10 videos 📅 2025-06-26 09:00:00 America/New_York

Visit the Kubernetes Comprehensive 2-Day course recordings page

WEBVTT

00:00:03.280 --> 00:00:14.720
All right. Ready to get started? All right. Lesson six. Exposed applications using ingress.

00:00:15.920 --> 00:00:22.640
An ingress lets you map your traffic to different backends based on rules you define.

00:00:24.480 --> 00:00:32.320
The ingress management is handled through the Kubernetes API. Ingress uses an ingress controller.

00:00:32.320 --> 00:00:37.320
And this is something: ingress can be confusing in Kubernetes.

00:00:37.320 --> 00:00:43.320
Kubernetes relied on an ingress API since its beginning.

00:00:43.320 --> 00:00:47.320
But that is now being replaced by the Gateway API.

00:00:47.320 --> 00:00:52.320
So Ingress NGINX, which is the ingress that we'll be using,

00:00:52.320 --> 00:00:58.320
is a type of ingress that uses the Ingress API and Gateway API.

00:00:58.320 --> 00:01:02.300
Its replacement is a type of ingress that uses the

00:01:02.320 --> 00:01:08.720
Gateway API. So we have two different APIs: Ingress API, which we don't call Ingress API,

00:01:08.720 --> 00:01:20.240
we just call it Ingress or Ingress NGINX. And then Gateway API is an actual API. So you can see

00:01:20.240 --> 00:01:27.600
here, kind of how an ingress works. We have our client, a load, an Ingress-managed load

00:01:27.600 --> 00:01:36.300
balancer. We have our ingress, our routing rule, which goes to a service. And so we just

00:01:36.300 --> 00:01:41.680
spent the last section working on services, which connect the pods. Any questions on

00:01:41.680 --> 00:01:53.860
ingress? All right. Gateway API is the successor to the Ingress API. However, it does not

00:01:53.860 --> 00:02:00.660
include the Ingress kind. You must convert all your Ingress resources to Gateway API

00:02:00.660 --> 00:02:08.260
resources when migrating. So it's not a seamless migration. Gateway API requires custom resource

00:02:08.260 --> 00:02:17.300
definitions or CRDs to be installed first before enabling the Gateway API. Gateway API relies on

00:02:17.300 --> 00:02:25.620
on a Gateway and HTTPRoute for the HTTP/HTTPS traffic.

00:02:25.620 --> 00:02:30.540
A Gateway can share many HTTP routes here.

00:02:30.540 --> 00:02:31.180
Are you still there?

00:02:33.020 --> 00:02:38.480
Okay, HTTP routes.

00:02:38.480 --> 00:02:42.680
So a gateway can share many HTTP routes.

00:02:45.320 --> 00:02:48.480
Gateway API solutions are typically implemented

00:02:48.480 --> 00:02:50.920
by the CNI provider.

00:02:50.920 --> 00:02:54.200
Gateway API provides flexibility,

00:02:54.200 --> 00:02:57.560
standardization, and scalability over Ingress.

00:02:57.560 --> 00:03:01.740
Gateway API has an anticipated upstream implementation date

00:03:01.740 --> 00:03:04.280
for the fall of 2025.

00:03:04.280 --> 00:03:14.660
So I have been using Gateway API for probably two years now.

00:03:14.660 --> 00:03:16.420
And it works great.

00:03:16.420 --> 00:03:18.460
They started with HTTP routes.

00:03:18.480 --> 00:03:24.320
And the final one they're completing is TLSRoute, which is if you are going to connect through

00:03:24.320 --> 00:03:34.000
the gateway directly to a database. So let's say that you were running a database cluster. It's just

00:03:34.000 --> 00:03:40.320
a database. I mean, you wanted to connect from another cluster. You could connect through with TLS to

00:03:40.320 --> 00:03:47.840
that. However, typically we in modern Kubernetes, we don't do that as much anymore.

00:03:48.480 --> 00:03:52.880
because we have pod-to-pod and node-to-node encryption. So we would encrypt into the

00:03:53.920 --> 00:03:58.240
gateway and then we would use pod-to-pod, node-to-node encryption, period.

