Kubernetes - Ingress Networking
Description
Ingress is a collection of rules that allow external traffic to reach services running in a Kubernetes cluster. Think of Ingress as a layer seven (application layer) load balancer: it sits in front of your services and routes traffic to the service that matches the Ingress rule. Ingress can be configured to give services externally reachable URLs, load balance traffic, terminate SSL, offer name-based virtual hosting, and more. The solution you deploy is called the Ingress controller. The rules you use to configure Ingress are called Ingress resources.
A Kubernetes cluster is not set up with an Ingress controller by default.
Basic Commands
- view details of `ingress` objects

  ```bash
  kubectl describe ingress <ingress-object-name>
  ```

- imperatively create an `ingress` object

  ```bash
  kubectl create ingress <ingress-object-name> --rule=<host/path=service:port> --default-backend=<service:port>
  ```
Examples
- Ingress Controllers
  - sample `ingress` controller definition

    ```yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-ingress-controller
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx-ingress
      template:
        metadata:
          labels:
            app: nginx-ingress
        spec:
          containers:
            - name: nginx-ingress-controller
              image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
              args:
                - /nginx-ingress-controller
                - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
                # create a config map object as a pass through to the nginx-controller for custom configuration
                - --configmap=$(POD_NAMESPACE)/nginx-configuration
              # you MUST pass POD_NAME and POD_NAMESPACE as env variables to the nginx-ingress-controller
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
              # specify the ports used by the nginx-ingress-controller
              ports:
                - name: http
                  containerPort: 80
                - name: https
                  containerPort: 443
    ```
  - sample `ConfigMap`, needed for the `ingress` controller container `args`

    ```yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: nginx-configuration
    data:
      # put your custom nginx configuration here
    ```
  - then create a service to expose the `ingress` controller to the external world

    ```yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress
    spec:
      type: NodePort
      ports:
        - port: 80
          targetPort: 80
          protocol: TCP
          name: http
        - port: 443
          targetPort: 443
          protocol: TCP
          name: https
      selector:
        app: nginx-ingress
    ```
  - the `ingress` controller needs the right set of permissions to take advantage of the additional intelligence, so a `service account` is required

    ```yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: nginx-ingress-serviceaccount
    ```

  - `Nginx Ingress Controllers` have additional intelligence built into them to monitor the `Kubernetes` cluster for `ingress` resources.
- Ingress Resources

  An `Ingress` resource is a set of rules used to configure the `Ingress controller` to route traffic to the `services` that match the `Ingress rules`. `Ingress` resources are namespaced and can be created in any `namespace` that you want to expose your `services` from.
  - sample `ingress` resource definition

    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: ingress-wear-watch
      namespace: app-space
    spec:
      rules:
        - http:
            paths:
              - backend:
                  service:
                    name: wear-service
                    port:
                      number: 8080
                path: /wear
                pathType: Prefix
              - backend:
                  service:
                    name: video-service
                    port:
                      number: 8080
                path: /watch
                pathType: Prefix
    ```

    - to route by domain name, users must define a `host` in the `ingress` resource `spec.rules` section
  - create `ingress` resource imperatively

    ```bash
    kubectl create ingress ingress-test --rule="wear.my-online-store.com/wear*=wear-service:80"
    ```
  - video `service`

    ```yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: video-service
      namespace: app-space
    spec:
      clusterIP: 10.96.151.193
      clusterIPs:
        - 10.96.151.193
      ports:
        - port: 8080
          protocol: TCP
          targetPort: 8080
      selector:
        app: webapp-video
      sessionAffinity: None
      type: ClusterIP
    ```

  - wear `service`

    ```yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: wear-service
      namespace: app-space
    spec:
      clusterIP: 10.102.76.86
      clusterIPs:
        - 10.102.76.86
      ports:
        - port: 8080
          protocol: TCP
          targetPort: 8080
      selector:
        app: webapp-wear
      sessionAffinity: None
      type: ClusterIP
    ```

  - default backend `service`

    ```yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: default-backend-service
      namespace: app-space
    spec:
      type: ClusterIP
      clusterIP: 10.104.209.223
      clusterIPs:
        - 10.104.209.223
      ports:
        - port: 80
          protocol: TCP
          targetPort: 8080
      selector:
        app: default-backend
    ```
  - more `service` and `ingress` resources
    - pay `service`

      ```yaml
      apiVersion: v1
      kind: Service
      metadata:
        name: pay-service
        namespace: critical-space
      spec:
        clusterIP: 10.102.93.253
        clusterIPs:
          - 10.102.93.253
        ipFamilies:
          - IPv4
        ports:
          - port: 8282
            protocol: TCP
            targetPort: 8080
        selector:
          app: webapp-pay
        type: ClusterIP
      ```

    - pay `ingress`

      ```yaml
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: ingress-pay
        namespace: critical-space
        annotations:
          nginx.ingress.kubernetes.io/rewrite-target: /
      spec:
        rules:
          - http:
              paths:
                - backend:
                    service:
                      name: pay-service
                      port:
                        number: 8282
                  path: /pay
                  pathType: Prefix
      ```

      - Rewrite the `URL` when a request is passed to applications. Instead of using the same path that the user typed in, specify the `rewrite-target` option. This rewrites the `URL` by replacing whatever is under rules → http → paths → path.

        ```yaml
        annotations:
          nginx.ingress.kubernetes.io/rewrite-target: /
        ```
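How the `/wear` and `/watch` rules of the `ingress-wear-watch` resource above select a backend under the `pathType` matching rules of the `networking.k8s.io/v1` Ingress API, as an added example that is not part of the original page. The rule table is transcribed from the manifest, `DEFAULT_BACKEND` is a placeholder label, and controller-specific behaviour such as regex paths and rewrites is not modelled.

```python
# Added example: Ingress API path matching applied to the page's rules.
RULES = [
    # (pathType, path, service, port) transcribed from ingress-wear-watch
    ("Prefix", "/wear", "wear-service", 8080),
    ("Prefix", "/watch", "video-service", 8080),
]
DEFAULT_BACKEND = ("<default-backend>", None)  # placeholder label (assumption)


def _elements(path):
    """Split a URL path into its non-empty '/'-separated elements."""
    return [p for p in path.split("/") if p]


def path_matches(path_type, rule_path, request_path):
    """Apply the Ingress API matching rules for Exact and Prefix."""
    if path_type == "Exact":
        # Case-sensitive string equality; a trailing slash makes a difference.
        return request_path == rule_path
    if path_type == "Prefix":
        rule, req = _elements(rule_path), _elements(request_path)
        # Element-by-element: /wear matches /wear/x but not /wearable.
        return req[:len(rule)] == rule
    raise ValueError(f"unsupported pathType: {path_type}")


def route(request_path, rules=RULES):
    """Return (service, port) for a request path, or the default backend."""
    path = request_path.split("?", 1)[0]  # the query string is not matched
    candidates = [r for r in rules if path_matches(r[0], r[1], path)]
    if not candidates:
        return DEFAULT_BACKEND
    # Longest matching path wins; on a tie, Exact beats Prefix.
    best = max(candidates, key=lambda r: (len(r[1]), r[0] == "Exact"))
    return best[2], best[3]
```

A request for `/wearable` or `/Wear` does not match the `/wear` rule and falls through to the default backend, which is worth knowing when deciding what the default backend is allowed to serve.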
Basic Steps
- create a namespace for ingress related objects

  ```bash
  kubectl create namespace ingress-space
  ```

  ```yaml
  apiVersion: v1
  kind: Namespace
  metadata:
    creationTimestamp: "2022-10-23T19:48:00Z"
    managedFields:
      - apiVersion: v1
        fieldsType: FieldsV1
        fieldsV1:
          f:status:
            f:phase: {}
        manager: kubectl-create
        operation: Update
        time: "2022-10-23T19:48:00Z"
    name: ingress-space
    resourceVersion: "7557"
    uid: 4c9214e5-1d83-427e-b93b-12fec40ac3d0
  spec:
    finalizers:
      - kubernetes
  status:
    phase: Active
  ```
- create a configmap for the ingress controller in the ingress-space namespace

  ```bash
  kubectl create configmap nginx-configuration -n ingress-space
  ```

  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    creationTimestamp: "2022-10-23T19:48:42Z"
    name: nginx-configuration
    namespace: ingress-space
    resourceVersion: "7614"
    uid: 9fbd2239-1265-4615-834c-752349e668da
  ```
- create a service account for the ingress controller in the ingress-space namespace

  ```bash
  kubectl create serviceaccount ingress-serviceaccount -n ingress-space
  ```

  ```yaml
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    creationTimestamp: "2022-10-23T19:49:18Z"
    name: ingress-serviceaccount
    namespace: ingress-space
    resourceVersion: "7659"
    uid: ca003d54-4978-4e40-aaad-99c522c14f5d
  secrets:
    - name: ingress-serviceaccount-token-nrm2r
  ```
- create roles and role-bindings for the service account ingress-serviceaccount
  - ingress-role

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      name: ingress-role
      namespace: ingress-space
    rules:
      - apiGroups:
          - ""
        resources:
          - configmaps
          - pods
          - secrets
          - namespaces
        verbs:
          - get
      - apiGroups:
          - ""
        resourceNames:
          - ingress-controller-leader-nginx
        resources:
          - configmaps
        verbs:
          - get
          - update
      - apiGroups:
          - ""
        resources:
          - configmaps
        verbs:
          - create
      - apiGroups:
          - ""
        resources:
          - endpoints
        verbs:
          - get
    ```

  - ingress-role-binding

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      name: ingress-role-binding
      namespace: ingress-space
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: ingress-role
    subjects:
      - kind: ServiceAccount
        name: ingress-serviceaccount
    ```
- create ingress controller deployment

  ```yaml
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: ingress-controller
    namespace: ingress-space
  spec:
    replicas: 1
    selector:
      matchLabels:
        name: nginx-ingress
    template:
      metadata:
        labels:
          name: nginx-ingress
      spec:
        serviceAccountName: ingress-serviceaccount
        containers:
          - name: nginx-ingress-controller
            image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
            args:
              - /nginx-ingress-controller
              - --configmap=$(POD_NAMESPACE)/nginx-configuration
              - --default-backend-service=app-space/default-http-backend
            env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            ports:
              - name: http
                containerPort: 80
              - name: https
                containerPort: 443
  ```
- create ingress service to expose nginx ingress controller

  ```yaml
  apiVersion: v1
  kind: Service
  metadata:
    name: ingress
    namespace: ingress-space
  spec:
    type: NodePort
    ports:
      - port: 80
        targetPort: 80
        protocol: TCP
        nodePort: 30080
        name: http
      - port: 443
        targetPort: 443
        protocol: TCP
        name: https
    selector:
      name: nginx-ingress
  ```
- create ingress resource

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: ingress-wear-watch
    namespace: app-space
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
  spec:
    rules:
      - http:
          paths:
            - backend:
                service:
                  name: wear-service
                  port:
                    number: 8080
              path: /wear
              pathType: Prefix
            - backend:
                service:
                  name: video-service
                  port:
                    number: 8080
              path: /watch
              pathType: Prefix
  ```

  - service definitions are found in the above examples
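What the `ingress-role` from the roles step actually grants to `ingress-serviceaccount` inside `ingress-space`, evaluated with a simplified model of RBAC rule matching; this is an added example, not code from the original page. The rule list is transcribed from the Role manifest, the object names used in the checks are constructed, and subresources and non-resource URLs are not modelled.

```python
# Added example: evaluate the page's ingress-role with simplified RBAC matching.
INGRESS_ROLE_RULES = [  # transcribed from the ingress-role manifest
    {"apiGroups": [""], "verbs": ["get"],
     "resources": ["configmaps", "pods", "secrets", "namespaces"]},
    {"apiGroups": [""], "verbs": ["get", "update"],
     "resources": ["configmaps"],
     "resourceNames": ["ingress-controller-leader-nginx"]},
    {"apiGroups": [""], "verbs": ["create"], "resources": ["configmaps"]},
    {"apiGroups": [""], "verbs": ["get"], "resources": ["endpoints"]},
]


def _has(values, wanted):
    """A list matches if it names the value or contains the '*' wildcard."""
    return "*" in values or wanted in values


def rule_allows(rule, verb, resource, name="", api_group=""):
    """True if a single rule covers the request."""
    if not (_has(rule["verbs"], verb)
            and _has(rule["apiGroups"], api_group)
            and _has(rule["resources"], resource)):
        return False
    names = rule.get("resourceNames", [])
    # No resourceNames means every object of that resource type is covered.
    return not names or name in names


def allowed(verb, resource, name="", rules=INGRESS_ROLE_RULES):
    """RBAC is additive: the request is allowed if any rule matches."""
    return any(rule_allows(r, verb, resource, name) for r in rules)


def broad_secret_rules(rules=INGRESS_ROLE_RULES):
    """Rules that allow reading secrets without naming which ones."""
    return [r for r in rules
            if _has(r["resources"], "secrets")
            and not r.get("resourceNames")
            and any(_has(r["verbs"], v) for v in ("get", "list", "watch"))]
```

The first rule lets the service account `get` any secret in `ingress-space` by name, while `update` is limited to the one named configmap; adding `resourceNames` to the secrets rule narrows it the same way.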