Congratulations! We spun up a Kubernetes cluster on Proxmox! Now we want to host some services. In order to self host workloads and make them accessible outside of our home network, we are going to have to set up a reverse proxy. Enter Traefik and MetalLB.
Traefik is a reverse proxy that runs inside our cluster. Unlike a typical (forward) proxy, a reverse proxy does exactly what the name suggests: it proxies traffic in the reverse direction, handling requests coming into the network rather than going out of it.
In this very simplified diagram, we can see two users making two different requests. One user is hitting demo.com while the other is hitting test.com. As you can see in the cluster, these web sites are being hosted on different workloads in Kubernetes (this diagram shows different nodes, but you should think more along the lines of different pods). Traefik sees the request to demo.com and directs the traffic to the correct Kubernetes service, which is connected to the web server pod or workload for demo.com. In the same way, Traefik sees the request to test.com and directs the traffic to the correct Kubernetes service, which is connected to the web server pod or workload for test.com.
This is a closer look at what happens when a specific URL is requested. Traefik gets a request to demo.com, the request gets sent to the correct service (by something called an ingress-route), and the service sends the request to the pod which it is connected to.
Zooming out even more, we can now see the full picture:
User hits demo.com or test.com
A public DNS A or CNAME record (defined in Cloudflare in my case) points that hostname at the public IP (in this case 102.420.69).
Traefik has an internal IP (in this case 10.0.0.100) which has been port forwarded on the router. The request gets forwarded from the public IP to the private internal IP that Traefik is listening on.
Traefik sends the request to the correct service.
The service sends the request to the correct pod.
The pod answers and the cycle reverses.
It is called a reverse proxy because it acts as a proxy for incoming requests from outside the network. A normal proxy, like Squid or MS ISA, acts as a proxy for outgoing requests from within the network.
What about MetalLB?
MetalLB is the tool that we use to create internal IPs for LoadBalancer services on our local cluster. If we were to use OCI OKE (Oracle Kubernetes Engine) for example, a load balancer would be provisioned using the load balancer service in Oracle Cloud. Since we do not have our own load balancer service on our server, and since Kubernetes does not ship one natively, we need to add one.
Remember that internal IP that we showed above in the Traefik diagrams? That internal IP was provisioned by MetalLB. In my current home lab, I have allotted 10 internal IPs to MetalLB which are outside of my subnet. One of these is used by Traefik.
Now, let’s get started by first installing MetalLB.
Apply the following manifests:
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.12.1/manifests/namespace.yaml
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.12.1/manifests/metallb.yaml
Create a ConfigMap in Rancher by importing the following:
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - <YOUR FIRST INTERNAL IP>-<YOUR LAST INTERNAL IP>
Make sure to reserve a block of IPs in your subnet that are not already in use (for example 192.168.1.240-192.168.1.250).
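The checks behind that advice are easy to automate. The script below is an added example (not part of the original post and not MetalLB's own tooling): it parses a pool range, rejects a pool that lies outside the nodes' subnet (layer2 mode answers ARP for pool addresses from a node, so they must be local) or that overlaps the router's DHCP range (otherwise a DHCP client and the load balancer can end up claiming the same address), and then builds the same metallb-system/config ConfigMap as above. The subnet and DHCP range are constructed sample values; the MetalLB v0.12 ConfigMap format is assumed because that is the version installed above.

```python
"""Sanity-check a MetalLB layer2 address pool and emit the v0.12 ConfigMap."""
import ipaddress
import json


def parse_range(rng: str) -> tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Parse 'start-end' into two addresses, rejecting a reversed range."""
    start_s, sep, end_s = rng.partition("-")
    if not sep:
        raise ValueError(f"expected 'start-end', got {rng!r}")
    start = ipaddress.IPv4Address(start_s.strip())
    end = ipaddress.IPv4Address(end_s.strip())
    if end < start:
        raise ValueError(f"range end {end} is before start {start}")
    return start, end


def check_pool(pool: str, node_subnet: str, dhcp_range: str) -> None:
    """Raise ValueError for a pool layer2 mode cannot announce or DHCP may also hand out."""
    net = ipaddress.IPv4Network(node_subnet)
    start, end = parse_range(pool)
    if start not in net or end not in net:
        raise ValueError(f"pool {pool} is not inside node subnet {net}")
    if start == net.network_address or end == net.broadcast_address:
        raise ValueError(f"pool {pool} includes the network or broadcast address")
    dstart, dend = parse_range(dhcp_range)
    # Two closed ranges overlap when each one starts before the other ends.
    if start <= dend and dstart <= end:
        raise ValueError(f"pool {pool} overlaps DHCP range {dhcp_range}")


def pool_is_valid(pool: str, node_subnet: str, dhcp_range: str) -> bool:
    """Boolean form of check_pool, handy for scripting and tests."""
    try:
        check_pool(pool, node_subnet, dhcp_range)
    except ValueError:
        return False
    return True


def metallb_configmap(pool: str, node_subnet: str, dhcp_range: str) -> dict:
    """Return the metallb-system/config ConfigMap as a dict (kubectl accepts it as JSON)."""
    check_pool(pool, node_subnet, dhcp_range)
    config = (
        "address-pools:\n"
        "- name: default\n"
        "  protocol: layer2\n"
        "  addresses:\n"
        f"  - {pool}\n"
    )
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"namespace": "metallb-system", "name": "config"},
        "data": {"config": config},
    }


if __name__ == "__main__":
    # Constructed sample values: a /24 home LAN whose router leases .100-.199.
    cm = metallb_configmap(
        "192.168.1.240-192.168.1.250", "192.168.1.0/24", "192.168.1.100-192.168.1.199"
    )
    print(json.dumps(cm, indent=2))  # pipe into: kubectl apply -f -
```

Because YAML is a superset of JSON, the printed document can be applied directly with kubectl or pasted into Rancher's import dialog; a pool that fails the checks never reaches the cluster.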
You’re done with installing MetalLB!
Let’s move on to Traefik.
Navigate to ( Apps & Marketplace > Repositories ) in the Rancher GUI and click Create.
Input the following information and click create.
Go to ( Apps & Marketplace > Charts ) and filter to only show the Traefik repository. After you see the following, click on the Traefik box.
Click install
Choose the namespace you want to install Traefik into (default is fine, but I use the traefik namespace), check the box marked “Customize Helm Options” if you would like to change any variables in the Helm chart (most likely not necessary), and finally click Next.
Make sure all the options are checked and hit install.
You will see the deployment process go through several steps, including mounting a persistent volume claim, creating a LoadBalancer, and starting the Traefik pod.
Once you see “SUCCESS” you have successfully installed Traefik!
Congratulations!
Now what?
In order to expose your workloads to the public, you will have to do a few more things. You will have to add your public IP to Cloudflare or another DNS hosting service (Cloudflare is the best).
As you can see here, I use Cloudflare to host my public services (stuff blurred out for privacy).
You will also need to create ingress-routes so that Traefik knows how to direct incoming traffic to the correct pod.
I have some demo ingress-routes on my GitHub which you can access here.
I won’t be going over exactly how to set these up, but it is pretty self-explanatory, and Traefik also has great documentation.
That’s all for today!
Thanks
Hello, great work!! I followed your steps and I was able to create my cluster. The only problem is I can’t find your demo ingress-routes on your GitHub to continue and deploy my first app. Is there any place I can find them?
Thanks.
So where do you do the install of MetalLB? You say “Now, let’s get started by first installing MetalLB. Apply the following manifests:”. Is this done inside the Rancher GUI or via SSH in one of the VMs?