This article shows you how to setup a Kubernetes Cluster with Load Balancer and Firewall in Xelon HQ. Kubernetes or k8s is basically an open-source container-orchestration system for automating all the server components including provisioning of the networks and making applications auto scalable, based on set metrics. There are different ways to do that, in this article we will setup a Kubernetes Cluster on the Platform Xelon HQ.
First of all, create an account to Xelon HQ or login to your current Account. If you don’t have an Account so far, you can register for free here.
3. To create a new cluster, please click on “Create Kubernetes Cluster”
4. The wizards starts now with some basic information you have to define.
5. Further nodes and pools can be configured based on the web application that will be used. Usually for running any k8s cluster we suggest a minimum of 3 nodes. One cluster will operate as the master node and the other 2 are worker nodes.
6. Accordingly, the CPU cores, disk size (HDD/SDD) and RAM can be chosen:
7. To complete the wizard, please click “Save Cluster”
After few mins the cluster will be successfully created and deployed on Xelon HQ.
To start please download the cluster config file and replace it with the your own saved path in below commands. To show the nodes and cluster information, please use the commands below:
kubectl --kubeconfig=~/config-741d40707520.yaml get-nodes kubectl --kubeconfig=~/.kube/config-741d40707520.yaml cluster-info
This article has multiple configurations included. First we will take care about the firewall configuration and second we will take care of the load balancer service.
Once you click on “All Networks” you can see the list of all currently configured networks. Alternatively you can also use the direct URL: https://vdc.xelon.ch/networking.
The shared network means that the parent organization can share the existing network with the child organization.
External IP addresses will be exposed publicly and the internal resources can be reached directly.
Internal Network with private IP addresses which are assigned to each of the devices you create. For example, any web app hosted on CentOS machine usually has a private LAN IP address.
DMZ is short for a demilitarized zone. This is a network (physical or logical) used to connect hosts that provide an interface to an untrusted external network – usually the internet.
In this case we decide for a WAN network:
4. Click on Add WAN to finish the wizard.
On the same way, you can also add LAN or DMZ. Usually you need a firewall in front of your infrastructure to restrict internal and external traffic. So any external traffic can be restricted on 5 tuples methods:
To proceed on our way to configure Kubernetes Cluster with Load Balancer and Firewall, we now go on with the firewall first!
For listing created firewalls or adding new firewall please click in Xelon HQ on Firewalls or visit https://vdc.xelon.ch/networking/firewall.
Example shown in the image here:
In the above rule, we are allowing any HTTP traffic from any source ip address to the an internal app.
At the same time we are allowing any HTTPS traffic to go outside without any restrictions.
Note: Here CentOS machine is the Linux server on which inbound and outbound rules are applied.
Example: Lets say you have a web app which is Laravel based including NGINX in front of it and consider that we are using k8s cluster firewall. In such a case we want to allow HTTP/HTTPS traffic from all the source IPs and target them to the web app port. So the flow will be k8s cluster to node (usually more than 2) to pods to Laravel container images. We use port 9000 for Laravel, port 8080 for NGINX and port 3306 for MySQL. The Laravel container will listen on port 9000.
So based on the above use case, we apply the firewall on any of the multiple nodes of the specific cluster chosen and have 2 inbound rules to allow HTTP/HTTPS 80/443 traffic to be internally translated to 8080 on which NGINX service is running. From NGINX configuration, the traffic is further routed internally to our Laravel app and port 9000.
The server firewall works similarly. The only difference is that we don’t have a k8s cluster, and we apply rules directly to the public server having external IPs.
So now the traffic goes as:
External IP → Internal network → Source port → Destination
(Machines may be Laravel in this case). In case of using a server firewall, the destination is usually the virtual machine or any such device with OS installed.
In case of Kubernetes firewall, the destination is one of the nodes that are configured while creating new cluster above.
The last part of our article how to configure Kubernetes Cluster with Load Balancer and Firewall, we proceed with the load balancer.
There are two types of load balancer. On one hand we have network level load balancer and on the other we have application level load balancer.
Also in the k8s cluster we do have ingress traffic and external traffic load balancers.
External load balancer balances the traffic across multiple services configured in k8s cluster.
For applying to server we further have 2 ways:
Example:
The above rules load balances traffic coming to the web URL https://example.com/api among the 2 destination nodes for which the IP address can be added as shown in the image.
As shown below, the 80 port traffic is forwarded to HTTPS 443 port on CentOS Linux machine.
For applying load balancer at k8s cluster:
So basically a simple use case of HTTP → HTTPS redirection.
The rule above can be applied to any dropdown list of cluster names (Apply to…in image).
Click save load balancer and you are done.
The most powerful way to have k8s load balancer configured is to use ingress controller service. Ingress is the load-balancing method of choice. Since it is essentially internal to Kubernetes, operating as a pod-based controller, it is widely used at enterprise level.
For k8s cluster we usually have below ingress rules created for load balancing The sample YAML file for the same.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: minimal-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /testpath
pathType: Prefix
backend:
service:
name: laravel
port:
number: 9000
So internally the ingress load balancers work as: k8s → traffic > ingress → one of the 3 services → pod → Laravel images.
Now coming back to our Xelon dashboard, we can have either one or multiple devices on which forwarding rules can be applied.
If you still have any question How to setup a Kubernetes Cluster with Load Balancer and Firewall please let us know! Contact our DevOps free of charge!