Installing the Application Load Balancer Ingress controller

To balance the load and distribute traffic between Kubernetes applications, use an Yandex Application Load Balancer Ingress controller. It runs the L7 load balancer and the required auxiliary resources when the user creates an Ingress resource in a Managed Service for Kubernetes cluster.

Getting startedGetting started

1. If you do not have the Yandex Cloud command line interface yet, install and initialize it.

   The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

2. Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.

   Make sure you have configured the security groups required for Application Load Balancer as well.

   Warning

   The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

3. Create a service account for the Ingress controller to run and assign the following folder roles to it:

   • alb.editor: To create the required Application Load Balancer resources.
   • vpc.publicAdmin: To manage external network connectivity.
   • certificate-manager.certificates.downloader: To use certificates registered in Yandex Certificate Manager.
   • compute.viewer: To use Managed Service for Kubernetes cluster nodes in the L7 load balancer target groups.
   • smart-web-security.editor: (Optional) To connect your Yandex Smart Web Security security profile to a virtual host of the L7 load balancer.

4. Create an authorized access key for the service account in JSON format and save it to the sa-key.json file:

   yc iam key create \
     --service-account-name <name_of_service_account_for_Ingress_controller> \
     --output sa-key.json
   

Installation using Yandex Cloud MarketplaceInstallation using Yandex Cloud Marketplace

1. Go to the folder page and select Managed Service for Kubernetes.

2. Click the name of the cluster you need and select the Marketplace tab.

3. Under Application available for installation, select ALB Ingress Controller and click Go to install.

4. Configure the application:

   • Namespace: Select a namespace or create a new one.

   • Application name: Specify the app name.

   • Folder ID: Specify a folder ID.

   • Cluster ID: Specify a cluster ID.

   • Service account key: Paste the contents of the sa-key.json file.

   • Enable default health checks: Select this option to install the DaemonSet resource in the node group network for application health checks.

     The resource adds pods with traffic monitoring agents to each node. As a result, node and namespace isolation does not affect monitoring, which means you get accurate traffic monitoring info. DaemonSet adds or removes monitoring agents as the number of cluster nodes goes up or down, respectively.

     You can omit this option if you do not need to run cluster health checks or if you are using your own checks. For more information on setting up health checks manually, see Health checking your applications in a Yandex Managed Service for Kubernetes cluster with the Yandex Application Load Balancer Ingress controller.

5. Click Install.

6. Wait for the application to change its status to Deployed.

Installation using a Helm chartInstallation using a Helm chart

1. Install Helm v3.8.0 or higher.

2. Install kubectl and configure it to work with the created cluster.

3. Install the jq utility for stream processing of JSON files:

   sudo apt update && sudo apt install jq
   

4. To install a Helm chart with the Ingress controller, run this command:

   cat sa-key.json | helm registry login cr.yandex --username 'json_key' --password-stdin && \
   helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/yc-alb-ingress/yc-alb-ingress-controller-chart \
     --version v0.2.11 \
     --untar && \
   helm install \
     --namespace <namespace> \
     --create-namespace \
     --set folderId=<folder_ID> \
     --set clusterId=<cluster_ID> \
     --set enableDefaultHealthChecks=<true_or_false> \
     --set-file saKeySecretKey=sa-key.json \
     yc-alb-ingress-controller ./yc-alb-ingress-controller-chart/
   

   Note

   If you are using a Helm version below 3.8.0, append the export HELM_EXPERIMENTAL_OCI=1 && \ string to the command to enable Open Container Initiative (OCI) support in the Helm client.

   The enableDefaultHealthChecks parameter enables health checks for applications in a cluster. To do this, the Ingress controller installs the DaemonSet resource in the node group network.

   The resource adds pods with traffic monitoring agents to each node. As a result, node and namespace isolation does not affect monitoring, which means you get accurate traffic monitoring info. DaemonSet adds or removes monitoring agents as the number of cluster nodes goes up or down, respectively.

   You can omit this option if you do not need to run cluster health checks or if you are using your own checks. For more information on setting up health checks manually, see Health checking your applications in a Yandex Managed Service for Kubernetes cluster with the Yandex Application Load Balancer Ingress controller.

Use casesUse cases

• Application Load Balancer Ingress controller configuration tutorial.
• Application Load Balancer Ingress controller logging configuration tutorial.

See alsoSee also

• Description of Ingress controllers in the documentation:
  • Kubernetes.
  • Application Load Balancer.
• Restrictions when updating the ALB Ingress Controller.