Ingress controller for Managed Service for Kubernetes
Tip
We recommend using the new Yandex Cloud Gwin controller instead of an Application Load Balancer Ingress controller.
The ingress controller is an Application Load Balancer tool for creating and managing load balancers in Yandex Managed Service for Kubernetes clusters.
Once you install an ingress controller in your cluster, it will automatically deploy L7 load balancers with all required Application Load Balancer components configured according to your Ingress
For more details about configuring Application Load Balancer ingress controller resources, see the following sections:
- Ingress: Traffic routing and controller configuration.
- HttpBackendGroup and GrpcBackendGroup: Combining backends into groups.
- IngressClass: Managing multiple ingress controllers in a Kubernetes cluster.
- Service: Description of Kubernetes services used as backends.
Configuration example
Below you can see an abbreviated Ingress resource configuration example describing a load balancer that receives HTTPS requests and routes them to one of two service backends based on their URI paths.
Example
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-demo-tls
spec:
  tls:
    - hosts:
        - <domain_name>
      secretName: yc-certmgr-cert-id-<certificate_ID>
  rules:
    - host: <domain_name>
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: alb-demo-1
                port:
                  number: 80
          - path: /app2
            pathType: Prefix
            backend:
              service:
                name: alb-demo-2
                port:
                  number: 80
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: alb-demo-2
                port:
                  name: http
Where secretName references the Yandex Certificate Manager certificate ID in the yc-certmgr-cert-id-<certificate_ID> format.
In ALB ingress controller version 0.2.0, this Ingress configuration maps backend groups to the backend.service specification, while in versions 0.1.x, backend groups are defined by a combination of the host, http.paths.path, and http.paths.pathType fields. This may result in collisions during an ALB ingress controller upgrade. To avoid them, check the upgrade restrictions that apply to your infrastructure.
Installation and requirements
To install the Application Load Balancer ingress controller, you need:
- Managed Service for Kubernetes cluster.
- Cluster node group.
- Cluster namespace to store your service account key.
To learn how to install the ingress controller, see this guide.
Logging settings
To set up logging for an L7 load balancer created via the Application Load Balancer ingress controller in a Managed Service for Kubernetes cluster, configure its ingress group settings in the IngressGroupSettings resource and specify the resource name in the new ingress.alb.yc.io/group-settings-name annotation. For more information, see Ingress resource annotations.
Yandex Smart Web Security integration
In the ingress controller, you can enable Yandex Smart Web Security, including DDoS protection, WAF, and resource overload protection.
This service checks HTTP requests sent to the protected resource through the L7 load balancer virtual host. Depending on check results, it forwards the requests to the protected resource, blocks them, or sends them to Yandex SmartCaptcha for additional verification.
To enable this service, specify the Smart Web Security security profile ID in the Ingress annotation:
ingress.alb.yc.io/security-profile-id: <security_profile_ID>
This profile contains validation conditions and actions performed on incoming HTTP requests following the check results.
If you do not have a security profile, create one.
Traffic routing using multiple ingress controllers
You can deploy multiple ingress controllers, e.g., Application Load Balancer and NGINX, for a single application. To keep traffic routing properly isolated, define a dedicated IngressClass resource for each ingress controller. Specify the Ingress resource's IngressClass in its spec.ingressClassName field. See a GitHub example: Ingress resources and routing traffic across multiple ingress controllers.
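The following audit script is an added example, not part of the original documentation or the controller's code. It checks Ingress objects for the two settings described above (the Smart Web Security profile annotation and spec.ingressClassName) and for rule hosts missing from spec.tls. The sample input, the alb-class class name, and the function names are constructed for illustration; the input is assumed to have the shape of `kubectl get ingress -A -o json` output.

```python
import json

SWS_ANNOTATION = "ingress.alb.yc.io/security-profile-id"  # annotation named on this page

# Constructed sample shaped like `kubectl get ingress -A -o json`; all values are made up.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "alb-demo-tls", "namespace": "default",
                "annotations": {"ingress.alb.yc.io/security-profile-id": "example-profile-id"}},
   "spec": {"ingressClassName": "alb-class",
            "tls": [{"hosts": ["app.example.com"], "secretName": "yc-certmgr-cert-id-example"}],
            "rules": [{"host": "app.example.com"}]}},
  {"metadata": {"name": "legacy", "namespace": "default"},
   "spec": {"tls": [{"hosts": ["a.example.com"], "secretName": "yc-certmgr-cert-id-example"}],
            "rules": [{"host": "a.example.com"}, {"host": "b.example.com"}]}}
]}
""")


def audit_ingress(ing):
    """Return a list of findings for one Ingress object (a dict)."""
    meta, spec = ing.get("metadata", {}), ing.get("spec", {})
    findings = []
    if not spec.get("ingressClassName"):
        findings.append("no spec.ingressClassName: not pinned to one ingress controller")
    if not (meta.get("annotations") or {}).get(SWS_ANNOTATION):
        findings.append("no Smart Web Security profile annotation")
    # Exact host comparison only; wildcard entries in spec.tls are not expanded.
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host not in tls_hosts:
            findings.append(f"host {host or '<any>'} has no matching spec.tls entry")
    return findings


def audit(doc):
    """Map 'namespace/name' to findings, for Ingresses with at least one finding."""
    report = {}
    for ing in doc.get("items", []):
        meta = ing.get("metadata", {})
        found = audit_ingress(ing)
        if found:
            report[f"{meta.get('namespace', 'default')}/{meta.get('name')}"] = found
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

To run it against a live cluster, replace SAMPLE with the parsed JSON output of the kubectl command above.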
See also
- Controller operating principles.
- Security group configuration for a Kubernetes cluster and a load balancer.
- Service account to support controller operation.
- ALB ingress Controller in Yandex Cloud Marketplace.