Contact UsGet started

Setting up the Yandex Application Load Balancer Ingress controller

Written by
Updated at November 5, 2024

The Yandex Application Load Balancer service is designed for load balancing and traffic distribution across applications. To use it for managing ingress traffic of applications running in a Managed Service for Kubernetes cluster, you need an Ingress controller.

To set up access to the applications running in your Managed Service for Kubernetes cluster via Application Load Balancer:

  1. Set up the Ingress controller and test applications.
  2. (Optional) Configure the Ingress resource group.
  3. Make sure the Managed Service for Kubernetes cluster applications are accessible via Application Load Balancer.

For full configuration of the resources for the Application Load Balancer Ingress controller, see the following sections:

  • Ingress: Backend traffic distribution and Ingress controller configuration rules.
  • HttpBackendGroup: Combining backends into groups.
  • IngressClass: Managing multiple Ingress controllers in a Kubernetes cluster.
  • Service: Description of Kubernetes services used as backends.

Getting started

  1. Register a public domain zone and delegate your domain.

  2. If you already have a certificate for the domain zone, add its details to the Yandex Certificate Manager service. Alternatively, you can add a new Let's Encrypt® certificate.

  3. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

    Also configure the security groups required for Application Load Balancer.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  4. Create a Managed Service for Kubernetes cluster. When creating it, specify the security groups prepared in advance.

    If you intend to use your cluster within the Yandex Cloud network, there is no need to allocate a public IP address to it. To allow connections from outside the network, assign a public IP address to the cluster.

  5. Create a node group. Allocate it a public IP address to provide internet access and allow pulling Docker images and components. Specify the security groups prepared in advance.

  6. Install the Application Load Balancer Ingress controller.

  7. (Optional) Install ExternalDNS with the plugin for Yandex Cloud DNS to automatically create a DNS record in Yandex Cloud DNS when creating an Ingress controller.

  8. Install kubectl and configure it to work with the created cluster.

    If a cluster has no public IP address assigned and kubectl is configured via the cluster's private IP address, run kubectl commands on a Yandex Cloud VM that is in the same network as the cluster.

Set up the Ingress controller and test applications

The Ingress controller's workload can include Kubernetes services or backend groups, such as Application Load Balancer target groups or Yandex Object Storage buckets.

Before getting started, get the ID of the previously added TLS certificate:

yc certificate-manager certificate list

Command result:

+----------------------+-----------+----------------+---------------------+----------+--------+
|          ID          |   NAME    |    DOMAINS     |      NOT AFTER      |   TYPE   | STATUS |
+----------------------+-----------+----------------+---------------------+----------+--------+
| fpq8diorouhp******** | sert-test |    test.ru     | 2022-01-06 17:19:37 | IMPORTED | ISSUED |
+----------------------+-----------+----------------+---------------------+----------+--------+

