Manually defining VIP IP #961

Open

GurdipS5 opened this issue Feb 14, 2025 · 16 comments

Comments

@GurdipS5

Hi,
I want to use my own VIP IP for Kubernetes services. I added this to a service manifest:

```yaml
loxilb.io/vip: "10.1.3.1"
```

However, the IP of the service, if I check with kubectl, is 10.0.0.0.

What am I missing? Is this approach wrong?

@backguynn
Collaborator

Use `loxilb.io/staticIP` instead of `loxilb.io/vip` in the annotations. For the full list of available annotations, refer to: https://github.com/loxilb-io/kube-loxilb/blob/main/README.md.

@GurdipS5
Author

Ok that worked.

However, I noticed the below. This all looks fine, but my endpoint for the one-arm test deployment is on an IP of 10.244.5.153.

The image below does not reflect this?

[image]

@backguynn
Collaborator

The IP 10.1.255.3 is probably your node's IP. The endpoint visible via the command `loxicmd get lb -o wide` is the NodePort IP. LoxiLB first load-balances traffic to the NodePort, and then the Kubernetes node forwards it to the pods.

If you want the endpoint to be set directly to the pods, use the annotation: `loxilb.io/usepodnetwork: "yes"`

@GurdipS5
Author

Ok I got all that sorted. I do get this error:

```
curl http://10.1.3.1:55002
curl: (7) Failed to connect to 10.1.3.1 port 55002 after 3070 ms: No route to host
```

I am not sure why. There is a DNS record for this IP and no firewalls. Is there anything I am missing?

@backguynn
Collaborator

Check if packets reach LoxiLB when using the IP 10.1.3.1.
When you create an LB rule in onearm mode, the external IP is typically added to the `lo` interface of LoxiLB.

- Can you ping the IP?
- Is there a route entry to deliver packets to LoxiLB?

If these configurations are correct but the issue persists, please share the manifest files for LoxiLB and kube-loxilb.

@GurdipS5
Author

Yeah I can't ping.
No route entry.

How can I check the packets? Assuming a Wireshark job...

I guess I am missing some network configuration.

@backguynn
Collaborator

Can you ping the 10.1.255.0/24 network?

If so, and you want to verify LoxiLB's behavior, try changing your external IP to 10.1.255.254.

If 10.1.255.254 is already in use, change it to another unused IP. Then, test it again.

@GurdipS5
Author

Yeah I can ping.

So loxilb and Talos sit in a 10.0.0.0/15 subnet.

I can share the config files a little later on.

@GurdipS5
Author

Sorry I've been away, will get the config files.

@GurdipS5
Author

These are the manifests. Let me know if you need me to run any commands:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: tcp-lb-onearm
  annotations:
    loxilb.io/liveness: "yes"
    loxilb.io/lbmode: "onearm"
spec:
  externalTrafficPolicy: Local
  loadBalancerClass: loxilb.io/loxilb
  selector:
    what: tcp-onearm-test
  ports:
  - port: 55002
    targetPort: 80
  type: LoadBalancer
---
apiVersion: v1
kind: Pod
metadata:
  name: tcp-onearm-test
  labels:
    what: tcp-onearm-test
spec:
  containers:
  - name: tcp-onearm-test
    image: ghcr.io/loxilb-io/nginx:stable
    ports:
    - containerPort: 80
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
```

@GurdipS5
Author

Btw, my loxilb server is a VM. Is this relevant, or is it physical servers only? https://docs.loxilb.io/latest/standalone/

I am on VSphere.

Also, I am going to try a test.

How do I specify a destination port (or endpoint port) when manually creating a VIP in LoxiLB?

ChatGPT gave a command like this:

```
sudo docker exec -it loxilb loxicmd create lb --proto tcp --sport 80 --dport 8080 --vip 10.1.3.2 --dip 10.104.182.47 --mode external
```

@TrekkieCoder
Collaborator

The usage of loxicmd to create a LB rule is as follows -

```
loxicmd create lb IP [--select=<rr|hash|priority|persist>] [--tcp=<ports>:<targetPorts>] [--udp=<ports>:<targetPorts>] [--sctp=<ports>:<targetPorts>] [--icmp] [--mark=<val>] [--secips=<ip>,] [--sources=<ip>,] [--endpoints=<ip>:<weight>,] [--mode=<onearm|fullnat>] [--bgp] [--monitor] [--inatimeout=<to>] [--name=<service-name>] [--attachEP] [--detachEP] [--security=<https|e2ehttps|none>] [--host=<url>] [--ppv2en] [--egress] [flags]
```

For example -

```
loxicmd create lb 192.168.0.200 --tcp=80:32015 --endpoints=10.212.0.1:1,10.212.0.2:1,10.212.0.3:1 --mode=fullnat
```

The endpoints are in `<ip>:<weight>` format. You can specify the weight as 1 unless using WRR load-balancing. For a description of the modes, you can follow this guide. By default, the load-balancing algorithm is round-robin, but you can use the `select` flag to change to one of the other supported algorithms.
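
An added example (not code from the loxilb project or from anyone in this thread) that ties together the annotation fix from earlier in the thread and the loxicmd format above: it checks that a Service's `loxilb.io/staticIP` lies inside a network the LoxiLB node is reachable on, which is the symptom behind the "No route to host" error, and renders the matching `loxicmd create lb` rule. The manifest dict, the reachable CIDRs and the endpoint IPs are constructed inputs.

```python
import ipaddress

# Constructed manifest mirroring the thread's tcp-lb-onearm Service, with the
# loxilb.io/staticIP annotation that was recommended instead of loxilb.io/vip.
SERVICE = {
    "metadata": {
        "name": "tcp-lb-onearm",
        "annotations": {
            "loxilb.io/liveness": "yes",
            "loxilb.io/lbmode": "onearm",
            "loxilb.io/staticIP": "10.1.3.1",
        },
    },
    "spec": {"ports": [{"port": 55002, "targetPort": 80}]},
}

def check_vip(svc, reachable_cidrs):
    """Return findings about the VIP annotation; an empty list means it looks sane.

    reachable_cidrs: networks from which the LoxiLB node is actually reachable
    (caller-supplied; in the thread 10.1.255.0/24 was the pingable one).
    """
    findings = []
    ann = svc["metadata"].get("annotations", {})
    if "loxilb.io/vip" in ann and "loxilb.io/staticIP" not in ann:
        findings.append("loxilb.io/vip did not take effect; use loxilb.io/staticIP")
    vip = ann.get("loxilb.io/staticIP")
    if vip is not None:
        addr = ipaddress.ip_address(vip)
        if not any(addr in ipaddress.ip_network(c, strict=False) for c in reachable_cidrs):
            findings.append(f"{vip} is outside {reachable_cidrs}: clients need a route "
                            "to LoxiLB for it, otherwise curl reports 'No route to host'")
    return findings

def loxicmd_rule(svc, endpoints, mode="onearm"):
    """Render the equivalent 'loxicmd create lb' invocation.

    endpoints: {ip: weight}; use weight 1 unless doing weighted round-robin.
    Only one TCP port is handled because the thread shows no multi-port form.
    """
    ports = svc["spec"]["ports"]
    if len(ports) != 1:
        raise ValueError("this example handles exactly one port")
    vip = svc["metadata"]["annotations"]["loxilb.io/staticIP"]
    eps = ",".join(f"{ip}:{weight}" for ip, weight in endpoints.items())
    return (f"loxicmd create lb {vip} --tcp={ports[0]['port']}:{ports[0]['targetPort']} "
            f"--endpoints={eps} --mode={mode}")
```

For the kube-loxilb case the endpoint IPs are the NodePort addresses (10.1.255.3 in the screenshot above), not the pod IPs, unless `loxilb.io/usepodnetwork` is set.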

@GurdipS5
Author

Sorry, one more question.
Please excuse my naivety.

I am using kgateway as my ingress.

I noticed this guide - https://docs.loxilb.io/main/gw-api/#tcprouteudproutehttproute - I am just wondering which steps from here are necessary to hook kgateway and loxilb together?

@TrekkieCoder
Collaborator

All you need to do is enable the CRDs as mentioned in the document and probably use TCPRoute as per your use-case.

@GurdipS5
Author

GurdipS5 commented Feb 25, 2025

Ok so looks like I was indeed missing a few things. I now have an IP address, it's as below.

[image]

When I run the below, the IP does not get updated. Is there something else I should do?

[image]

Also, does this mean that LoxiLB will handle this as opposed to a third-party API gateway, such as kgateway?

> Since Gateway API's HTTPRoute for https will be handled via loxilb-ingress module, we must prepare SSL certificates.

Is there a way to let kgateway handle this? Or am I reading this wrong?

@backguynn
Collaborator

I’m looking into the question regarding kgateway, but since I’m not very familiar with it, it’s a bit difficult to understand.
However, it seems that kgateway has its own support for the Gateway API.

Therefore, even if you create a TCPRoute in loxilb, it will not apply to kgateway’s configuration.

Wouldn't you need to consider a different architectural approach to integrate the two? Just my opinion.
