Health checking your apps in a Yandex Managed Service for Kubernetes cluster using a Yandex Application Load Balancer L7 load balancer
You can use the Application Load Balancer Ingress controller to automatically health check your applications deployed in a Managed Service for Kubernetes cluster.
An Ingress controller installed in the cluster deploys an L7 load balancer with all the required Application Load Balancer resources based on the configuration of the Ingress and HttpBackendGroup resources you created.
The L7 load balancer automatically health checks the application in this cluster. Depending on the results, the L7 load balancer allows or denies external traffic to the backend (Service resource). For more information, see Health checks.
By default, the Application Load Balancer Ingress controller receives application health check requests from the L7 load balancer on TCP port 10501
and health checks the kube-proxy
In this tutorial, you will configure your own application health checks using the HttpBackendGroup resource parameters and open a dedicated port on cluster nodes for these checks in the NodePort
type Service resource parameters.
You can view health check results in the management console
Note
You can also configure application health checks using the ingress.alb.yc.io/health-checks annotation of the Service resource.
To deploy an application in a Managed Service for Kubernetes cluster and configure access to it and health checks via an Application Load Balancer L7 load balancer:
- Prepare your cloud.
- Create a Docker image.
- Deploy a test application.
- Prepare an address for the L7 load balancer.
- Create the Ingress and HttpBackendGroup resources.
- Check the result.
If you no longer need the resources you created, delete them.
Prepare your cloud
Prepare the infrastructure
-
Create security groups for the Managed Service for Kubernetes cluster and its node groups.
Also configure the security groups required for Application Load Balancer.
The application will be available on the Managed Service for Kubernetes cluster nodes on port
30080
. Application health checks will be available on port30081
. Make sure these ports are open for the L7 load balancer in the node group's security group. You can also make these ports internet-accessible.Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
-
Create a Managed Service for Kubernetes cluster. When creating it, specify the security groups prepared in advance.
If you intend to use your cluster within the Yandex Cloud network, there is no need to allocate a public IP address to it. To allow connections from outside the network, assign a public IP address to the cluster.
-
Create a node group. Allocate it a public IP address to provide internet access and allow pulling Docker images and components. Specify the security groups prepared in advance.
-
Create a registry in Yandex Container Registry.
-
If you do not have Terraform yet, install it.
-
Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
-
Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it
. -
Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
-
Download the k8s-custom-health-checks.tf
configuration file to the same working directory.This file describes:
- Network.
- Subnet.
- Security groups required for the Managed Service for Kubernetes cluster, node group, and the Application Load Balancer load balancer.
- Service account required for the Kubernetes cluster.
- Kubernetes cluster.
- Kubernetes node group.
- Registry in Yandex Container Registry.
-
Specify the following in the
k8s-custom-health-checks.tf
file:folder_id
: Cloud folder ID, same as in the provider settings.k8s_version
: Kubernetes version. Available versions are listed in Release channels.
-
Check that the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Create the required infrastructure:
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console
. -
Install the Application Load Balancer Ingress controller
Use this guide to install the ALB Ingress Controller application in a separate yc-alb
namespace. Later on, all the required Kubernetes resources will be created in this namespace.
Install additional dependencies
-
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the
--folder-name
or--folder-id
parameter. -
Install kubectl
and configure it to work with the created cluster.If a cluster has no public IP address assigned and
kubectl
is configured via the cluster's private IP address, runkubectl
commands on a Yandex Cloud VM that is in the same network as the cluster. -
Authenticate in Yandex Container Registry using a Docker credential helper.
Create a Docker image
The source files for a Docker image reside in the yc-mk8s-alb-ingress-health-checks
The Docker image will be created from app/Dockerfile
and will contain test application code from the app/healthchecktest.go
file. You will use this Docker image to deploy the application in your Managed Service for Kubernetes cluster.
The application will respond to HTTP requests as follows depending on the pod port:
80
: Return request path parameters in the response body, e.g.,/test-path
. This is the main functionality of the application that will be available via the L7 load balancer.8080
: Return anOK
message in the response body. This functionality will be used to perform application health checks.
Successful requests will return the 200 OK
HTTP code.
To create a Docker image:
-
Clone the
yc-mk8s-alb-ingress-health-checks
repository:git clone git@github.com:yandex-cloud-examples/yc-mk8s-alb-ingress-health-checks.git
-
In the terminal, go to the root of the repository directory.
-
Get the Container Registry registry ID. You can request it with a list of registries in the folder.
-
In the environment variable, add the name of the Docker image to create:
export TEST_IMG=cr.yandex/<registry_ID>/example-app1:latest
-
Build the Docker image:
docker build -t ${TEST_IMG} -f ./app/Dockerfile .
The command specifies the path for the repository's root directory.
-
Push the Docker image to the registry:
docker push ${TEST_IMG}
If you fail to push the image, follow these steps:
- Make sure you authenticate in Container Registry using a Docker credential helper.
- Configure registry access. Grant the PUSH permission for your computer's IP address to allow pushing Docker-images.
Deploy a test application
Build a test application from the created Docker image and the app/testapp.yaml
The file contains the description of Kubernetes resources: Deployment
and Service
of the NodePort
type.
The Service
resource contains the description of ports used to access the application on your cluster's nodes:
spec.ports.name: http
: Port to access the main functionality of the application,80
on the pod and30080
on the host.spec.ports.name: health
: Port for application health checks,8080
on the pod and30081
on the host.
