ingress

Kubernetes Ingress Lab

This lab guides you through setting up Kubernetes Ingress for routing external traffic to internal services. We will deploy sample applications, install an Nginx Ingress controller, and configure host-based routing and TLS.

1. Prerequisites: Kubernetes Cluster

Ensure you have a running Kubernetes cluster. You can use Minikube, Docker Desktop's Kubernetes, or a cloud-managed cluster. For on-premises setups, projects like Tigera Calico for On-Premises Kubernetes (link from original document) can be helpful, but any conformant cluster will do.

2. Initial Cluster Inspection

List Nodes: Verify your nodes are ready.
```
kubectl get no
```
List Namespaces: See the existing namespaces in your cluster.
```
kubectl get namespaces
```

3. Deploy Sample Applications (app1 & app2)

We'll create two simple Nginx applications, each in its own namespace, and expose them via ClusterIP services.

Create and Deploy app1:

kubectl create ns app1
# The following YAMLs deploy Nginx and expose it via a ClusterIP service named 'my-nginx-clusterip'
kubectl apply -n app1 -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/nginx-deployment.yaml
kubectl apply -n app1 -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/nginx-expose-clusterip.yaml

Create and Deploy app2:

kubectl create ns app2
kubectl apply -n app2 -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/nginx-deployment.yaml
kubectl apply -n app2 -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/nginx-expose-clusterip.yaml

Test app1 and app2 Internally: Verify that the applications are running and their services are up.

kubectl get all -n app1 -o wide
kubectl get all -n app2 -o wide

Test connectivity to the services from within the cluster (e.g., using a temporary pod with siege or curl):

# Test app1's service (my-nginx-clusterip.app1.svc.cluster.local or just my-nginx-clusterip from within app1 ns)
kubectl run siege-app1 -it -n app1 --rm --image dockersec/siege -- siege -c1 -r1 http://my-nginx-clusterip
# Test app2's service
kubectl run siege-app2 -it -n app2 --rm --image dockersec/siege -- siege -c1 -r1 http://my-nginx-clusterip

(Added -c1 -r1 to siege for a quick test.)

4. Install Nginx Ingress Controller

We will use the Nginx Ingress controller.Note: The manifest URL below points to version 0.32.0. For production or newer clusters, always refer to the official Nginx Ingress Controller deployment documentation for the latest recommended version and instructions.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-0.32.0/deploy/static/provider/baremetal/deploy.yaml

Verify the Ingress controller installation:

kubectl get namespaces # You should see 'ingress-nginx'
kubectl get po -n ingress-nginx -o wide 
kubectl get svc -n ingress-nginx

To simplify access to the Ingress controller via its NodePorts:

# Ensure the service name 'ingress-nginx-controller' is correct for your installation
export WEB_NODE_PORT=$(kubectl get svc ingress-nginx-controller -n ingress-nginx -o=jsonpath='{.spec.ports[?(@.name=="http")].nodePort}')
export HTTPS_NODE_PORT=$(kubectl get svc ingress-nginx-controller -n ingress-nginx -o=jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')

# If port names 'http'/'https' are not set, you might need to use port numbers:
# export WEB_NODE_PORT=$(kubectl get svc ingress-nginx-controller -n ingress-nginx -o=jsonpath="{.spec.ports[?(@.port==80)].nodePort}")
# export HTTPS_NODE_PORT=$(kubectl get svc ingress-nginx-controller -n ingress-nginx -o=jsonpath="{.spec.ports[?(@.port==443)].nodePort}")

echo "HTTP NodePort: $WEB_NODE_PORT"
echo "HTTPS NodePort: $HTTPS_NODE_PORT"

(Made variable names more descriptive and robust by checking port names first.)

Test direct access to the Ingress controller's NodePorts (replace YOUR_NODE_IP with the IP of one of your Kubernetes nodes; if using Minikube/Kind, localhost or 127.0.0.1 might work).

# This should return a 404 from the Ingress controller as no Ingress rules are configured yet.
curl -kv http://YOUR_NODE_IP:$WEB_NODE_PORT
# This might fail or show a self-signed certificate error from the Ingress controller.
curl -kv https://YOUR_NODE_IP:$HTTPS_NODE_PORT

(Clarified localhost usage.)

5. Configure Host-Based Routing (app1)

Create app1_ingress.yaml:Note on apiVersion: extensions/v1beta1 for Ingress is deprecated and removed in Kubernetes v1.22+. Use networking.k8s.io/v1. The structure of the backend field also changes.