  1. In a separate folder, create the demo-app-1.yaml and demo-app-2.yaml application files:

    demo-app-1.yaml
    apiVersion: v1
kind: ConfigMap
metadata:
  name: alb-demo-1
data:
  nginx.conf: |
    worker_processes auto;
    events {
    }
    http {
      server {
        listen 80 ;
        location = /_healthz {
          add_header Content-Type text/plain;
          return 200 'ok';
        }
        location / {
          add_header Content-Type text/plain;
          return 200 'Index';
        }
        location = /app1 {
          add_header Content-Type text/plain;
          return 200 'This is APP#1';
        }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: alb-demo-1
  labels:
    app: alb-demo-1
    version: v1
spec:
  replicas: 2
  selector:
    matchLabels:
      app: alb-demo-1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: alb-demo-1
        version: v1
    spec:
      terminationGracePeriodSeconds: 5
      volumes:
        - name: alb-demo-1
          configMap:
            name: alb-demo-1
      containers:
        - name: alb-demo-1
          image: nginx:latest
          ports:
            - name: http
              containerPort: 80
          livenessProbe:
            httpGet:
              path: /_healthz
              port: 80
            initialDelaySeconds: 3
            timeoutSeconds: 2
            failureThreshold: 2
          volumeMounts:
            - name: alb-demo-1
              mountPath: /etc/nginx
              readOnly: true
          resources:
            limits:
              cpu: 250m
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 64Mi
---
apiVersion: v1
kind: Service
metadata:
  name: alb-demo-1
spec:
  selector:
    app: alb-demo-1
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
      nodePort: 30081
    demo-app-2.yaml
    apiVersion: v1
kind: ConfigMap
metadata:
  name: alb-demo-2
data:
  nginx.conf: |
    worker_processes auto;
    events {
    }
    http {
      server {
        listen 80 ;
        location = /_healthz {
          add_header Content-Type text/plain;
          return 200 'ok';
        }
        location / {
          add_header Content-Type text/plain;
          return 200 'Add app#';
        }
        location = /app2 {
          add_header Content-Type text/plain;
          return 200 'This is APP#2';
        }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: alb-demo-2
  labels:
    app: alb-demo-2
    version: v1
spec:
  replicas: 2
  selector:
    matchLabels:
      app: alb-demo-2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: alb-demo-2
        version: v1
    spec:
      terminationGracePeriodSeconds: 5
      volumes:
        - name: alb-demo-2
          configMap:
            name: alb-demo-2
      containers:
        - name: alb-demo-2
          image: nginx:latest
          ports:
            - name: http
              containerPort: 80
          livenessProbe:
            httpGet:
              path: /_healthz
              port: 80
            initialDelaySeconds: 3
            timeoutSeconds: 2
            failureThreshold: 2
          volumeMounts:
            - name: alb-demo-2
              mountPath: /etc/nginx
              readOnly: true
          resources:
            limits:
              cpu: 250m
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 64Mi
---
apiVersion: v1
kind: Service
metadata:
  name: alb-demo-2
spec:
  selector:
    app: alb-demo-2
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
      nodePort: 30082

  2. In the same directory, create a file named ingress.yaml and specify in it the previously delegated domain name, certificate ID, and settings for Application Load Balancer:

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-demo-tls
  annotations:
    ingress.alb.yc.io/subnets: <list_of_subnet_IDs>
    ingress.alb.yc.io/security-groups: <list_of_security_group_IDs>
    ingress.alb.yc.io/external-ipv4-address: <IP_address_assignment_method>
    ingress.alb.yc.io/group-name: my-ingress-group
spec:
  tls:
    - hosts:
        - <domain_name>
      secretName: yc-certmgr-cert-id-<TLS_certificate_ID>
  rules:
    - host: <domain_name>
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: alb-demo-1
                port:
                  number: 80
          - path: /app2
            pathType: Prefix
            backend:
              service:
                name: alb-demo-2
                port:
                  number: 80
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: alb-demo-2
                port:
                  name: http

    Where:

    • ingress.alb.yc.io/subnets: One or more subnets that Application Load Balancer will work with.

    • ingress.alb.yc.io/security-groups: One or more security groups for Application Load Balancer. If you skip this parameter, the default security group will be used. At least one of the security groups must allow an outgoing TCP connection to port 10501 in the Managed Service for Kubernetes node group subnet or its security group.

    • ingress.alb.yc.io/external-ipv4-address: Providing public online access to Application Load Balancer. Enter the previously obtained IP address or set auto to get a new IP address automatically.

      If you set auto, deleting the Ingress controller will also delete the IP address from the cloud. To avoid this, use an existing reserved IP address.

    • ingress.alb.yc.io/group-name: Group name. Kubernetes Ingress resources are grouped together, each group served by a separate Application Load Balancer instance.

      You can replace my-ingress-group with any group name you like. Make sure it meets the naming requirements.

