Kubernetes Ingress
Overview
Ingress is a Kubernetes resource that provides HTTP/HTTPS routing to services within a cluster. It acts as an entry point for external traffic, enabling load balancing, SSL termination, and name-based virtual hosting.
Why Ingress?
Without Ingress, you would need to expose each service using a NodePort or LoadBalancer, which has limitations:
- NodePort: Limited port range (30000-32767), no SSL support, manual load balancing
- LoadBalancer: Requires cloud provider support, expensive (one per service), no path-based routing
Ingress solves these issues by providing:
- Path-based and host-based routing
- SSL/TLS termination
- Single entry point for multiple services
- Load balancing across service endpoints
Ingress Architecture
```
                   ┌─────────────────────────────────────────┐
                   │           Ingress Controller            │
                   │     (e.g., nginx, Traefik, HAProxy)     │
                   └───────────────┬─────────────────────────┘
                                   │
         ┌─────────────────────────┼─────────────────────────┐
         │                         │                         │
         ▼                         ▼                         ▼
┌─────────────────┐       ┌─────────────────┐       ┌─────────────────┐
│    Service A    │       │    Service B    │       │    Service C    │
│      (api)      │       │      (web)      │       │     (admin)     │
└─────────────────┘       └─────────────────┘       └─────────────────┘
```
The Ingress Controller is responsible for fulfilling Ingress resources. Popular options include:
- NGINX Ingress Controller: Most popular, feature-rich
- Traefik: Dynamic configuration, automatic service discovery
- HAProxy: High performance, enterprise-grade
- AWS ALB Ingress Controller: For AWS environments
Installing NGINX Ingress Controller
Using Helm (Recommended)
```bash
# Add the ingress-nginx repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# Install the NGINX Ingress Controller
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace \
  --set controller.publishService.enabled=true
```
Using kubectl
```bash
# Apply the manifest
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.9.4/deploy/static/provider/cloud/deploy.yaml

# Verify the installation
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx
```
Basic Ingress Resource
Create a simple Ingress to route traffic based on paths:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ingress
  annotations:
    # A static target sends every matched request to "/" upstream, dropping the
    # rest of the path; use capture groups (see Path Rewriting) to preserve it
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 80
          - path: /web
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
```
Key fields:
- ingressClassName: Specifies which Ingress controller to use
- rules: Defines routing rules for incoming requests
- path: URL path to match
- pathType: How to match the path (Exact, Prefix, ImplementationSpecific)
- backend: Target service and port
Host-Based Routing
Route traffic based on the Host header:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-host-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 80
    - host: web.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
```
TLS/SSL Configuration
Secure your ingress with TLS certificates:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - secure.example.com
      secretName: tls-secret
  rules:
    - host: secure.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: secure-service
                port:
                  number: 80
---
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: kubernetes.io/tls
data:
  # Base64 encoded certificate (use cert-manager for production)
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZ...
  tls.key: LS0tLS1CRUdJTiBQUklWQVRF...
```
Using cert-manager for Automatic TLS
Install cert-manager for automatic certificate management:
```bash
# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml

# Create a ClusterIssuer for Let's Encrypt
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
EOF
```
Then annotate your Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - secure.example.com
      secretName: tls-secret
  rules:
    - host: secure.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: secure-service
                port:
                  number: 80
```
Path Rewriting
Handle URL path transformations:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  ingressClassName: nginx
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /api(/|$)(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: api-service
                port:
                  number: 80
```
Common annotations:
- nginx.ingress.kubernetes.io/rewrite-target: Rewrite the matched URI
- nginx.ingress.kubernetes.io/use-regex: Enable regex path matching
- nginx.ingress.kubernetes.io/app-root: Redirect root path to specific path
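An added example, not from the original page: a small Python model of which request paths the Path Rewriting rule matches and what path the backend receives, next to the static `/` target used in the basic example. The start-anchored, case-insensitive match is a simplification of the location ingress-nginx generates, and query strings are not modeled.

```python
import re

# Values copied from the Path Rewriting Ingress on this page.
PATH_REGEX = r"/api(/|$)(.*)"
REWRITE_TARGET = "/$2"


def rewrite(request_path, path_regex=PATH_REGEX, target=REWRITE_TARGET):
    """Return the path sent upstream, or None if the rule does not match."""
    # Assumption: the controller matches from the start of the URI, ignoring case.
    match = re.match(path_regex, request_path, re.IGNORECASE)
    if match is None:
        return None
    # Replace $1, $2, ... in the target with the captured groups.
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", target)


if __name__ == "__main__":
    # Constructed request paths, including the boundary cases.
    for path in ["/api", "/api/", "/api/users/42", "/apiv2/users", "/web"]:
        print(f"{path!r:18} -> {rewrite(path)!r}")
    # Static target from the basic example: the sub-path is lost.
    print("static target   ->", rewrite("/api/users/42", r"/api", "/"))
```

The `(/|$)` group is what keeps `/apiv2/users` from being routed to `api-service`.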
Rate Limiting
Protect your services from abuse:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rate-limited-ingress
  annotations:
    # Limits are enforced per client IP address
    nginx.ingress.kubernetes.io/limit-rps: "100"          # requests per second
    nginx.ingress.kubernetes.io/limit-connections: "50"   # concurrent connections
    nginx.ingress.kubernetes.io/limit-rpm: "1000"         # requests per minute
spec:
  ingressClassName: nginx
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80
```
Ingress Controllers
NGINX Ingress Controller
Most widely used, production-proven:
```yaml
# Common annotations
annotations:
  nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
  nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
  nginx.ingress.kubernetes.io/proxy-send-timeout: "30"
  nginx.ingress.kubernetes.io/proxy-body-size: "50m"
  nginx.ingress.kubernetes.io/enable-cors: "true"
  # "*" permits any origin; list the origins you trust where possible
  nginx.ingress.kubernetes.io/cors-allow-origin: "*"
```
Traefik
Dynamic, Kubernetes-native:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
spec:
  ingressClassName: traefik
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80
```
Default Backend
Configure a default backend for unmatched requests:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: default-backend-ingress
spec:
  ingressClassName: nginx
  defaultBackend:
    service:
      name: default-backend
      port:
        number: 80
```
Monitoring and Debugging
Check Ingress status:
```bash
# Describe Ingress for details
kubectl describe ingress my-app-ingress

# Get Ingress external IP
kubectl get ingress -o wide

# View Ingress controller logs
kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx

# Check Ingress controller pods
kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx
```
Best Practices
- Use IngressClass: Always specify ingressClassName instead of annotations
- Enable SSL: Use TLS for all production traffic
- Set appropriate timeouts: Configure proxy timeouts for long-running requests
- Implement rate limiting: Protect services from DoS attacks
- Use health checks: Configure readiness/liveness probes for backend services
- Monitor ingress traffic: Set up metrics and logging
- Use secrets for certificates: Never embed certificates in Ingress resources
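An added example, not part of the original page or of any project's tooling: a Python check that audits Ingress objects against four items from this page (ingressClassName set, every rule host covered by a TLS entry, no wildcard CORS origin, a rate-limit annotation present). It assumes JSON shaped like `kubectl get ingress -A -o json`; the sample objects are constructed, and TLS hosts are compared by exact match only, so wildcard certificates are not expanded.

```python
import json

PREFIX = "nginx.ingress.kubernetes.io/"
RATE_KEYS = ("limit-rps", "limit-rpm", "limit-connections")

# Constructed sample shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "prod", "name": "my-app-ingress",
   "annotations": {"nginx.ingress.kubernetes.io/enable-cors": "true",
                   "nginx.ingress.kubernetes.io/cors-allow-origin": "*"}},
  "spec": {"rules": [{"host": "myapp.example.com"}]}},
 {"metadata": {"namespace": "prod", "name": "tls-ingress",
   "annotations": {"nginx.ingress.kubernetes.io/limit-rps": "100"}},
  "spec": {"ingressClassName": "nginx", "rules": [{"host": "secure.example.com"}],
           "tls": [{"hosts": ["secure.example.com"], "secretName": "tls-secret"}]}}
]}
""")


def audit(ingress):
    """Return a list of findings for one Ingress object (a dict)."""
    spec = ingress.get("spec", {})
    ann = ingress.get("metadata", {}).get("annotations") or {}
    findings = []
    if not spec.get("ingressClassName"):
        findings.append("no ingressClassName")
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host not in tls_hosts:
            findings.append(f"host {host or '<any>'} served without TLS")
    # ingress-nginx defaults cors-allow-origin to "*" when CORS is enabled.
    cors_on = ann.get(PREFIX + "enable-cors") == "true"
    if cors_on and ann.get(PREFIX + "cors-allow-origin", "*") == "*":
        findings.append("CORS allows any origin")
    if not any(PREFIX + key in ann for key in RATE_KEYS):
        findings.append("no rate-limit annotation")
    return findings


def audit_all(doc):
    """Map 'namespace/name' to findings for each item of a kubectl JSON list."""
    return {f"{i['metadata'].get('namespace', 'default')}/{i['metadata']['name']}":
            audit(i) for i in doc.get("items", [])}


if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE), indent=2))
```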
Summary
Ingress is essential for exposing Kubernetes services to the outside world. It provides:
- HTTP/HTTPS routing with path and host-based rules
- TLS/SSL termination with automatic certificate management
- Load balancing across service endpoints
- Rate limiting and access control
- URL rewriting and redirection
Choose an Ingress controller based on your requirements:
- NGINX: Feature-rich, widely supported
- Traefik: Dynamic, easy configuration
- AWS ALB: Native AWS integration