Continental Innovates with Rancher and Kubernetes
Kubernetes provides a powerful networking model for microservices. One of the pillars of this model is that each pod has its own IP address and is directly addressable within the cluster. As a consequence, each Kubernetes cluster usually has a flat virtual network that external hosts can’t reach directly. That means routing traffic from clients outside the cluster to services deployed inside the cluster requires some additional work. There are various strategies for routing traffic into a Kubernetes cluster – the most common approach is to use an ingress controller.
An ingress controller routes traffic from outside the cluster, and is responsible for routing traffic to individual services inside the cluster. An ingress controller gets its name from the fact that it can process Ingress resources, which are a special type of Kubernetes resource that specify these routing rules.
Ingress controllers are built on proxies such as HAProxy, NGINX, Traefik, and, most recently, Envoy Proxy. Originally written and deployed at Lyft, Envoy Proxy today is a Cloud Native Computing Foundation (CNCF) project with dozens of organizations contributing, including Amazon, Airbnb, Google, Pinterest and VMware.
K3s is a lightweight Kubernetes distribution that runs in resource-constrained environments, such as IoT or edge devices and development laptops. Rancher is a complete software stack for teams deploying containers built on Kubernetes. Both K3s and Rancher support a variety of ingress controllers, with different capabilities.
In this post, we’ll walk through how to deploy Ambassador on K3s. Ambassador is an open source ingress controller and API Gateway built on Envoy Proxy. Ambassador exposes many of Envoy Proxy’s core features to Kubernetes users, including zero-downtime reloads, advanced traffic management, service mesh integrations (with support for Consul, Linkerd and Istio), observability, TLS termination and flexible APIs for rate limiting and authentication. Ambassador has been extensively tuned for maximum performance on Kubernetes and is designed to run with minimal resources.
By default, K3s deploys with Traefik as an ingress controller. To use Ambassador and Envoy Proxy, follow these steps. (These steps assume you’ve installed K3s already; if you haven’t, this quick start will get you going.)
Start K3s with the --disable traefik option. You can do this by editing /etc/systemd/system/k3s.service and editing the ExecStart line:
--disable traefik \
sudo systemctl daemon-reload
sudo systemctl restart k3s.service
Install Ambassador by applying the standard Ambassador Kubernetes manifests. (Ambassador also supports Helm).
kubectl apply -f https://www.getambassador.io/yaml/ambassador/ambassador-crds.yaml
kubectl apply -f https://www.getambassador.io/yaml/ambassador/ambassador-rbac.yaml
kubectl apply -f https://www.getambassador.io/yaml/ambassador/ambassador-service.yaml
Now we’ll deploy a sample service. Save the below Kubernetes YAML into a file called quote.yaml.
- name: http
- name: backend
- name: http
Deploy the quote service to K3s: kubectl apply -f quote.yaml
kubectl apply -f quote.yaml
Ambassador supports the standard Kubernetes ingress resource for routing. Ingress resources are monolithic objects that include both configuration for the ingress itself (e.g., TLS configuration) as well as routes. The official ingress standard is fairly limited, however, so most Ambassador users rely on a Mapping, which is an Ambassador-specific Custom Resource Definition. Mapping resources are fully decoupled from Ambassador deployment, enabling Mapping resources just to describe request routes. Save the below YAML configuration into a file called quote-mapping.yaml.
Apply the configuration to the cluster: kubectl apply -f quote-mapping.yaml
kubectl apply -f quote-mapping.yaml
Get the IP address of the Ambassador LoadBalancer service:
$ sudo kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 60m
ambassador-admin NodePort 10.43.134.74 <none> 8877:31032/TCP 5m15s
ambassador LoadBalancer 10.43.61.86 10.128.0.111 80:31347/TCP 89s
quote ClusterIP 10.43.129.249 <none> 80/TCP 31s
Copy the IP address, and test the configuration: curl http://<IP address>/give-me-a-quote/:
curl http://<IP address>/give-me-a-quote/:
$ curl 10.128.0.111/give-me-a-quote/
"quote": "A small mercy is nothing at all?",
Congratulations! You’ve successfully used Ambassador to route an HTTP request to the quote service.
Ambassador provides a broad set of capabilities, including authentication, rate limiting and broad protocol support (e.g., TCP, WebSockets, gRPC, HTTP). Ambassador also has a set of tested integrations with other cloud-native infrastructures, such as monitoring systems and service mesh. Together, K3s and Ambassador are a powerful lightweight Kubernetes solution for both development and production.