    In ALB Ingress Controller versions prior to 0.2.0, each backend group corresponds to a bundle of host, http.paths.path, and http.paths.pathType parameters. In versions 0.2.0 and later, the backend group corresponds to the backend.service parameter. This may cause collisions when updating the ALB Ingress Controller. To avoid them, find out whether upgrade restrictions apply to your infrastructure.

    (Optional) Enter the advanced settings for the controller:

    Additional settings

    • ingress.alb.yc.io/group-settings-name: Name for the Ingress resource group settings to be described in the optional IngressGroupSettings resource. For more information, see Configure the Ingress resource group.

    • ingress.alb.yc.io/internal-ipv4-address: Provide internal access to Application Load Balancer. Enter the internal IP address or use auto to obtain the IP address automatically.

      Note

      You can only use one type of access to Application Load Balancer at a time: ingress.alb.yc.io/external-ipv4-address or ingress.alb.yc.io/internal-ipv4-address.

    • ingress.alb.yc.io/internal-alb-subnet: Subnet for hosting the Application Load Balancer internal IP address. This parameter is required if the ingress.alb.yc.io/internal-ipv4-address parameter is selected.

    • ingress.alb.yc.io/protocol: Connection protocol used between the load balancer and backends:

      • http: HTTP/1.1. Default.
      • http2: HTTP/2.
      • grpc: gRPC.

    • ingress.alb.yc.io/transport-security: Encryption protocol for connections between the load balancer and backends.

      Warning

      In ALB Ingress Controller version 0.2.0 and later, you can only use an annotation in the Service object.

      If you annotate Ingress resources that use a single service with the same settings for backend groups, such annotation will apply correctly. However, this mechanism is obsolete and will not be supported going forward.

      The valid value is tls: TLS with no certificate challenge.

      If no annotation is specified, the load balancer connects to the backends with no encryption.

    • ingress.alb.yc.io/prefix-rewrite: Replace the path for the specified value.

    • ingress.alb.yc.io/upgrade-types: Valid values of the Upgrade HTTP header, e.g., websocket.

    • ingress.alb.yc.io/request-timeout: Maximum period for which a connection can be established.

    • ingress.alb.yc.io/idle-timeout: Maximum connection keep-alive time without data transmission.

      The request-timeout and idle-timeout values must be specified with units of measurement, e.g., 300ms or 1.5h. Valid units of measurement:

      • ns, nanoseconds
      • us, microseconds
      • ms, milliseconds
      • s, seconds
      • m, minutes
      • h, hours

    • ingress.alb.yc.io/security-profile-id: Support for Yandex Smart Web Security that allows you to get protected against DDoS attacks and bots, plus enable WAF and limit the load on the resource you are protecting.

      To enable support for Yandex Smart Web Security, specify the previously created Smart Web Security security profile in the Ingress annotation:

      ingress.alb.yc.io/security-profile-id: <security_profile_ID>

      Note

      To connect your security profile to an Application Load Balancer virtual host, the service account used to operate the Ingress controller must have the smart-web-security.editor role for the folder hosting Application Load Balancer and Smart Web Security resources. For more information, see Assigning a role to a service account.

    • ingress.alb.yc.io/use-regex: Support for RE2 regular expressions when matching the request path. If the true string is provided, the support is enabled. Only applies if the pathType parameter is set to Exact.

    Note

    The settings only apply to the hosts of the given controller rather than the entire Ingress group.

    If you use several Ingress controllers, create an IngressClass resource for each of them. In the Ingress configuration, specify the IngressClass you need in the spec.ingressClassName field.

    For more information about the Ingress resource settings, see Ingress resource fields and annotations.

  3. Create an Ingress controller and applications:

    kubectl apply -f .

  4. Wait until the Ingress controller is created and assigned a public IP address. This may take several minutes.

    To track the progress of controller creation and check that it is error-free, open the logs of the pod the controller creation process has been run in:

    1. In the management console, go to the folder page and select Managed Service for Kubernetes.

    2. Click your cluster's name and select Workload in the left-hand panel.

    3. Select one of the alb-demo-*** pods the Ingress controller creation process has been run in:

    4. Go to the Logs tab on the pod page.

      You will see the Ingress controller creation logged, with the logs displayed in real time. Any errors that occur will also be logged.

