow this doesn't seem to work from outside the local network. I did create an account on NoIP (i.e. foo.bar.sites) and mapped it to the public IP of the router. In the cluster, I've 2 Ingress using path mapping (i.e. /foo and /bar). When I try to access the app from outside the local network (i.e. http://foo.bar.sites/foo/something) then the connection just hangs until it goes in timeout. I've also tried exposing the port 80 on the router, but with no luck. – cdprete Feb 27 '22 at 11:52
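
The declarative setup discussed in the answer and comments above (a ClusterIP Service reached through the k3s Traefik ingress on a dynamic-DNS hostname), as an added example that is not part of the original posts. The namespace `foo`, the name and label `foo-app` and the `traefik` ingress class name are assumptions; the host, path and port 8080 are the ones mentioned in the comments.

```yaml
# Added example; "foo" namespace and "foo-app" name/label are hypothetical.
apiVersion: v1
kind: Service
metadata:
  name: foo-app
  namespace: foo
spec:
  type: ClusterIP            # cluster-internal only; reached by the ingress pods
  selector:
    app: foo-app             # must match the labels on the Deployment's pods
  ports:
    - name: http
      port: 8080             # port the Ingress forwards to
      targetPort: 8080       # port the container listens on (assumed equal)
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo-app
  namespace: foo             # same namespace as the Service it routes to
spec:
  ingressClassName: traefik  # assumption: class of the Traefik bundled with k3s
  rules:
    - host: foo.bar.sites    # dynamic-DNS name that resolves to the router's public IP
      http:
        paths:
          - path: /foo
            pathType: Prefix
            backend:
              service:
                name: foo-app
                port:
                  number: 8080
```

Applied with `kubectl apply -f`, this needs no LoadBalancer Service of its own: the router forwards ports 80/443 to a node where Traefik listens, and only workloads that have an Ingress like this one become reachable from outside.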