How to Set Up a Secure Self-Hosted Kubernetes Gateway?

Asked By CuriousCoder42 On

I'm new to Kubernetes and trying to build a secure setup on my home server. I want to create a virtual cluster with three VMs for high availability, running basic services with HTTPS and a domain. I plan to use a port forward rule on my router for traffic. Coming from a bare-metal background, I want to set up a virtual router to manage firewall settings and other network tasks. I've explored different options, such as using MetalLB for load balancing and FRRouting, but I have some questions. Should my ingress controller reside within the Kubernetes cluster, or can I set it up externally? Additionally, how do I effectively manage traffic to services across nodes without getting bogged down? I'm also curious about certificate management—is it better to handle it at the gateway level? What's the recommended approach for a self-hosted setup?

2 Answers

Answered By NetworkNinja99 On

In my production experience, I recommend having your ingress controller within the Kubernetes cluster. It simplifies things since you'll need fault tolerance for any external VMs. MetalLB is a great tool, and if your router supports BGP, go ahead and use that. Assign a LoadBalancer IP to your ingress controller and route everything through that. If you want, you can set taints and tolerations to dedicate specific nodes for ingress, which can enhance performance. Plus, using a tool like Cert-manager will make handling TLS certificates much easier.

CloudyUser223 -

That sounds like a solid plan! Just keep in mind that having the ingress controller inside Kubernetes might lead to better management of your services.

TechWhiz83 -

Exactly! It centralizes your traffic handling and simplifies your security model.

Answered By TechWhiz83 On

There are a couple of ways to handle your setup. You can go with static or dynamic methods. By default, any Kubernetes node can accept traffic and redirect it correctly. For a static setup, consider creating a NodePort service and forwarding traffic from your router directly to that. Alternatively, by exposing your ingress via a LoadBalancer service, Kubernetes can configure nodes to accept an external IP. For a dynamic approach, using MetalLB or Cilium to announce the LoadBalancer IP via BGP could be a solid choice,
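Putting the two answers above together as an added example (not written by either answerer): MetalLB in BGP mode announces one pool address to the home router, that address is pinned to the ingress controller's LoadBalancer Service so all traffic enters through it, and a cert-manager ClusterIssuer lets the ingress obtain and renew TLS certificates. The LAN addresses, ASNs, e-mail address, and the ingress-nginx namespace and labels are assumptions.

```yaml
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata: {name: ingress-pool, namespace: metallb-system}
spec:
  addresses:
    - 192.168.10.240/32   # placeholder VIP reserved on the LAN for the ingress
---
apiVersion: metallb.io/v1beta2
kind: BGPPeer
metadata: {name: home-router, namespace: metallb-system}
spec:
  myASN: 64512            # placeholder private ASNs; must match the router's BGP config
  peerASN: 64513
  peerAddress: 192.168.10.1
---
apiVersion: metallb.io/v1beta1
kind: BGPAdvertisement
metadata: {name: ingress-advert, namespace: metallb-system}
spec:
  ipAddressPools: [ingress-pool]
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    metallb.universe.tf/loadBalancerIPs: 192.168.10.240   # pin the VIP from the pool
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local   # keeps client IPs; only nodes running ingress pods answer
  selector:
    app.kubernetes.io/name: ingress-nginx
  ports:
    - {name: http, port: 80, targetPort: 80}     # needed for the ACME HTTP-01 challenge
    - {name: https, port: 443, targetPort: 443}
---
# cert-manager issuer: certificates are obtained and renewed at the ingress, not the router.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata: {name: letsencrypt-prod}
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com   # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress: {ingressClassName: nginx}
```

The router's port-forward rule then only needs to send TCP 80 and 443 to 192.168.10.240; with `externalTrafficPolicy: Local`, health checks and BGP withdrawal keep traffic off nodes that have no ingress pod.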
