Understanding Ingress

An Ingress resource defines rules for routing external HTTP/HTTPS traffic to services within your Kubernetes cluster. When using an Ingress controller, you can leverage Kubernetes-native Ingress resources to manage external access to your services.

An Ingress controller serves as the entry point that translates Ingress rules into routing configurations, allowing external clients to access your services securely.

Prerequisites

Before configuring Ingress, ensure you have:

• A functioning Kubernetes cluster
• Kubectl configured to access your cluster
• Services deployed that you want to expose
• (Optional) TLS certificates if you need HTTPS

These components form the foundation for your Ingress configuration. Having them ready will streamline the setup process.

Installing an Ingress Controller

There are several Ingress controllers available for Kubernetes. Here's how to install the popular NGINX Ingress Controller:

# Using Helm
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install nginx-ingress ingress-nginx/ingress-nginx

# Alternatively, using kubectl
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml

The installation method might vary based on your cloud provider or if you're running Kubernetes on-premises. Check the official documentation for provider-specific instructions.

Creating a Basic Ingress Resource

Create a file named basic-ingress.yaml with the following content:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: basic-ingress
  namespace: your-service-namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-service
            port:
              number: 8080

Apply the Ingress resource to your cluster:

kubectl apply -f basic-ingress.yaml

This basic Ingress configuration routes requests for myapp.example.com to a service named myapp-service on port 8080. The annotation kubernetes.io/ingress.class: "nginx" ensures this Ingress is processed by the NGINX Ingress Controller.

Adding TLS/HTTPS Support

To enable HTTPS for your Ingress, update your Ingress configuration with TLS settings:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  namespace: your-service-namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - myapp.example.com
    secretName: myapp-tls-secret
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-service
            port:
              number: 8080

Create a TLS secret from your certificate files:

kubectl create secret tls myapp-tls-secret \
  --cert=path/to/cert.pem \
  --key=path/to/key.pem \
  -n your-service-namespace

The tls section references a Kubernetes Secret named myapp-tls-secret that contains your TLS certificate and private key. This enables HTTPS for the specified host.

Configuring Advanced Routing

For more complex routing scenarios, you can configure multiple paths and hosts:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-service-ingress
  namespace: your-service-namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
      - path: /app
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 80
  - host: admin.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: admin-service
            port:
              number: 3000

This configuration routes traffic based on both the hostname and path. Requests to /api and /app on myapp.example.com go to different services, while admin.example.com routes to a separate admin service.

Adding Controller-Specific Annotations

Different Ingress controllers support additional functionality through annotations. Here are some common NGINX Ingress Controller annotations:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: configured-ingress
  namespace: your-service-namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "30"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, PUT, POST, DELETE, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://allowed-origin.com"
    nginx.ingress.kubernetes.io/rate-limit-rps: "10"
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-service
            port:
              number: 8080

These controller-specific annotations enable additional features like: - Setting timeouts - Enabling Cross-Origin Resource Sharing (CORS) - Configuring rate limiting for API protection

Verifying Ingress Configuration

After applying your Ingress resource, verify it was created correctly:

kubectl get ingress -n your-service-namespace

Check the Ingress controller logs for any issues:

kubectl logs -n ingress-nginx deployment/nginx-ingress-controller

Test your endpoint to confirm traffic is routed correctly:

curl -H "Host: myapp.example.com" http://<ingress-controller-ip>/

These commands help you confirm that your Ingress is correctly configured and functioning as expected.

Troubleshooting Common Issues

If your Ingress isn't working as expected, check these common issues:

1. Incorrect Ingress Class: Ensure the kubernetes.io/ingress.class annotation matches your controller
2. Service Availability: Verify the backend service exists and is running
3. Port Configuration: Confirm the service port in the Ingress matches the actual service port
4. DNS Configuration: Make sure the hostname resolves to your Ingress controller's external IP
5. TLS Issues: Check that the TLS secret exists and contains valid certificate files
6. PathType Configuration: Ensure you're using the correct pathType for your needs (Prefix, Exact, or ImplementationSpecific)

Most Ingress issues stem from misconfiguration in either the Ingress resource itself or the underlying services it routes to.

Ingress Controller Options

There are several Ingress controller options available for Kubernetes:

1. NGINX Ingress Controller: Popular, feature-rich, and widely supported
2. Traefik: Modern HTTP reverse proxy and load balancer with auto-discovery features
3. HAProxy Ingress: Based on the reliable HAProxy load balancer
4. Ambassador: API Gateway built on Envoy Proxy
5. Istio Ingress Gateway: Part of the Istio service mesh for advanced traffic control

Choose an Ingress controller based on your specific requirements for performance, features, and integration with your existing tools.

Next Steps

After successfully configuring your Ingress, consider:

1. Setting up monitoring for your traffic
2. Implementing additional security policies
3. Configuring rate limiting and other protections
4. Setting up logging and analytics for your services
5. Implementing a service mesh for more advanced traffic management

These additional steps will help you secure and optimize your Ingress implementation for production use.