Ingress

Introduction to Kubernetes Ingress

Route external HTTP(S) traffic to internal Kubernetes services
Enable browser-based access using domain names and HTTPS
Provide a more production-ready solution compared to exposing node ports

Basic Architecture and Flow

Without Ingress

External service type: LoadBalancer
Access via:
- http://<node-ip>:<node-port>
Use case: Quick testing, not ideal for production

With Ingress

Flow:
- Request hits Ingress (via domain name)
- Ingress routes to internal service
- Service forwards to the pod
Key Components:
- Ingress resource (YAML)
- Internal service (ClusterIP)
- Corresponding pod
- Ingress controller (must be installed)

Ingress YAML Structure

Key Attributes

kind: Ingress
spec.rules[]
- host: Domain name (e.g., myapp.com)
- http.paths[]
  - path: URL suffix (e.g., /analytics)
  - backend.service.name: Internal service name
  - backend.service.port.number: Internal port (e.g., 80)

⚠ Note: The HTTP block in rules refers to Kubernetes routing, not incoming request protocol.

Internal vs External Services

External (LoadBalancer)

Type: LoadBalancer
Exposes:
- Node port (30xxx)
- External IP address (cloud provided or manually assigned)

Internal (ClusterIP)

Type: ClusterIP
No external access by default
Used with Ingress for controlled exposure

DNS & Domain Mapping

You must map domain names to IP addresses:
- Node IP or external proxy server IP
Done via:
- Public DNS record (in production)
- /etc/hosts file (for local testing)

Ingress Controller

Required for Ingress rules to work
Processes and routes incoming requests per rules
Types:
- Kubernetes NGINX Ingress (common)
- Other third-party controllers available
Functionality:
- Evaluates all rules in the cluster
- Routes each request to the correct backend

Cluster Entry Point Design

Cloud Environment

Use cloud provider’s load balancer (e.g., AWS ELB)
Flow:
- Request → Cloud LB → Ingress Controller → Service → Pod

Bare Metal

Requires self-managed entry point:
- Example: External proxy server (HAProxy, NGINX)
- Assign public IP, open ports
- Acts as external gateway for all traffic

Demo: Ingress on Minikube

Steps

Enable Ingress controller: minikube addons enable ingress
Verify controller: kubectl get pods -n kube-system → Look for nginx ingress controller
Create Ingress rule (example for Kubernetes Dashboard):
- Host: dashboard.com
- Path: /
- Backend service: kubernetes-dashboard
- Port: 80
Apply rule:
```
kubectl apply -f dashboard-ingress.yaml
```
Add host mapping in /etc/hosts:
```
<INGRESS_IP> dashboard.com
```
Access in browser: http://dashboard.com

Default Backend

Fallback behavior:
- Used if no Ingress rule matches
- Can configure a custom 404 page or redirect
Configuration:
- Create a default-backend service and pod to handle unmapped routes

Advanced Use Cases

Multiple Paths for Same Host

Example:

Host: myapp.com
  /analytics → analytics-service
  /shopping  → shopping-service

Use case:
- Single domain with multiple sub-applications

Multiple Subdomains

Example:

Host: analytics.myapp.com → analytics-service
Host: shopping.myapp.com  → shopping-service

Use case:
- Clean subdomain structure for different services

Configuring HTTPS (TLS)

TLS in Ingress YAML

Add tls: section:

tls:
  - hosts:
      - myapp.com
    secretName: tls-secret

Requirements:
- secretName must reference a Secret of type kubernetes.io/tls
- The Secret must contain:
  - tls.crt: Base64-encoded certificate
  - tls.key: Base64-encoded private key
- Must reside in the same namespace as the Ingress

Key Points

Ingress provides domain-based, layer 7 routing for HTTP/HTTPS traffic
Requires:
- Ingress rules
- Ingress controller
- Internal services
Supports:
- Path-based and subdomain-based routing
- TLS termination with certificate secrets
Entry point design differs by environment:
- Cloud = external LB
- Bare metal = proxy server
Flexible, centralized management of external access to apps in Kubernetes

