Summary of "Kubernetes Service, Ingress with TLS and Ingress Controllers with Live coding || #kubernetes #k8s"
Key Technological Concepts & Product Features Covered
1. Kubernetes Services Overview
- Pod IPs are dynamic and change whenever a pod is recreated, which breaks direct pod-to-pod connectivity (e.g., a checkout app calling a payments app); Services abstract those IPs behind a stable name.
- Kubernetes Services use labels/selectors to maintain stable network endpoints despite pod IP changes.
- Three main types of Kubernetes services:
  - ClusterIP: Internal-only access within the cluster.
  - NodePort: Exposes the service on a static port on each node, reachable externally but with drawbacks such as random port allocation and firewall exposure.
  - LoadBalancer: Creates an external IP (usually via cloud provider integration, e.g., AWS EKS) to expose the service externally.
2. Why Use Ingress?
- Ingress provides more advanced routing than NodePort or LoadBalancer services.
- It enables:
  - Managing multiple services under a single external IP.
  - Host-based and path-based routing (e.g., routing requests to different services based on URL path or hostname).
  - Cost efficiency by avoiding multiple load balancer IPs.
  - Additional features like web application firewalls, session-based routing, and authentication.
3. Ingress Controllers
- An ingress resource does nothing on its own; an ingress controller must be installed to act on it.
- The ingress controller watches ingress resources and configures the underlying load balancer accordingly.
- Examples include NGINX ingress controller, HAProxy, F5 BIG-IP, Citrix ADC, etc.
- Controllers may run inside the cluster (e.g., NGINX as pods) or outside the cluster (e.g., enterprise load balancers connected via VXLAN tunnels).
- Multiple ingress controllers can coexist, differentiated by ingress class annotations.
4. Ingress Resource Manifest Structure
- API version updated to networking.k8s.io (the earlier extensions version is deprecated).
- Define hosts, paths, and backend services in the ingress spec.
- Supports host-based and path-based routing rules.
- Supports wildcard hosts for domains (e.g., *.bar.com).
5. Ingress Features Demonstrated (Live Coding)
- Accessing services based on host header.
- Path-based routing directing traffic to different backend services.
- Wildcard domain routing.
- Basic authentication via ingress annotations to restrict access to authorized users.
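An added example (not code from the video) of a single ingress manifest combining the host-based, path-based, wildcard and basic-auth features from sections 4 and 5. Assumed: the ingress-nginx controller registered as class "nginx" (its basic-auth annotations are used), hosts foo.bar.com and *.bar.com, services checkout, payments and catchall on port 8080, and a pre-created secret basic-auth holding an htpasswd file under the key "auth".

```yaml
# Added example, not from the video. Assumes ingress-nginx (class "nginx"),
# services checkout/payments/catchall on port 8080 and an htpasswd secret
# created beforehand with:
#   kubectl create secret generic basic-auth --from-file=auth=./htpasswd
apiVersion: networking.k8s.io/v1        # replaces the deprecated extensions API
kind: Ingress
metadata:
  name: shop
  annotations:
    # Basic auth is enforced by the controller before any backend is reached.
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  ingressClassName: nginx               # which of several controllers reconciles this object
  rules:
  # Host-based rule: only requests whose Host header is foo.bar.com match here...
  - host: foo.bar.com
    http:
      paths:
      # ...and within that host, path-based routing to two different services.
      - path: /checkout
        pathType: Prefix
        backend:
          service:
            name: checkout
            port:
              number: 8080
      - path: /payments
        pathType: Prefix
        backend:
          service:
            name: payments
            port:
              number: 8080
  # Wildcard host: "*" matches exactly one DNS label, so api.bar.com matches
  # but bar.com and a.b.bar.com do not.
  - host: "*.bar.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: catchall
            port:
              number: 8080
```

Verify it the way the demo does, with a Host header rather than DNS: curl -u user:pass -H 'Host: foo.bar.com' http://<controller-ip>/checkout; a request for a host listed in no rule falls through to the controller's default backend.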
6. TLS and Secure Ingress
- TLS can be enabled on ingress resources by referencing Kubernetes secrets containing certificates.
- TLS termination types explained:
  - SSL Passthrough: The load balancer passes encrypted traffic directly to the backend without decrypting it.
    - Pros: Highly secure; the load balancer never touches plaintext.
    - Cons: The load balancer cannot inspect or route based on HTTP information; the backend bears the decryption load; any checks the load balancer would perform are bypassed, so malicious traffic reaches the backend uninspected.
  - SSL Offloading (Termination): The load balancer decrypts TLS and forwards plain HTTP to the backend.
    - Pros: Reduces backend load, faster response times.
    - Cons: Plain HTTP traffic inside the network may be vulnerable to man-in-the-middle attacks; less secure.
  - SSL Bridging (Re-encryption): The load balancer decrypts incoming traffic, inspects it, then re-encrypts it before forwarding to the backend.
    - Pros: Combines security with load balancer features (inspection, routing, firewall).
    - Cons: The backend still decrypts traffic; slightly higher complexity.
7. Comparison and Recommendations on TLS Modes
- SSL passthrough recommended only for limited use cases (layer 4 load balancing).
- SSL offloading not recommended when security is critical but useful when performance is prioritized.
- SSL bridging recommended for secure applications needing load balancer features.
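An added example (not from the video) expressing the three termination modes of sections 6 and 7 as ingress-nginx manifests. Assumed: a controller registered as class "nginx", host foo.bar.com, a checkout service serving HTTP on 8080 and HTTPS on 8443, a kubernetes.io/tls secret bar-tls created beforehand, and for bridging a secret default/backend-ca holding the CA that signed the pod certificate.

```yaml
# Added example, not from the video. Assumes ingress-nginx (class "nginx"),
# host foo.bar.com, a "checkout" service on 8080 (HTTP) and 8443 (HTTPS), and
# a TLS secret created first:  kubectl create secret tls bar-tls --cert=tls.crt --key=tls.key
# Mode 1: SSL offloading (edge termination). The controller decrypts with
# bar-tls and proxies plain HTTP to checkout:8080 inside the cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: checkout-offload
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # redirect plain HTTP to HTTPS
spec:
  ingressClassName: nginx
  tls: [{hosts: [foo.bar.com], secretName: bar-tls}]  # secretName must be a kubernetes.io/tls secret
  rules:
  - host: foo.bar.com
    http: {paths: [{path: /, pathType: Prefix, backend: {service: {name: checkout, port: {number: 8080}}}}]}
---
# Mode 2: SSL bridging (re-encrypt). Same edge termination, so inspection and path
# routing still work, but the hop to the pod is HTTPS and the pod certificate is
# verified against ca.crt in default/backend-ca (that secret also carries tls.crt/tls.key
# as the controller's client certificate, which the annotation expects).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: checkout-bridge
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/backend-ca"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
spec:
  ingressClassName: nginx
  tls: [{hosts: [foo.bar.com], secretName: bar-tls}]
  rules:
  - host: foo.bar.com
    http: {paths: [{path: /, pathType: Prefix, backend: {service: {name: checkout, port: {number: 8443}}}}]}
---
# Mode 3: SSL passthrough. The controller never decrypts: it forwards the TLS stream
# by SNI to checkout:8443, so there is no spec.tls, no path routing and no inspection.
# Requires the controller to run with --enable-ssl-passthrough.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: checkout-passthrough
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: foo.bar.com
    http: {paths: [{path: /, pathType: Prefix, backend: {service: {name: checkout, port: {number: 8443}}}}]}
```

Only one of the three would normally be applied for a given host; they are shown side by side so the annotation differences that select each mode are visible.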
8. OpenShift Routes vs Kubernetes Ingress
- OpenShift uses “Routes” with slightly different terminology:
  - Edge termination (SSL offloading), Re-encrypt termination (SSL bridging), Passthrough termination (SSL passthrough).
- OpenShift routes require certificates embedded in the route resource, which complicates secret management and GitOps workflows.
- Kubernetes ingress allows storing TLS certs in secrets, making it more flexible and preferred by some OpenShift users.
- OpenShift supports service serving certificates for internal cluster trust.
9. Debugging and Logs
- Ingress controller logs and configuration files (e.g., nginx.conf for NGINX, haproxy.cfg for HAProxy) are crucial for troubleshooting ingress issues.
- Example given for Argo CD deployment troubleshooting using ingress and HAProxy logs.
10. Ingress Controller Ecosystem and Competition
- Many ingress controllers exist (30-40 officially supported), each with different features and implementations.
- Controllers may provide custom resource definitions (CRDs) for advanced routing beyond standard ingress resources, such as “IngressRoute” or “VirtualService” (common in service meshes).
- Enterprise load balancers often preferred in production for advanced features.
Guides and Tutorials Included
- Brief Kubernetes services overview and their types.
- Why and when to use ingress over node port or load balancer services.
- How to create and configure a basic ingress resource with host and path-based routing.
- Live demo of ingress resource creation and verification via curl with host headers.
- Explanation of ingress classes and multiple ingress controllers in a cluster.
- TLS setup on ingress using Kubernetes secrets.
- Explanation and comparison of SSL passthrough, SSL offloading, and SSL bridging.
- OpenShift route vs ingress comparison and practical considerations.
- Debugging ingress and load balancer issues using logs.
Main Speakers / Sources
- The primary speaker is an experienced Kubernetes practitioner (name not explicitly stated, but references “Abhishek” as an ingress class example).
- Mentions of contributions or references to CNCF projects (e.g., MetalLB).
- References to cloud providers like AWS EKS and OpenShift platform specifics.
- Mentions of Argo CD as an example application used in demonstrations.
- Interaction with participants via chat and Q&A at the end.
Overall, the video provides a comprehensive conceptual and practical overview of Kubernetes services, ingress resources, ingress controllers, TLS termination strategies, and OpenShift routes, with live demonstrations and detailed explanations of pros and cons for different architectural choices.
Category
Technology