Cross namespace communication in GKE ingress

[ankita-1420]

Hey @liggitt,
We have two different applications deployed in two different namespaces in GKE, I am trying to expose these applications using GKE Ingress which is in the default namespace.
I have SSL certificates for this applications.

The issue we are facing now is external load balancer is not able to communicate with our applications because the namespaces are different.

Referring to issue no #17088 I found that Nginx ingress can be used in this case, but my use-case restricts use of Nginx or any third party tool, Hence can you help me to find a solution or any work-around for this using GKE ingress only.

[athenabot]

/sig network

These SIGs are my best guesses for this issue. Please comment /remove-sig <name> if I am incorrect about one.

🤖 I am a bot run by vllry. 👩‍🔬

[athenabot]

/triage unresolved

Comment /remove-triage unresolved when the issue is assessed and confirmed.

🤖 I am a bot run by vllry. 👩‍🔬

[ashutoshgngwr]

Create the Ingress resources in same namespace as the Service resources and the ingress controller should be able to pick it up. Ingress resources and controller need not be in the same namespace.

https://github.com/kubernetes/ingress-gce/blob/master/docs/faq/README.md#are-ingress-controllers-namespaced

[rikatz]

/assign @bowei

[athenabot]

@bowei
If this issue has been triaged, please comment /remove-triage unresolved.

If you aren't able to handle this issue, consider unassigning yourself and/or adding the help-wanted label.

🤖 I am a bot run by vllry. 👩‍🔬

[bowei]

/remove-triage unresolved

[bowei]

This is by design, the Ingress object can only target services in the same namespace.
We have been exploring changing this in the service-apis work (which is work in the sig on a redesign of Ingress + some aspects of Service).

https://github.com/kubernetes-sigs/service-apis

[bowei]

Reading through your bugs, I want to clarify that "is not able to communicate" means:

1. you can't write a config to do this.
2. you have a config, but the traffic cannot reach your application.

If this is 1. then this is part of the API, if it is the case for 2., then if you can post an anonymized version of your config, it would be great.

[thockin]

Ping @ankita-1420

To echo Bowei - the Ingress API intentionally does not cross namespaces. If you REALLY need to do that, you can maybe use the service-NEG controller and link the NEGs together manually though an HTTP LB directly?

[ashutoshgngwr]

Ping @thockin @bowei

In case someone else wanders here with a similar issue. Another solution could be to create a service of type ExternalName in the same namespace as the ingress resource. The said ExternalName service could point to the FQDN of any service in another namespace.

[Berndinox]

@ashutoshgngwr i was not able to use ExternalName, because:

Translation failed: invalid ingress spec: service "ingress01/ing-web01" is type "ExternalName"
, expected "NodePort

do you have any working examples onto this? Thanks

[ashutoshgngwr]

@Berndinox It was more of a hypothesis than a solution. Looking at the error message, it looks like that I was wrong.

[Berndinox]

Hej, thanks for answering. So that's bad news.
Seems like there is no "clean" solution available yet.

Just:

• Ingress-Controller inside the cluster
• https://gateway-api.sigs.k8s.io/ (not available for gke yet?!)

someone finds another solution?

[bvarga]

gateway-api is in preview for gke, see:

https://cloud.google.com/kubernetes-engine/docs/concepts/gateway-api