Expose hostNetwork customization

[rbtr]

Opening issue for discussion as requested in #49.

I want to be able to run Traefik in the host network namespace when I deploy it with this chart for the following potential scenarios:

• I don't want to use a cloud provider load balancer in front of Traefik due to cost or redundancy.
• I want to run Traefik on bare metal and don't have the option of fronting it with another load balancer.
• I need my Traefik pods to have the Node IP as the Pod IP (to use with, for example, https://github.com/kubernetes-sigs/external-dns which will automatically create a DNS record pointing to that IP)

For any or all of these use cases, I need to be able to run my Traefik pod in the host network because:

• binding to port 80/443 is restricted (by default k8s only allows NodePort > 3000)

As noted in the Traefik Team reply here and included in my original PR, this will also require some anti-affinity rules to be added to force Traefik pods to spread out among the nodes.

@mmatur do you have any questions about this?

[dtomcej]

Hello @rbtr,

Thanks for opening this proposal. This is a topic that comes up fairly often, and there are definitely use cases where using hostNetwork/hostPort is useful.

The first issue is that hostPort and hostNetwork configurations are discouraged, and usually not supported in production environments due to the issues they cause. The kubernetes best practices guide explicitly states this: https://kubernetes.io/docs/concepts/configuration/overview/#services

I will respond to your scenarios one at a time to hopefully give some more insight:

I don't want to use a cloud provider load balancer in front of Traefik due to cost or redundancy.

Reducing cost shouldn't be a reason to add risk-introducing features.

I want to run Traefik on bare metal and don't have the option of fronting it with another load balancer.

If you are running on bare metal, you should be looking at metalLB or other solutions, because you will need to get traffic into your cluster in a reliable way, with failover taken into account.

I need my Traefik pods to have the Node IP as the Pod IP (to use with, for example, https://github.com/kubernetes-sigs/external-dns which will automatically create a DNS record pointing to that IP)

Again, if you are using something like metalLB, you don't need this, as your DNS records would be based on your fronting LB, instead of the pods running behind it.

binding to port 80/443 is restricted (by default k8s only allows NodePort > 3000)

Solutions like MetalLB do handle this, and don't run into the issues with daemonsets that Traefik does.

Hopefully this gives some more insight as to why we are extremely hesitant to add hostNetworking to this chart.

[rbtr]

I hear what you're saying about it being discouraged, but it is still an option. The Traefik helm chart could pass on that choice to the end user, and do a helpful thing in applying an anti-affinity if the user opted to use the host network.

I can lay out my use case if you like, but I typed it out a few times and the wall of text is 👎
Suffice to say, I tried lots of ways to build a spaceship out of the lego available to me and running Traefik in the hostnetwork is the best solution - I will continue to do that, and I think it's a valuable enough usage that it should be an option in the official helm chart. Also I really don't want to have to maintain a fork for my env with only this change 🙂

[gaui]

I think this would be very useful. NGINX Ingress already has this option.

[Art3mK]

yeah, stable/traefik chart also have that option. My use case is external load balancer, which is controlled outside of k8s. So I could create LB with terraform for example, and point it to specific ports, exposed on worked nodes by traefik & hostport. And I don't want to use any nodePorts because of kube-proxy routing requests from nodes, where traefik is not even running to actual pods. So it's 👍 from me!

[SantoDE]

Thanks for all your feedback. We have reopend #49

[rbtr]

Appreciate you all considering this and all the work you do on the project 🙂
I updated my linked PR with the feedback here