kube-nftlb is a Kubernetes Pod made by two containers (client and daemon) able to communicate the Kubernetes API Server, using a Debian image with nftlb / nftables installed.
This project can request information from the API Server such as new, updated or deleted Services/Endpoints, and make rules in nftables accordingly.
- Docker
- Docker-machine
- Minikube v0.30.0 (already started with
--kubernetes-version="v1.12.0") - Golang
client-gonftablesandnftlbinstalled in the host or VM
... Or you can run debian_tools_installer.sh as root after a fresh Debian Testing install in a virtualized environment.
You must only do these steps if you have NOT done it before, and if you meet the specified conditions mentioned in each point. Otherwise, you can skip this section.
The first thing you have to do is clone the project on your machine:
root@pc: git clone https://github.com/David-concejero/kube-nftlb
- This is a mandatory step if you started Minikube with
--vm-driver=none, and you mustn't do it if that's not your case.corednswon't be able to resolve external hostnames unless you run this command:
root@pc: cd kube-nftlb
root@pc: kubectl apply -f yaml/give_internet_access_to_pods.yaml
- The cluster needs a
kube-nftlbprivileged rol, because in order to usekube-nftlbfor communicating the API Server, it needs to be recognised and authenticated by the API Server. Run this command:
root@pc: kubectl apply -f yaml/authentication_system_level_from_pod.yaml
- The project will be available locally following the above steps. But first,
nftablesrules need to be monitorized in order to notice the changes that are being made. Run these commands and hide the terminal for later:
user@pc: su
root@pc: watch -n 1 nft list table nftlb
- Open another terminal. To get inside the project directory, run these commands:
user@pc: su
root@pc: cd ~/David-concejero/kube-nftlb/
- The script
build.shwill compilemain.goand will build a Docker container to put it inside the cluster. Before running it, you MUST read the script. And be careful, allnftablesrules you may have set could be flushed. Once you have read it and adapted it to your use case, run:
root@pc: sh build.sh
- Once the script has finished, the
kube-nftlbPod will be made as DaemonSet. Insideyamlthere's a file ready for this, apply it to the cluster by running this:
root@pc: kubectl apply -f yaml/create_nftlb_as_daemonset.yaml
Notice how rules are made in the first terminal you opened.
- The test will be made with a Ghost instance, exposing, editing and deleting a Service. Run this command:
root@pc: kubectl create deployment ghost --image=ghost
- The
ghostPod will be exposed through a Service with this command:
root@pc: kubectl expose deployment ghost --port=2368
Notice how ghost rules are made in the first terminal you opened.
- Update the Service with this command, changing the port from 2368 to 2369, and save the file:
root@pc: kubectl edit service ghost
Notice how ghost port has changed in the first terminal you opened.
- Delete the Service with this command:
root@pc: kubectl delete service ghost
Notice how ghost rules are deleted in the first terminal you opened.
- I've done everything already, how can I stop watching
nftablesrules?
Press Control + C.
- I have followed the guide and I've got no errors. But, how can I delete the
kube-nftlbPod to test the project again from the start?
Run this command as root:
root@pc: kubectl delete -f yaml/create_nftlb_as_daemonset.yaml
- How can I also delete the
ghostPod? The guide explains how to delete its Service, but not its Pod.
Run this command as root:
root@pc: kubectl delete deployment ghost