Understanding Ingress with Kubernetes

The Kubernetes traffic controller

Welcome to [ between the brackets ] Saturday Edition! Today I’ll be talking about Ingress with Kubernetes - a pivotal aspect of deploying any service with Kubernetes.

Briefly, Ingress is a Kubernetes resource that allows you to route external traffic into your Kubernetes cluster. If you want to expose your Kubernetes services to the outside world, you'll need to use ingress.

Ingress Basics

At a basic level, ingress sits in front of your Kubernetes services and acts as a reverse proxy and load balancer. It receives external requests and forwards them to the appropriate services in your cluster based on configured routing rules.

Key ingress concepts:

  • Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.

  • Traffic routing is controlled by rules defined on ingress resources.

  • Ingress can provide load balancing, SSL/TLS termination, and name-based virtual hosting.

  • You need an ingress controller like NGINX to actually handle the ingress rules and route traffic.

Here's a simple example ingress resource:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
  - http:                      # no host: the rule applies to requests for any hostname
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: foo-service
            port:
              number: 80       # v1 expects port.number or port.name
      - path: /bar
        pathType: Prefix
        backend:
          service:
            name: bar-service
            port:
              number: 80

This ingress routes requests to /foo to the foo-service, and requests to /bar to the bar-service. The ingress controller will handle routing the external traffic properly based on these rules.

Name-based Virtual Hosting

Ingress supports name-based virtual hosting, which routes requests for multiple hostnames that share a single IP address. For example:

spec:
  rules:
  - host: foo.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix       # required in networking.k8s.io/v1
        backend:
          service:
            name: foo-service
            port:
              number: 80
  - host: bar.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: bar-service
            port:
              number: 80

TLS Termination

Ingress can terminate TLS so you don't have to handle SSL certificates on your backend services. Reference a secret that holds the certificate and key in your ingress definition:

spec:
  tls:
  - secretName: my-tls-secret
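
A manifest check that ties the three sections above together, as an added example that is not from the original article: it flags rules with no host, hosts that are not listed under spec.tls, and the older v1beta1 serviceName/servicePort backend fields that networking.k8s.io/v1 does not accept. It assumes the manifest is already parsed into a dict (for instance from `kubectl get ingress -o json`); the function names and the sample manifest are constructed for illustration.

```python
def host_covered(host, tls_hosts):
    """True if host is listed exactly or matches a one-label wildcard (*.mydomain.com)."""
    return any(p == host or (p.startswith("*.") and host.partition(".")[2] == p[2:])
               for p in tls_hosts)

def lint_ingress(ingress):
    """Return findings for one Ingress manifest already parsed into a dict."""
    spec = ingress.get("spec", {})
    tls = spec.get("tls", [])
    tls_hosts = [h for entry in tls for h in entry.get("hosts", [])]
    findings = ["tls secret %s names no hosts" % e.get("secretName") for e in tls if not e.get("hosts")]
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if not host:
            findings.append("rule without host matches every hostname")
        elif not host_covered(host, tls_hosts):
            findings.append("host %s is not listed under spec.tls" % host)
        for path in rule.get("http", {}).get("paths", []):
            backend = path.get("backend", {})
            service = backend.get("service") or {}
            where = "%s%s" % (host or "*", path.get("path", ""))
            if "serviceName" in backend or "servicePort" in backend:
                findings.append("%s uses v1beta1 backend fields" % where)
            elif "resource" not in backend and not isinstance(service.get("port"), dict):
                findings.append("%s backend port must be {number: N} or {name: S}" % where)
            if "pathType" not in path:
                findings.append("%s has no pathType" % where)
    return findings

# Constructed sample, modelled on the fragments in this article (not a real cluster).
SAMPLE = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "my-ingress"},
    "spec": {
        "tls": [{"secretName": "my-tls-secret", "hosts": ["foo.mydomain.com"]}],
        "rules": [
            {"host": "foo.mydomain.com", "http": {"paths": [
                {"path": "/", "pathType": "Prefix",
                 "backend": {"service": {"name": "foo-service", "port": {"number": 80}}}}]}},
            {"host": "bar.mydomain.com", "http": {"paths": [
                {"backend": {"serviceName": "bar-service", "servicePort": 80}}]}},
        ],
    },
}

if __name__ == "__main__":
    for finding in lint_ingress(SAMPLE):
        print(finding)
```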

Load Balancing

An ingress controller will provision a load balancer to route traffic to your services. Many ingress controllers support advanced load balancing techniques like:

  • Session persistence - same client is routed to same pod

  • Dynamic weighting - distribute more traffic to higher capacity pods

  • Health checks - route traffic only to healthy pods

Ingress Controllers

Popular ingress controllers include:

  • NGINX

  • Contour

  • HAProxy

  • Traefik

These controllers will handle the actual load balancing and SSL termination for your ingress rules.

Advanced Ingress

Ingress can become pretty involved, with some more advanced topics being:

  • Path Matching: Ingress paths support exact, prefix, and regular expression matching.

  • Custom 404 Pages: Specify custom 404 error page handling.

  • Rewrite Rules: Regex or fixed prefix-based rewrite rules to manipulate request URLs.

  • Custom Timeouts/Limits: Set timeouts for connections, requests, reads/writes.

  • Canary Deployments: Shift traffic in increments to test new versions.

  • Blue-Green Deployments: Switch between two production versions.

  • Authentication: OAuth2, basic auth, external auth, JWT, and more.

In summary, ingress is a powerful way to expose your Kubernetes services and handle all your external traffic. You can reap the benefits with a basic setup to begin with, then leverage more advanced capabilities as your applications and infrastructure grow.

[ Zach Coriarty ]