Private/Public LoadBalancer Service

This document describes the configurable options for a Kubernetes Service of type LoadBalancer and provides example Service manifests that can be used to create LoadBalancers.

onMetal supports two types of LoadBalancer:

  1. Public/External LoadBalancer - exposed to the public internet
  2. Private/Internal LoadBalancer - exposed only within a certain network boundary

Static IP address allocation

When creating a Service of type LoadBalancer with a public IP, the IP address is assigned dynamically. Currently, there is no option to assign a static IP to this Service. Because the IP is dynamically allocated, it may change under certain conditions, such as when Istio is restarted. If your use case requires a stable IP, consider an alternative, such as a DNS-based approach to managing how the service is reached.

Prerequisite

  • Access to Shoot cluster

Accessing the Shoot cluster is documented here

Create Public/External LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: public-lb-service
spec:
  type: LoadBalancer
  ports:
    - name: http
      protocol: TCP
      port: 8081

By default, a public LoadBalancer is created for each Kubernetes Service of type LoadBalancer.

Once this Service is created in the Shoot cluster, onMetal creates the corresponding public LoadBalancer for it in the onMetal environment and patches the Service status with the public IP.

Create Private/Internal LoadBalancer

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/onmetal-load-balancer-internal: "true"
  name: internal-lb-service
spec:
  type: LoadBalancer
  ports:
    - name: http
      protocol: TCP
      port: 8081

Once this Service is created in the Shoot cluster, onMetal creates the corresponding internal LoadBalancer for it in the onMetal environment and patches the Service status with an internal IP taken from the node CIDR range.

Warning

The node network must have enough IPs available.

You can check the CIDR sizes of your Shoot clusters at Garden cluster level by executing the following command:

kubectl get shoots \
  -n garden-<project-name> \
  -o custom-columns='SHOOT NAME:.metadata.name,NODE CIDR:.spec.networking.nodes,SERVICE CIDR:.spec.networking.services,POD CIDR:.spec.networking.pods'

Command Details

  • kubectl get shoots -n garden-<project-name> - lists the Shoot clusters in the project namespace
  • -o custom-columns='' - lets you specify a comma-delimited list of column names, each mapped to a jsonpath expression, e.g. 'NAMESPACE:.metadata.namespace'

with example output:

SHOOT NAME  NODE CIDR       SERVICE CIDR    POD CIDR
shoot1      XX.X.XXX.XX/YY  XX.X.XXX.XX/YY  XX.X.XXX.XX/YY
shoot2      XX.X.XXX.XX/YY  XX.X.XXX.XX/YY  XX.X.XXX.XX/YY
...         ...             ...             ...
shootN      XX.X.XXX.XX/YY  XX.X.XXX.XX/YY  XX.X.XXX.XX/YY

YY is the prefix length of the network. The number of IPs available for internal LoadBalancers in the Shoot cluster's local node network is 2^(32-YY)-X, where X is the number of Shoot cluster nodes.
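The following shell script applies the formula above to the Garden output so that the remaining headroom can be checked for many Shoots at once. It is an added example and not part of the onMetal documentation or tooling; the sample lines fed to it are constructed (Shoot names, node CIDRs and node counts are placeholders), and in practice they would be built from the kubectl custom-columns output above joined with a node count per Shoot (for example kubectl get nodes --no-headers | wc -l run against each Shoot). Treat the result as an upper bound: the formula counts every address in the network, including addresses that the network itself or the platform may reserve.

```shell
#!/bin/sh
# Added example: estimate how many node-network IPs remain for internal
# LoadBalancers, following the formula from the documentation:
#   2^(32-YY) - X   (YY = node CIDR prefix length, X = current node count)
# Not part of onMetal; all sample data below is constructed.

# available_ips CIDR NODE_COUNT
# Prints 2^(32-prefix) - NODE_COUNT. Fails (exit 1) when CIDR is not A.B.C.D/YY.
available_ips() {
  cidr="$1"; nodes="$2"
  prefix="${cidr#*/}"
  # prefix must be a plain number 0..32, and the input must contain a "/"
  case "$prefix" in
    ''|*[!0-9]*) printf 'invalid CIDR %s\n' "$cidr" >&2; return 1 ;;
  esac
  if [ "$prefix" = "$cidr" ] || [ "$prefix" -gt 32 ]; then
    printf 'invalid CIDR %s\n' "$cidr" >&2; return 1
  fi
  echo $(( (1 << (32 - prefix)) - nodes ))
}

# headroom_report MIN_FREE
# stdin: "SHOOT NODE_CIDR NODE_COUNT" per line (one line per Shoot).
# Prints "SHOOT FREE STATUS", where STATUS is LOW when fewer than MIN_FREE
# addresses remain for internal LoadBalancers, otherwise OK.
headroom_report() {
  min_free="$1"
  while read -r shoot cidr nodes; do
    [ -n "$shoot" ] || continue
    if ! free=$(available_ips "$cidr" "$nodes"); then
      printf '%s\tINVALID\t%s\n' "$shoot" "$cidr"
      continue
    fi
    if [ "$free" -lt "$min_free" ]; then status=LOW; else status=OK; fi
    printf '%s\t%s\t%s\n' "$shoot" "$free" "$status"
  done
}

# Constructed sample: Garden NODE CIDR column joined with each Shoot's node count.
# Replace with the real kubectl output; 16 is an arbitrary minimum headroom.
headroom_report 16 <<'EOF'
shoot1 10.250.0.0/16 40
shoot2 10.0.0.0/24 250
EOF
```

A /24 node network with 250 nodes leaves only 6 addresses for internal LoadBalancers and is reported as LOW; any line that is not a valid CIDR is reported as INVALID rather than silently producing a number.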

Switch LoadBalancer type

A user can switch the LoadBalancer type from Public to Private by adding the Internal LoadBalancer annotation service.beta.kubernetes.io/onmetal-load-balancer-internal: "true" to the Service.

You can also switch the LoadBalancer type from Private to Public by changing the Internal LoadBalancer annotation to service.beta.kubernetes.io/onmetal-load-balancer-internal: "false" or by removing the Internal LoadBalancer annotation from the Service.