Author

Rajesh Kumar

DevOps@RajeshKumar.xyz

Ingress

Exercise 10.1: Advanced Service Exposure

Configure an Ingress Controller

With such a fast-changing project, it is important to keep track of updates. The main place to find documentation for the current version is https://kubernetes.io/.

  1. If you have a large number of services to expose outside of the cluster, or need to expose a low-numbered port on the host node, you can deploy an ingress controller or a service mesh. While nginx and GCE have controllers officially supported by Kubernetes.io, the Traefik ingress controller is, at the moment, easier to install. Begin by creating a deployment named secondapp that runs nginx.
    
    	student@lfs458-node-1a0a:~$ kubectl create deployment secondapp \
    		--image=nginx
    
    
    
  2. Find the labels currently in use by the deployment. We will use them to tie traffic from the ingress controller to the proper service.
    
    	student@lfs458-node-1a0a:~$ kubectl get deployments secondapp -o yaml | grep label -A2
    	  labels:
    	    app: secondapp
    	  name: secondapp
    	--
    	      labels:
    	        app: secondapp
    	    spec:
    
    
    
  3. Expose the new server as a NodePort.
    
    	student@lfs458-node-1a0a:~$ kubectl expose deployment secondapp \
    		--type=NodePort --port=80
    
    
  4. As we have RBAC configured we need to make sure the controller will run and be able to work with all necessary ports, endpoints and resources. Create a YAML file to declare a clusterrole and a clusterrolebinding.
    
    	student@lfs458-node-1a0a:~$ vim ingress.rbac.yaml
    	kind: ClusterRole
    	apiVersion: rbac.authorization.k8s.io/v1beta1
    	metadata:
    	  name: traefik-ingress-controller
    	rules:
    	  # Read-only access to objects in the core ("") API group
    	  - apiGroups:
    	      - ""
    	    resources:
    	      - services
    	      - endpoints
    	      - secrets
    	    verbs:
    	      - get
    	      - list
    	      - watch
    	  # Read-only access to Ingress objects
    	  - apiGroups:
    	      - extensions
    	    resources:
    	      - ingresses
    	    verbs:
    	      - get
    	      - list
    	      - watch
    	---
    	kind: ClusterRoleBinding
    	apiVersion: rbac.authorization.k8s.io/v1beta1
    	metadata:
    	  name: traefik-ingress-controller
    	roleRef:
    	  apiGroup: rbac.authorization.k8s.io
    	  kind: ClusterRole
    	  name: traefik-ingress-controller
    	# The service account the controller pods run as
    	subjects:
    	- kind: ServiceAccount
    	  name: traefik-ingress-controller
    	  namespace: kube-system
    
    	
    
  5. Create the new role and binding.
    
    	student@lfs458-node-1a0a:~$ kubectl create -f ingress.rbac.yaml
    	clusterrole.rbac.authorization.k8s.io "traefik-ingress-controller" created
    	clusterrolebinding.rbac.authorization.k8s.io "traefik-ingress-controller" created
    	
    
  6. Create the Traefik controller. We will use a YAML file directly from their website. The full URL is shown first; the wget command uses a shorter version of it.
    
    	https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-ds.yaml
    	student@lfs458-node-1a0a:~$ wget https://tinyurl.com/yawpexdt -O traefik-ds.yaml
    
    	
    
  7. We need to take out some security context settings. Edit the file so that a diff between the downloaded copy and the edited file matches the output below: add the hostNetwork line and remove the securityContext lines. The indentation for hostNetwork should line up with the containers: line.
    
    	student@lfs458-node-1a0a:~$ vim traefik-ds.yaml
    	diff traefik-ds.yaml.1 ds/traefik-ds.yaml
    	23a24 ## Add this line
    	> hostNetwork: true
    	34,39d34 ## Remove these lines
    	< securityContext:
    	< capabilities:
    	< drop:
    	< - ALL
    	< add:
    	< - NET_BIND_SERVICE
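
    Review bot: the 34,39d34 hunk deletes the whole securityContext block (`drop: ALL` with `add: NET_BIND_SERVICE`), so the container falls back to the runtime's default capability set, and 23a24 puts the pod in the node's network namespace with `hostNetwork: true` in the same edit. If the goal is only for the controller to bind a low-numbered port on the host, consider adding the hostNetwork line alone and keeping the six securityContext lines, then checking that the pod still starts before removing them.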
    	
    
  8. Then create the ingress controller using kubectl create.
    
    	student@lfs458-node-1a0a:~$ kubectl create -f traefik-ds.yaml
    	serviceaccount "traefik-ingress-controller" created
    	daemonset.extensions "traefik-ingress-controller" created
    	service "traefik-ingress-service" created
    
    	
    
  9. Now that there is a new controller, we need to pass it some rules so it knows how to handle requests. Note that the host mentioned is www.example.com, which is probably not your node name. We will pass a false Host header when testing. Also, the service name needs to match the secondapp label we found in an earlier step.
    
    	student@lfs458-node-1a0a:~$ vim ingress.rule.yaml
    	apiVersion: extensions/v1beta1
    	kind: Ingress
    	metadata:
    	  name: ingress-test
    	  annotations:
    	    kubernetes.io/ingress.class: traefik
    	spec:
    	  rules:
    	  - host: www.example.com
    	    http:
    	      paths:
    	      - backend:
    	          serviceName: secondapp
    	          servicePort: 80
    	        path: /
    
    	
    
  10. Now ingest the rule into the cluster.
    
    	student@lfs458-node-1a0a:~$ kubectl create -f ingress.rule.yaml
    	ingress.extensions "ingress-test" created
    	
    
  11. We should be able to test the internal and external IP addresses, and see the nginx welcome page. The loadbalancer would present the traffic, a curl request in this case, to the externally facing interface. Use ip a to find the IP address of the interface which would face the loadbalancer. In this example the interface would be ens4, and the IP would be 10.128.0.7.
    
    	student@lfs458-node-1a0a:~$ ip a
    	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    	link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    	inet 127.0.0.1/8 scope host lo
    	valid_lft forever preferred_lft forever
    	inet6 ::1/128 scope host
    	valid_lft forever preferred_lft forever
    	2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc mq state UP group default qlen 1000
    	link/ether 42:01:0a:80:00:03 brd ff:ff:ff:ff:ff:ff
    	inet 10.128.0.7/32 brd 10.128.0.3 scope global ens4
    	valid_lft forever preferred_lft forever
    	<output_omitted>
    	student@lfs458-node-1a0a:~$ curl -H "Host: www.example.com" http://10.128.0.7/
    	<!DOCTYPE html>
    	<html>
    	<head>
    	<title>Welcome to nginx!</title>
    	<style>
    	
    	student@lfs458-node-1a0a:~$ curl -H "Host: www.example.com" http://35.193.3.179
    	<!DOCTYPE html>
    	<html>
    	<head>
    	<title>Welcome to nginx!</title>
    	<style>
    	<output_omitted>
    
    	
    
  12. At this point we would keep adding more and more web servers. We'll configure one more, a process that could then be repeated as many times as desired.
    Begin by deploying another nginx server. Give it a label and expose port 80.
    
    	student@lfs458-node-1a0a:~$ kubectl create deployment thirdpage --image=nginx
    	deployment.apps/thirdpage created
    	
    
  13. Find the label for the new deployment. Look for the name:, which would be thirdpage in this example.
    
    	student@lfs458-node-1a0a:~$ kubectl get deployment thirdpage -o yaml | grep -A2 label
    	  labels:
    	    app: thirdpage
    	  name: thirdpage
    	--
    	      labels:
    	        app: thirdpage
    	    spec:
    
    	
    
  14. Expose the new server as a NodePort.
    
    	student@lfs458-node-1a0a:~$ kubectl expose deployment \
    		thirdpage --type=NodePort --port=80
    	service/thirdpage exposed
    
    	
    
  15. Now we will customize the installation. Run a bash shell inside the new pod. Your pod name will end differently. Install vim inside the container, then edit the index.html file of nginx so that the title of the web page will be Third Page.
    
    	student@lfs458-node-1a0a:~$ kubectl exec -it thirdpage-5cf8d67664-zcmfh -- /bin/bash
    	
    	root@thirdpage-5cf8d67664-zcmfh:/# apt-get update
    	<output_omitted>
    	root@thirdpage-5cf8d67664-zcmfh:/# apt-get install vim -y
    	<output_omitted>
    	
    	root@thirdpage-5cf8d67664-zcmfh:/# vim /usr/share/nginx/html/index.html
    	<!DOCTYPE html>
    	<html>
    	<head>
    	<title>Welcome to nginx!</title>
    	<style>
    	<output_omitted>
    
    
    	
    
  16. Edit the ingress rules to point to the thirdpage service. Use the serviceName of thirdpage, which we found in an earlier step.
    
    	student@lfs458-node-1a0a:~$ kubectl edit ingress ingress-test
    	<output_omitted>
    	  - host: www.example.com
    	    http:
    	      paths:
    	      - backend:
    	          serviceName: secondapp
    	          servicePort: 80
    	        path: /
    	  - host: thirdpage.org
    	    http:
    	      paths:
    	      - backend:
    	          serviceName: thirdpage
    	          servicePort: 80
    	        path: /
    	status:
    	<output_omitted>
    
    
    
  17. Test the second hostname using curl locally as well as from a remote system.
    
    	student@lfs458-node-1a0a:~$ curl -H "Host: thirdpage.org" http://10.128.0.7/
    	
    	<!DOCTYPE html>
    	<html>
    	<head>
    	<title>Welcome to nginx!</title>
    	<style>
    	<output_omitted>
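
The ClusterRole from step 4 is attached with a ClusterRoleBinding, so its rules apply in every namespace, including the read access to secrets. As an added example (not part of the original lab or of Kubernetes itself), the Python below applies RBAC's additive rule matching to those rules; `RULES` is transcribed from ingress.rbac.yaml, while `allowed`, `sensitive_grants` and the `SENSITIVE` set are hypothetical names chosen for this illustration.

```python
# Added example: evaluate the step 4 ClusterRole the way RBAC matches rules.
# RULES mirrors ingress.rbac.yaml; all other names are hypothetical.

RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
]
SENSITIVE = {("", "secrets")}  # assumption: what this review treats as sensitive
VERBS = ("get", "list", "watch", "create", "update", "patch", "delete")


def _match(values, wanted):
    """A rule field matches on an exact entry or on the '*' wildcard."""
    return "*" in values or wanted in values


def allowed(rules, verb, resource, api_group="", name=None):
    """True if any rule grants the request; RBAC has no deny rules."""
    for rule in rules:
        names = rule.get("resourceNames") or []
        if (_match(rule.get("verbs", []), verb)
                and _match(rule.get("apiGroups", []), api_group)
                and _match(rule.get("resources", []), resource)
                and (not names or name in names)):  # resourceNames narrows a rule
            return True
    return False


def sensitive_grants(rules, cluster_wide):
    """List (scope, group/resource, verb) for unrestricted grants on SENSITIVE items."""
    scope = "all namespaces" if cluster_wide else "one namespace"
    found = []
    for group, resource in sorted(SENSITIVE):
        for verb in VERBS:
            if allowed(rules, verb, resource, group):
                found.append((scope, f"{group or 'core'}/{resource}", verb))
    return found


if __name__ == "__main__":
    # cluster_wide=True because step 4 uses a ClusterRoleBinding, not a RoleBinding
    for grant in sensitive_grants(RULES, cluster_wide=True):
        print(*grant)
```

On a live cluster the same question can be put to the API server with `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:kube-system:traefik-ingress-controller`.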
    