  5. Make sure the Ingress controller has been created. To do this, run the appropriate command and check that the command output shows the following value in the ADDRESS field:

    kubectl get ingress alb-demo-tls

    Result:

    NAME          CLASS   HOSTS           ADDRESS     PORTS    AGE
alb-demo-tls  <none>  <domain_name>  <IP_address>  80,443  15h

    Based on the Ingress controller configuration, an L7 load balancer will be automatically deployed.

To set up a backend group, use the HttpBackendGroup CustomResourceDefinition. As a backend, you can use an Application Load Balancer target group or an Object Storage bucket.

To configure Application Load Balancer to work with a backend group:

  1. Create a backend group with a bucket:

    1. Create a public bucket in Object Storage.
    2. Configure the website home page and error page.

  2. Create a configuration file named demo-app-1.yaml for your application:

    demo-app-1.yaml
    apiVersion: v1
kind: ConfigMap
metadata:
  name: alb-demo-1
data:
  nginx.conf: |
    worker_processes auto;
    events {
    }
    http {
      server {
        listen 80 ;
        location = /_healthz {
          add_header Content-Type text/plain;
          return 200 'ok';
        }
        location / {
          add_header Content-Type text/plain;
          return 200 'Index';
        }
        location = /app1 {
          add_header Content-Type text/plain;
          return 200 'This is APP#1';
        }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: alb-demo-1
  labels:
    app: alb-demo-1
    version: v1
spec:
  replicas: 2
  selector:
    matchLabels:
      app: alb-demo-1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: alb-demo-1
        version: v1
    spec:
      terminationGracePeriodSeconds: 5
      volumes:
        - name: alb-demo-1
          configMap:
            name: alb-demo-1
      containers:
        - name: alb-demo-1
          image: nginx:latest
          ports:
            - name: http
              containerPort: 80
          livenessProbe:
            httpGet:
              path: /_healthz
              port: 80
            initialDelaySeconds: 3
            timeoutSeconds: 2
            failureThreshold: 2
          volumeMounts:
            - name: alb-demo-1
              mountPath: /etc/nginx
              readOnly: true
          resources:
            limits:
              cpu: 250m
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 64Mi
---
apiVersion: v1
kind: Service
metadata:
  name: alb-demo-1
spec:
  selector:
    app: alb-demo-1
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
      nodePort: 30081

  3. In a separate directory, create a file named http-group.yaml with the HttpBackendGroup object settings:

    apiVersion: alb.yc.io/v1alpha1
kind: HttpBackendGroup
metadata:
  name: example-backend-group
spec:
  backends: # List of backends.
    - name: alb-demo-1
      weight: 70 # Backend relative weight when distributing traffic. The load will be distributed in proportion to the weights of the group's other backends. Specify the weight even if you have only one backend in the group.
      service:
         name: alb-demo-1
         port:
           number: 80
    - name: bucket-backend
      weight: 30
      storageBucket:
        name: <bucket_name>

    (Optional) Enter the advanced settings for the controller:

    • spec.backends.useHttp2: HTTP/2 mode.
    • spec.backends.tls: Certificate from the certificate authority the load balancer will trust when establishing a secure connection with backend endpoints. Specify the certificate contents in the trustedCa field in plain text.

    For more information, see Backend groups.

