Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Ingress controller for Managed Service for Kubernetes

Written by
Updated at August 30, 2024

Application Load Balancer provides the Application Load Balancer Ingress controller — a tool you can use to create and manage load balancers in Yandex Managed Service for Kubernetes clusters.

The Ingress controller installed in the cluster will automatically deploy L7 load balancers with all the required Application Load Balancer resources based on the configuration of the Ingress resources you created.

For full configuration of the resources for the Application Load Balancer Ingress controller, see the following sections:

  • Ingress: Backend traffic distribution and Ingress controller configuration rules.
  • HttpBackendGroup: Combining backends into groups.
  • IngressClass: Managing multiple Ingress controllers in a Kubernetes cluster.
  • Service: Description of Kubernetes services used as backends.

Sample configuration

Below is an abbreviated sample configuration for an Ingress resource. It will be used to create a load balancer to receive HTTPS traffic and to distribute it to two services based on the URI request path.

Example
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-demo-tls
spec:
  tls:
    - hosts:
        - <domain_name>
      secretName: yc-certmgr-cert-id-<certificate_ID>
  rules:
    - host: <domain_name>
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: alb-demo-1
                port:
                  number: 80
          - path: /app2
            pathType: Prefix
            backend:
              service:
                name: alb-demo-2
                port:
                  number: 80
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: alb-demo-2
                port:
                  name: http

Where secretName is the ID of the certificate from Yandex Certificate Manager.

With this Ingress resource configuration in ALB Ingress Controller version 0.2.0 and later, the backend groups correspond to the backend.service parameter. Versions 0.1.x use other parameters: host, http.paths.path, and http.paths.pathType. As a result, collisions may occur when updating the ALB Ingress Controller. To avoid them, find out whether upgrade restrictions apply to your infrastructure.

Installation and requirements

To install the Application Load Balancer Ingress controller, you need:

  • Managed Service for Kubernetes cluster.
  • Cluster node group.
  • Cluster namespace to store the service account key.

To learn how to install the Ingress controller, see this guide.

Logging settings

To set up logging for an L7 load balancer created using the Application Load Balancer Ingress controller in your Managed Service for Kubernetes cluster, add the ingress.alb.yc.io/group-settings-name annotation with a name for the Ingress resource group settings and specify the settings in the additional IngressGroupSettings resource. For more information, see Ingress resource annotations.

Integration with Yandex Smart Web Security

In the Ingress controller, you can enable support for Yandex Smart Web Security that allows you to get protected against DDoS attacks and bots, as well as use a WAF and reduce the load on the resource being protected.

The service checks HTTP requests sent to the protected resource via the virtual host of the L7 load balancer. Depending on the results of the check, the service sends requests to the virtual host, blocks them, or sends them to Yandex SmartCaptcha for additional verification.

To enable support for the service, specify the Smart Web Security security profile ID in the Ingress annotation:

ingress.alb.yc.io/security-profile-id: <security_profile_ID>

The profile contains a list of verification conditions and actions applied to incoming HTTP requests based on verification results.

If you do not have a security profile, create one.

Traffic routing using multiple Ingress controllers

For a single application, you can use multiple Ingress controllers, such as Application Load Balancer and NGINX. To correctly route traffic in such infrastructure, create an IngressClass resource for each Ingress controller. In the Ingress resource, specify the IngressClass your Ingress resource refers to in the spec.ingressClassName field. On GitHub, you can find an example of how to configure Ingress resources and route traffic using multiple Ingress controllers.

See also

Previous
Overview
Next
How it works