00:03:58.240 --> 00:04:02.640
TLS route was kind of put on the back burner and finishing that up this fall.

00:04:02.640 --> 00:04:06.720
There's one more piece that I requested two years ago from the upstream

00:04:07.920 --> 00:04:11.680
Kubernetes team working on this and that is that if they're

00:04:11.680 --> 00:04:17.360
getting rid of the NGINX ingress, we use that to protect management pages.

00:04:17.360 --> 00:04:20.600
It has basic auth capability.

00:04:20.600 --> 00:04:23.460
And so there needs to be an additional layer of auth

00:04:23.460 --> 00:04:28.980
provided for management before they deprecate that

00:04:28.980 --> 00:04:32.600
and remove it from the Kubernetes SIGs.

00:04:32.600 --> 00:04:36.380
So I believe that is being finished up now.

00:04:36.380 --> 00:04:39.420
It's taking them two years since I requested that.

00:04:39.420 --> 00:04:44.360
And it will be, I believe, out this fall.

00:04:44.360 --> 00:04:47.300
And then this date keeps getting pushed,

00:04:47.360 --> 00:04:52.800
it looks like sometime this fall, could get pushed to next spring, and then Gateway API

00:04:52.800 --> 00:04:58.880
should be standard within the Kubernetes cluster. So alpha, beta for the last two.

00:04:58.880 --> 00:05:04.240
All right, let's compare the two. So you can see you have a Gateway and HTTP route, a

00:05:04.240 --> 00:05:10.880
routing rule, and to the service and the pods. You can kind of see them overlay. There's

00:05:10.880 --> 00:05:17.280
also a load balancer in front of the gateway, and so it just doesn't have

00:05:17.360 --> 00:05:18.360
that in this line.

00:05:18.360 --> 00:05:19.360
CNIs.

00:05:19.360 --> 00:05:26.360
Kubernetes lets you use a container network interface or CNI plugin for cluster networking.

00:05:26.360 --> 00:05:33.360
CNI plug-ins are used to manage network and security capabilities in the cluster.

00:05:33.360 --> 00:05:37.360
CNIs can be used to deploy the Gateway API.

00:05:37.360 --> 00:05:39.360
So here's an example of a CNI.

00:05:39.360 --> 00:05:44.360
Cilium is a networking, observability, and security solution.

00:05:44.360 --> 00:05:52.220
Cilium provides a simple, flat, layer three network with the ability to span multiple clusters with a cluster mesh.

00:05:52.220 --> 00:05:56.420
Cilium can enforce network policies on layer three to layer seven.

00:05:58.240 --> 00:06:06.360
Cilium can act as a replacement for kube-proxy and includes advanced IP address management or IPAM support.

00:06:06.360 --> 00:06:12.360
Cilium can also encrypt node-to-node and pod-to-pod traffic.

00:06:14.360 --> 00:06:19.360
It includes both Ingress API and Gateway API.

00:06:19.360 --> 00:06:23.120
Cilium works well on bare metal with kube-vip

00:06:23.120 --> 00:06:25.520
and kube-vip cloud provider.

00:06:25.520 --> 00:06:27.900
MetalLB had a bit of a falling out

00:06:27.900 --> 00:06:34.180
with several of the CNI teams a couple of years ago.

00:06:34.180 --> 00:06:38.080
And so you'll see where several of the CNI teams

00:06:38.080 --> 00:06:44.340
that are larger support kube-vip, and they were not as

00:06:44.360 --> 00:06:50.260
friendly to MetalLB, and that just gets to the nuances between different engineering teams working

00:06:50.260 --> 00:06:55.300
upstream on how they work with each other sometimes. And one of the things about kube-proxy

00:06:55.300 --> 00:07:06.900
replacement: kube-proxy fails. So when it fails, it's very inconvenient in the, excuse me, in the

00:07:06.900 --> 00:07:14.340
cluster. So a lot of the modern CNIs have a replacement for

00:07:14.360 --> 00:07:22.320
kube-proxy, and that will improve the reliability of your cluster once you switch over. Okay,

00:07:22.320 --> 00:07:29.040
we're going to go to the practical application. We're going to create an ingress.

