Kubernetes Ingress with Traefik ingress

Harshit Sinha
3 min read · Dec 21, 2021

As we all know, creating a Kubernetes Ingress object creates an application-layer load balancer (at least in AWS and GCP). These load balancers can then be used with the managed services of their respective cloud providers, such as Cloud Armor or WAF, and in some cases they are required in order to obtain a managed certificate.
However, this Ingress has a limitation: it can only route traffic to the services in its own namespace. So if you have several namespaces (which in most cases we do), we have to create Ingress objects in each namespace.

So to achieve traffic routing across multiple namespaces, we use ingress controllers like Traefik, NGINX, HAProxy, etc.
The problem then comes down to the type of load balancer they create: in GCP they create a TCP load balancer, and in AWS they create a Classic Load Balancer in TCP mode.

Now that we have discussed the limitations, let’s discuss the workaround.

To achieve an application-layer load balancer using an ingress that routes traffic to services in any namespace, I am using a Kubernetes Ingress in front of the Traefik ingress. I am using GCP for this walkthrough, but the same can be used in AWS as well. I have not tried this in any other cloud providers.
We will start by installing Traefik.
We can use the Helm chart to install Traefik.

helm repo add traefik https://helm.traefik.io/traefik
helm repo update

Once we have added the Helm repo, we need to work on the values file.
The values.yaml file can be found here. We will modify this file for our needs. Find and change these lines (in each group, the lines on top will be replaced by the ones on the bottom).

fallbackApiVersion: "" #Comment this line
#fallbackApiVersion: ""

allowCrossNamespace: false #Comment this line
allowExternalNameServices: false #Comment this line
#allowCrossNamespace: false
#allowExternalNameServices: false

#Under the Logs section in "logs:"
level: ERROR #Optional changing log level
level: INFO

#Under the access section in "logs:"
enabled: false #Optional
enabled: true

#Under the headers section in "logs:"
defaultmode: drop #Optional
defaultmode: keep

#Under "globalArguments:" section find and comment
- "--global.checknewversion" #Comment this line
- "--global.sendanonymoususage" #Comment this line
# - "--global.checknewversion"
# - "--global.sendanonymoususage"

#Under "web:" section find and uncomment this
# redirectTo: websecure #Uncomment this line
redirectTo: websecure

#Under the "service:" change this line.
#This is done to prevent creating the TCP LoadBalancers
type: LoadBalancer #Change
type: ClusterIP

#Under "service.spec:" change this line
# externalTrafficPolicy: Cluster #Change
externalTrafficPolicy: Local

Now we install traefik using helm

helm install traefik traefik/traefik -f values.yaml

We will now have a service of type: ClusterIP instead of LoadBalancer. We will use this service as the target for our Kubernetes Ingress.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: gce #Optional
    kubernetes.io/ingress.global-static-ip-name: $ipname #Optional
    networking.gke.io/managed-certificates: $name #Optional
  name: kubernetes-ingress
  namespace: traefik
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: traefik #name of traefik service created above
            port:
              number: 443
        path: /*
        pathType: ImplementationSpecific

Bonus
Creating IngressRoutes. IngressRoutes are defined in the Traefik CRD. We need to create them for path-based routing.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: $ingressroute_name #any name
  namespace: $any-namespace #namespace you want to create this in
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`service.example.com`)
    services:
    - name: $service #Name of the service to expose
      namespace: $service-namespace #Namespace of the service
      port: 80
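
An added example, not part of the original post: a Python check that lists IngressRoute service references pointing outside the route's own namespace, which Traefik only accepts when allowCrossNamespace is enabled (the values above leave it commented out). The manifest list is constructed sample data in the shape of `kubectl get ingressroute -A -o json`; the function name `cross_namespace_refs` and the route and service names are hypothetical.

```python
import json

# Constructed sample in the shape of `kubectl get ingressroute -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "shop", "namespace": "shop"},
   "spec": {"entryPoints": ["websecure"], "routes": [
     {"kind": "Rule", "match": "Host(`shop.example.com`)",
      "services": [{"name": "shop-web", "namespace": "shop", "port": 80}]}]}},
  {"metadata": {"name": "blog", "namespace": "blog"},
   "spec": {"entryPoints": ["websecure"], "routes": [
     {"kind": "Rule", "match": "Host(`blog.example.com`)",
      "services": [{"name": "blog-web", "port": 80},
                   {"name": "billing-api", "namespace": "billing", "port": 80}]}]}}
]}
""")


def cross_namespace_refs(route_list):
    """Return (route, service) pairs where a route points outside its own namespace."""
    findings = []
    for item in route_list.get("items", []):
        meta = item.get("metadata", {})
        route_ns = meta.get("namespace", "default")
        route_id = f"{route_ns}/{meta.get('name', '?')}"
        for route in item.get("spec", {}).get("routes", []):
            for svc in route.get("services") or []:
                # An omitted service namespace means the route's own namespace.
                svc_ns = svc.get("namespace") or route_ns
                if svc_ns != route_ns:
                    findings.append((route_id, f"{svc_ns}/{svc.get('name', '?')}"))
    return findings


if __name__ == "__main__":
    for route_id, target in cross_namespace_refs(SAMPLE):
        print(f"{route_id} -> {target}: rejected unless allowCrossNamespace is enabled")
```

Running it against the live cluster output before a rollout shows which routes depend on crossing a namespace boundary, so that boundary is relaxed deliberately rather than by accident.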

I have only shared what I have done in GCP, but please let me know in the comments if you are trying this in other clouds and how it is going.
