Rancher - Load balancing (L7) with ingress between nodes in multiple Data Centers

10/31/2018

Simple question that I can not find the answer to.

If there is a Rancher setup with 2 nodes in, for example, 2 separate data centers, and we have an app running on both, load-balanced with ingress at the L7 level (SSL is stripped on ingress):

How is data transferred from the ingress to a pod, and is it secure between multiple data centers?

There are three solutions that come to mind:

  1. Ingress is on one node and sends data over HTTP to another (Insecure)
  2. Ingress is on one node but data is tunneled to another (Secure/Slow)
  3. There is an ingress instance on every node and data does not leave node (Secure)
  4. Something else?

Can someone please confirm how Rancher is implemented in this respect?

-- ralic
kubernetes-ingress
load-balancing
rancher

1 Answer

11/5/2018

Based on this thread on the Rancher forum:

The ingress controller may be on one node and the pods on another. When using L7 load balancing, SSL is stripped at the ingress and traffic is forwarded to a pod without SSL encryption.

Communication between the ingress and the pods may or may not be tunneled, depending on your Rancher configuration for CNI providers (Documentation).

If Rancher is set up with Canal, then communication between the ingress and the pods will be tunneled, and so secure from outside attackers.

However, if Rancher is set up with Calico, it will not be tunneled.

So, depending on your setup, you may use Canal if your nodes are publicly accessible and someone may sniff your traffic, or you could use Calico if your whole setup is on a private network.

Notice

There is a potential security risk that is not mentioned here.

Neither Calico nor Canal may protect you from malicious pods. So if your configuration demands a security level where there can be a pod sniffing traffic, you would need to use other means to secure your infrastructure.

-- ralic
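As an added example (not part of the question or the answer above, and not Rancher's own code), the following manifests show the two controls a practitioner would usually reach for given the answer: re-encrypting the hop from the ingress controller to the pod so it is protected regardless of whether the CNI tunnels it, and a NetworkPolicy so that only the ingress controller can reach the app pods at all. It assumes the nginx ingress controller that Rancher/RKE deploys by default; the namespace `prod`, the app name/label `myapp`, the edge TLS secret `myapp-edge-tls`, the backend port 8443 and the `ingress-nginx` namespace label are all placeholders.

```yaml
# Added example: placeholder names throughout (myapp, prod, ingress-nginx,
# myapp-edge-tls, port 8443). Assumes the ingress-nginx controller and a
# backend that serves TLS itself on 8443 with its own certificate.
---
apiVersion: extensions/v1beta1   # networking.k8s.io/v1 on newer clusters
kind: Ingress
metadata:
  name: myapp
  namespace: prod
  annotations:
    kubernetes.io/ingress.class: nginx
    # Re-encrypt after edge TLS termination: the controller speaks HTTPS to
    # the backend instead of plain HTTP, so the ingress -> pod hop between
    # data centers is encrypted whether the CNI tunnels it (Canal) or not
    # (Calico).
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - myapp.example.com
    secretName: myapp-edge-tls       # public certificate presented at the edge
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp
          servicePort: 8443
---
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: prod
spec:
  selector:
    app: myapp
  ports:
  - port: 8443
    targetPort: 8443
---
# Only the ingress controller's namespace may connect to the app pods.
# Both Canal and Calico enforce NetworkPolicy. Assumption: the controller
# pods run as ordinary pods in a namespace labelled name=ingress-nginx; if
# the controller uses hostNetwork (as RKE's ingress DaemonSet does by
# default), its connections arrive from the node IP and an ipBlock rule for
# the node subnet is needed in place of the namespaceSelector.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myapp-only-from-ingress
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8443
```

Two caveats worth checking before relying on this. First, by default ingress-nginx does not verify the backend's certificate when `backend-protocol` is `HTTPS`, so this protects confidentiality on the wire but not against an on-path party presenting its own certificate; newer controller versions add `proxy-ssl-secret` and `proxy-ssl-verify` annotations for that. Second, the NetworkPolicy limits which peers may connect to the pod; it does nothing about a pod that can already see node traffic (hostNetwork, NET_RAW or NET_ADMIN), which is the malicious-pod case the answer's Notice raises and has to be handled through pod security settings rather than network policy.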
Source: StackOverflow