# app1_ingress.yaml
apiVersion: networking.k8s.io/v1 # UPDATED from extensions/v1beta1
kind: Ingress
metadata:
  name: app1-ingress
  namespace: app1 # Ensure this matches your app's namespace
spec:
  rules:
  - host: app1.dockersec.me
    http:
      paths:
      - path: / # Added path
        pathType: Prefix # Added pathType
        backend:
          service: # UPDATED backend structure
            name: my-nginx-clusterip
            port:
              number: 80

Apply the Ingress resource for app1:

kubectl apply -f app1_ingress.yaml -n app1
# Note: if namespace is in metadata, -n app1 on apply is optional but good practice.
kubectl get ingress -n app1

Test access to app1: (Replace YOUR_NODE_IP with your node's IP or localhost if appropriate.)

curl -kv -H "Host: app1.dockersec.me" http://YOUR_NODE_IP:$WEB_NODE_PORT
# This should now route to app1.
curl -kv -H "Host: app2.dockersec.me" http://YOUR_NODE_IP:$WEB_NODE_PORT
# This should still result in a 404 from the Ingress controller.

6. Configure Host-Based Routing (app2)

Create app2_ingress.yaml:

# app2_ingress.yaml
apiVersion: networking.k8s.io/v1 # UPDATED from extensions/v1beta1
kind: Ingress
metadata:
  name: app2-ingress
  namespace: app2 # Ensure this matches your app's namespace
spec:
  rules:
  - host: app2.dockersec.me
    http:
      paths:
      - path: / # Added path
        pathType: Prefix # Added pathType
        backend:
          service: # UPDATED backend structure
            name: my-nginx-clusterip
            port:
              number: 80

Apply the Ingress resource for app2:

kubectl apply -f app2_ingress.yaml -n app2
kubectl get ingress -n app2

Test access to app1 and app2: (Replace YOUR_NODE_IP with your node's IP or localhost.)

curl -kv -H "Host: app1.dockersec.me" http://YOUR_NODE_IP:$WEB_NODE_PORT # Should work
curl -kv -H "Host: app2.dockersec.me" http://YOUR_NODE_IP:$WEB_NODE_PORT # Should also work now

7. Inspect Ingress Controller Configuration (Optional)

You can check the Nginx configuration generated inside the Ingress controller pod to see how it's routing traffic.

# Find the name of your Ingress controller pod
NGINX_INGRESS_POD=$(kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
# Inspect the nginx.conf
kubectl exec -n ingress-nginx "$NGINX_INGRESS_POD" -- cat /etc/nginx/nginx.conf

(Made step 10 into a proper section and added command to get pod name.)

8. Configure TLS for an Ingress Resource

Create a Self-Signed Certificate and Key: For testing, we'll create a self-signed certificate. For production, use certificates from a trusted CA.
```
openssl req -x509 -newkey rsa:2048 -keyout tls.key -out tls.crt -days 365 -nodes \
  -subj "/CN=tlsapp1.dockersec.me"
```

Create a Kubernetes Secret for TLS: Store the certificate and key in a TLS secret in the app1 namespace.

kubectl create secret tls tlscertsapp1 -n app1 --cert=./tls.crt --key=./tls.key
kubectl describe secret -n app1 tlscertsapp1

Create tlsapp1_ingress.yaml:Note on apiVersion: networking.k8s.io/v1beta1 is also deprecated. Use networking.k8s.io/v1.

# tlsapp1_ingress.yaml
apiVersion: networking.k8s.io/v1 # UPDATED from networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tls-example-ingress
  namespace: app1 # Ensure this matches your app's namespace
spec:
  tls:
  - hosts:
      - tlsapp1.dockersec.me
    secretName: tlscertsapp1
  rules:
  - host: tlsapp1.dockersec.me
    http:
      paths:
      - path: /
        pathType: Prefix # Added pathType
        backend:
          service: # UPDATED backend structure
            name: my-nginx-clusterip
            port:
              number: 80

Apply the TLS Ingress resource:

kubectl apply -f tlsapp1_ingress.yaml -n app1
kubectl get ingress tls-example-ingress -n app1

Update Your /etc/hosts File: To test tlsapp1.dockersec.me locally, you need to map this hostname to an IP address that routes to your Ingress controller (e.g., a Node IP, or 127.0.0.1 if using Minikube/Kind or port-forwarding to a node).
Important: Add the following line to your /etc/hosts file on the machine where you are running curl:
```
YOUR_NODE_IP_OR_LOCALHOST tlsapp1.dockersec.me
```
(Example: 127.0.0.1 tlsapp1.dockersec.me or 192.168.1.100 tlsapp1.dockersec.me)

Test TLS Access: (Replace YOUR_NODE_IP_OR_LOCALHOST with the IP used in /etc/hosts.)

# This command uses the hostname for SNI and connects to the HTTPS NodePort.
# The -k flag is used because the certificate is self-signed.
curl -kv https://tlsapp1.dockersec.me:$HTTPS_NODE_PORT

# Alternative using Host header (less common for HTTPS direct to IP:Port but can work if SNI is primary)
# curl -kv -H "Host: tlsapp1.dockersec.me" https://YOUR_NODE_IP_OR_LOCALHOST:$HTTPS_NODE_PORT

(Clarified curl command for TLS testing.)

Home

Previoushandy_things Nextk8s_cluster_communication

Last updated 6 months ago