00:07:30.080 --> 00:07:38.640
So we want to make sure we have a fresh minikube profile. Yeah, I think the data center that our

00:07:38.640 --> 00:07:46.800
VMs are on is having some issues too. Not right now. So we're going to create an ingress. We need

00:07:46.800 --> 00:07:54.240
to enable the minikube ingress. This uses the NGINX ingress by default. So we had the Admission

00:07:54.240 --> 00:08:02.960
Create, which completed, so that was probably a job, right? And then an Ingress admission patch,

00:08:02.960 --> 00:08:10.000
which is probably a job. And in fact, let's look at those. And then an NGINX controller.

00:08:10.560 --> 00:08:16.640
Let's look at all three of those. Describe all three of them. And they're going to be in the ingress-nginx

00:08:16.640 --> 00:08:22.340
namespace. Who will describe? You probably want to copy and paste each one of those

00:08:22.340 --> 00:08:29.720
names in. I don't think it will have to do. Yeah, and then describe pod -n

00:08:29.720 --> 00:08:36.260
ingress-nginx and then paste the pod name in, and it will be easier to control.

00:08:36.260 --> 00:08:44.180
Describe, and then before you paste it in, do the -n and then

00:08:44.180 --> 00:08:45.180
ingress-nginx.

00:08:45.180 --> 00:08:49.180
We're going to cheat here and then paste it.

00:08:49.180 --> 00:08:52.180
Yeah, and we can just delete the last peak.

00:08:52.180 --> 00:08:54.180
Look at this and see what it is.

00:08:54.180 --> 00:08:55.180
Look to the top.

00:08:55.180 --> 00:08:56.180
All right, what is this?

00:08:56.180 --> 00:08:58.180
Admission Create, the webhook.

00:08:58.180 --> 00:09:00.180
Let's see here.

00:09:00.180 --> 00:09:02.180
Succeeded.

00:09:02.180 --> 00:09:06.180
All right, let's scroll down a little.

00:09:06.180 --> 00:09:09.180
Ah, I did a search in.

00:09:09.180 --> 00:09:13.180
Okay, keep going.

00:09:13.180 --> 00:09:15.460
What else we have here?

00:09:16.660 --> 00:09:18.500
Interesting.

00:09:18.500 --> 00:09:21.780
It uses Ingress NGINX controller admission.

00:09:23.540 --> 00:09:26.700
Ingress NGINX for the namespace.

00:09:26.700 --> 00:09:28.740
Service.

00:09:28.740 --> 00:09:32.360
And okay, good catch.

00:09:32.360 --> 00:09:35.080
Yeah, that's the next thing I was gonna look at and see.

00:09:35.080 --> 00:09:40.980
And do we have a, do we have a delete in here, a TTL?

00:09:40.980 --> 00:09:43.000
Right, that's what we'd be looking for is a TTL.

00:09:43.180 --> 00:09:46.580
You see a TTL anywhere in there?

00:09:46.580 --> 00:09:48.280
All right, it's not a cron job.

00:09:48.280 --> 00:09:52.680
It's a regular job, so that means that's going to hang around without a TTL.

00:09:52.680 --> 00:09:57.680
So I don't see one in there unless I'm missing it, but that means that'll be in the cluster forever.

00:09:57.680 --> 00:09:58.680
So.

00:09:58.680 --> 00:10:00.680
All right.

00:10:00.680 --> 00:10:03.180
So you can look at the next one.

00:10:03.180 --> 00:10:09.180
You could get pods again and then and then copy that second one.

00:10:09.180 --> 00:10:12.180
Pretty sure that's also a job.

00:10:12.180 --> 00:10:18.900
has a hash at the end like a job would have that's completed, but we'll see if it's a job or cron job.

00:10:18.900 --> 00:10:25.940
I've injected a volume with something. Yep, there we go. All right, then let's look at the controller.

00:10:29.960 --> 00:10:35.560
Yeah, yeah. So before ingress-nginx we need, ingress-nginx, -n ingress-nginx.

