Ingress-nginx: Bare-metal Ingress HA using keepalived

Created on 25 Nov 2016  路  9Comments  路  Source: kubernetes/ingress-nginx

bare-metal ingress is not HA. Our team implement a keepalived-vip side car container for Ingress. Which could be deployed with ingress-controller container to provide HA. For example, first create a Ingress Replicaset with the keep-alived-vip side car:

apiVersion: v1
kind: ReplicationController
metadata:
  namespace: "kube-system"
  name: "ingress-test1"
  labels:
    run: "ingress"
spec:
  replicas: 2
  selector:
    run: "ingress"
  template:
   metadata:
    labels:
      run: "ingress"
   spec:
    hostNetwork: true
    containers:
      - image: "ingress-keepalived-vip:v0.0.1"
        imagePullPolicy: "Always"
        name: "keepalived-vip"
        resources:
          limits:
            cpu: 50m
            memory: 100Mi
          requests:
            cpu: 10m
            memory: 10Mi
        securityContext:
          privileged: true
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: SERVICE_NAME
            value: "ingress"
      - image: "ingress-controller:v0.0.1"
        imagePullPolicy: "Always"
        name: "ingress-controller"
        resources:
          limits:
            cpu: 200m
            memory: 200Mi
          requests:
            cpu: 200m
            memory: 200Mi

Then create a Service named "ingress" pointing to the Ingress ReplicaSet, and assign a vip to the service using annotation. 

apiVersion: v1
kind: Service
metadata:
  name: ingress
  namespace: kube-system
  annotations:
    "ingress.alpha.k8s.io/ingress-vip": "192.168.10.1"
spec:
  type: ClusterIP
  selector:
    - run: "ingress"
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80

keepalived-vip side car container will watch the "ingress" Service and update keepalived's config. Thus make Ingress Pod be HA. user should access in-cluster service by the Ingress VIP.

The keepalived approache is first describe in https://github.com/kubernetes/kubernetes/pull/34013

see implementation here: https://github.com/mqliang/contrib/tree/ingress-admin/ingress-admin/ingress-keepalived-vip

picture mqliang

All 9 comments

We'd like contribute the keepalived-vip side car to community. Is here the right place? @bprashanth

mqliang picture mqliang on 25 Nov 2016

@mqliang what's the difference with https://github.com/kubernetes/contrib/tree/master/keepalived-vip?

aledbf picture aledbf on 25 Nov 2016

@aledbf The idea is same: using keepalived for HA. The difference is :

mqliang picture mqliang on 25 Nov 2016

provide HA for NodePort type service, deployed as DaemonSet

that's not true. It will expose any service type and daemonset is not a requirement.

my keepalived side car aims at: provide HA for Ingress-controller on bare-metal, deployed as a side-car with the ingress-container (in the same Pod).

I think this should not run as a sidecar because you are coupling the keepalived to the controller

aledbf picture aledbf on 25 Nov 2016

@aledbf
IIUC, https://github.com/kubernetes/contrib/tree/master/keepalived-vip approache: put a HA IPVS cluster at the front of Ingress? So, request need first reach the keepalived-vip pod, then the keepalived-vip pod forward the request to the ingress-controller pod using IPVS?

mqliang picture mqliang on 25 Nov 2016

and my approache is: put the keepalived-vip container as a side car, together with ingress-controller container, in one pod. And the pod are runnning using hostNetwork. So the Ingress controller Pod itself is HA. This also prevent the double hop.

Another reason I want run keepalived-vip container as a sidecar is: it dramatically simplify Ingress creation and deployment, since in this way the Ingress controller itself is HA, the only requirements is:

  • run Ingress controller pod using host network
  • ensure Ingress Pod of the same Service run on different node, which is not hard to do with Anti-affinity feature.

I think this should be considered a complement, not a replacement for https://github.com/kubernetes/contrib/tree/master/keepalived-vip

mqliang picture mqliang on 25 Nov 2016
👍1

@aledbf we'll put together a repo of what we did and how it went about ingress ha, hope that will make things more clear.

ddysher picture ddysher on 18 Jan 2017
👍1

@ddysher am i right the above repo you mentioned is https://github.com/caicloud/ingress-admin/pull/1 ? so i can subscribe and keep track ;)

DanyC97 picture DanyC97 on 5 Mar 2017

Sure, we'll sort it out ASAP. Feel free to subscribe :)

ddysher picture ddysher on 5 Mar 2017
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

bashofmann picture bashofmann  路  3Comments
c-mccutcheon picture c-mccutcheon  路  3Comments
kfox1111 picture kfox1111  路  3Comments
smeruelo picture smeruelo  路  3Comments
whereisaaron picture whereisaaron  路  3Comments