How does the ingress controller traffic land on the correct node?
906 Views Asked by Hound
We have an OpenShift 4.8 cluster with 3 master nodes and 10 worker nodes in Azure. All the worker and master nodes are added under the same load balancer. I am a bit confused about how ingress traffic reaches the cluster. When someone accesses the DNS of their application, traffic comes through the load balancer over port 80/443 to any of the cluster nodes (including the masters). But the ingress controller pods are running only on one or two nodes. How exactly does traffic reach the correct ingress controller pods? Also, once the traffic reaches the node, how exactly does it identify the correct ingress host to forward traffic to? Another question around this is: why are both master and worker nodes added under the same load balancer?
If anyone lands here looking for the answer: there is an iptables rule on the node that forwards the packets to the service.
The ingress service has nodePort 30331. Grep the iptables output using the port number:
# iptables -t nat -L KUBE-NODEPORTS -n | column -t | grep "30331"
KUBE-MARK-MASQ tcp -- 127.0.0.0/8 0.0.0.0/0 /* ingress/default:https */ tcp dpt:30331
KUBE-XLB-MBAZS3WDHL45BPIZ tcp -- 0.0.0.0/0 0.0.0.0/0 /* ingress/default:https */ tcp dpt:30331
My service IP address is 172.70.92.82. Grep the iptables output using the service IP:
# iptables -t nat -L KUBE-SERVICES -n | column -t | grep "172.70.92.82"
KUBE-SVC-HEVFQXAKPPGAL4BV tcp -- 0.0.0.0/0 172.70.92.82 /* ingress/default:http cluster IP */ tcp dpt:80
KUBE-SVC-MBAZS3WDHL45BPIZ tcp -- 0.0.0.0/0 172.70.92.82 /* ingress/default:https cluster IP */ tcp dpt:443
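The chain walk the answer above does by hand (KUBE-NODEPORTS, then the KUBE-XLB chain, then the KUBE-SEP chains that DNAT to pod IPs) can be scripted. The following is an added example, not code from the answer or from OpenShift: it parses `iptables -t nat -S` style output and follows the jumps for one NodePort down to the DNAT targets. The sample rules are constructed; only NodePort 30331 and the "ingress/default:https" service name come from the answer, while the KUBE-SEP chain names, the pod IPs, the http NodePort 30080 and the KUBE-XLB-HTTPEXAMPLE0000 chain are made up. One detail worth knowing when reading real output: a KUBE-XLB chain is what kube-proxy creates for a service with `externalTrafficPolicy: Local`, and on a node that has no local ingress pod that chain ends in KUBE-MARK-DROP, which is exactly why the load balancer's health probe has to take that node out of rotation.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in `iptables -t nat -S` format, modelled on the chains the
# answer above found on an OpenShift 4.8 node. Only the NodePort 30331 and the
# "ingress/default:https" service name come from the answer; the KUBE-SEP chain
# names, pod IPs, the http NodePort 30080 and the KUBE-XLB-HTTPEXAMPLE0000 chain
# are made up for this example.
SAMPLE_RULES = """
-A KUBE-NODEPORTS -p tcp -m comment --comment "ingress/default:https" -m tcp --dport 30331 -s 127.0.0.0/8 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "ingress/default:https" -m tcp --dport 30331 -j KUBE-XLB-MBAZS3WDHL45BPIZ
-A KUBE-XLB-MBAZS3WDHL45BPIZ -m comment --comment "Balancing rule 0 for ingress/default:https" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-AAAAAAAAAAAAAAAA
-A KUBE-XLB-MBAZS3WDHL45BPIZ -m comment --comment "Balancing rule 1 for ingress/default:https" -j KUBE-SEP-BBBBBBBBBBBBBBBB
-A KUBE-SEP-AAAAAAAAAAAAAAAA -p tcp -m comment --comment "ingress/default:https" -m tcp -j DNAT --to-destination 10.128.2.15:443
-A KUBE-SEP-BBBBBBBBBBBBBBBB -p tcp -m comment --comment "ingress/default:https" -m tcp -j DNAT --to-destination 10.128.2.16:443
-A KUBE-NODEPORTS -p tcp -m comment --comment "ingress/default:http" -m tcp --dport 30080 -j KUBE-XLB-HTTPEXAMPLE0000
-A KUBE-XLB-HTTPEXAMPLE0000 -m comment --comment "ingress/default:http has no local endpoints" -j KUBE-MARK-DROP
"""

# One "-A <chain> <matches> -j <target> <target options>" rule per line.
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<match>.*?)\s-j (?P<target>\S+)(?P<rest>.*)$")


def _opt(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_rules(text: str) -> Dict[str, List[dict]]:
    """Group `-A` rules by chain, keeping only the fields the trace needs."""
    chains: Dict[str, List[dict]] = {}
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        dport = _opt(r"--dport (\d+)", m["match"])
        chains.setdefault(m["chain"], []).append({
            "target": m["target"],
            "dport": int(dport) if dport else None,
            "comment": _opt(r'--comment "([^"]*)"', m["match"]),
            "dnat": _opt(r"--to-destination (\S+)", m["rest"]),
        })
    return chains


def trace_nodeport(chains: Dict[str, List[dict]], port: int, entry: str = "KUBE-NODEPORTS") -> dict:
    """Follow the jumps from KUBE-NODEPORTS for one port down to the DNAT rules.

    Returns the pod endpoints this node would DNAT to, whether any branch ends in
    KUBE-MARK-DROP (the externalTrafficPolicy=Local "no local endpoints" case),
    and the chains visited on the way.
    """
    result = {"endpoints": [], "dropped": False, "path": []}

    def walk(chain: str, depth: int) -> None:
        if depth > 16:
            raise RuntimeError(f"jump loop or unusually deep chain at {chain}")
        for rule in chains.get(chain, []):
            if chain == entry and rule["dport"] != port:
                continue
            target = rule["target"]
            if target == "KUBE-MARK-MASQ":
                continue  # only sets the SNAT mark and returns; not a forwarding decision
            if target == "KUBE-MARK-DROP":
                result["dropped"] = True
                continue
            if target == "DNAT":
                result["endpoints"].append(rule["dnat"])
                continue
            result["path"].append(target)
            walk(target, depth + 1)

    walk(entry, 0)
    return result


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for nodeport in (30331, 30080):
        print(nodeport, trace_nodeport(parsed, nodeport))
```

On a real node you would feed it the output of `iptables -t nat -S` instead of the constructed sample; the NodePorts to look up come from the ingress controller's `Service` of type LoadBalancer. A result with no endpoints and `dropped` set true is the node the load balancer must not send ingress traffic to.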
The ingress controller doesn't need to be deployed on every compute node because it knows the whole way to your pods that have a route.
How to know which nodes are available
The load balancer has a health check feature to check a port or an HTTP request on a node. That is how it knows which nodes the ingress pods are running on.
How to reach the ingress controller
The ingress opens ports in the pod, not on the node. OpenShift in a cloud provider like Azure deploys a load balancer service for the ingress. That deploys a load balancer in Azure and binds ports on the nodes (hosts) to receive requests from outside the OpenShift cluster. Those ports are chosen randomly. The load balancer service sets up the load balancer in Azure to reach the ports on the nodes. So you don't need to worry about which ports on the nodes are opened.
How to transfer requests to the correct pods
The ingress controller consists of HAProxy, which works in L7 proxy mode. A request to the ingress controller should have a 'host name', and it should match a route you defined. That is what leads your request to the correct pod.
The ingress controller is a pod, so if you don't specify a 'Node Selector', the pod can be deployed on any node in an OpenShift cluster. Since the pods could be deployed on different nodes accidentally, the load balancer is prepared for that.
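To make the "host name must match a route" step concrete, here is an added example (not the OpenShift router's code, and not from either answer) of the selection an L7 router performs once a request has reached an ingress pod: read the Host header, match it against a route table, and prefer the longest path prefix among the routes for that host. The route table, hostnames and backend names are constructed placeholders. Two behaviours are worth noticing: a request whose Host matches no route gets no backend at all (a real router answers 503 there, which is why a wrong or missing DNS-to-route mapping shows up as 503 rather than as traffic reaching some other pod), and the wildcard form is treated as a single extra label, mirroring the subdomain wildcard routes OpenShift admits only when the ingress controller is configured to allow them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    host: str            # exact host, or "*.<domain>" for a one-label wildcard
    backend: str         # constructed service name the route points at
    path: str = "/"      # optional path prefix, like spec.path on an OpenShift route


# Constructed route table; hosts and backend names are placeholders.
ROUTES: List[Route] = [
    Route("shop.apps.example.com", "shop-frontend"),
    Route("shop.apps.example.com", "shop-api", path="/api"),
    Route("*.dev.apps.example.com", "dev-router"),
]


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, request-target, headers) from the head of an HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        # exactly one extra label: a.dev.apps.example.com, not a.b.dev.apps.example.com
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def path_matches(prefix: str, target: str) -> bool:
    path = target.split("?", 1)[0]      # the query string never takes part in matching
    p = prefix.rstrip("/")
    return p == "" or path == p or path.startswith(p + "/")


def select_backend(raw: bytes, routes: List[Route] = ROUTES) -> Optional[str]:
    """Pick a backend the way an L7 router does: by Host header, then longest path prefix.

    Returns None when no route admits the request; a real router answers 503 there.
    """
    _method, target, headers = parse_request(raw)
    host = headers.get("host")
    if not host:
        return None  # HTTP/1.1 requires Host; without it there is nothing to route on
    host = host.split(":", 1)[0].lower()  # drop any port; hostnames are case-insensitive
    best: Optional[Route] = None
    for route in routes:
        if host_matches(route.host, host) and path_matches(route.path, target):
            if best is None or len(route.path) > len(best.path):
                best = route
    return best.backend if best else None


if __name__ == "__main__":
    req = b"GET /api/orders?id=7 HTTP/1.1\r\nHost: shop.apps.example.com\r\n\r\n"
    print(select_backend(req))
```

The point of the example is that the router never looks at which node the packet arrived on: the Host header (plus path) is the only routing key, so the load balancer only has to deliver the connection to any node where an ingress pod is running, and the pod does the rest.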