# general
c
the kubernetes service only listens on 443 inside the cluster. Outside the cluster it is on 6443. How exactly did you manage to conflict with a cluster service address?
are you sure you didn’t conflict with traefik? the traefik loadbalancer service uses 80 and 443 on the nodes.
h
No, I’m totally not sure! lol. I’m like two weeks into Kubernetes so please tell me if I’m saying totally incorrect stuff. So.. tell me if I’m understanding this right; I run
kubectl get nodes -n default
Which (according to my kubeconfig) reaches to https://rancher-url.domain.com:443 and then internally rancher passes the request to cluster1:443. ?
c
You’re talking to rancher through the ingress controller on whatever cluster Rancher is running in.
So the full path is kubectl -> ingress controller on rancher cluster -> rancher -> cattle-cluster-agent on downstream cluster -> apiserver on downstream cluster
h
Right right.. but using kubectl, when your kubeconfig is for a secondary cluster. Goes to rancher then to the cluster right?
Like I’ve got cluster1 which is hosting rancher. then cluster2 is my haproxy area
c
cattle-cluster-agent talks to kubernetes on the downstream cluster using the in-cluster kubernetes service endpoint. the thing you see if you do
kubectl get service -n default kubernetes
h
Ahh ok good, good. So by changing the kubernetes service from 443 to 4433 my kubectl link was broken
c
yeah don’t do that…
h
So what happened was, I browsed to node1_ip:443 (using openssl to grab cert info) and was handed the SS traefik cert. That led me to thinking that perhaps it was conflicting with the HAP service on 443
(my hap services are nodePort)
So I went looking then for traefik related pieces that I don’t need/want to use. There is nothing at all under this namespace related to traefik. Which is confusing as to where this traefik cert is coming from
I have a conflict.. somewhere
c
everything is deployed to kube-system. kubernetes is always in the default namespace for historical reasons.
It sounds like you want to disable traefik, or make it a ClusterIP service instead of LoadBalancer, or change the service ports?
h
TBH I’m not 100% on what traefik would be used for if not a deployment/service/daemonset I choose to use it as the ingress.
c
The Traefik ingress controller deploys a LoadBalancer Service that uses ports 80 and 443, advertises the LoadBalancer Service’s External IPs in the Status of Ingress resources it manages.
By default, ServiceLB will use all nodes in the cluster to host the Traefik LoadBalancer Service, meaning ports 80 and 443 will not be usable for other HostPort or NodePort pods, and Ingress resources’ Status will show all cluster members’ node IPs.
h
I missed a checkbox when I created this cluster I bet..
c
if you’re not deploying anything that uses Ingress you probably don’t need an ingress controller and could just disable traefik
h
Nice that’s the ticket
So the big picture thing here is I’m testing kube to try to replicate a VM running haproxy routing external traffic to some webservers. So the test is how to configure a cluster to accept externally sourced traffic then route it to resources outside the cluster. This being the Rancher slack I won’t try to segue to any questions not related to Rancher but just so you’re not left wondering wth I’m trying to do.
I believe I have all the parts.. the networking and Rancher bits were a bit confusing
Oh almost forgot, Thanks Brandon!