Share this page!

Maybe Scrolly?
Daniele Polencic Profile picture
Twitter logo
Jan 16 18 tweets 7 min read
How does the Ingress controller really work in Kubernetes?

I had to find out for myself, so I built one from scratch in bash
1/
Before diving into the code, here is a quick recap on how the ingress controller works

You can think of it as a router that forwards traffic to the correct pods
2/
More specifically, the ingress controller is a reverse proxy that works (mainly) on L7 and lets you route traffic based on domain names, paths, etc
3/
Kubernetes doesn't come with one by default

So you have to install and configure an Ingress controller of choice in your cluster

But it provides a universal manifest (YAML) definition
4/
The exact YAML definition is expected to work regardless of what Ingress controller you use

The critical fields in that file are:

➀ The path
➁ The backend
5/
The backend describes which service should receive the forwarded traffic

But, funny enough, the traffic never reaches it

This is because the controller uses endpoints to route the traffic

What is an endpoint?
6/
When you create a Service, Kubernetes creates a companion Endpoint object

The Endpoint object contains a list of endpoints (ip:port pair)

The IP and ports belong to the Pod
7/
Enough, theory

How does this work in practice if you want to build your own controller?

There are two parts:

➀ Retrieving data from Kubernetes
➁ Reconfiguring the reverse proxy
8/
In 1), the controller has to watch for changes to Ingress manifests and endpoints

If an ingress YAML is created, the controller should be configured

The same happens when the service changes (e.g. a new Pod is added)
9/
In practice, this could be as simple as `kubectl get ingresses` and `kubectl get endpoints `

With this data, you have the following:

- The path of the ingress manifest
- All the endpoints that should receive traffic
10/
With `kubectl get ingresses`, you can get all the ingress manifest and loop through them

I used `-o jsonpath` to filter the rules and retrieve: the path, and the backend service
11/
With `kubectl get endpoint `, you can retrieve all the endpoints (ip:port pair) for a service

Even in this case, I used `-o jsonpath` to filter those down and save them in a bash array
12/
At this point, you can use the data to reconfigure the ingress controller

In my experiment, I used Nginx, so I just wrote a template for the nginx.conf and hot-reloaded the server
13/
In my script, I didn't bother with detecting changes

I decided to recreate the `nginx.conf` in full every second

But you can already imagine extending this to more complex scenarios
14/
The last step was to package the script as a container and set up the proper RBAC rule so that I could consume the API endpoints from the API server

And here it is — it worked!
15/
If you want to play with the code, you can find it here: github.com/learnk8s/bash-…

I plan to write a longer form article on this; if you are interested, you can sign up for the Learnk8s newsletter here: learnk8s.io/newsletter
16/
And if you are unsure what ingress controllers are out there, at @learnk8s we have put together a handy comparison:

docs.google.com/spreadsheets/d…
17/
And finally, if you've enjoyed this thread, you might also like the Kubernetes workshops that we run at Learnk8s learnk8s.io/training or this collection of past Twitter threads

Until next time!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Daniele Polencic

Daniele Polencic Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @danielepolencic

Daniele Polencic Profile picture
Jan 9
THREAD: Isolating a pod for troubleshooting

This technique helps you with debugging running Pods in production

The Pod is detached from the Service (no traffic), and you can troubleshoot it live

Let's get started!
1/
Imagine you have a Deployment with three replicas

Each Pod has an `app=hello` label

A Service routes the traffic to your Pods using the selector `app=hello`
2/
If you want to isolate a Pod you can overwrite the existing label with: `kubectl label pod app=debug --overwrite`

Two things happen next:
Read 12 tweets
Daniele Polencic Profile picture
Jan 3
It's the first day in the office of 2023, and it's time to reflect on my Kubernetes journey in 2022!

What did I achieve?
1/
Let's start with a (very) low note

I co-authored only 4 articles on the Learnk8s blog

The good news is that they were absolutely epic:

➀ Kubernetes workload identities
➁ HA Kafka on Kube
➂ RBAC
➃ Hardcore networking

You can find them here: learnk8s.io/archive
2/
I had several more articles planned, but I was occupied by products, clients & personal matters

This year, I want to publish a post on network troubleshooting and building an ingress controller

I usually pair with other authors. If you'd like to collaborate, get in touch!
Read 14 tweets
Daniele Polencic Profile picture
Oct 25, 2022
In Kubernetes, are there hidden costs to running many cluster nodes?

Let me explain… (spoiler: yes)
1/
Not all CPU and memory in your Kubernetes nodes can be used to run Pods

CPU and memory are divided into:

➀ Operating system
➁ Kubelet, CNI, CRI, CSI (+ system daemons)
➂ Pods
➃ Eviction threshold
2/
If you have a cluster with a 1GiB/1vCPU node, the following resources are reserved for the kubelet + OS:

- 255MiB of mem
- 60m of CPU

On top of that, 100MB is reserved for the eviction threshold

In total, that's 25% of memory and 6% of CPU that you can't use
Read 13 tweets
Daniele Polencic Profile picture
Sep 26, 2022
One of the interesting challenges with Kubernetes is deploying workloads across several regions

Let me show you how I orchestrate workloads across Europe, Asia and North America with Kubernetes, Istio and Karmada Image
1/
While you can technically have a cluster with several nodes located in different regions, this is generally regarded as something you should avoid due to the extra latency

Another popular alternative is to deploy a cluster for each region and find a way to orchestrate them Image
2/
When you orchestrate several clusters, you have to follow several challenges at once:

- How do you decide how to split the workloads?
- How does the networking work across regions?
- What should I do with stateful apps/data? Image
Read 15 tweets
Daniele Polencic Profile picture
Sep 12, 2022
Reducing infrastructure costs boils down to turning apps off when you don't use them

That's easy to do manually, but how to turn them on automatically when you need them?

You can do so with a scale-to-zero strategy

Let me show you how to implement it in Kubernetes
1/
Imagine you are running a reasonably resource-intensive app on the dev cluster

Ideally, it's off when people leave the office and on when they start the day

You could use a CronJob to scale up/down, but what happens during the weekend? And public holidays?
2/
Instead of coming up with an evergrowing list of exceptions, you could scale up your workloads based on traffic:

- When there's traffic → autoscale on usage
- When there is no traffic → turn off the app

And that's the idea behind scaling to zero
Read 15 tweets
Daniele Polencic Profile picture
Jun 7, 2022
The Kubernetes API server handles all of the requests to your Kubernetes cluster

But how does it actually work?
1/
When you type `kubectl apply -f my.yaml`, your YAML is sent to the API and stored in etcd

But what is the API server doing?
2/
The API has a single block in the diagram, but the reality is that several components are involved in processing your request in sequence

The first module is the HTTP handler

This is nothing more than a regular web server
Read 15 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(