Gwin controller for Yandex Managed Service for Kubernetes
Yandex Application Load Balancer introduces Gwin, a tool for creating and managing load balancers in Yandex Managed Service for Kubernetes clusters.
The Gwin controller installed in a cluster automatically deploys L7 load balancers based on the configuration of the Kubernetes resources you created.
The controller supports the Ingress
Supported Kubernetes resources:
- Ingress: Standard Kubernetes resource, its capabilities enhanced by annotations.
- IngressPolicy: Provides additional capabilities for all Application Load Balancer resources.
- IngressBackendGroup: Allows configuring backend groups.
- ServicePolicy: Allows configuring target groups.
- Service: Contains a description of Kubernetes services used as backends.
- Gateway: Contains rules for accepting and routing incoming traffic.
- GatewayPolicy: Provides additional capabilities for load balancers, routers, and listeners.
- HTTPRoute: Contains rules for routing HTTP and HTTPS traffic across backends.
- GRPCRoute: Contains rules for routing gRPC traffic across backends.
- TLSRoute: Contains rules for routing TLS traffic across backends.
- RoutePolicy: Provides additional capabilities for virtual hosts and routes.
- YCStorageBucket: Corresponds to a Yandex Object Storage bucket.
- YCCertificate: Corresponds to a Yandex Certificate Manager certificate.
Here is how the Gwin controller works:
To learn how to install the Gwin controller, see this guide.
Tip
You can use an existing Application Load Balancer infrastructure for Kubernetes resources via Gwin using the attachment mechanism.
Configuration examples
Below are two configuration examples: one using Gateway API resources and the other, Ingress resources. Both examples create an Application Load Balancer that:
- Automatically gets a dynamic public IP address.
- Accepts HTTP traffic on port 80.
- Accepts HTTPS traffic on port 443 using a certificate in Certificate Manager.
- Sends GET requests to a test service named example-service.
```yaml
# Gateway API example
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: example-ns
spec:
  gatewayClassName: gwin-default
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      hostname: "example.com"
      allowedRoutes:
        namespaces:
          from: Same  # only routes in the Gateway's own namespace may attach
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "example.com"
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        certificateRefs:
          - group: gwin.yandex.cloud
            kind: YCCertificate
            name: example-certificate
  addresses:
    - type: gwin.yandex.cloud/autoIPv4
      value: auto
---
# Redirects all traffic on the http listener to HTTPS
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: example-redirect-httproute
  namespace: example-ns
spec:
  hostnames:
    - "example.com"
  parentRefs:
    - name: example-gateway
      sectionName: http
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
---
# Routes GET /api requests from the https listener to example-service
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: example-httproute
  namespace: example-ns
spec:
  hostnames:
    - "example.com"
  parentRefs:
    - name: example-gateway
      sectionName: https
  rules:
    - matches:
        - path:
            value: /api
            type: PathPrefix
          method: GET
      backendRefs:
        - kind: Service
          name: example-service
          port: 80
---
# Points to the certificate in Certificate Manager used by the https listener
apiVersion: gwin.yandex.cloud/v1
kind: YCCertificate
metadata:
  name: example-certificate
  namespace: example-ns
spec:
  certificateRef:
    certificateID: "<certificate_ID>"
```
```yaml
# Ingress example
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: example-ns
  annotations:
    gwin.yandex.cloud/groupName: example
    gwin.yandex.cloud/externalIPv4Address: auto
    gwin.yandex.cloud/rules.allowedMethods: "GET"
spec:
  ingressClassName: gwin-default
  rules:
    - host: example.com
      http:
        paths:
          - pathType: Prefix
            path: "/api"
            backend:
              service:
                name: example-service
                port:
                  number: 80
  tls:
    - hosts:
        - example.com
      # Certificate Manager certificate, referenced by its ID
      secretName: "yc-certmgr-cert-id-<certificate_ID>"
```
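The Gateway API example relies on `sectionName` to keep example-httproute off the port 80 listener: under standard Gateway API semantics, a parentRef without `sectionName` attaches to every listener that accepts the route. The check below is an added example, not part of the Gwin documentation or code; it audits Gateway and HTTPRoute objects for that and for two related listener settings. The function names and the sample objects are constructed for illustration.

```python
def is_https_redirect(rule):
    """True if the rule has a RequestRedirect filter that switches the scheme to https."""
    return any(f.get("type") == "RequestRedirect"
               and f.get("requestRedirect", {}).get("scheme") == "https"
               for f in rule.get("filters", []))

def attaches(route, gw, listener):
    """True if a parentRef selects this listener; an omitted sectionName selects all of them."""
    route_ns = route["metadata"]["namespace"]
    return any(p["name"] == gw["metadata"]["name"]
               and p.get("namespace", route_ns) == gw["metadata"]["namespace"]
               and p.get("sectionName") in (None, listener["name"])
               for p in route["spec"].get("parentRefs", []))

def audit(items):
    """Findings for Gateway/HTTPRoute objects, e.g. the `items` of `kubectl get ... -o json`."""
    findings = []
    routes = [o for o in items if o["kind"] == "HTTPRoute"]
    for gw in (o for o in items if o["kind"] == "Gateway"):
        for lst in gw["spec"].get("listeners", []):
            where = f'{gw["metadata"]["name"]}/{lst["name"]}'
            # Gateway API defaults allowedRoutes.namespaces.from to Same when it is unset.
            src = lst.get("allowedRoutes", {}).get("namespaces", {}).get("from", "Same")
            if src != "Same":
                findings.append(f"{where}: accepts routes from other namespaces ({src})")
            if lst["protocol"] == "HTTPS" and not lst.get("tls", {}).get("certificateRefs"):
                findings.append(f"{where}: HTTPS listener without certificateRefs")
            for r in routes:
                if (lst["protocol"] == "HTTP" and attaches(r, gw, lst)
                        and not all(map(is_https_redirect, r["spec"].get("rules", [])))):
                    findings.append(f'{where}: {r["metadata"]["name"]} serves plaintext HTTP')
    return findings

def sample(api_section):
    """Constructed objects mirroring the page's Gateway API example (not real cluster output)."""
    def obj(kind, name, spec):
        return {"kind": kind, "metadata": {"name": name, "namespace": "example-ns"}, "spec": spec}
    same = {"namespaces": {"from": "Same"}}
    api_ref = {"name": "example-gateway", **({"sectionName": api_section} if api_section else {})}
    return [
        obj("Gateway", "example-gateway", {"listeners": [
            {"name": "http", "protocol": "HTTP", "port": 80, "allowedRoutes": same},
            {"name": "https", "protocol": "HTTPS", "port": 443, "allowedRoutes": same, "tls": {
                "certificateRefs": [{"kind": "YCCertificate", "name": "example-certificate"}]}}]}),
        obj("HTTPRoute", "example-redirect-httproute", {
            "parentRefs": [{"name": "example-gateway", "sectionName": "http"}],
            "rules": [{"filters": [{"type": "RequestRedirect", "requestRedirect": {"scheme": "https"}}]}]}),
        obj("HTTPRoute", "example-httproute", {"parentRefs": [api_ref], "rules": [
            {"backendRefs": [{"kind": "Service", "name": "example-service", "port": 80}]}]}),
    ]
```

`audit(sample("https"))` reproduces the page's configuration and returns no findings; `audit(sample(None))` drops `sectionName` from example-httproute and reports that the route is also served on the plaintext listener.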