Installing the Application Load Balancer Ingress controller
To balance the load and distribute traffic between Kubernetes applications, use an Yandex Application Load Balancer Ingress controller. It runs the L7 load balancer and the required auxiliary resources when the user creates an Ingress
resource in a Managed Service for Kubernetes cluster.
Getting started
-
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the
--folder-name
or--folder-id
parameter. -
Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.
Make sure you have configured the security groups required for Application Load Balancer as well.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
-
Create a service account for the Ingress controller to run and assign the following folder roles to it:
- alb.editor: To create the required Application Load Balancer resources.
- vpc.publicAdmin: To manage external network connectivity.
- certificate-manager.certificates.downloader: To use certificates registered in Yandex Certificate Manager.
- compute.viewer: To use Managed Service for Kubernetes cluster nodes in the L7 load balancer target groups.
- smart-web-security.editor: (Optional) To connect your Yandex Smart Web Security security profile to a virtual host of the L7 load balancer.
-
Create an authorized access key for the service account in JSON format and save it to the
sa-key.json
file:yc iam key create \ --service-account-name <name_of_service_account_for_Ingress_controller> \ --output sa-key.json
Installation using Yandex Cloud Marketplace
-
Go to the folder page and select Managed Service for Kubernetes.
-
Click the name of the cluster you need and select the
Marketplace tab. -
Under Application available for installation, select ALB Ingress Controller and click Go to install.
-
Configure the application:
-
Namespace: Select a namespace other than
default
or create a new one. If you select a default namespace, ALB Ingress Controller may run incorrectly. -
Application name: Specify the app name.
-
Folder ID: Specify a folder ID.
-
Cluster ID: Specify a cluster ID.
-
Service account key: Paste the contents of the
sa-key.json
file. -
Enable default health checks: Select this option to install the DaemonSet
resource in the node group network for application health checks.The resource adds pods with traffic monitoring agents to each node. As a result, node and namespace isolation does not affect monitoring, which means you get accurate traffic monitoring info. DaemonSet adds or removes monitoring agents as the number of cluster nodes goes up or down, respectively.
You can omit this option if you do not need to run cluster health checks or if you are using your own checks. For more information on setting up health checks manually, see Health checking your apps in a Yandex Managed Service for Kubernetes cluster using a Yandex Application Load Balancer L7 load balancer.
-
-
Click Install.
-
Wait for the application to change its status to
Deployed
.
Installation using a Helm chart
-
Install Helm
v3.8.0 or higher. -
Install kubectl
and configure it to work with the created cluster. -
Install the
jq
utility for stream processing of JSON files:sudo apt update && sudo apt install jq
-
To install a Helm chart
with the Ingress controller, run this command:cat sa-key.json | helm registry login cr.yandex --username 'json_key' --password-stdin && \ helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/yc-alb-ingress/yc-alb-ingress-controller-chart \ --version v0.2.14 \ --untar && \ helm install \ --namespace <namespace> \ --create-namespace \ --set folderId=<folder_ID> \ --set clusterId=<cluster_ID> \ --set enableDefaultHealthChecks=<true_or_false> \ --set-file saKeySecretKey=sa-key.json \ yc-alb-ingress-controller ./yc-alb-ingress-controller-chart/
Note
If you are using a Helm version below 3.8.0, append the
export HELM_EXPERIMENTAL_OCI=1 && \
string to the command to enable Open Container Initiative (OCI) support in the Helm client.If you set the
namespace
parameter todefault
, ALB Ingress Controller may run incorrectly. We recommend that you use other values rather thandefault
.The
enableDefaultHealthChecks
parameter enables health checks for applications in a cluster. To do this, the Ingress controller installs the DaemonSet resource in the node group network.The resource adds pods with traffic monitoring agents to each node. As a result, node and namespace isolation does not affect monitoring, which means you get accurate traffic monitoring info. DaemonSet adds or removes monitoring agents as the number of cluster nodes goes up or down, respectively.
You can omit this option if you do not need to run cluster health checks or if you are using your own checks. For more information on setting up health checks manually, see Health checking your apps in a Yandex Managed Service for Kubernetes cluster using a Yandex Application Load Balancer L7 load balancer.
Use cases
- Application Load Balancer Ingress controller configuration tutorial.
- Application Load Balancer Ingress controller logging configuration tutorial.
See also
- Description of Ingress controllers in the documentation:
- Restrictions when updating the ALB Ingress Controller.