IKS Deployment Patterns #2: Multi-Zone Cluster, App exposed via ALB / Ingress Controller

How should I deploy my applications in my cluster(s) with an IBM Cloud Kubernetes Service (IKS) ALB?
How can I preserve the source IP address of the clients connecting through the ALB?

Example Deployment Pattern

In this article we are going to go through the steps to deploy an example application with the following deployment pattern bellow:

Steps

  1. Sign up and create a multi-zone IKS cluster using the IBM Cloud Console. Documentation on deploying a cluster and specifically how multi-zone clusters work. Important: you have to use the paid tier in order to use ALBs.
  2. Check if everything came up and the ALBs are running fine. Useful commands on the IKS Ingress/ALB Cheat sheets.
  3. Download, edit and apply the the following example Deployment and Ingress resource yaml, which will expose the echoserver application via the ALB / Ingress controller on both port 80(http) and 443(https). 
    $ kubectl apply -f iks_single_or_multi-zone_cluster_app_via_ALB.yaml Note: do not forget to edit theHost and secretName part.
  4. To test load the host you specified in your browser or initiate curl commands (like my example): 
    $ curl https://echoserver.arpad-ipvs-test-aug14.us-south.containers.appdomain.cloud/
  5. You shall see a response like the following
Response to a successful curl delivered via the IKS ALB

Notice in the x-forwarded-for and x-real-ip header your see the IP address of the worker node. This happens because kube-proxy is doing source NAT within the Kubernetes cluster and masks the original source IP of the client.

If you want to enable source IP preservation, you have to patch the IKS ALB (you can find further documentation about this step here). To set up source IP preservation for all public ALBs in your cluster, run the following command:

$ kubectl get svc -n kube-system |grep alb | awk '{print $1}' |grep "^public" |while read alb; do kubectl patch svc $alb -n kube-system -p '{"spec": {"externalTrafficPolicy":"Local"}}'; done

Once patch applied you shall see the original source IP address of the client showing up in the x-forwarded-for and x-real-ip header:

Summary

As you learn more about your workload you can adjust and even switch between patters as needed. Different applications will require different patterns; please let us help you with your pattern! To read about other patterns follow this link to the IBM Cloud Blog or this on Medium.com.

Contact us

If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.