Mastering Kubernetes 4‑Layer Load Balancing with Ingress and Traefik
This guide walks through the concepts and step‑by‑step procedures for using Kubernetes 4‑layer Service load balancing, configuring Ingress Controllers (nginx, Traefik), generating TLS certificates, deploying Traefik and a Tomcat application, and exposing them via HTTP and HTTPS.
Overview
The article reviews the four‑layer Service load‑balancing flow in Kubernetes (client → nodeIP:port → serviceIP:port → podIP:port) and explains how to replace it with a seven‑layer Ingress Controller for dynamic routing and automatic service discovery.
Ingress Controller
An Ingress Controller operates at layer 7, receiving external requests and reverse‑proxying them to backend pods. Common controllers include nginx (requires manual config reload) and Traefik (auto‑reload). Because pod IPs change, a Service groups pods and the Ingress points to that Service.
Ingress Resource
Ingress is a Kubernetes resource that defines how external HTTP/S traffic should be routed to Services based on hostnames and URL paths. The controller watches the Kubernetes API, updates its configuration when Services or Pods change, and reloads to apply new rules.
Deploying Traefik (Seven‑Layer Controller)
Steps to deploy Traefik on a cluster:
Deploy the Ingress Controller (Traefik) on the master node.
Create a Service to group pods.
Create the application pods.
Create an HTTP Ingress to test plain HTTP access.
Create an HTTPS Ingress to test TLS termination.
Client traffic then follows:
client → NodeIP:port → IngressController → Service → Pod.
Generating TLS Certificates
On the master node, generate a private key and self‑signed certificate, then create a Kubernetes secret to store them:
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=tomcat.lucky.com
kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key

Storing the key and certificate in a Secret keeps this sensitive material out of pod specs and images; the HTTPS Ingress later in this guide references the Secret by name, so it must live in the same namespace as that Ingress (default here).
Traefik Deployment Manifest
The following YAML defines RBAC roles, a ConfigMap for Traefik settings, a DaemonSet to run the controller, and Services for HTTP, admin, and HTTPS ports.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: [services, endpoints, secrets]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses]
    verbs: [get, list, watch]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik.toml: |
    # insecureSkipVerify turns off certificate verification on Traefik's own
    # connections to backends; the Tomcat backend below speaks plain HTTP, so
    # this setting is not required for it.
    insecureSkipVerify = true
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]
        [[entryPoints.https.tls.certificates]]
        CertFile = "/ssl/tls.crt"
        KeyFile = "/ssl/tls.key"
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      # hostNetwork binds the entry points directly on each node's interfaces
      hostNetwork: true
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      terminationGracePeriodSeconds: 60
      volumes:
        - name: ssl
          secret:
            # a TLS Secret named "ssl" in kube-system; it is not created by the
            # commands in this guide and must exist before the pods start
            secretName: ssl
        - name: config
          configMap:
            name: traefik-conf
      containers:
        - image: k8s.gcr.io/traefik:1.7.9
          name: traefik-ingress-lb
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            # Traefik 1.x dashboard/API, enabled by --web; it has no
            # authentication unless configured
            - name: admin
              containerPort: 8080
          args:
            - --configfile=/config/traefik.toml
            - -d
            - --web
            - --kubernetes
          volumeMounts:
            - mountPath: "/ssl"
              name: "ssl"
            - mountPath: "/config"
              name: "config"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  # a selector only matches pods in the Service's own namespace, so this
  # must be kube-system to pick up the DaemonSet pods
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      name: https
  type: NodePort
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: ingress.multi.io
      http:
        paths:
          - backend:
              serviceName: traefik-web-ui
              servicePort: 80

Apply the manifest with kubectl apply -f traefik.yaml and verify that the Traefik pods are running in the kube-system namespace.
Deploying Tomcat Application
Create a Service and Deployment for Tomcat, then expose it via Ingress.
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
    - name: http
      targetPort: 8080
      port: 80
    - name: ajp
      targetPort: 8009
      port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
        - name: myapp
          image: tomcat:8.5-jre8-alpine
          ports:
            - name: http
              containerPort: 8080
            - name: ajp
              containerPort: 8009

Apply with kubectl apply -f tomcat-deploy.yaml and confirm the three pods are running.
Ingress for Tomcat (HTTP)
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  rules:
    - host: tomcat.lucky.com
      http:
        paths:
          - path: /
            backend:
              serviceName: tomcat
              servicePort: 80

Apply with kubectl apply -f ingress-tomcat.yaml.
Ingress for Tomcat (HTTPS)
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    - hosts:
        - tomcat.lucky.com
      # the Secret created earlier with kubectl create secret tls; it must be
      # in this Ingress's namespace (default)
      secretName: tomcat-ingress-secret
  rules:
    - host: tomcat.lucky.com
      http:
        paths:
          - path: /
            backend:
              serviceName: tomcat
              servicePort: 80

After applying, kubectl get ingress shows the Ingress listening on both ports 80 and 443. On the client machine, add an entry to /etc/hosts that maps the hostname to the node running Traefik (e.g., 192.168.0.16 tomcat.lucky.com), then open http://tomcat.lucky.com or https://tomcat.lucky.com:443 to verify the TLS setup. Because the certificate is self-signed, the browser will warn unless tls.crt is trusted explicitly.
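The script below is an added example, not part of the original article, that ties the certificate step and the final verification together. It generates the tomcat.lucky.com key pair with a subjectAltName (modern browsers ignore the CN alone for host matching, so the -subj-only command above yields a certificate they will not accept for the host), checks the certificate before it is loaded into the Secret, and probes the Ingress by pinning tls.crt as the trust root instead of editing /etc/hosts or disabling verification. The node IP and Secret name are the values from this guide; kubectl and a reachable cluster are assumed only for the last two functions.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed cert with SAN for
# an Ingress host, pre-flight checks, and a pinned-trust HTTPS probe.
set -eu

# Generate key + self-signed cert for host $1 into directory $2.
# Adds subjectAltName=DNS:<host>, which browsers require for host matching.
gen_tls_cert() {
    host=$1; dir=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/tls.key" -out "$dir/tls.crt" \
        -subj "/C=CN/ST=Beijing/O=DevOps/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
    chmod 600 "$dir/tls.key"   # private key readable by the owner only
}

# Return 0 if cert $2 lists host $1 in subjectAltName and has not expired.
cert_matches_host() {
    host=$1; crt=$2
    openssl x509 -in "$crt" -noout -text | grep -qwF "DNS:$host" || return 1
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null
}

# Load the pair into the TLS Secret the HTTPS Ingress references:
# create_tls_secret tomcat-ingress-secret ./certs default   (needs kubectl)
create_tls_secret() {
    kubectl -n "$3" create secret tls "$1" --cert="$2/tls.crt" --key="$2/tls.key"
}

# Probe the Ingress through node IP $2 for host $1, trusting only cert $3.
# --resolve replaces the /etc/hosts edit; --cacert replaces an insecure -k.
# check_https tomcat.lucky.com 192.168.0.16 ./certs/tls.crt
check_https() {
    host=$1; node_ip=$2; crt=$3
    curl -sS -o /dev/null --resolve "$host:443:$node_ip" \
        --cacert "$crt" "https://$host/"
}
```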
Full-Stack DevOps & Kubernetes
Focused on sharing DevOps, Kubernetes, Linux, Docker, Istio, microservices, Spring Cloud, Python, Go, databases, Nginx, Tomcat, cloud computing, and related technologies.