00:10:35.560 --> 00:10:43.240
Happens a lot. I do that. Easy to do. All right, see what we have here.

00:10:43.720 --> 00:11:15.460
It's a deployment. Looks like you can try to get all in that namespace. So there we go. We've got two jobs. They're completed. Didn't take long. We have a replica set of deployment. We've got two services. One of them is for the admission, the other for the controller. All right. We're going to check that the ingress is enabled because we installed ingress. So now we're going to take.

00:11:15.480 --> 00:11:22.440
checker. Just do kubectl get ingress -A and we'll see what comes out. We enabled the

00:11:22.440 --> 00:11:28.780
NGINX ingress controller and service, but no external ingress has been loaded yet because that

00:11:28.780 --> 00:11:35.320
uses the Ingress API. Let's deploy an application using the prior NGINX app YAML file.

00:11:35.320 --> 00:11:43.480
Deploy the NGINX app. Oh sorry, let's, well, do apply. My bad. I have an error. Use it with a service.

00:11:43.480 --> 00:11:55.260
All right. Check the pods. There we go. And they're running. Let's deploy a NodePort service using the prior NodePort service YAML file.

00:11:55.420 --> 00:12:04.880
Deploy the NodePort service for the NGINX app. Oh, yeah, let me correct that.

00:12:07.620 --> 00:12:33.770
A second. Yes, you mark. And let's, yeah, we'll check the service. And we have nginx service, NodePort, no external IP.

00:12:33.830 --> 00:12:56.590
Okay. Let's get all pods and services within the default namespace. All right, convenient way to pull up just the pods and the service. All right, we're going to test a NodePort service with the NGINX app. So minikube service, the service name, URL. I think it worked, isn't it?

00:12:58.170 --> 00:13:03.810
All right, so we know that that part works. Great. Now we need to create an ingress.

00:13:03.830 --> 00:13:07.830
We're going to create a service ingress YAML file.

00:13:07.830 --> 00:13:12.830
Notice how we've been using different APIs with these that are all on V1.

00:13:12.830 --> 00:13:13.830
Have you noticed?

00:13:13.830 --> 00:13:16.830
We've been using all kinds of different APIs.

00:13:16.830 --> 00:13:17.830
Yep.

00:13:17.830 --> 00:13:21.830
And they have alpha and beta as well.

00:13:21.830 --> 00:13:26.830
If you want to test out different, you know, alpha and beta versions.

00:13:26.830 --> 00:13:29.830
Yeah, it seems to look good.

00:13:29.830 --> 00:13:31.830
We're going to apply.

00:13:31.830 --> 00:13:32.830
All right, now let's wait.

00:13:32.830 --> 00:13:36.590
Let's wait a second, an ingress with a host.

00:13:36.590 --> 00:13:38.590
What is the host FQDN?

00:13:38.590 --> 00:13:39.590
Mm-hmm.

00:13:39.590 --> 00:13:41.590
All right.

00:13:42.590 --> 00:13:46.070
And now we are going to test the FQDN in the browser.

00:13:46.070 --> 00:13:49.390
Okay, we need to create a DNS record.

00:13:49.390 --> 00:13:53.350
So our DNS resolver inside our cluster said,

00:13:53.350 --> 00:13:57.070
hey, nginx.example, I don't have anything in here.

00:13:57.070 --> 00:13:59.070
I'm listening.

00:13:59.070 --> 00:14:02.350
So when you, your browser typed it, it's going,

00:14:02.350 --> 00:14:09.290
going to the external resolver in that data center that this VM is hosted and we need to grab

00:14:09.290 --> 00:14:14.590
that before it, because obviously there is no nginx.example. So we're going to point

00:14:14.590 --> 00:14:22.110
nginx.example to the minikube IP. So get the minikube IP address and then we're going to use the local

00:14:22.110 --> 00:14:32.270
Ubuntu DNS resolver with the browser. Now this should work on your host, but they, yeah, they added a few

00:14:32.350 --> 00:14:35.890
things to these VMs to keep viewing.

00:14:35.890 --> 00:14:38.850
I guess, I don't know how much crazy stuff you could do

00:14:38.850 --> 00:14:45.350
while you're in a class, but let's test it with a DNS record.

