Set up external access

In order to provide external access to our applications running in Kubernetes we need something to act as the ingress controller, that is something that controls incoming traffic to our Kubernetes Cluster. For this we will be using Traefik.

Traefik is an open source edge router that allows us to easily configure external access. The diagram below shows how Traefik works with Kubernetes -- see the top-left section inside the yellow cloud for how it integrates with the cluster.

k3d includes Traefik in a cluster by default when it's created. However because k3d is a containerized cluster we need to specifically tell it to open a port and match to the host. We cannot do this after the fact so unfortunately we are going to have to delete our cluster and create it again.

k3d cluster delete localk8s
k3d cluster create localk8s -p "8080:80@loadbalancer"

We now have mapped port 8080 on the Docker host to TCP port 80 in the container. You might be asking yourself, why did we choose port 80?

Like I mentioned before Traefik is included with k3d. Traefik has a LoadBalancer service which is set to accept web traffic through port 80 via the TCP protocol. You can verify this by running:

kubectl get services -n kube-system
NAME             TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
kube-dns         ClusterIP      10.43.0.10     <none>        53/UDP,53/TCP,9153/TCP       14m
metrics-server   ClusterIP      10.43.200.52   <none>        443/TCP                      14m
traefik          LoadBalancer   10.43.29.68    172.21.0.3    80:30455/TCP,443:31917/TCP   13m

Now that we have the port opened up on our docker host we can add an ingress resource. But first let's add everything we added previously. The sandbox has our manifests from the previous lessons ready to go:

kubectl apply -f ./nginx-deployment.yaml -f ./nginx-service.yaml

Here we have an ingress resource:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80

Let's go over what this resource is doing. We are telling the ingress controller (traefik) that we would like to define an ingress resource by specifying rules. The rule says that for http traffic going to the root path / we want to internally route traffic to the backend service named nginx-service we are also saying that the http traffic will be routed to port 80 on that service.

Note: The Kubernetes Ingress resource is feature-frozen. The newer Gateway API is the future direction for Kubernetes networking. The concepts here still apply -- Gateway API just offers a more expressive model.

Apply the ingress: kubectl apply -f ./web-ingress.yaml

Verify everything is in place with kubectl get ingress and kubectl get services. On a real cluster, you could now access your application at http://localhost:8080.

That's it, now you have an application running inside Kubernetes and you are able to route traffic to it. Next we are going to look into how to scale your Kubernetes applications.