K
Q

Kubernetes ingress same path multiple ports

2/13/2019

After much googling and searching (even here), I'm not able to find a definitive answer to my question. So I hope someone here might be able to point me in the right direction.

I have a Kube Service definition that's already working for me, but right now I've simply exposed it with just a LoadBalancer. Here's my current Service yaml:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: namespace1
  labels:
    app: my-service
spec:
  type: LoadBalancer
  selector:
    app: my-service
    tier: web
  ports:
  - name: proxy-port
    port: 8080
    targetPort: 8080
  - name: metrics-port
    port: 8082
    targetPort: 8082
  - name: admin-port
    port: 8092
    targetPort: 8092
  - name: grpc-port
    port: 50051
    targetPort: 50051

This is obviously only TCP load-balanced. What I want to do is secure this with Mutual TLS, so that the server will only accept connections from my client with the authorized certificate.

From all I can tell in Kube land, what I need to do that is an Ingress definition. I've been researching all the docs I can find on kind:Ingress and I can't seem to find anything where it allows me to create a single Ingress with multiple ports on the same path!

Am I missing something here? Is there no way to create a K8s Ingress that simply has the same functionality as the above Service definition?

-- Jacomoman
kubernetes-ingress

Similar Questions

How to access PersistentVolume files on docker-for-desktop?
Relation between preStop hook and terminationGracePeriodSeconds
Storing list of values in the environment variable in declarative Jenkins pipeline
How to list all kubernetes objects with specific label using client-go

1 Answer

2/14/2019

To my knowledge you cannot use custom ports (e.g 8080) for HTTPS LoadBalancer backed with Ingress Controller (e.g. NGINX HTTP(S) Proxy), as currently the port of an Ingress is implicitly :80 for http and :443 for https, as official doc reference for IngressRule explains.

I think the workaround would be to use different host per service, like with this example of Ingress resource:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: name-virtual-host-ingress
spec:
  rules:
  - host: proxy.foo.com
    http:
      paths:
      - backend:
          serviceName: proxy-svc
          servicePort: 8080
  - host: metrics.foo.com
    http:
      paths:
      - backend:
          serviceName: metrics-svc
          servicePort: 8082
  - host: admin.foo.com
    http:
      paths:
      - backend:
          serviceName: admin-svc
          servicePort: 8092
  - host: grpc.foo.com
    http:
      paths:
      - backend:
          serviceName: grpc-svc
          servicePort: 50051
-- Nepomucen
Source: StackOverflow