How does traffic get routed to an ingress controller?

Question

The following questions are about an on-prem K3S setup.

1] How does HTTP/S traffic reach an ingress controller in say K3S?

When I hit any of my nodes on HTTPS port 443 I get the traefik ingress controller. This must be "magic" though because:

• There is no process on the host listening on 443 (according to lsof)
• The actual nodePort on the traefik service (of type LoadBalancer) is 30492

2] Where is the traefik config located inside the ingress controller pod? When I shell into my traefik pods I cannot find the config anywhere - /etc/traefik does not even exist. Is everything done via API (from Ingress resource definitions) and not persisted?

3] Is ingress possible without any service of type LoadBalancer? I.e. can I use a nodePort service instead by using an external load balancer (like F5) to balance traffic between nodes and these nodeports?

4] Finally, how do the traefik controller pods "know" when a node is down and stop sending/balancing traffic to pods which no longer exist?

Answer 1

1. Port-forwarding is responsible for traffic getting mapped to traefik ingress controller by hitting on port 443 and NodePort is generally in between this range 30000-32767 only.

Refer this documentation for more information on port forwarding.

3. Yes, An Ingress does not expose arbitrary ports or protocols. Exposing services other than HTTP and HTTPS to the internet typically uses a service of type Service.Type=NodePort or Service.Type=LoadBalancer.

Refer this documentation for more information on ingress.

4. Kubernetes has a health check mechanism to remove unhealthy pods from Kubernetes services (cf readiness probe). As unhealthy pods have no Kubernetes endpoints, Traefik will not forward traffic to them. Therefore, Traefik health check is not available for kubernetesCRD and kubernetesIngress providers.

Refer this documentation for more information on Health check.