In this blog post, we will talk about Kubernetes Ingress: what it is and some of the concepts you need to know to work with it. This post assumes you have a solid understanding of Kubernetes.
What is Kubernetes ingress?
In simple terms, a Kubernetes ingress exposes HTTP and HTTPS routes from outside of a Kubernetes cluster to services created inside the cluster. In general:
- Traffic routes are controlled by rules defined on the ingress resource.
- Ingress can be set up to give services externally reachable URLs, load balance traffic, terminate SSL and offer name-based virtual hosting.
- An ingress controller (more on this later) is responsible for handling the ingress with the help of a load balancer. We can also achieve this with an edge router (a router that enforces the firewall policy for the cluster; it can be virtual or physical).
- Ingress does not expose arbitrary ports, only HTTP and HTTPS.
An ingress is typically defined with an ingress resource. Just like most resources in Kubernetes, it needs an apiVersion, kind and metadata. An example of a resource looks like this:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /demopath
        backend:
          serviceName: demo
          servicePort: 80
```
There are a few things worth pointing out in the manifest above:
- Annotations can be used to configure the ingress controller with certain options, e.g. rewrite-target, which for the nginx ingress sets the target URI to which the traffic must be redirected.
- The spec section is where you configure the load balancer or proxy server.
The ingress rules are a set of rules used to process incoming traffic to services in the cluster. Using the example above, let’s go over the rules section of the spec.
- First, we specify what we want the rule to apply to. We can use an HTTP/S rule or a host-based rule (foo.bar.com). In the example above, we are using HTTP as opposed to host-based.
- Next, we define a list of paths and the backend service/port to route to. In the above example, demo is the service name with port 80. Note: host and path must match the content of an incoming request before the load balancer will direct traffic to the referenced service.
- If a rule is not defined, all traffic will be routed to a default backend that is specified in the ingress controller.
Types of Ingress
- Single Service: This allows you to expose a single service just like NodePort for example.
- Simple Fanout: This allows you to route traffic from a single IP to multiple services based on the URI.
- Name Based Virtual Hosting: This allows you to route traffic to multiple hostnames on the same IP.
To secure an ingress, specify in the resource manifest a secret that contains a private key and certificate.
An ingress controller has some load balancing policy settings that it applies to all ingresses, such as the load balancing algorithm and the backend weight scheme.
For ingress resources to work, you must have an ingress controller running. Unlike other controllers in k8s, which are part of the cluster, an ingress controller is a separate entity and has to be deployed separately. Examples of ingress controllers are GCE, nginx, istio, and kong, to name a few. Refer to the k8s documentation for the full list. You can run any number of controllers in the cluster as long as they are annotated properly with ingress.class.
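The points above about securing an ingress with a secret, host-based rules and the ingress.class annotation can be checked mechanically before a manifest is applied. The following is an added example, not code from this post or from Kubernetes: `kubernetes.io/ingress.class`, `spec.ingressClassName` and `spec.tls` are real Kubernetes field names, while the finding labels and the secret name `demo-tls` are assumptions made for illustration.

```python
# Added example. Manifests are plain dicts, as yaml.safe_load would return them.
CLASS_ANNOTATION = "kubernetes.io/ingress.class"

def tls_covers(tls_host, rule_host):
    """True if a spec.tls host covers a rule host; '*.' stands for exactly one label."""
    if tls_host.startswith("*."):
        return rule_host.partition(".")[2] == tls_host[2:]
    return tls_host == rule_host

def audit_ingress(ingress):
    """Return the sorted findings for one Ingress object."""
    findings = set()
    annotations = ingress.get("metadata", {}).get("annotations", {})
    spec = ingress.get("spec", {})
    tls = spec.get("tls") or []
    # With several controllers running, an Ingress naming no class is ambiguous.
    if CLASS_ANNOTATION not in annotations and "ingressClassName" not in spec:
        findings.add("no-ingress-class")
    if not tls:
        findings.add("no-tls-section")  # no certificate secret is referenced at all
    tls_hosts = []
    for entry in tls:
        if not entry.get("secretName"):
            findings.add("tls-entry-without-secret")
        tls_hosts.extend(entry.get("hosts", []))
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host is None:
            findings.add("rule-without-host")  # rule applies to any Host header
        elif not any(tls_covers(t, host) for t in tls_hosts):
            findings.add("host-not-in-tls:" + host)
    return sorted(findings)

# Constructed sample 1: the demo-ingress manifest from this post.
DEMO = {
    "metadata": {"name": "demo-ingress", "annotations": {
        "nginx.ingress.kubernetes.io/rewrite-target": "/"}},
    "spec": {"rules": [{"http": {"paths": [{"path": "/demopath",
        "backend": {"serviceName": "demo", "servicePort": 80}}]}}]},
}
# Constructed sample 2: same route with a class, a host and a TLS secret (names assumed).
HARDENED = {
    "metadata": {"name": "demo-ingress", "annotations": {CLASS_ANNOTATION: "nginx"}},
    "spec": {"tls": [{"hosts": ["foo.bar.com"], "secretName": "demo-tls"}],
             "rules": [{"host": "foo.bar.com", "http": DEMO["spec"]["rules"][0]["http"]}]},
}

if __name__ == "__main__":
    print(audit_ingress(DEMO))
    print(audit_ingress(HARDENED))
```

Run against the post's demo manifest, the audit reports the missing class, the missing TLS section and the host-less rule; the second sample comes back clean.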
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.