00:14:45.350 --> 00:14:50.590
nslookup nginx, okay, so nslookup nginx.example.

00:14:50.590 --> 00:14:52.970
nslookup nginx.example.

00:14:52.970 --> 00:14:56.290
Did you see it there when you catted it?

00:14:56.290 --> 00:14:59.910
One on two, oh, it may take it just a minute.

00:14:59.910 --> 00:15:01.370
Let's try again.

00:15:01.370 --> 00:15:02.330
Oh, it's going.

00:15:02.350 --> 00:15:11.150
external so it's trying to go yeah see they pointed this to okay all right on mine it actually

00:15:11.150 --> 00:15:17.790
returned it, so that's weird. They've changed something in nslookup in your version on the VM versus

00:15:17.790 --> 00:15:26.670
my version on my own very middle all right now so let it happen okay what would a

00:15:26.670 --> 00:15:32.110
503 imply? Is that it can't do something, can't find something?

00:15:32.350 --> 00:15:39.170
Server error, right? So let's check on the ingress. I think so. I think you have to do

00:15:39.170 --> 00:15:46.570
nginx service, nginx service -n, nginx service -n nginx. I'm going to do

00:15:46.570 --> 00:15:52.690
get, get, get, get ingress -A. See if we can find it first. Oh, we're in kube-

00:15:52.690 --> 00:15:59.530
system. Oh, yeah, but what's the namespace? Mm-hmm. Uh-huh. And we have an

00:15:59.530 --> 00:16:04.250
address. So everything's populated. So now for any events, we're going to

00:16:04.270 --> 00:16:10.670
describe the ingress now, -n kube-system, right? And what do we see? And we're looking at our

00:16:11.550 --> 00:16:16.590
at our rules, nginx.example, and you see up there.

00:16:17.550 --> 00:16:22.110
All right, let's go take a look at nginx service now. The ingress is called

00:16:22.110 --> 00:16:28.110
nginx service, but we also have an nginx service for the NodePort, so take a look at that

00:16:28.110 --> 00:16:33.070
and let's describe it. The fact that you were able to pull that up without a namespace tells you what?

00:16:33.070 --> 00:16:37.850
Okay, so what we're going to do is we're going to fix the ingress by changing the namespace.

00:16:38.930 --> 00:16:40.250
So we're going to delete the ingress.

00:16:40.530 --> 00:16:42.810
Yes, so the ingress works.

00:16:43.150 --> 00:16:49.390
You're hitting the NGINX ingress, but it can't find the service because the service is in the default namespace,

00:16:49.950 --> 00:16:52.750
and the NGINX ingress is in the kube-system namespace.

00:16:52.750 --> 00:16:58.410
You do an ingress per namespace unless you share your namespaces in Gateway API or share,

00:16:58.810 --> 00:17:02.170
you label your namespaces to have a shared gateway API.

00:17:02.330 --> 00:17:03.050
All right, so we delete it.

00:17:03.070 --> 00:17:07.710
That's a delay on these slides. There we go. We're going to modify the namespace to match the

00:17:07.710 --> 00:17:14.430
NGINX service namespace, which is default. Uh, no. Well, it's nice to have because you can,

00:17:14.750 --> 00:17:18.770
yeah, you can easily look at it and go, oh yeah, that's the default names. And we're going to deploy it.

00:17:18.850 --> 00:17:24.350
All right, let's check it. The service is running and it's connected. We verified that the service

00:17:24.350 --> 00:17:32.670
and the deployment are connected together. We have endpoints. It works. Okay, let's look for any

00:17:33.070 --> 00:17:35.070
Now let's go back and check.

00:17:35.070 --> 00:17:39.070
Let's describe ingress again.

00:17:39.070 --> 00:17:40.070
What do we have?

00:17:40.070 --> 00:17:41.070
Endpoints.

00:17:41.070 --> 00:17:43.070
All right, let's test our browser.

00:17:43.070 --> 00:17:45.070
Fingers crossed.

00:17:45.070 --> 00:17:47.070
Yeah, all right.

