Bare Metal Kubernetes Series - Part 1: Network setup

To properly expose your cluster to the internet, you want a router that supports firewall rules and grouping its ports into virtual local area networks (VLANs). That way we can create what is called a demilitarized zone (DMZ), exposing certain parts of our network to the internet while leaving the rest hidden.

I got the Cisco RV160W, a decision I regret. Had I read some reviews first, it would have been obvious that this small business router is sub-par in quality and quite buggy. For me the biggest problem is that its internal DNS resolves only 8/10 times, resulting in all kinds of crashes.

As a workaround I have to set the DNS servers manually to something else on each device in my network (there are no router settings for configuring DHCP to hand out different DNS servers, only for the internal ones, which doesn't resolve the problem).

The physical setup

  • Modem - Router
    • Port 1 - Switch - Cluster Nodes 1-3
    • Port 2-4 - PCs on my local network

Virtual local area network setup

  • Port 1: VLAN 2 (DMZ)
  • Port 2-4: VLAN 1 (home network)

Firewall config

In the firewall we enable full access from the WAN (wide area network, in this case the world wide web) to our VLAN 2. This way anyone can connect to any public IP that is on VLAN 2, while my main home network on VLAN 1 is still protected.

Floating IPs and keepalived

Keepalived is a service that lets multiple machines share IP addresses dynamically: the machines talk to each other about which machine will claim which IP. Once a machine goes down, the others notice and claim all IP addresses that the failed machine was holding.

IPs managed in that way are called "floating" IPs, because they float, in a sense, between the machines and aren't bound to any specific one.

We will install keepalived in the next part.

IPv4 forwarding

Sadly it's almost impossible to acquire multiple IPv4 addresses without a business internet contract. If you are lucky, your provider will give you a single static IPv4 address for free. If you have such an IP, the router picks it up by default and assigns it to itself.

To use this IP in our cluster, we forward all traffic that hits our router to a floating IP within the address range of our VLAN 2: 10.0.0.80. This IP is also managed by keepalived between the nodes.

IPv6

IPv6 addresses, on the other hand, providers hand out like candy. And although not every network supports IPv6, most people will still be able to reach you with just an IPv6 address.

Here another lingo term comes in: "prefix", which in this context essentially means subnet. My provider gave me a /56 IPv6 prefix, meaning the first 56 bits of an address (the prefix) are associated with my internet box (1111:1111:1111:1100::/56 would go from 1111:1111:1111:1100:0000:0000:0000:0000 to 1111:1111:1111:11FF:FFFF:FFFF:FFFF:FFFF). Any request that goes out for an IP in that range will be delegated to my router.
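To make the prefix arithmetic concrete, here is an added Python example (not part of the original post) that takes the /56 from above, computes the range it covers, and goes one step further than the text by carving one /64 per VLAN out of it. The VLAN-to-subnet numbering is a hypothetical scheme chosen for illustration, not something the article prescribes.

```python
import ipaddress

# The /56 prefix from the article, written in full IPv6 notation.
DELEGATED_PREFIX = "1111:1111:1111:1100::/56"


def prefix_range(prefix: str):
    """Return (first, last, host_bits) for a delegated IPv6 prefix.

    A /56 fixes the first 56 bits; the remaining 128 - 56 = 72 bits
    are the part the provider leaves for you to assign.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    return (
        net.network_address.exploded,   # lowest address, fully written out
        net.broadcast_address.exploded, # highest address in the prefix
        128 - net.prefixlen,
    )


def carve_vlan_subnets(prefix: str, vlan_ids):
    """Carve one /64 per VLAN out of the delegated prefix.

    Hypothetical scheme: VLAN n gets the n-th /64, so a /56 has room
    for 2**(64-56) = 256 VLANs (VLAN 2 is the DMZ in the article).
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    subnets = list(net.subnets(new_prefix=64))
    return {vlan: subnets[vlan] for vlan in vlan_ids}


def in_delegated_range(prefix: str, address: str) -> bool:
    """True if traffic for `address` would be delegated to this router."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(prefix, strict=True)


if __name__ == "__main__":
    first, last, host_bits = prefix_range(DELEGATED_PREFIX)
    print(f"{DELEGATED_PREFIX}: {first} .. {last} ({host_bits} host bits)")
    for vlan, subnet in carve_vlan_subnets(DELEGATED_PREFIX, [1, 2]).items():
        print(f"VLAN {vlan}: {subnet}")
```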

© Tobias Hübner