Kubernetes Traffic Routing


Today I would like to share an approach to wildcard cluster routing for homelab environments. I recently switched back from IPv6 to IPv4, which changed a lot in traffic management: with IPv6 every host has its own ports to expose, while IPv4 requires port mapping at the FritzBox level. A huge difference. The same applies to DNS resolution and routing, since DNS for IPv6 works differently from IPv4. In particular, most corporate networks still do not provide IPv6 DNS today, which makes your services simply unreachable from them. This is due to ISO 27000 certifications, which require traffic security, and that gets very complex in IPv6 scenarios.

Let's take a look at the IPv4 scenario and how to route generic traffic, let's say *.example.com, into a cluster. First, we need a wildcard DNS entry pointing to your FritzBox as a CNAME record. Next, you need to forward port 80 and 443 traffic to your cluster. You might target an internal LoadBalancer IP, which you can get with an internal MetalLB installation, or a NodePort. Behind it you can set up a reverse proxy (behind next-gen firewalls etc.) for central TLS offloading (e.g. via cert-manager) and for placing security guardrails. The proxy can call your internal services via the Istio Ingress Gateway, either way over HTTPS or HTTP (as some services don't support reverse proxies because they lack the configuration options).

For your reverse proxy, e.g. nginx, you can set security settings such as limit_req and limit_conn against overload scenarios and request spam. Your proxy also needs to send the X-Forwarded-* headers so your services know who was originally calling and which protocol was used. The latter also need to be reflected in your VirtualServices in case you do TLS offloading and proceed with HTTP (delegating encryption to Istio):

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: example-vs
  namespace: ds-example-d
  labels:
    app.kubernetes.io/name: "argocd"
    docker-service.de/customer: "example.com"
spec:
  # Host the reverse proxy forwards (the Host header must be preserved by the proxy)
  hosts:
  - app1.example.com
  # Istio ingress gateway that receives the plain HTTP traffic after TLS offloading
  gateways:
  - istio-ingress/application-gw
  http:
  - match:
    - uri:
        prefix: "/"
    route:
    - destination:
        port:
          number: 80
        # In-cluster FQDN of the Kubernetes Service; the ".svc" segment is required
        # for the Kubernetes service registry to resolve it
        host: frontend.ds-example-d.svc.cluster.local
    headers:
      request:
        set:
          # Tell the backend the original client protocol, since Istio only sees HTTP
          x-forwarded-proto: https
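A matching nginx configuration for the reverse proxy described above, as an added example and not the post's own config: it terminates TLS for *.example.com, applies limit_req and limit_conn, sets the X-Forwarded-* headers and forwards to the Istio ingress gateway. The upstream address 192.168.178.240 (assumed to be the MetalLB address of the gateway) and the certificate paths are assumptions.

```nginx
# Added example, not from the original post. Assumed values: the upstream IP and cert paths.

# Rate and connection limits keyed by client address (guardrails against request spam)
limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=20r/s;
limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

# Istio ingress gateway, reached via its MetalLB address on the plain HTTP listener
upstream istio_ingress {
    server 192.168.178.240:80;   # assumption: MetalLB address of the gateway
}

# Port 80: only redirect to HTTPS, no application traffic
server {
    listen 80;
    server_name *.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name *.example.com;

    # Wildcard certificate issued by cert-manager and exported from its Secret (assumed paths)
    ssl_certificate     /etc/nginx/tls/wildcard.example.com/tls.crt;
    ssl_certificate_key /etc/nginx/tls/wildcard.example.com/tls.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Overload protection: bursts above 20 r/s are queued up to 40, then rejected with 429
    limit_req         zone=per_ip_req burst=40 nodelay;
    limit_conn        per_ip_conn 20;
    limit_req_status  429;
    limit_conn_status 429;
    client_max_body_size 10m;

    location / {
        # Keep the original Host so the VirtualService "hosts" entry matches
        proxy_set_header Host              $host;
        # Let the service know who originally called and over which protocol
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_http_version 1.1;
        # TLS is offloaded here; the hop to Istio is HTTP, so Istio must set
        # x-forwarded-proto itself as in the VirtualService above
        proxy_pass http://istio_ingress;
    }
}
```

Validate with `nginx -t` before reloading; if the Istio gateway listener is HTTPS instead, change the upstream port and `proxy_pass` scheme accordingly.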