00:17:47.070 --> 00:17:49.070
All right.

00:17:49.070 --> 00:17:51.070
I'm gonna try and get through this before four.

00:17:51.070 --> 00:17:52.070
What time is?

00:17:52.070 --> 00:17:53.070
We got 10 minutes.

00:17:53.070 --> 00:17:55.070
How many more slides do we hit?

00:17:55.070 --> 00:17:57.070
We might not make it through all of this.

00:17:57.070 --> 00:18:01.070
We'll stop at 5 till

00:18:01.070 --> 00:18:02.070
and do a read.

00:18:02.070 --> 00:18:05.610
and do a review for everything Q&A.

00:18:06.750 --> 00:18:08.990
There's a lot here on the interactive, you know,

00:18:08.990 --> 00:18:10.210
so trying to make it through,

00:18:10.210 --> 00:18:12.010
and we wanna take our time going through it.

00:18:12.010 --> 00:18:14.830
So we go, all right, so let's ensure

00:18:14.830 --> 00:18:17.590
a fresh minikube environment,

00:18:17.590 --> 00:18:20.250
and we are going to have some fun with Cilium.

00:18:21.170 --> 00:18:22.910
No, it's been around for years,

00:18:22.910 --> 00:18:26.950
but it has everything out of the box and it's free.

00:18:26.950 --> 00:18:29.710
So some of the other ones that compete with Cilium,

00:18:29.710 --> 00:18:30.950
they charge for it.

00:18:30.950 --> 00:18:38.550
And it's not as complex as using something like an Istio with sidecars and, you know, it's

00:18:38.550 --> 00:18:40.950
very complex using Istio.

00:18:40.950 --> 00:18:44.190
So it's an easy upgrade from Traefik.

00:18:44.190 --> 00:18:49.190
So if you're using something like Traefik and you go to Cilium, it's a much easier upgrade.

00:18:49.190 --> 00:18:50.830
We need a lot of requests for Istio.

00:18:50.830 --> 00:18:55.070
We can't find anyone in a Kubernetes cluster as an engineer who can work on Istio.

00:18:55.070 --> 00:18:57.710
I'm like, yeah, I used to work on Istio five years ago.

00:18:57.710 --> 00:18:59.710
I don't work on it anymore.

00:18:59.710 --> 00:19:01.710
So yeah, do a stop.

00:19:01.710 --> 00:19:04.710
Yeah, do a stop and I delete.

00:19:04.710 --> 00:19:07.710
And then we'll start, because you probably have a container running in there.

00:19:07.710 --> 00:19:12.710
minikube stop is, I assume, I haven't seen the code, just docker stop.

00:19:12.710 --> 00:19:18.710
And it uses Docker magic to grab the container name.

00:19:18.710 --> 00:19:19.710
There we go.

00:19:19.710 --> 00:19:23.710
All right, let's take just a little welcome.

00:19:23.710 --> 00:19:24.710
All right.

00:19:24.710 --> 00:19:26.710
All right.

00:19:26.710 --> 00:19:28.710
So you can see, we have three nodes.

00:19:28.710 --> 00:19:31.150
three nodes, Cilium agent on every node.

00:19:31.150 --> 00:19:33.210
In fact, you can do kubectl get pods

00:19:33.210 --> 00:19:38.190
-A -o wide.

00:19:38.190 --> 00:19:38.650
There we go.

00:19:38.650 --> 00:19:40.110
Now we can see what node they're on.

00:19:40.110 --> 00:19:44.810
So you can see we have Cilium 5 is on minikube three.

00:19:44.810 --> 00:19:47.750
We have Cilium F9 on minikube.

00:19:47.750 --> 00:19:50.430
Cilium T8 is minikube two.

00:19:50.430 --> 00:19:53.910
So each one has a Cilium agent.

00:19:53.910 --> 00:19:56.610
And we have a single Cilium operator

00:19:56.610 --> 00:19:58.690
running on minikube, which is the control

00:19:58.710 --> 00:20:12.150
plane, right? And then we have three Envoy pods. All right, ensure a fresh minikube environment.