Installing an Application Load Balancer Ingress controller for Managed Service for Kubernetes

To balance the load and distribute traffic between Kubernetes applications, you can use an Yandex Application Load Balancer ingress controller. It will launch the L7 load balancer and its auxiliary resources when you create an Ingress resource in a Managed Service for Kubernetes cluster.

Getting startedGetting started

1. If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

   By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

2. Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.

   Make sure you have configured security groups for Application Load Balancer as well.

   Warning

   The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

3. Create an ingress controller service account and assign it the following roles for the folder:

   • alb.editor: To create Application Load Balancer resources.
   • vpc.publicAdmin: To manage external network connectivity.
   • certificate-manager.certificates.downloader: To use certificates registered in Yandex Certificate Manager.
   • compute.viewer: To use Managed Service for Kubernetes cluster nodes in the L7 load balancer target groups.
   • smart-web-security.editor: To connect your Yandex Smart Web Security security profile to the L7 load balancer virtual host. This is an optional setting.

4. Create an authorized access key for the service account in JSON format and save it to the sa-key.json file:

   yc iam key create \
     --service-account-name <name_of_service_account_for_ingress_controller> \
     --output sa-key.json
   

Installation from Yandex Cloud MarketplaceInstallation from Yandex Cloud Marketplace

1. Navigate to the folder dashboard and select Managed Service for Kubernetes.

2. Click the name of the cluster you need and select the Marketplace tab.

3. Under Application available for installation, select ALB ingress controller and click Go to install.

4. Configure the application:

   • Namespace: Create a new namespace, e.g., alb-ingress-controller-space. If you leave the default namespace, the ALB ingress controller may work incorrectly.

   • Application name: Specify the application name.

   • Folder ID: Specify the folder ID.

   • Cluster ID: Specify the cluster ID.

   • Service account key: Paste the contents of the sa-key.json file.

   • Enable default health checks: Select this option to install DaemonSet in the node group network for application health checks.

     DaemonSet adds pods with traffic monitoring agents to each node. As a result, node and namespace isolation does not affect monitoring process, which means you get accurate traffic monitoring data. If the number of cluster nodes scales up or down, DaemonSet adds or removes monitoring agents, respectively.

     You can skip this option if you do not need to run cluster health checks or if you are using your own health check solution. For more information on configuring health checks manually, see Health checking applications in a Yandex Managed Service for Kubernetes cluster via a Yandex Application Load Balancer.

5. Click Install.

6. Wait for the application to change its status to Deployed.

Installation using a Helm chartInstallation using a Helm chart

1. Install Helm v3.8.0 or higher.

2. Install kubect and configure it to work with the new cluster.

3. Install jq for stream processing of JSON files:

   sudo apt update && sudo apt install jq
   

4. To install a Helm chart with an ingress controller, run this command:

   cat sa-key.json | helm registry login cr.yandex --username 'json_key' --password-stdin && \
   helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/yc-alb-ingress/yc-alb-ingress-controller-chart \
     --version v0.2.26 \
     --untar && \
   helm install \
     --namespace <namespace> \
     --create-namespace \
     --set folderId=<folder_ID> \
     --set clusterId=<cluster_ID> \
     --set enableDefaultHealthChecks=<true_or_false> \
     --set-file saKeySecretKey=sa-key.json \
     yc-alb-ingress-controller ./yc-alb-ingress-controller-chart/
   

   Note

   If you are using a Helm version below 3.8.0, append the export HELM_EXPERIMENTAL_OCI=1 && \ string to the command to enable Open Container Initiative (OCI) support in the Helm client.

   If you set namespace to the default namespace, the ALB ingress controller may work incorrectly. We recommend specifying a value different from all the existing namespaces, e.g., alb-ingress-controller-space.

   The enableDefaultHealthChecks option enables application health checks in a cluster. With this option selected, the ALB ingress controller installs DaemonSet in the node group network.

   DaemonSet adds pods with traffic monitoring agents to each node. As a result, node and namespace isolation does not affect monitoring process, which means you get accurate traffic monitoring data. If the number of cluster nodes scales up or down, DaemonSet adds or removes monitoring agents, respectively.

   You can skip this option if you do not need to run cluster health checks or if you are using your own health check solution. For more information on configuring health checks manually, see Health checking applications in a Yandex Managed Service for Kubernetes cluster via a Yandex Application Load Balancer.

Use casesUse cases

• Setting up an Application Load Balancer ingress controller.
• Logging settings for Application Load Balancer ingress controllers.

See alsoSee also

• Check information about ingress controllers in these guides:
  • Kubernetes.
  • Application Load Balancer.
• Restrictions when updating the ALB Ingress Controller