loadbalancer | A sticky load balancer optimized for realtime apps

I have a k8 setup that looks like this

ingress -> headless service (k8 service with clusterIp: none) -> statefulsets ( 2pods)

Fqdn looks like this:

I'm experimenting with kubernetes and a minio deployment. I have a k3s 4 node cluster, each one with 4 50GB disk. Following the instructions here I have done this:

1. First I installed krew in order to install the minio and the directpv operators.

2. I installed those two without a problem.

3. I formatted every Available hdd in the node using kubectl directpv drives format --drives /dev/vd{b...e} --nodes k3s{1...4}

4. I then proceed to make the deployment, first I create the namespace with kubectl create namespace minio-tenant-1, and then I actually create the tenant with:

   kubectl minio tenant create minio-tenant-1 --servers 4 --volumes 8 --capacity 10Gi --storage-class direct-csi-min-io --namespace minio-tenant-1

5. The only thing I need to do then is expose the port to access, which I do with: kubectl port-forward service/minio 443:443 (I'm guessing it should be a better way to achieve this, as the last command isn't apparently permanent, maybe using a LoadBalancer or NodePort type services in the kubernetes cluster).

So far so good, but I'm facing some problems:

• When I try to create an alias to the server using mc the prompt answer me back with:

mc: Unable to initialize new alias from the provided credentials. Get "https://127.0.0.1/probe-bucket-sign-9aplsepjlq65/?location=": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

I can surpass this with simply adding the --insecure option, but I don't know why it throws me this error, I guess is something how k3s manage the TLS auto-signed certificates.

• Once created the alias (I named it test) of the server with the --insecure option I try to create a bucket, but the server always answer me back with:

  mc mb test/hello

  mc: Unable to make bucket \test/hello. The specified bucket does not exist.

So... I can't really use it... Any help will be appreciated, I need to know what I'm doing wrong.

I am following this official k8 ingress tutorial. However I am not able to curl the minikube IP address and access the "web" application.

I have two fargate tasks running in two different clusters, the first one is running on port 3000 and can receive requests from anyone, the second one is running on port 8080 and can be accessed only by the first one. Both are in the same Security Group and VPC.

I created an inbound rule to allow public access for the first one, then I tried to create other inbound rule to enable the access for the second through security group ingress. But when the first service tries to access the second, I receive an Timeout Error.

When I allow the public access to the second service, the communication works properly, but I cannot allow it for forever.

Each service has a loadbalancer configured, but I already tried to access the service by his task public ip without success too.

Anyone has any idea what I am doing wrong?? The inbound rules for the security group can be checked in this image

I have multiple containers/images such as admin(django),nginx(httpserver)

my system is here below.

port80-> nginx -> port8011 -> admin

I want to deploy these on fargate.

However I'm still confused.

Two Image, Two Container,Two task difinition,two loadbalancer it's ok.

However one public IP to only nginx?

How can I connect between container?

Currently my source code is like this below.

I am familiar with docker-compose, but not for aws fargate.

Any help appreciated.

I'm trying to deploy a HA Keycloak cluster (2 nodes) on Kubernetes (GKE). So far the cluster nodes (pods) are failing to discover each other in all the cases as of what I deduced from the logs. Where the pods initiate and the service is up but they fail to see other nodes.

Components

• PostgreSQL DB deployment with a clusterIP service on the default port.
• Keycloak Deployment of 2 nodes with the needed ports container ports 8080, 8443, a relevant clusterIP, and a service of type LoadBalancer to expose the service to the internet

Logs Snippet:

I've been trying to get over this but I'm out of ideas for now hence I'm posting the question here.

I'm experimenting with the Oracle Cloud Infrastructure (OCI) and I wanted to create a Kubernetes cluster which exposes some service.

The goal is:

• A running managed Kubernetes cluster (OKE)
• 2 nodes at least
• 1 service that's accessible for external parties

The infra looks the following:

• A VCN for the whole thing
• A private subnet on 10.0.1.0/24
• A public subnet on 10.0.0.0/24
• NAT gateway for the private subnet
• Internet gateway for the public subnet
• Service gateway
• The corresponding security lists for both subnets which I won't share right now unless somebody asks for it
• A containerengine K8S (OKE) cluster in the VCN with public Kubernetes API enabled
• A node pool for the K8S cluster with 2 availability domains and with 2 instances right now. The instances are ARM machines with 1 OCPU and 6GB RAM running Oracle-Linux-7.9-aarch64-2021.12.08-0 images.
• A namespace in the K8S cluster (call it staging for now)
• A deployment which refers to a custom NextJS application serving traffic on port 3000

And now it's the point where I want to expose the service running on port 3000.

I have 2 obvious choices:

• Create a LoadBalancer service in K8S which will spawn a classic Load Balancer in OCI, set up it's listener and set up the backendset referring to the 2 nodes in the cluster, plus it adjusts the subnet security lists to make sure traffic can flow
• Create a Network Load Balancer in OCI and create a NodePort on K8S and manually configure the NLB to the ~same settings as the classic Load Balancer

The first one works perfectly fine but I want to use this cluster with minimal costs so I decided to experiment with option 2, the NLB since it's way cheaper (zero cost).

Long story short, everything works and I can access the NextJS app on the IP of the NLB most of the time but sometimes I couldn't. I decided to look it up what's going on and turned out the NodePort that I exposed in the cluster isn't working how I'd imagine.

The service behind the NodePort is only accessible on the Node that's running the pod in K8S. Assume NodeA is running the service and NodeB is just there chilling. If I try to hit the service on NodeA, everything is fine. But when I try to do the same on NodeB, I don't get a response at all.

That's my problem and I couldn't figure out what could be the issue.

What I've tried so far:

• Switching from ARM machines to AMD ones - no change
• Created a bastion host in the public subnet to test which nodes are responding to requests. Turned out only the node responds that's running the pod.
• Created a regular LoadBalancer in K8S with the same config as the NodePort (in this case OCI will create a classic Load Balancer), that works perfectly
• Tried upgrading to Oracle 8.4 images for the K8S nodes, didn't fix it
• Ran the Node Doctor on the nodes, everything is fine
• Checked the logs of kube-proxy, kube-flannel, core-dns, no error
• Since the cluster consists of 2 nodes, I gave it a try and added one more node and the service was not accessible on the new node either
• Recreated the cluster from scratch

Edit: Some update. I've tried to use a DaemonSet instead of a regular Deployment for the pod to ensure that as a temporary solution, all nodes are running at least one instance of the pod and surprise. The node that was previously not responding to requests on that specific port, it still does not, even though a pod is running on it.

Edit2: Originally I was running the latest K8S version for the cluster (v1.21.5) and I tried downgrading to v1.20.11 and unfortunately the issue is still present.

Edit3: Checked if the NodePort is open on the node that's not responding and it is, at least kube-proxy is listening on it.

I am trying to setup a certificate for a locally running react app on a virtual host local.example.com. This has to just work locally on docker setup. After going through some articles, I came up with this docker-compose.yml:

If we need static IP address in AWS for Load balancer then we have to go for Network Loadbalancer forwarding requests to Application Loadbalancer.

Now since ALB only supports HTTP and HTTPS protocols And NLB only supports TCP protocol

How does this communication actually work?

The client like browser will send the request in HTTP or HTTPS. How does this communication happens ?