Static IPs

This example demonstrates how to assign a static IP to an Ingress on GCE.

Prerequisites

You need a TLS cert and a test HTTP service for this example. You also need an Ingress controller running in your cluster, and you must make sure your Ingress targets exactly one Ingress controller by specifying the ingress.class annotation.

Acquiring a static IP

In GCE, a static IP belongs to a given project until the owner decides to release it. If you create a static IP and assign it to an Ingress, deleting the Ingress or tearing down the GKE cluster will not delete the static IP. You can check the static IPs you have as follows:

$ gcloud compute addresses list --global
NAME                     REGION  ADDRESS          STATUS
test-ip                          35.186.221.137   RESERVED

$ gcloud compute addresses list
NAME                      REGION       ADDRESS          STATUS
test-ip                                35.186.221.137   RESERVED
test-ip                   us-central1  35.184.21.228    RESERVED

Note the difference between a regional and a global static IP. Only global static IPs will work with Ingress. If you don't already have an IP, you can create one:

$ gcloud compute addresses create test-ip --global
Created [https://www.googleapis.com/compute/v1/projects/kubernetesdev/global/addresses/test-ip].
---
address: 35.186.221.137
creationTimestamp: '2017-01-31T10:32:29.889-08:00'
description: ''
id: '9221457935391876818'
kind: compute#address
name: test-ip
selfLink: https://www.googleapis.com/compute/v1/projects/kubernetesdev/global/addresses/test-ip
status: RESERVED

Assigning a static IP to an Ingress

You can now add the static IP from the previous step to an Ingress by specifying the kubernetes.io/global-static-ip-name annotation. The example YAML in this directory already has it set to test-ip:

$ kubectl create -f gce-static-ip-ingress.yaml
ingress "static-ip" created

$ gcloud compute addresses list test-ip
NAME     REGION       ADDRESS         STATUS
test-ip               35.186.221.137  IN_USE
test-ip  us-central1  35.184.21.228   RESERVED

$ kubectl get ing
NAME        HOSTS     ADDRESS          PORTS     AGE
static-ip   *         35.186.221.137   80, 443   1m

$ curl 35.186.221.137 -Lk
CLIENT VALUES:
client_address=10.180.1.1
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://35.186.221.137:8080/
...

Retaining the static IP

You can test retention by deleting the Ingress:

$ kubectl delete -f gce-static-ip-ingress.yaml
ingress "static-ip" deleted

$ kubectl get ing
No resources found.

$ gcloud compute addresses list test-ip --global
NAME     REGION       ADDRESS         STATUS
test-ip               35.186.221.137  RESERVED
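
The following Python check is an added example, not part of the original README or the ingress project. It takes the parsed output of `gcloud compute addresses list --format=json`, reports whether the name in the kubernetes.io/global-static-ip-name annotation resolves to a global address, and lists the global addresses that remain reserved after an Ingress is deleted. The sample data is constructed from the listings above, the function names are hypothetical, and it assumes global addresses carry no `region` field in the JSON.

```python
import json

# Constructed sample shaped like `gcloud compute addresses list --format=json`,
# mirroring the README listing: test-ip exists globally and in us-central1.
SAMPLE = json.loads("""[
  {"name": "test-ip", "address": "35.186.221.137", "status": "RESERVED"},
  {"name": "test-ip", "address": "35.184.21.228", "status": "RESERVED",
   "region": "https://www.googleapis.com/compute/v1/projects/kubernetesdev/regions/us-central1"}
]""")

ANNOTATION = "kubernetes.io/global-static-ip-name"


def check_static_ip(ingress, addresses):
    """Return (verdict, detail) for the address named by the Ingress annotation."""
    meta = ingress.get("metadata") or {}
    name = (meta.get("annotations") or {}).get(ANNOTATION)
    if not name:
        return ("no-annotation", "no static IP name set on this Ingress")
    matches = [a for a in addresses if a["name"] == name]
    # Assumption: only regional addresses carry a "region" URL.
    global_matches = [a for a in matches if not a.get("region")]
    if global_matches:
        addr = global_matches[0]
        if addr["status"] == "IN_USE":
            return ("in-use", f"{addr['address']} is already attached")
        return ("ok", f"{addr['address']} is reserved and free")
    if matches:
        # Same name, but regional only: this will not work with Ingress.
        regions = sorted(a["region"].rsplit("/", 1)[-1] for a in matches)
        return ("regional-only", f"{name} exists only in {', '.join(regions)}")
    return ("missing", f"no address named {name}")


def retained_global(addresses):
    """Global addresses still RESERVED: they outlive the Ingress and the cluster."""
    return [a["name"] for a in addresses
            if not a.get("region") and a["status"] == "RESERVED"]


if __name__ == "__main__":
    ing = {"metadata": {"name": "static-ip",
                        "annotations": {ANNOTATION: "test-ip"}}}
    print(check_static_ip(ing, SAMPLE))
    print(retained_global(SAMPLE))
```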

Promote ephemeral to static IP

If you simply create an HTTP Ingress resource, it gets an ephemeral IP:

$ kubectl create -f gce-http-ingress.yaml
ingress "http-ingress" created

$ kubectl get ing
NAME           HOSTS     ADDRESS         PORTS     AGE
http-ingress   *         35.186.195.33   80        1h

$ gcloud compute forwarding-rules list
NAME                                           REGION       IP_ADDRESS      IP_PROTOCOL  TARGET
k8s-fw-default-http-ingress--32658fa96c080068               35.186.195.33   TCP          k8s-tp-default-http-ingress--32658fa96c080068

Note that because this is an ephemeral IP, it won't show up in the output of gcloud compute addresses list.

If you either directly create an Ingress with a TLS section, or modify an HTTP Ingress to have a TLS section, it gets a static IP:

$ kubectl patch ing http-ingress -p '{"spec":{"tls":[{"secretName":"tls-secret"}]}}'
"http-ingress" patched

$ kubectl get ing
NAME           HOSTS     ADDRESS         PORTS     AGE
http-ingress   *         35.186.195.33   80, 443   1h

$ gcloud compute addresses list
NAME                                           REGION       ADDRESS          STATUS
k8s-fw-default-http-ingress--32658fa96c080068               35.186.195.33    IN_USE