Comment on Multiple Kubernetes Services Using Same Port Without SNI
lemmyng@lemmy.ca 2 months ago
virtual IP addresses
Yeah, metallb.
wireless_purposely832@lemmy.world 2 months ago
I think I can avoid using metallb since I’m already using Kube-VIP.
I do not think that I am using Virtual IPs correctly as I tried setting it up, but it did not work. I assume the Virtual IP would just become the Load Balancer IP and I would need to configure Traefik and Kube-VIP (as well as my network) to use the Virtual IPs?
lemmyng@lemmy.ca 2 months ago
Yeah, you’d have a LoadBalancer service for Traefik which gets assigned a VIP outside the cluster.
wireless_purposely832@lemmy.world 2 months ago
I’m already doing that, but just for one VIP. I think I just need to get the additional VIPs working.
I know that I will need to update my local network’s DNS so that something like service#1 = git.ssh.local.domain and git.ssh.local.domain = 192.168.50.10 and service#2 = sftp.local.domain and sftp.local.domain = 192.168.50.20. I would set up 192.168.50.10 as the load balancer IP address to Forgejo’s SSH entrypoint and 192.168.50.20 as the load balancer IP address to the SFTP’s entrypoint. However, how would I handle requests/traffic received externally? The router/firewall would receive everything and can port forward port 22 to a single IP address, which would prevent one (or more) services from being used externally, correct?
Findmysec@infosec.pub 2 months ago
Ingress controllers like Traefik come across as LB services to IPAM modules like MetalLB (I’ve never used Kube-VIP but I suppose it’s the same story). These plug-ins assign IP addresses to these LB services.
You can assign a specific IP to an instance of an “outward-facing route” with labels. I don’t remember technical terms relevant to Ingresses because I’ve been messing with the Gateway API recently.
wireless_purposely832@lemmy.world 2 months ago
That all makes sense and I tried setting it up that way but could not get it to work. I am not sure if it was an issue with my network, k3s, Kube-VIP, or Traefik (or some combination of them). I will try getting it to work again.
Even if I do though, I would run into an issue if I publicly exposed these services (I understand there are security implications of doing so). How would I route traffic received externally/publicly on port 22 to more than one IP address? I think I would only be able to do this for local/internal traffic by managing the local DNS.
Findmysec@infosec.pub 2 months ago
You’d receive traffic on IP:PORT, that’s segregation right there. Slap on a DNS name for convenience.
I might have my MetalLB config laying around somewhere (it’s super easy, I copied most of it from their website), I can probably paste it here if you’d like.
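The IP:PORT split discussed above (two services on TCP/22 told apart by VIP rather than SNI), written out as an added example that is not the poster's config and not from the thread. It assumes MetalLB (or Kube-VIP) owns an address pool covering 192.168.50.10 and 192.168.50.20, that the Forgejo pod carries the label app=forgejo and the SFTP pod app=sftp, and that both listen on port 22 inside the pod; the workloads get their own LoadBalancer Services instead of going through a Traefik entrypoint, because a single Traefik TCP entrypoint cannot distinguish two services on the same port without SNI.

```yaml
# Added example, not from the thread. Assumed labels: app=forgejo, app=sftp.
apiVersion: v1
kind: Service
metadata:
  name: forgejo-ssh
  namespace: forgejo
  annotations:
    # MetalLB: pin this Service to a fixed VIP instead of taking the next free one.
    # Kube-VIP's cloud provider has its own annotation for the same purpose
    # (assumed here; check the version you run).
    metallb.universe.tf/loadBalancerIPs: 192.168.50.10
spec:
  type: LoadBalancer
  # Preserve the client's real source IP so Forgejo's auth logs and any
  # brute-force blocking see the actual client, not a node address.
  # With MetalLB L2 mode the VIP is announced only from nodes that have a
  # ready endpoint, so Local does not black-hole traffic.
  externalTrafficPolicy: Local
  selector:
    app: forgejo
  ports:
    - name: ssh
      protocol: TCP
      port: 22
      targetPort: 22
---
apiVersion: v1
kind: Service
metadata:
  name: sftp
  namespace: sftp
  annotations:
    # Second VIP, same port: the address is what separates the two services.
    metallb.universe.tf/loadBalancerIPs: 192.168.50.20
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  selector:
    app: sftp
  ports:
    - name: sftp
      protocol: TCP
      port: 22
      targetPort: 22
```

After applying, `kubectl get svc -A` should show each Service with its pinned EXTERNAL-IP, and the internal DNS names from the thread can point at those two addresses. The external side is unchanged by this: a router can forward inbound port 22 to only one VIP, so the second service is reachable from outside only on a different forwarded port or over a VPN.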