PreviousMongoDB Deployment NextNetworking

Last updated 28 days ago

Ingress

Introduction to Kubernetes Ingress

Route external HTTP(S) traffic to internal Kubernetes services
Enable browser-based access using domain names and HTTPS
Provide a more production-ready solution compared to exposing node ports

Basic Architecture and Flow

Without Ingress

External service type: LoadBalancer
Access via:
- http://<node-ip>:<node-port>
Use case: Quick testing, not ideal for production

With Ingress

Flow:
- Request hits Ingress (via domain name)
- Ingress routes to internal service
- Service forwards to the pod
Key Components:
- Ingress resource (YAML)
- Internal service (ClusterIP)
- Corresponding pod
- Ingress controller (must be installed)

Ingress YAML Structure

Key Attributes

kind: Ingress
spec.rules[]
- host: Domain name (e.g., myapp.com)
- http.paths[]
  - path: URL suffix (e.g., /analytics)
  - backend.service.name: Internal service name
  - backend.service.port.number: Internal port (e.g., 80)

⚠ Note: The HTTP block in rules refers to Kubernetes routing, not incoming request protocol.

Internal vs External Services

External (LoadBalancer)

Type: LoadBalancer
Exposes:
- Node port (30xxx)
- External IP address (cloud provided or manually assigned)

Internal (ClusterIP)

Type: ClusterIP
No external access by default
Used with Ingress for controlled exposure

DNS & Domain Mapping

You must map domain names to IP addresses:
- Node IP or external proxy server IP
Done via:
- Public DNS record (in production)
- /etc/hosts file (for local testing)

Ingress Controller

Required for Ingress rules to work
Processes and routes incoming requests per rules
Types:
- Kubernetes NGINX Ingress (common)
- Other third-party controllers available
Functionality:
- Evaluates all rules in the cluster
- Routes each request to the correct backend

Cluster Entry Point Design

Cloud Environment

Use cloud provider’s load balancer (e.g., AWS ELB)
Flow:
- Request → Cloud LB → Ingress Controller → Service → Pod

Bare Metal

Requires self-managed entry point:
- Example: External proxy server (HAProxy, NGINX)
- Assign public IP, open ports
- Acts as external gateway for all traffic

Demo: Ingress on Minikube

Steps

Enable Ingress controller: minikube addons enable ingress
Verify controller: kubectl get pods -n kube-system → Look for nginx ingress controller
Create Ingress rule (example for Kubernetes Dashboard):
- Host: dashboard.com
- Path: /
- Backend service: kubernetes-dashboard
- Port: 80
Apply rule:
```
kubectl apply -f dashboard-ingress.yaml
```
Add host mapping in /etc/hosts:
```
<INGRESS_IP> dashboard.com
```
Access in browser: http://dashboard.com

Default Backend

Fallback behavior:
- Used if no Ingress rule matches
- Can configure a custom 404 page or redirect
Configuration:
- Create a default-backend service and pod to handle unmapped routes

Advanced Use Cases

Multiple Paths for Same Host

Example:

Host: myapp.com
  /analytics → analytics-service
  /shopping  → shopping-service

Use case:
- Single domain with multiple sub-applications

Multiple Subdomains

Example:

Host: analytics.myapp.com → analytics-service
Host: shopping.myapp.com  → shopping-service

Use case:
- Clean subdomain structure for different services

Configuring HTTPS (TLS)

TLS in Ingress YAML

Add tls: section:

tls:
  - hosts:
      - myapp.com
    secretName: tls-secret

Requirements:
- secretName must reference a Secret of type kubernetes.io/tls
- The Secret must contain:
  - tls.crt: Base64-encoded certificate
  - tls.key: Base64-encoded private key
- Must reside in the same namespace as the Ingress

Key Points

Ingress provides domain-based, layer 7 routing for HTTP/HTTPS traffic
Requires:
- Ingress rules
- Ingress controller
- Internal services
Supports:
- Path-based and subdomain-based routing
- TLS termination with certificate secrets
Entry point design differs by environment:
- Cloud = external LB
- Bare metal = proxy server
Flexible, centralized management of external access to apps in Kubernetes

PreviousMongoDB Deployment NextNetworking

Last updated 28 days ago