GKE - Global ingress in practice on Google Container Engine - Part 1- Discussion

In this article I’ll cover a variety of challenges I faced and solutions I figured out when deploying a real app to a Global Federated cluster using GCE ingress controller. In part 1 I’ll discuss the concepts, and in part 2 we’ll do an end to end deployment with real code.

Contents:

  • Simple Example
  • Variations
  • Global IP
  • Annotations
  • Health Checks
  • Node port type and port
  • Path contexts
  • Cluster balancing

Having multiple deployed services respond under one domain name is a common practice in larger applications. With Kubernetes you can expose Deployments as independent Services, using ClusterIPs, NodePort and LoadBalancers. You can also expose multiple Services as a single virtual entity using Ingress resources.

In theory Ingress resources are straight forward and easy to use, but in practice there can be a steeper learning curve. In this article we’ll review the basics of creating an Ingress resources and some quirks you’ll encounter in real life.

Simple Example

There are three main resources involved with this process: the deployment, it’s service and the ingress itself. Lets review a simple Hello World ingress.

From the Kubernetes documentation for Ingress resource we can see many of the key elements

Ingress Example Yaml from docs

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
    ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: s1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: s2
          servicePort: 80

Just covering whats here, any requests to host foo.bar.com will be processed by the rules contained in that block. foo.bar.com/foo will route to service s1 on port 80, requests to foo.bar.com/bar will route to service s2 on port 80.

Variations not explicitly listed in the docs

All Hosts

If you don’t want to deal with the hostname, you can remove the host value and just the path rules will be evaluated for any and all hosts / IPs.

Here’s an example with that

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
    ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: s1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: s2
          servicePort: 80

Default Backend

The docs discuss a Single Service Ingress option and without rules. You can combine this with the path rules to define both your own default backend with additional rules. Heres an example for that.



apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
    ingress.kubernetes.io/rewrite-target: /
spec:
  backend:
    serviceName: testsvc
    servicePort: 80
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: s1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: s2
          servicePort: 80

Here any request to this ingress with /foo with go to service s1, any requests for /bar will route to s2, and all others will route to testsvc

Its important to note that if you don’t define a default backend, Kubernetes will create one for you behind the scenes. Also the backend created for you exists only in one cluster You’ll see this when looking at the load balancer backends create in GCP later.

Global IP

This is another important point for the global ingress. You’ll need to explicitly create and use a Global IP from google. The default ephemeral IPs created are only regional and won’t be able to support backend services from different regions.

I spent a very long time with this one, DON’T MISS IT

From the command line create a global IP

gcloud compute addresses create ingress-ip --global

Then in your ingress.yaml reference it as an annotation like so:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
    kubernetes.io/ingress.global-static-ip-name: ingress-ip      
    ingress.kubernetes.io/rewrite-target: /
spec:
  backend:
    serviceName: testsvc
    servicePort: 80
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: s1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: s2
          servicePort: 80

Ingress Annotations

In the metadata section of the Ingress definition various annotations can be provided to help kubernetes understand your intentions better.

Ingress Controller

Depending on where and how you deploy kubernetes you may choose what will actually execute on the ingress yaml definition you provide. Many of the documents refer to nginx as the ingress controller, but for this example I’ll be showing how to use native GCE.

While not required, its a good practice to add an annotation noting which controller you’re intending to use. This is helpful if there are multiple options within a given environment as an example

Because I want to use GCE for this ingress controller I’ll specify it explicitly using the kubernetes.io/ingress.class: “gce” annotation


apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
  	  kubernetes.io/ingress.class: "gce"
    ingress.kubernetes.io/rewrite-target: /
spec:
  backend:
    serviceName: testsvc
    servicePort: 80
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: s1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: s2
          servicePort: 80

Health Checks

By default the ingress will setup loadblancer health checks by pinging the root of your service. This is important to know in case you choose not to route “/“ on your service. To ensure your app registers its health correctly either provide a “/“ route or Configure Liveness and Readiness Probes for your needs.

I ended up just leaving the root context in the app for simplicity

NodePort

Here’s another item that made complete sense after working through it. First off using the GCE ingress controller requires a service exposed with NodePort, it can’t be just ClusterIP. Secondly, when deploying in a federated cluster, the node ports for your container need to be the same in all clusters so we need to define it explicitly. By default each container would provide a random port for type NodePort, but in a federated model, we need them to be the same so the health check is accurate. Once up and running you’ll see the health check polling the same port on all nodes for your app.

To define this, on the service definition for our deployment we’ll specify the exact values we want. Here’s an example

apiVersion: v1
kind: Service
metadata:
  name: s1
  labels:
    app: app1
spec:
  type: NodePort
  ports:
  - port: 80
    nodePort: 30041
  selector:
    app: app1

You’ll need to define a different node port for each service so there are no collisions

Path Contexts

This was probably the most annoying issue I faced and only reared it’s head with a real app. So far all the demos and hello world apps have worked fine. /foo routes to svc1, and /bar to svc2. When I deployed a real app however things weren’t as clear. I would get the main page for my services but everything else would revert to the default load balancer. Come to find out there is a quirk with ingress in that Nginx and GCE ingress controllers don’t work the same.

Basically on Nginx /foo is looking for anything with a prefix of /foo where the gce controller see it as an explicit mapping. To fix this we need to add * mappings to our rule paths in the ingress yaml as follows:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
  	  kubernetes.io/ingress.class: "gce"
    ## ingress.kubernetes.io/rewrite-target: /
spec:
  backend:
    serviceName: testsvc
    servicePort: 80
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: s1
          servicePort: 80
      - path: /foo/*
        backend:
          serviceName: s1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: s2
          servicePort: 80
	     - path: /bar/*
        backend:
          serviceName: s2
          servicePort: 80

By adding the additional mappings any requests for /foo or /foo/baz/bar will correctly route to service s1 and requests for /bar or /bar/baz/foo will route to service s2

Cluster Balancing

For the most part kubernetes will try to balance the clusters so apps are evenly distributed across clusters, but you reflect your intentions using the federation.kubernetes.io/deployment-preferences: annotation as follows

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: app1
spec:
  replicas: 4
  template:
    metadata:
      annotations:
        federation.kubernetes.io/deployment-preferences: |
          {
            "rebalance": true,
            "clusters": {
              "east-cluster": {
                  "minReplicas": 1
              },
              "west-cluster": {
                  "minReplicas": 1
              }
            }
          }
      labels:
        app: app1
    spec:
      containers:
        - name: app1
          image: myrepo/appi:v7
          ports:
            - containerPort: 80
          resources:
            requests:
              cpu: 100m
              memory: 100Mi

The annotations above are asking kubernetes to rebalance and keep a minimum of one replica in east and a minimum of one replica in west.

Conclusion

Kubernetes ingress controllers are a powerful tool. With little extra insight they become a simple resource to manage as well. Utilizing the GCE controller type allows you to implement ingress quickly and easily on Google Container Engine with no additional resources needed.

I hope this was helpful and come back soon for the end to end demo.