OBI

Reputation: 51

Kubernetes how to load balance EXTERNAL persistent tcp connections?

I'm having an issue with load balancing persistent TCP connections to my Kubernetes replicas.

I have Unity3D clients outside of the Kubernetes cluster.

My cluster is a bare-metal cluster with MetalLB installed, composed of 3 nodes: 1 master and 2 workers.

As I have read there are two approaches:

1) The client connects to all replicas, and each time it needs to send a request it will do so on a random connection out of those that it has previously established. Periodically, it refreshes connections (in case autoscale happened or some of the persistent connections died).

The problem here is, I'm not sure how to access all replicas externally; headless services cannot be exposed externally.

2) Service mesh? I have vaguely read/understood that they might establish persistent TCP on your behalf. So something like this:

unity3d client <----persistent connection ---> controller <---persistent connection----> replicas

However, I'm not sure how to accomplish this, and I'm not sure what will happen if the controller itself fails: will all the clients get their connections dropped? As I see it, it will come down to the same issue as the one from 1), which is allowing a client to connect to multiple different replicas at the same time with a persistent TCP connection.

Part of the question comes as a complement to this: https://learnk8s.io/kubernetes-long-lived-connections

Upvotes: 1

Views: 1635

Answers (1)

davidmontoyago

Reputation: 1833

In order to enable external traffic to your cluster you need an Ingress Gateway. Your ingress gateway could be the standard NGINX Ingress, a gateway provided by a mesh like the Istio Gateway, or a more specialized edge gateway like Ambassador, Traefik, Kong, Gloo, etc.

There are at least two ways you can perform load balancing in K8s:

  1. Using a Service resource, which is just a set of iptables rules managed by the kube-proxy process. This is L4 load balancing only. No L7 application protocols like HTTP/2 or gRPC are supported. Depending on your case, this type of LB might not be ideal for long-lived connections, as connections will rarely be closed.

  2. Using the L7 load balancing offered by any of the ingress controllers, which will skip the iptables routing (using a headless Service) and allow for more advanced load balancing algorithms.

In order to benefit from the latter case you still need to ensure that connections are eventually terminated, which is often done from the client to the proxy (while reusing connections from the proxy to the upstream). I'm not familiar with Unity3D connections, but if terminating them is not an option you won't be able to do much load balancing after all.

When the controller fails, connections will be dropped and your client could either graciously re-attempt the connection or panic. It depends on how you code it.

Upvotes: 3
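
The rebalancing point made in the answer above, as an added example that is not part of the original thread: a small Python simulation of connection-time (L4) balancing, comparing clients that never close their connection with clients that reconnect after a maximum age. Pod names, client counts, tick counts and the max-age policy are constructed assumptions, not values from the question.

```python
import random
from collections import Counter


def simulate(clients=200, ticks=300, scale_at=100, max_age=None, seed=7):
    """Return {replica: open connections} after `ticks` steps.

    Models connection-time balancing only: a backend is picked at random
    when a connection opens and never changes while it stays open.
    max_age=None -> every client keeps its first connection forever.
    max_age=N    -> every client closes and reopens after N ticks plus
                    random jitter, so reconnects do not all land at once.
    """
    rng = random.Random(seed)
    replicas = ["pod-a", "pod-b"]          # constructed names

    def open_conn():
        limit = None
        if max_age is not None:
            limit = max_age + rng.randrange(max_age // 2 + 1)
        return [rng.choice(replicas), limit, 0]   # [backend, limit, age]

    conns = [open_conn() for _ in range(clients)]
    for tick in range(ticks):
        if tick == scale_at:               # autoscaler adds two replicas
            replicas += ["pod-c", "pod-d"]
        for i, (_backend, limit, age) in enumerate(conns):
            if limit is not None and age >= limit:
                conns[i] = open_conn()     # client-side reconnect
            else:
                conns[i][2] = age + 1
    counts = Counter(c[0] for c in conns)
    return {r: counts.get(r, 0) for r in replicas}


if __name__ == "__main__":
    print("never closed :", simulate(max_age=None))
    print("max age 30   :", simulate(max_age=30))
```

With connections that are never closed, the replicas added at scale-out receive no traffic at all; with a bounded connection age every replica ends up with a share of the clients.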
