Ingress controller for Managed Service for Kubernetes

Application Load Balancer provides the Application Load Balancer Ingress controller — a tool you can use to create and manage load balancers in Yandex Managed Service for Kubernetes clusters.

The Ingress controller installed in the cluster will automatically deploy L7 load balancers with all the required Application Load Balancer resources based on the configuration of the Ingress resources you created.

For full configuration of the resources for the Application Load Balancer Ingress controller, see the following sections:

• Ingress: Backend traffic distribution and Ingress controller configuration rules.
• HttpBackendGroup and GrpcBackendGroup: Combining backends into groups.
• IngressClass: Managing multiple Ingress controllers in a Kubernetes cluster.
• Service: Description of Kubernetes services used as backends.

Sample configurationSample configuration

Below is an abbreviated configuration example for the Ingress resource. It will be used to create a load balancer to receive HTTPS traffic and to distribute it to two services based on the URI request path.

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-demo-tls
spec:
  tls:
    - hosts:
        - <domain_name>
      secretName: yc-certmgr-cert-id-<certificate_ID>
  rules:
    - host: <domain_name>
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: alb-demo-1
                port:
                  number: 80
          - path: /app2
            pathType: Prefix
            backend:
              service:
                name: alb-demo-2
                port:
                  number: 80
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: alb-demo-2
                port:
                  name: http

If this Ingress resource configuration is used in ALB Ingress Controller version 0.2.0 and later, the backend groups are mapped to the backend.service parameter. Versions 0.1.x use other parameters: host, http.paths.path, and http.paths.pathType. As a result, collisions may occur when updating the ALB Ingress Controller. To avoid them, find out whether upgrade restrictions apply to your infrastructure.

Installation and requirementsInstallation and requirements

To install the Application Load Balancer Ingress controller, you need:

• Managed Service for Kubernetes cluster.
• Cluster node group.
• Cluster namespace to store the service account key.

To learn how to install the Ingress controller, see this guide.

Logging settingsLogging settings

To set up logging for an L7 load balancer created using the Application Load Balancer Ingress controller in a Managed Service for Kubernetes cluster, add the ingress.alb.yc.io/group-settings-name annotation with a name for the Ingress resource group settings and specify the settings in the additional IngressGroupSettings resource. For more information, see Ingress resource annotations.

Integration with Yandex Smart Web SecurityIntegration with Yandex Smart Web Security

In the Ingress controller, you can enable support for Yandex Smart Web Security that allows you to get protected against DDoS attacks and bots, as well as use a WAF and reduce the load on the resource being protected.

This service checks HTTP requests sent to the protected resource through the L7 load balancer virtual host. Depending on check results, it forwards the requests to the protected resource, blocks them, or sends them to Yandex SmartCaptcha for additional verification.

To enable this service, specify the Smart Web Security security profile ID in the Ingress annotation:

ingress.alb.yc.io/security-profile-id: <security_profile_ID>

This profile contains validation conditions and actions performed on incoming HTTP requests following the check results.

If you do not have a security profile, create one.

Traffic routing using multiple Ingress controllersTraffic routing using multiple Ingress controllers

For a single application, you can use multiple Ingress controllers, such as Application Load Balancer and NGINX. To correctly route traffic in such infrastructure, create an IngressClass resource for each Ingress controller. In the Ingress resource, under spec.ingressClassName, specify which IngressClass the Ingress resource belongs to. On GitHub, you can find an example of how to configure Ingress resources and route traffic using multiple Ingress controllers.

See alsoSee also

• Controller operating principles.
• Security group configuration for a Kubernetes cluster and a load balancer.
• Service account to support controller operation.
• ALB Ingress Controller in Yandex Cloud Marketplace.