  4. Create a file named ingress-http.yaml and specify in it the previously delegated domain name, certificate ID, and settings for Application Load Balancer:

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-demo-tls
  annotations:
    ingress.alb.yc.io/subnets: <list_of_subnet_IDs>
    ingress.alb.yc.io/security-groups: <list_of_security_group_IDs>
    ingress.alb.yc.io/external-ipv4-address: <IP_address_assignment_method>
    ingress.alb.yc.io/group-name: my-ingress-group
spec:
  tls:
    - hosts:
      - <domain_name>
      secretName: yc-certmgr-cert-id-<TLS_certificate_ID>
  rules:
    - host: <domain_name>
      http:
        paths:
          - path: /app1
            pathType: Exact
            backend:
              resource:
                apiGroup: alb.yc.io
                kind: HttpBackendGroup
                name: example-backend-group

    Where:

    • ingress.alb.yc.io/subnets: One or more subnets that Application Load Balancer will work with.

    • ingress.alb.yc.io/security-groups: One or more security groups for Application Load Balancer. If you skip this parameter, the default security group will be used. At least one of the security groups must allow an outgoing TCP connection to port 10501 in the Managed Service for Kubernetes node group subnet or its security group.

    • ingress.alb.yc.io/external-ipv4-address: Providing public online access to Application Load Balancer. Enter the previously obtained IP address or set auto to get a new IP address automatically.

      If you set auto, deleting the Ingress controller will also delete the IP address from the cloud. To avoid this, use an existing reserved IP address.

    • ingress.alb.yc.io/group-name: Group name. Kubernetes Ingress resources are grouped together, each group served by a separate Application Load Balancer instance.

      You can replace my-ingress-group with any group name you like. Make sure it meets the naming requirements.

    (Optional) Enter the advanced settings for the controller:

    • ingress.alb.yc.io/group-settings-name: Name for the Ingress resource group settings to be described in the optional IngressGroupSettings resource. For more information, see Configure the Ingress resource group.

    • ingress.alb.yc.io/internal-ipv4-address: Provide internal access to Application Load Balancer. Enter the internal IP address or use auto to obtain the IP address automatically.

      Note

      You can only use one type of access to Application Load Balancer at a time: ingress.alb.yc.io/external-ipv4-address or ingress.alb.yc.io/internal-ipv4-address.

    • ingress.alb.yc.io/internal-alb-subnet: Subnet for hosting the Application Load Balancer internal IP address. This parameter is required if the ingress.alb.yc.io/internal-ipv4-address parameter is selected.

    • ingress.alb.yc.io/protocol: Connection protocol used between the load balancer and backends:

      • http: HTTP/1.1. Default.
      • http2: HTTP/2.
      • grpc: gRPC.

    • ingress.alb.yc.io/prefix-rewrite: Replace the path for the specified value.

    • ingress.alb.yc.io/upgrade-types: Valid values of the Upgrade HTTP header, e.g., websocket.

    • ingress.alb.yc.io/request-timeout: Maximum period for which a connection can be established.

    • ingress.alb.yc.io/idle-timeout: Maximum connection keep-alive time without data transmission.

      The request-timeout and idle-timeout values must be specified with units of measurement, e.g., 300ms or 1.5h. Valid units of measurement:

      • ns, nanoseconds
      • us, microseconds
      • ms, milliseconds
      • s, seconds
      • m, minutes
      • h, hours

    • ingress.alb.yc.io/security-profile-id: Support for Yandex Smart Web Security that allows you to get protected against DDoS attacks and bots, plus enable WAF and limit the load on the resource you are protecting.

      To enable support for Yandex Smart Web Security, specify the previously created Smart Web Security security profile in the Ingress annotation:

      ingress.alb.yc.io/security-profile-id: <security_profile_ID>

      Note

      To connect your security profile to an Application Load Balancer virtual host, the service account used to operate the Ingress controller must have the smart-web-security.editor role for the folder hosting Application Load Balancer and Smart Web Security resources. For more information, see Assigning a role to a service account.

    • ingress.alb.yc.io/use-regex: Support for RE2 regular expressions when matching the request path. If the true string is provided, the support is enabled. Only applies if the pathType parameter is set to Exact.

    Note

    The settings only apply to the hosts of the given controller rather than the entire Ingress group.

