
What is Kubernetes Ingress? How does it implement external access to services within the cluster?

February 21, 15:53

Kubernetes Ingress is an API object that manages rules for external access to services within the cluster, typically HTTP and HTTPS routing. Ingress provides routing based on domain names and paths, TLS termination, and other features.

Purpose of Ingress

  1. Routing Rules: Routes traffic to different Services based on domain names and paths

  2. Load Balancing: Distributes traffic across multiple Service instances

  3. SSL/TLS Termination: Handles HTTPS at the Ingress layer, simplifying backend configuration

  4. Name-based Virtual Hosting: Supports multiple domain names pointing to the same cluster

  5. Path Rewriting: Supports URL path rewriting

Ingress Controller

The Ingress Controller is the component that implements Ingress functionality. It monitors changes to Ingress resources and configures the load balancer.

Common Ingress Controllers

  1. NGINX Ingress Controller:

    • The most popular Ingress Controller
    • Based on NGINX/OpenResty
    • Rich features and excellent performance
    • Supports advanced routing, rate limiting, authentication, etc.
  2. Traefik:

    • Cloud-native design
    • Automatic service discovery
    • Supports Let's Encrypt automatic certificates
    • Simple configuration
  3. HAProxy Ingress:

    • Based on HAProxy
    • High performance
    • Supports advanced load balancing algorithms
  4. Istio Gateway:

    • Part of the service mesh
    • Supports advanced traffic management
    • Integrated with mTLS, traffic mirroring, etc.
  5. AWS ALB Ingress Controller:

    • Designed specifically for AWS
    • Uses AWS Application Load Balancer
    • Native integration with AWS services

Ingress Resource Examples

Basic Routing

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-ingress
  annotations:
    # Rewrites the path of every matched request to "/" before proxying
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80
```

TLS Configuration

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  tls:
  - hosts:
    - secure.example.com
    # Secret of type kubernetes.io/tls holding tls.crt and tls.key
    secretName: tls-secret
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: secure-service
            port:
              number: 443
```

Default Backend

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: default-backend-ingress
spec:
  defaultBackend:
    service:
      name: default-service
      port:
        number: 80
  rules:
  - host: example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
```
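To make the routing rules in the manifests above concrete, here is an added example (not code from the original page or from any Ingress controller) that resolves a request to a backend using the host and path matching semantics of the Ingress API. The function names and the `SPEC` dictionary are constructed for illustration, and a real controller may differ in details.

```python
# Added illustration: models Ingress API matching rules; not controller source code.

def host_matches(rule_host, request_host):
    """Empty rule host matches any request; '*.example.com' matches one extra label."""
    if not rule_host:
        return True
    if rule_host.startswith("*."):
        first, _, rest = request_host.partition(".")
        return bool(first) and rest == rule_host[2:]
    return rule_host == request_host

def path_matches(rule_path, path_type, request_path):
    """Exact compares the whole path; Prefix compares '/'-separated elements."""
    if path_type == "Exact":
        return rule_path == request_path
    want = [p for p in rule_path.split("/") if p]
    got = [p for p in request_path.split("/") if p]
    return got[:len(want)] == want

def resolve(ingress_spec, host, path):
    """Return the backend Service name for (host, path), else the default backend or None."""
    best = None  # (path length, is_exact, service name); longest path wins, then Exact
    for rule in ingress_spec.get("rules", []):
        if not host_matches(rule.get("host", ""), host):
            continue
        for p in rule.get("http", {}).get("paths", []):
            if path_matches(p["path"], p["pathType"], path):
                cand = (len(p["path"]), p["pathType"] == "Exact", p["backend"]["service"]["name"])
                if best is None or cand[:2] > best[:2]:
                    best = cand
    if best:
        return best[2]
    default = ingress_spec.get("defaultBackend")
    return default["service"]["name"] if default else None

# Constructed spec combining the "Basic Routing" and "Default Backend" manifests.
SPEC = {
    "defaultBackend": {"service": {"name": "default-service", "port": {"number": 80}}},
    "rules": [{"host": "example.com", "http": {"paths": [
        {"path": "/app1", "pathType": "Prefix",
         "backend": {"service": {"name": "app1-service", "port": {"number": 80}}}},
        {"path": "/app2", "pathType": "Prefix",
         "backend": {"service": {"name": "app2-service", "port": {"number": 80}}}},
    ]}}],
}

if __name__ == "__main__":
    for h, p in [("example.com", "/app1/users"), ("example.com", "/app10")]:
        print(h, p, "->", resolve(SPEC, h, p))
```

Note that `/app10` does not match the `/app1` prefix, because Prefix matching works on whole path elements, so that request falls through to the default backend.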

Ingress Annotations

Annotations are used to configure specific behaviors of the Ingress Controller.

Common NGINX Ingress Controller Annotations

  1. Rewrite Path:
```yaml
# $2 is the second capture group of the rule's regex path
nginx.ingress.kubernetes.io/rewrite-target: /$2
```
  2. Enable SSL Redirect:
```yaml
nginx.ingress.kubernetes.io/ssl-redirect: "true"
```
  3. Rate Limiting Configuration:
```yaml
nginx.ingress.kubernetes.io/limit-rps: "10"
nginx.ingress.kubernetes.io/limit-connections: "5"
```
  4. CORS Configuration:
```yaml
nginx.ingress.kubernetes.io/enable-cors: "true"
# "*" allows every origin; list the specific origins that need access
nginx.ingress.kubernetes.io/cors-allow-origin: "*"
```
  5. Authentication Configuration:
```yaml
nginx.ingress.kubernetes.io/auth-type: basic
# Name of the Secret that holds the basic-auth credentials
nginx.ingress.kubernetes.io/auth-secret: basic-auth
```
  6. Custom Error Pages:
```yaml
nginx.ingress.kubernetes.io/custom-http-errors: "404,503"
```
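The annotations listed above and the `tls` block decide how exposed an Ingress is, so they are worth checking across the whole cluster. The following added example (not part of the original page or of ingress-nginx) audits the JSON printed by `kubectl get ingress -A -o json`; the finding names and the `SAMPLE` data are constructed, and the wildcard default for `cors-allow-origin` is an assumption about ingress-nginx behaviour.

```python
import json

PREFIX = "nginx.ingress.kubernetes.io/"

def audit_ingress(ing):
    """Return a list of finding strings for one Ingress object (dict)."""
    meta, spec = ing.get("metadata", {}), ing.get("spec", {})
    ann = {k[len(PREFIX):]: v for k, v in (meta.get("annotations") or {}).items()
           if k.startswith(PREFIX)}
    findings = []
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    # Exact host comparison; wildcard TLS hosts are not expanded in this sketch.
    for rule in spec.get("rules", []):
        host = rule.get("host", "*")
        if host not in tls_hosts:
            findings.append(f"no-tls: host {host} is served without a tls entry")
    if tls_hosts and ann.get("ssl-redirect") == "false":
        findings.append("ssl-redirect-off: plain HTTP is not redirected to HTTPS")
    # Assumption: with enable-cors on, ingress-nginx defaults cors-allow-origin to "*".
    if ann.get("enable-cors") == "true" and ann.get("cors-allow-origin", "*") == "*":
        findings.append("cors-wildcard: every origin is allowed by the CORS policy")
    if ann.get("auth-type") and not ann.get("auth-secret"):
        findings.append("auth-no-secret: auth-type is set but auth-secret is missing")
    return findings

def audit(kubectl_json):
    """Audit a List (or a single Ingress) as printed by kubectl in JSON form."""
    doc = json.loads(kubectl_json)
    items = doc.get("items", [doc])
    return {f'{i["metadata"].get("namespace", "default")}/{i["metadata"]["name"]}':
            audit_ingress(i) for i in items}

# Constructed sample: one Ingress without TLS and with wildcard CORS, one with TLS.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "simple-ingress", "namespace": "web", "annotations": {
        PREFIX + "enable-cors": "true", PREFIX + "cors-allow-origin": "*"}},
     "spec": {"rules": [{"host": "example.com"}]}},
    {"metadata": {"name": "tls-ingress", "namespace": "web", "annotations": {
        PREFIX + "ssl-redirect": "true"}},
     "spec": {"tls": [{"hosts": ["secure.example.com"], "secretName": "tls-secret"}],
              "rules": [{"host": "secure.example.com"}]}},
]})

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, found or "ok")
```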

Ingress vs Service

| Feature | Ingress | Service |
| --- | --- | --- |
| Protocol | HTTP/HTTPS | TCP/UDP |
| Routing | Based on domain and path | Based on port |
| Load Balancing | L7 (Application Layer) | L4 (Transport Layer) |
| SSL Termination | Supported | Not supported |
| Use Case | Web applications | General services |

Ingress vs LoadBalancer

| Feature | Ingress | LoadBalancer |
| --- | --- | --- |
| Cost | Low (shared IP) | High (one IP per Service) |
| Routing Capability | Strong (domain, path) | Weak (port only) |
| SSL Termination | Supported | Partially supported |
| Use Case | Multiple HTTP/HTTPS services | Few services or non-HTTP services |

Deploying Ingress Controller

Deploy NGINX Ingress Controller

```bash
# Add Helm repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# Install
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace
```

Verify Installation

```bash
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx
```

Best Practices

  1. Use Namespace Isolation: Deploy the Ingress Controller in a separate namespace

  2. Configure Resource Limits: Set reasonable CPU and memory limits for the Ingress Controller

  3. Enable Monitoring: Monitor performance metrics of the Ingress Controller

  4. Use TLS: Configure TLS certificates for production environments

  5. Configure Health Checks: Ensure health checks for backend Services are working properly

  6. Optimize with Annotations: Configure appropriate annotations based on application requirements

  7. Back Up Configuration: Regularly back up Ingress configuration

  8. Version Management: Track version updates of the Ingress Controller

Troubleshooting

  1. View Ingress Status:
```bash
kubectl get ingress
kubectl describe ingress <ingress-name>
```
  2. View Ingress Controller Logs:
```bash
kubectl logs -n ingress-nginx <pod-name>
```
  3. Test DNS Resolution:
```bash
nslookup example.com
```
  4. Check Service and Endpoint:
```bash
kubectl get svc
kubectl get endpoints
```
  5. Verify Certificate:
```bash
# Output includes tls.key (the private key, base64-encoded); keep it out of tickets and logs
kubectl get secret tls-secret -o yaml
```
Tags: Kubernetes