
I have been using K8S on GCP (GKE with their platform-provided HTTPS Global Load Balancer) but find the load balancer hard to manage with hundreds of domains and dozens of unique public backend sites in K8S, where each site gets its own backend service definition and is plugged into a single load balancer.

The cluster is not set up with native VPC IP addresses, so every site gets a NodePort service defined for it and that NodePort gets added to a backend service. Because of this, the health checks from the load balancer are somewhat wrong, as a single pod giving an error response will mean that an entire group will be considered unhealthy when in fact the pod could be somewhere else in the cluster entirely. Similarly, due to the NodePort configuration, a request may be routed to one group (zone) and get routed by the K8S service to another node in another zone to be handled.

If the cluster had native VPC IPs enabled then the sites could be configured with Network Endpoint Groups (NEG) and route directly to the pods, handling the circuitous routing and the health checks. But it wouldn't reduce the complexity of the load balancer.

But adding a gateway to K8S like an Istio gateway, nginx, ambassador, traefik etc. would provide a layer where layer 7 routing could be configured on K8s, which would minimize the amount of configuration on, and add features missing from, the Google load balancer.

Is this method of adding a layer 7 gateway going to decrease the overall reliability of the application?

buckaroo1177125
  • No, it won't, but Istio is way harder than Ingress. In fact, managing lots of backends with an Ingress object on GKE is super easy. – suren Jun 28 '20 at 07:21
  • How do you measure the difficulty of Istio vs the GCLB? – buckaroo1177125 Jun 28 '20 at 20:07
  • You have to know 3 kubernetes native basic objects versus you have to know 2 kubernetes native basic objects, istio concepts (mesh configuration, peer authentication, authorization policies, etc.) and 2 (or 3) istio objects. – suren Jun 28 '20 at 20:32
  • @suren Your point on Istio being 'harder' is well taken. I've updated the question to include other gateways, as the point is not so much Istio as it is having a frontend on the K8S which has more nimble routing and potentially other benefits which you don't currently get with GCLB. – buckaroo1177125 Jun 28 '20 at 21:13
  • Well, as mentioned by suren, managing ingress in GKE is easy. If I understood correctly, you want to move to nginx-ingress to have a single public IP and manage all your hostnames and paths in it. Am I right? – Mr.KoopaKiller Jun 29 '20 at 09:10
  • @KoopaKiller Yes, that's basically the idea (though it's more than one IP on that load balancer). The question has been edited to add more context. – buckaroo1177125 Jun 29 '20 at 17:27
  • OK, thanks for that. In fact the NodePort is required for the GKE LB in this case. nginx-ingress can help with that, but when you set up nginx-ingress in GKE, the load balancer is created in L4 mode and not L7. It means all your routes/paths must be configured in it. Does that work for you? – Mr.KoopaKiller Jul 01 '20 at 05:47
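
The NodePort and NEG setups contrasted in the question, as an added configuration example that is not part of the original thread. The names `site-a`, `site-a.example.com` and the port numbers are hypothetical; the NEG variant assumes a VPC-native cluster.

```yaml
# Before: NodePort Service. The load balancer targets and health-checks
# node instance groups, and kube-proxy may forward the request to a pod
# on a different node or zone than the one the load balancer picked.
apiVersion: v1
kind: Service
metadata:
  name: site-a-nodeport        # hypothetical name
spec:
  type: NodePort
  selector:
    app: site-a
  ports:
    - port: 80
      targetPort: 8080         # assumed container port
---
# After: NEG-backed Service. The annotation asks GKE to create Network
# Endpoint Groups so the load balancer routes to, and health-checks,
# pod IPs directly.
apiVersion: v1
kind: Service
metadata:
  name: site-a-neg             # hypothetical name
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
spec:
  type: ClusterIP
  selector:
    app: site-a
  ports:
    - port: 80
      targetPort: 8080
---
# Host rule on a GKE Ingress pointing at the NEG-backed Service.
# One rule like this is still needed per site, so the load balancer
# configuration does not get smaller, as the question notes.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sites
spec:
  rules:
    - host: site-a.example.com # placeholder domain
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: site-a-neg
                port:
                  number: 80
```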

0 Answers