How can we expose Kubernetes services to the public in AWS without using LoadBalancers?

2/11/2019

I'm running a Kubernetes cluster on AWS using Kops for the first time, and I need some help exposing the services to the public with an AWS-managed domain name and an SSL certificate.

The cluster is running in a private VPC and I can access it through a bastion instance.

Right now I'm exposing the services to the public using the LoadBalancer service type as follows:

apiVersion: v1
kind: Service
metadata:
  name: my-gateway-service
  namespace: {{ .Values.nameSpace }}
  labels:
    app: gateway
    tier: backend
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
    # The cloud provider reads the plural key "ssl-ports"; the singular form is ignored,
    # which silently applies the certificate to every listener.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '{{ .Values.services.sslPort }}'
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: '{{ .Values.services.sslCert }}'
spec:
  type: LoadBalancer
  selector:
    app: gateway
    tier: backend
  ports:
  - name: http
    port: 80
    targetPort: {{ .Values.applications.nodeAppPort }}
  - name: https
    port: 443
    targetPort: {{ .Values.applications.nodeAppPort }}

As you can see, I'm passing the SSL certificate using annotations; then I just point the domain name to the LoadBalancer's public ingress and I'm done.

The problem: this project is a micro-services project and requires a lot of services to be exposed to the public in different environments, which means a lot of AWS LoadBalancers and a lot of money $$.

I've tried NodePort and ExternalName services but none of them worked because of the private VPC.

Any suggestions to overcome this problem?

-- Adel Bachene
amazon-web-services
aws-load-balancer
devops
kops
kubernetes

2 Answers

2/11/2019

Look into Ingress Controllers. It's basically an nginx instance that's configured programmatically via annotations. There are several others available too (e.g., Kong).

-- Curtis Mattoon
Source: StackOverflow

2/11/2019

To solve this, you can point your LoadBalancer to a "reverse proxy" service such as an NGINX instance, Istio's Gateway (https://istio.io/docs/reference/config/istio.networking.v1alpha3/#Gateway), an Ingress controller, or other options.

That way, when you hit https://[your_service_url]/[path], you can build rules which route to the correct internal service in Kubernetes based on the actual values of your_service_url or path.

That way you only pay for 1 Load Balancer but can host many services in the cluster.

-- Paul Annetts
Source: StackOverflow