To build a test application:
-
Specify the value of the
TEST_IMG
environment variable in thespec.template.spec.containers.image
field in theapp/testapp.yaml
file. To get this value, run:printenv TEST_IMG
-
Create the application from the
app/testapp.yaml
file:kubectl apply -f ./app/testapp.yaml --namespace=yc-alb
The command specifies the path for the repository's root directory.
-
Make sure the pods with the application are running:
kubectl get po --namespace=yc-alb
Result:
NAME READY STATUS RESTARTS AGE alb-demo-1-54b95979b4-*** 1/1 Running 0 71s alb-demo-1-54b95979b4-*** 1/1 Running 0 71s yc-alb-ingress-controller-*** 1/1 Running 0 11m yc-alb-ingress-controller-hc-*** 1/1 Running 0 11m
-
Test the application by specifying the IP address of the Managed Service for Kubernetes cluster node in the request. You can find out the IP address of the node in the management console
.-
Main functionality:
curl --include http://<node_IP_address>:30080/test-path
Result:
HTTP/1.1 200 OK Date: Thu, 18 Jul 2024 11:55:52 GMT Content-Length: 10 Content-Type: text/plain; charset=utf-8 /test-path%
-
Application health check:
curl --include http://<node_IP_address>:30081
Result:
HTTP/1.1 200 OK Date: Thu, 18 Jul 2024 12:00:57 GMT Content-Length: 2 Content-Type: text/plain; charset=utf-8 OK%
-
Prepare an address for the L7 load balancer
This address will be used to access the application from the internet.
To prepare an address for the load balancer:
-
Reserve a static public IP address for the Application Load Balancer load balancer.
-
To bind the address to the domain, create an A record for the delegated domain. Specify the reserved IP address as the record value.
-
Make sure the A record is added:
host <domain>
Result:
<domain> has address <IP_address>
-
Place the address-for-k8s-health-checks.tf
configuration file in the same working directory as thek8s-custom-health-checks.tf
file.The
address-for-k8s-health-checks.tf
file describes:- Static public IP address.
- Public DNS zone.
- Type A record for this zone to bind the reserved IP address to the delegated domain.
-
Check that the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Create the required infrastructure:
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console
. -
-
Make sure the A record is added:
host <domain>
Result:
<domain> has address <IP_address>
Create the Ingress and HttpBackendGroup resources
Based on the Ingress and HttpBackendGroup resources, the Ingress controller will deploy the L7 load balancer with all the required Application Load Balancer resources.
The ingress.yaml
and httpbackendgroup.yaml
configuration files for the specified resources are located in the yc-mk8s-alb-ingress-health-checks
You can specify the settings for custom application health checks in the HttpBackendGroup
resource in the spec.backends.healthChecks
parameter.
To create resources:
-
In the
ingress.yaml
file, specify the following values for annotations:ingress.alb.yc.io/subnets
: One or more subnets to host the Application Load Balancer L7 load balancer.ingress.alb.yc.io/security-groups
: One or more security groups for the load balancer. If you skip this parameter, the default security group will be used. At least one of the security groups must allow an outgoing TCP connection to port10501
in the Managed Service for Kubernetes node group subnet or to its security group.ingress.alb.yc.io/external-ipv4-address
: Public access to the load balancer from the internet. Specify the previously reserved static public IP address.
-
In the same
ingress.yaml
file, specify the delegated domain in thespec.rules.host
parameter. -
To create the
Ingress
andHttpBackendGroup
resources, run the following command from the root of the repository directory:kubectl apply -f ingress.yaml --namespace=yc-alb && kubectl apply -f httpbackendgroup.yaml --namespace=yc-alb
-
Wait until the resources are created and the load balancer is deployed and assigned a public IP address. This may take a few minutes.
To follow the load balancer's creation and make sure it is error-free, open the logs of the pod the creation process was run in:
-
In the management console
, go to the folder page and select Managed Service for Kubernetes. -
Click your cluster's name and select Workload in the left-hand panel.
-
Select the
yc-alb-ingress-controller-*
pod (notyc-alb-ingress-controller-hc-*
) where the resource creation process is running. -
Go to the Logs tab on the pod page.
The load balancer's creation logs are generated and displayed in real time. Any errors that occur will also be logged.
-
Check the result
-
Make sure the load balancer was created. To do this, run the appropriate command and check that the command output shows the following value in the
ADDRESS
field:kubectl get ingress alb-demo --namespace=yc-alb
Result:
NAME CLASS HOSTS ADDRESS PORTS AGE alb-demo <none> <domain> <IP_address> 80 15h
-
Check that the deployed application is available via the L7 load balancer:
curl --include http://<domain>/test-path
Result:
HTTP/1.1 200 OK date: Thu, 18 Jul 2024 12:23:51 GMT content-length: 10 content-type: text/plain; charset=utf-8 server: ycalb /test-path%
-
Make sure the app health checks are working correctly:
Management console- In the management console
, go to the folder page and select Application Load Balancer. - Click the load balancer name and select Health checks in the left-hand panel.
- Check the target health statuses. The
HEALTHY
status indicates the application is up and running.
- In the management console
Delete the resources you created
Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them:
- Application Load Balancer L7 load balancer
- Application Load Balancer HTTP router
- Application Load Balancer backend groups
- Application Load Balancer target group
- Managed Service for Kubernetes node group
- Managed Service for Kubernetes cluster
- Registry in Container Registry
- Cloud DNS public domain zone
- Virtual Private Cloud security groups
- Virtual Private Cloud static public IP address