
I'm trying to run an NGINX reverse proxy, which is publicly exposed, without a loadbalancer. I want to curl the VM IP on port 80 with the ingress path specified and see my nginx setup page.

I installed this NGINX controller:

https://kubernetes.github.io/ingress-nginx/deploy/#digital-ocean

Ingress

...
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - backend:
          service:
            name: webserver-srv
            port:
              number: 80
        path: /
        pathType: Prefix

I've modified the externalIP on the ingress controller to point to my VM like so:

(This is what allows the port 80 to open up when I run netcat)

spec:
  externalIPs:
  - my.ip.goes.here

I can successfully validate that the port is open with nc -vz <IP> 80; however, I just get an empty reply from the server.

I have a basic nginx webserver running as the service:

apiVersion: apps/v1
kind: Deployment
metadata:
    name: webserver-depl
spec:
    replicas: 1
    selector:
        matchLabels:
            app: webserver
    template:
        metadata:
            labels:
                app: webserver
        spec:
            containers:
                - name: webserver
                  image: nginx
---
apiVersion: v1
kind: Service
metadata:
    name: webserver-srv
spec:
    selector:
        app: webserver
    type: ClusterIP
    ports:
        - name: webserver
          protocol: TCP
          port: 80
          targetPort: 80

I can curl the clusterIP of the service and it works as expected:

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Ryan

1 Answer

Don't set Service externalIPs matching one of your nodes' addresses (or anything else in your network). Those need to be unique. Although working in a cloud environment (DigitalOcean) probably serves as a fail-safe here.

You did not expose your ingress controller outside of your SDN. A ClusterIP Service won't do (exposes in-SDN only). Setting an externalIP that overlaps with something else won't do either.

If you don't want to use a LoadBalancer Service, then you need to choose another way of making that ingress available to clients outside of your SDN.

One of which would be to use hostNetwork. See https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network

SYN
  • So I can just add this to the controller spec? – Ryan Jul 09 '22 at 20:59
  • short answer, yes, adding some `hostNetwork` on your pods would do. Longer one: such configuration may involve additional configurations (PodSecurityPolicy if you're using those, gatekeeper/OPA, ... depends how secure is your cluster) – SYN Jul 09 '22 at 21:02
  • A bit old, still it might help: https://stackoverflow.com/a/56935143/5607207 – SYN Jul 09 '22 at 21:06
  • so I added host network on the nginx ingress deployment and I see the cluster IP on my ingress. Outside access is blocked. Maybe running a local HAProxy and binding that to 80 is better – Ryan Jul 09 '22 at 21:55
  • Clarify: "outside access is blocked". Why would it work better with haproxy? Ingresses should not show any cluster IP, rather the host addresses where that ingress is hosted. I'm having a hard time following you. At some point, maybe consider using tcpdump and sharing with us what's going on – SYN Jul 10 '22 at 06:00
  • I have this working now with HAProxy, but not with the recommendation you suggested. HAProxy I could simply reroute the backend to the ingress controller internal IP. hostNetwork: true on the deployment didn't expose anything outside the SDN. I could be missing something, but I couldn't get it working (NodeIP on controller with hostNetwork flag) – Ryan Jul 10 '22 at 06:02
  • "I could simply reroute the backend to the ingress controller internal IP" . With hostNetwork, your ingress controller SHOULD NOT have an internal IP. Its only IP is that of the node hosting your controller – SYN Jul 10 '22 at 06:04
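The answer's first point, that a Service's externalIPs must not match a node address, can be checked across a whole cluster. The following is an added example, not part of the original question or answer: it assumes input shaped like the output of `kubectl get nodes,svc -A -o json`, and the sample data, addresses and function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like `kubectl get nodes,svc -A -o json` output;
# the addresses are documentation-range placeholders, not values from the post.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Node", "metadata": {"name": "node-1"},
  "status": {"addresses": [{"type": "InternalIP", "address": "10.0.0.5"},
                           {"type": "ExternalIP", "address": "203.0.113.10"},
                           {"type": "Hostname", "address": "node-1"}]}},
 {"kind": "Service",
  "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
  "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
 {"kind": "Service",
  "metadata": {"namespace": "default", "name": "webserver-srv"},
  "spec": {"type": "ClusterIP"}}
]}
""")


def node_addresses(items):
    """Map each InternalIP/ExternalIP in a Node's status to that node's name."""
    addrs = {}
    for obj in items:
        if obj.get("kind") != "Node":
            continue
        for entry in obj.get("status", {}).get("addresses", []):
            if entry.get("type") in ("InternalIP", "ExternalIP"):
                addrs[ipaddress.ip_address(entry["address"])] = obj["metadata"]["name"]
    return addrs


def overlapping_external_ips(items):
    """Return (service, externalIP, node) for every externalIP that is a node address."""
    nodes = node_addresses(items)
    findings = []
    for obj in items:
        if obj.get("kind") != "Service":
            continue
        svc = f'{obj["metadata"]["namespace"]}/{obj["metadata"]["name"]}'
        for raw in obj.get("spec", {}).get("externalIPs") or []:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # not an IP literal, so it cannot equal a node address
            if ip in nodes:
                findings.append((svc, raw, nodes[ip]))
    return findings
```

Feeding it `json.load(sys.stdin)["items"]` from the kubectl command above lists every Service that needs its externalIPs removed before switching to another exposure method such as hostNetwork.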