    For more information about the Ingress resource settings, see Ingress resource fields and annotations.

  5. Create an Ingress controller, a HttpBackendGroup object, and a Kubernetes application:

    kubectl apply -f .

  6. Wait until the Ingress controller is created and assigned a public IP address. This may take several minutes.

    To track the progress of controller creation and check that it is error-free, open the logs of the pod the controller creation process has been run in:

    1. In the management console, go to the folder page and select Managed Service for Kubernetes.

    2. Click your cluster's name and select Workload in the left-hand panel.

    3. Select one of the alb-demo-*** pods the Ingress controller creation process has been run in.

    4. Go to the Logs tab on the pod page.

      You will see the Ingress controller creation logged, with the logs displayed in real time. Any errors that occur will also be logged.

  7. Make sure the Ingress controller has been created. To do this, run the appropriate command and check that the command output shows the following value in the ADDRESS field:

    kubectl get ingress alb-demo-tls

    Result:

    NAME          CLASS   HOSTS           ADDRESS     PORTS    AGE
alb-demo-tls  <none>  <domain_name>  <IP_address>  80,443  15h

    Based on the Ingress controller configuration, an L7 load balancer will be automatically deployed.

By default, the Application Load Balancer Ingress controller receives application health check requests from the L7 load balancer at TCP port 10501 and health checks the kube-proxy pods on each cluster node. If kube-proxy is healthy, then, even if an application in a particular pod does not respond, Kubernetes will redirect traffic to a different pod with that application or to a different node.

You can use the HttpBackendGroup resource parameters to customize health checks. For more information, see Health checking your applications in a Yandex Managed Service for Kubernetes cluster with the Yandex Application Load Balancer Ingress controller.

(Optional) Configure the Ingress resource group

If you specified a name for the Ingress resource group settings in the ingress.alb.yc.io/group-settings-name annotation when installing the Ingress controller, you can specify logging settings for the L7 load balancer. To do this, create a custom log group and specify the Ingress resource group settings in the optional IngressGroupSettings resource.

  1. Create a settings.yaml file with your logging settings and the custom log group ID, e.g.:

    apiVersion: alb.yc.io/v1alpha1
kind: IngressGroupSettings
metadata:
  name: <name_for_Ingress_resource_group_settings>
logOptions:
  logGroupID: <user_log_group_ID>
  discardRules:
    - discardPercent: 50
      grpcCodes:
        - OK
        - CANCELLED
        - UNKNOWN
    - discardPercent: 67
      httpCodeIntervals:
        - HTTP_1XX
    - discardPercent: 20
      httpCodes:
        - 200
        - 404

    Where name is the name for the Ingress resource group settings in the ingress.alb.yc.io/group-settings-name annotation.

  2. Apply the settings for the Ingress resource group:

    kubectl apply -f settings.yaml

Make sure the Managed Service for Kubernetes cluster applications are accessible through Application Load Balancer

  1. If you have no ExternalDNS with a plugin for Cloud DNS installed, add an A record to your domain zone. In the Value field, specify the public IP address of the Ingress controller. If you are using ExternalDNS with a plugin for Yandex Cloud DNS, this record will be created automatically.

  2. Test Application Load Balancer:

    Open the application URIs in your browser:

    https://<your_domain>/app1
https://<your_domain>/app2

    Make sure the applications are accessible via Application Load Balancer and return pages with the This is APP#1 and This is APP#2 text, respectively.

    Note

    If the resource is unavailable at the specified URL, make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.

    Open the application's URI in your browser:

    https://<your_domain>/app1

    Make sure that the target resources are accessible via Application Load Balancer.

    Note

    If the resource is unavailable at the specified URL, make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.

Delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. Delete the Managed Service for Kubernetes cluster.
  2. Delete the Application Load Balancer target groups.
  3. Delete the Object Storage bucket.
Previous
Setting up Gateway API
Next
Logging settings for Application Load Balancer Ingress controllers