Usually, we place internal services such as databases or applications in private subnets. These machines cannot be accessed directly through a public IP. Instead, we use load balancers (ALB, ELB) to redirect traffic to the internal machines. This setup protects our services from external attacks and only allows access to services that truly need to be exposed externally.
Recently, our company switched to using Nginx ingress controller with a L4 Load Balancer to handle incoming traffic, replacing the previous use of Application Gateway. During deployment, I discovered that the official default setting for ExternalTrafficPolicy on the Service is set to Local (Ingress-nginx Azure deploy.yaml), as mentioned in the AKS documentation. It was also noted that if we want to preserve the client's source IP address, this configuration is necessary.
After some exploration, it was found that this is related to how Kube-proxy handles incoming traffic, which helped address the implementation issues I had with K8S Service. This article aims to document my findings. 🎉
最近發現我們在 Azure Kubernetes Service (AKS) 上的 Pod 很容易被驅逐,查了一下才發現原來我們不能用盡 Node 上的所有資源,這篇文章就來看看我們必須留下多少資源給系統吧。
Cluster Autoscaler (以下簡稱 CA) 是 Kubernetes 官方出的一個工具,讓你的 Cluster 依照需求伸縮,簡單來說就是幫你開/關雲端上的機器。通常會配合上 Horizontal Pod Autoscaler (以下簡稱 HPA) 一起使用,當 Pod 記憶體/CPU 或其他指標達到一定標準後,擴展 Pod,當沒有足夠的機器 (Node) 來執行 Pod 時,CA 就會幫你擴展機器。相反的需求下降時,HPA 降低 Pod 數量,CA 也會關閉不需要的機器,如此一來就可以節省成本又可以達到同樣的運算能力。