Many people believe that since Ingress is the default way that traffic is allowed into a Kubernetes cluster, and it CAN do layer 4 and layer 7, Traefik/HAProxy/Istio as Ingress should automatically be the primary entry point to the outside world. But can an instance of Traefik be placed in front solely as a Layer 4 load balancer, even though it can do much more? In other words, does it make sense to have a Layer 4 load balancer layer followed by an Ingress layer, or does this upset the http/grpc connections? This way the primary entry point can be on a machine in the DMZ layer rather than exposing a cluster IP address and port. So for example:
Client --> Traefik Level 4 --> Traefik Level 7 (Ingress) --> Service?
Hi @hanoisteve, yes, it's totally doable: https://github.com/jlevesy/k3s-offline/blob/master/docker-compose.yml#L17 is an example of Traefik v2.0 (because Traefik v1.x is Layer 7 only) in front of a Kubernetes cluster (k3s is a lightweight but compliant Kubernetes implementation).
Be aware that you must have 2 instances of Traefik running, one for each feature (feature 1 is external to internal routing at layer 4 or under, feature 2 is internal only - aka ingress capability).
You might be interested in using https://metallb.universe.tf/ and installing the ingress Traefik with a Service of type LoadBalancer, because it would harness Kubernetes capabilities for managing the MetalLB service, it would separate concerns, and the external LB would be Layer 2 (or BGP).
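A minimal Traefik v2 configuration for the outer, Layer-4-only instance in the chain above, as an added example (not code from the linked repository): a TCP router passes TLS through untouched to the cluster's ingress nodes, so the edge box in the DMZ never holds the cluster's certificates and HTTP/gRPC streams are not terminated twice. The entry point name, file path and node addresses are assumptions.

```yaml
# --- static configuration (traefik.yml) for the Layer 4 edge instance ---
# Only one entry point is opened; no HTTP provider, no Kubernetes provider,
# so this instance cannot become an accidental second ingress controller.
entryPoints:
  websecure:
    address: ":443"

providers:
  file:
    filename: /etc/traefik/dynamic.yml   # assumed path

# --- dynamic configuration (/etc/traefik/dynamic.yml) ---
tcp:
  routers:
    to-ingress:
      entryPoints:
        - websecure
      # HostSNI(`*`) is required for a TCP router; with passthrough enabled
      # Traefik only reads the SNI to route and forwards the raw TLS bytes.
      rule: "HostSNI(`*`)"
      tls:
        passthrough: true
      service: ingress-nodes

  services:
    ingress-nodes:
      loadBalancer:
        servers:
          # assumed addresses of the nodes where the inner (ingress) Traefik
          # listens; only these internal IPs and port 443 are reachable from
          # the edge, nothing else in the cluster is exposed.
          - address: "10.0.0.11:443"
          - address: "10.0.0.12:443"
```

The inner Traefik (the Ingress) still terminates TLS and does the Layer 7 routing, so the two instances keep the separate roles described in the reply above.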
Sounds good. One thing I am trying to figure out is that normally, in the classic load balancer scenario, the load balancer sits outside in a DMZ and neither the IP nor the ports of the cluster where the application resides would be exposed. How does that fit with MetalLB and Traefik or nginx running as a load balancer service inside the cluster?
The ingress controller (aka the inside Traefik/Nginx) is not in the DMZ. It's the "Kubernetes Service of type LoadBalancer" that should be outside the cluster.
The DMZ pattern is one of multiple patterns that exist for external/internal separation. It's not a mandatory thing, even for security. In the case of MetalLB, it depends whether you plan to use the layer-2 Virtual IP (based on the VRRP protocol) or BGP. The advantage is that managing the MetalLB service using Kubernetes primitives helps a lot. The DMZ part can be managed at Layer 2 with IP filtering, virtual interfaces, or with BGP routing: these are different concerns than what Traefik should manage at Layer 4 or Layer 7.