NetScaler ingress controller

NetScaler CPX integration with MetalLB in layer 2 mode for on-premises Kubernetes clusters

Kubernetes service of type LoadBalancer support is provided by cloud load balancers in a cloud environment. Cloud service providers enable this support by automatically creates a load balancer and assign an IP address which is displayed as part of the service status. Any traffic destined to the external IP address is load balanced on NodeIP and NodePort by the cloud load balancer.

NetScaler provides different options to support the type LoadBalancer services in an on-premises environment including:

  • Using an external NetScaler VPX or NetScaler MPX as a tier-1 load balancer to load balance the incoming traffic to Kubernetes services.

For more information on such a deployment, see Expose services of type LoadBalancer.

  • Expose applications running in a Kubernetes cluster using the NetScaler CPX daemonset running inside the Kubernetes cluster along with a router supporting ECMP over BGP. ECMP router load balances the traffic to multiple NetScaler CPX instances. NetScaler CPX instances load balances the actual application pods. For more information on such a deployment, see BGP advertisement of external IP addresses for type LoadBalancer services and Ingresses using NetScaler CPX.

  • Expose the NetScaler CPX services as an external IP service with a node external IP address. You can use this option if an external ADC as tier-1 is not feasible, and a BGP router does not exist. In this deployment, Kubernetes routes the traffic coming to the spec.externalIP of the NetScaler CPX service on service ports to NetScaler CPX pods. Ingress resources can be configured using the NetScaler Ingress Controller to perform SSL (Secure Sockets Layer) offloading and load balancing applications. However, this deployment has the major drawback of not being reliable if there is a node failure.

  • Use MetalLB which is a load-balancer implementation for bare metal Kubernetes clusters in the layer 2 mode with NetScaler CPX to achieve ingress capability.

This documentation shows how you can leverage MetalLB along with NetScaler CPX to achieve ingress capability in bare-metal clusters when the other solutions are not feasible. MetalLB in layer 2 mode configures one node to send all the traffic to the NetScaler CPX service. MetalB automatically moves the IP address to a different node if there is a node failure. Thus providing better reliability than the ExternalIP service.

Note: MetalLB is still in the beta version. See the official documentation to know about the project maturity and any limitations.

Perform the following steps to deploy NetScaler CPX integration with MetalLB in layer 2 mode for on-premises Kubernetes clusters.

  1. Install and configure MetalLB
  2. Configure MetalLB configuration for layer 2
  3. Install NetScaler CPX service

Install and configure MetalLB

First, you should install MetalLB in layer 2 mode. For more information on different types of installations for MetalLB, see the MetalLB documentation.

Perform the following steps to install MetalLB:

  1. Create a namespace for deploying MetalLB.

    kubectl apply -f 
  2. Deploy MetalLB using the following command.

    kubectl apply -f 
  3. Perform the following step if you are performing the installation for the first time.

    kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)" 
  4. Verify the MetalLB installation and ensure that the speaker and controller is in the running state using the following command:

    kubectl get pods -n metallb-system 

These steps deploy MetalLB to your cluster, under the metallb-system namespace.

The MetalLB deployment YAML file contains the following components:

  • The metallb-system/controller deployment: This component is the cluster-wide controller that handles IP address assignments.

  • The metallb-system/speaker daemonset. This component communicates using protocols of your choice to make the services reachable.

  • Service accounts for the controller and speaker, along with the RBAC permissions that the components need to function.

MetalLB configuration for Layer 2

Once MetalLB is installed, you should configure the MetalLB for layer 2 mode. MetalLB takes a range of IP addresses to be allocated to the type LoadBalancer services as external IP. In this deployment, a NetScaler CPX service acts as a front-end for all other applications. Hence, a single IP address is sufficient.

Create a ConfigMap for MetalLB using the following command where metallb-config.yaml is the YAML file with the MetalLB configuration.

kubectl create –f metallb-config.yaml 

Following is a sample MetalLB configuration for layer2 mode. In this example, is specified as the IP address range.

apiVersion: v1
kind: ConfigMap
  namespace: metallb-system
  name: config
  config: |
    - name: default
      protocol: layer2

NetScaler CPX service installation

Once the metal LB is successfully installed, you can install the NetScaler CPX deployment and a service of type LoadBalancer.

To install NetScaler CPX, you can either use the YAML file or Helm charts.

To install NetScaler CPX using the YAML file, perform the following steps:

  1. Download the NetScaler CPX deployment manifests.

  2. Edit the NetScaler CPX deployment YAML:

    • Set the replica count as needed. It is better to have more than one replica for high availability.
    • Change the service type to LoadBalancer.
  3. Apply the edited YAML file using the Kubectl command.

    kubectl apply –f citrix-k8s-cpx-ingress.yaml 
  4. View the service using the following command:

    kubectl get svc cpx-service -output yaml

    You can see that MetalLB allocates an external IP address to the NetScaler CPX service as follows:

apiVersion: v1
kind: Service
  name: cpx-service
  namespace: default
  externalTrafficPolicy: Cluster
  healthCheckNodePort: 31916
  - name: http
    nodePort: 31528
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    nodePort: 31137
    port: 443
    protocol: TCP
    targetPort: 443
    app: cpx-ingress
  sessionAffinity: None
  type: LoadBalancer
    - ip:


Deploy a sample application

Perform the following steps to deploy a sample application and verify the deployment.

  1. Create a sample deployment using the sample-deployment.yaml file.

    kubectl create –f sample-deployment.yaml
  2. Expose the application with a service using the sample-service.yaml file.

    kubectl create –f sample-service.yaml  
  3. Once the service is created, you can add an ingress resource using the sample-ingress.yaml.

    kubectl create –f sample-ingress.yaml  

You can test the Ingress by accessing the application using a cpx-service external IP address as follows:

   curl -v -H ‘host:’ 

Additional references

For more information on configuration and troubleshooting for MetalLB see the following links:

NetScaler CPX integration with MetalLB in layer 2 mode for on-premises Kubernetes clusters