tcp, udp ingress for kubernetes - citrix.com · apps that require tcp/udp load balancing. in the...
TRANSCRIPT
White Paper
Citrix.com
TCP, UDP Ingress for Kubernetes
White Paper
Citrix.com | White Paper 2
In Kubernetes, an Ingress is an object that allows access to the Kubernetes services from outside the Kubernetes cluster. Standard Kubernetes Ingress resources assume that all traffic is HTTP-based and does not cater to TCP, TCP-SSL and UDP load balancing. This means a lot of critical applications based on L7 protocols such as DNS, FTP, LDAP, etc. cannot be exposed to user traffic through standard K8s Ingress.
To expose TCP/UDP based apps, the only solution is to use LoadBalancer service type. However, using LoadBalancer service type is a costly proposition as you’ve to spin up a dedicated cloud load balancer for each service that you want to expose.
Use Citrix Ingress Controller to expose non HTTP applications
Citrix Ingress Controller (CIC) listens to the Kubernetes API server for Ingress resources and configures the Citrix ADC.
TCP Ingress: CIC supports TCP load balancing using the following annotations in Kubernetes standard Ingress resource:
• ingress.citrix.com/insecure-service-type: This annotation allows L4 load balancing with TCP/UDP/ANY as protocol for Citrix ADC.
• ingress.citrix.com/insecure-port: This annotation configures the TCP port and is helpful when microservice access is required on a non-standard port. By default, port 80 is configured. This port will be configured in
Example of Ingress resources for TCP load balancing:
Lack of elegant Ingress solution for TCP, UDP based application
ProblemIn Kubernetes, Ingress exposes only HTTP and HTTPS routes from outside the cluster to services within the cluster. However, there are many applications like Databases, Legacy apps, FTP or DNS based apps that require TCP/UDP load balancing. In the case of legacy apps, app owners need to expose specific TCP ports to avoid re-writing dependent apps.
SolutionTCP, UDP Ingress: Citrix Ingress Controller (CIC) supports configuration of TCP, UDP and TCP-SSL based apps for load balancing in Citrix ADC by leveraging annotations in Ingress resource.
Benefits• Simplifies lifting and shifting of legacy
apps to microservices.• Allows platform administrator to
support multiple types of protocols for Ingress.
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: redis-master-ingress annotations: kubernetes.io/ingress.class: “guestbook” ingress.citrix.com/insecure-service-type: “tcp” ingress.citrix.com/insecure-port: “6379”
spec: backend: serviceName: redis-master-pods servicePort: 6379
White Paper
Citrix.com | White Paper 3
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: udp-ingress annotations: ingress.citrix.com/insecure-service-type: “udp” ingress.citrix.com/insecure-port: “5084”
spec: backend: serviceName: frontend servicePort: 53
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: colddrinks-ingress annotations: kubernetes.io/ingress.class: “colddrink” ingress.citrix.com/insecure-service-type: “ssl_tcp” ingress.citrix.com/secure_backend: ‘{“frontend-colddrinks”:”True”}’
spec: tls: - secretName: “colddrink-secret” backend: serviceName: frontend-colddrinks servicePort: 443
Example of Ingress resources for TCP load balancing:
TCP Ingress with TLS: CIC can configure SSL_TCP load balancing using the ‘ingress.citrix.com/secure-service-type: ssl_tcp’ annotation in Ingress resource.
Example of Ingress resources for TCP load balancing:
White Paper
Citrix.com | White Paper 4
Enterprise Sales
North America | 800 424 8749
Worldwide | 954 267 3000
Locations
Corporate Headquarters | 851 Cypress Creek Road Fort Lauderdale, FL 33309, United States
Silicon Valley | 4988 Great America Parkway, Santa Clara, CA 95054, United States
© 2019 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems,
Inc. and/or one or more of its subsidiaries, and may be registered with the U.S Patent and Trademark Office and in other countries.
All other marks are the property of their respective owner(s)
apiVersion: extensions/v1beta1kind: Ingressmetadata: name: mongodb annotations: NETSCALER_HTTP_PORT: “80” NETSCALER_VIP: “192.168.1.1” ingress.citrix.com/csvserver: ‘{“l2conn”:”on”}’ ingress.citrix.com/lbvserver: ‘{“mongodb-svc”:{“lbmethod”:”SRCIPDESTIPHASH”}}’ ingress.citrix.com/monitor: ‘{“mongodb-svc”:{“type”:”tcp-ecv”}}’spec: rules: - host: mongodb.beverages.com http: paths: - path: / backend: serviceName: mongodb-svc servicePort: 80
Better performance, monitoring of TCP, UDP based apps
Application developers can closely monitor the health of TCP/UDP based apps through rich monitors in Citrix ADC (such as TCP-ECV, UDP-ECV). The ECV (extended content validation) monitors help in checking whether the application is returning expected content or not. Additionally, the application performance can be improved by using persistence methods (such as Source IP). You can use these Citrix ADC features through Smart Annotations in Kubernetes. Here is one such example: