Kubernetes Ingress in Practice

What is Ingress?

A Kubernetes Service provides L4 control, while a Kubernetes Ingress provides L7 control.
This is very convenient because it lets you control path-based routing.

YAML files to apply

Please apply in order from the top.

Namespace definition:

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-sample

App definition:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-deploy-nginx
  namespace: ingress-sample
spec:
  replicas: 8
  selector:
    matchLabels:
      app: ingress-deploy-nginx
  template:
    metadata:
      labels:
        app: ingress-deploy-nginx
    spec:
      containers:
      - name: ingress-deploy-nginx
        image: nginx
        resources:
          limits:
            memory: "50Mi"
            cpu: "100m"
        ports:
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-deploy-apache
  namespace: ingress-sample
spec:
  replicas: 8
  selector:
    matchLabels:
      app: ingress-deploy-apache
  template:
    metadata:
      labels:
        app: ingress-deploy-apache
    spec:
      containers:
      - name: ingress-deploy-apache
        image: httpd
        resources:
          limits:
            memory: "50Mi"
            cpu: "100m"
        ports:
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-deploy-whoami
  namespace: ingress-sample
spec:
  replicas: 8
  selector:
    matchLabels:
      app: ingress-deploy-whoami
  template:
    metadata:
      labels:
        app: ingress-deploy-whoami
    spec:
      containers:
      - name: ingress-deploy-whoami
        image: jwilder/whoami
        resources:
          limits:
            memory: "50Mi"
            cpu: "100m"
        ports:
        - containerPort: 8000

Service definition:

apiVersion: v1
kind: Service
metadata:
  name: ingress-svc-nginx
  namespace: ingress-sample
spec:
  selector:
    app: ingress-deploy-nginx
  ports:
  - port: 80
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-svc-apache
  namespace: ingress-sample
spec:
  selector:
    app: ingress-deploy-apache
  ports:
  - port: 80
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-svc-whoami
  namespace: ingress-sample
spec:
  selector:
    app: ingress-deploy-whoami
  ports:
  - port: 8000

Ingress Service Account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-sample
  namespace: ingress-sample
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# on newer clusters use rbac.authorization.k8s.io/v1 for all four RBAC objects.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: ingress-sample-cr
rules:
# Read access to these resources, including Secrets, in every namespace
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - services
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - "extensions"
  - "networking.k8s.io"
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "extensions"
  - "networking.k8s.io"
  resources:
  - ingresses/status
  verbs:
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ingress-sample-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-sample-cr
subjects:
- kind: ServiceAccount
  name: ingress-sample
  namespace: ingress-sample
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: ingress-sample-role
  namespace: ingress-sample
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - update
  - create
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: ingress-sample-rb
  namespace: ingress-sample
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-sample-role
subjects:
- kind: ServiceAccount
  name: ingress-sample
  namespace: ingress-sample
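
The ClusterRole above includes secrets in its get/list/watch rule, and it is attached with a ClusterRoleBinding, so the controller's ServiceAccount can read Secrets in every namespace and not only the TLS Secret in ingress-sample. The following is an added example, not part of the original article: it resolves the bindings to show the scope of each grant. The JSON input is constructed from the manifests above, and the function name secret_read_grants is hypothetical.

```python
import json

# Constructed input: the RBAC objects from the manifests above, reduced to the
# rules that mention Secrets, in the shape `kubectl get ... -o json` returns.
OBJECTS = json.loads("""[
 {"kind": "ClusterRole", "metadata": {"name": "ingress-sample-cr"}, "rules": [
   {"apiGroups": [""], "verbs": ["get", "list", "watch"],
    "resources": ["configmaps", "endpoints", "nodes", "pods", "services", "secrets"]}]},
 {"kind": "Role", "metadata": {"name": "ingress-sample-role", "namespace": "ingress-sample"},
  "rules": [{"apiGroups": [""], "verbs": ["get"],
             "resources": ["configmaps", "pods", "secrets", "namespaces"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ingress-sample-crb"},
  "roleRef": {"kind": "ClusterRole", "name": "ingress-sample-cr"},
  "subjects": [{"kind": "ServiceAccount", "name": "ingress-sample", "namespace": "ingress-sample"}]},
 {"kind": "RoleBinding", "metadata": {"name": "ingress-sample-rb", "namespace": "ingress-sample"},
  "roleRef": {"kind": "Role", "name": "ingress-sample-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "ingress-sample", "namespace": "ingress-sample"}]}
]""")

READ_VERBS = {"get", "list", "watch", "*"}

def secret_read_grants(objects, sa_namespace, sa_name):
    """List (binding, scope, verbs) for each binding that lets the ServiceAccount read Secrets."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    grants = []
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace") == sa_namespace for s in b.get("subjects", [])):
            continue
        # The binding kind, not the role kind, decides how far the grant reaches.
        ns = b["metadata"].get("namespace") if b["kind"] == "RoleBinding" else None
        ref = b["roleRef"]
        role = roles.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        for rule in (role or {}).get("rules", []):
            verbs = sorted(READ_VERBS & set(rule.get("verbs", [])))
            if ({"", "*"} & set(rule.get("apiGroups", []))
                    and {"secrets", "*"} & set(rule.get("resources", [])) and verbs):
                grants.append((b["metadata"]["name"], ns or "cluster-wide", verbs))
    return grants

if __name__ == "__main__":
    for binding, scope, verbs in secret_read_grants(OBJECTS, "ingress-sample", "ingress-sample"):
        print(f"{binding}: {'/'.join(verbs)} on secrets, scope={scope}")
```

On a live cluster the same question can be asked directly with `kubectl auth can-i list secrets --as=system:serviceaccount:ingress-sample:ingress-sample --all-namespaces`.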

Ingress Secret:

  • Generate crt and key

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=ingress-test.local"

  • Transform crt and key to base64

cat tls.crt | base64 -w0
cat tls.key | base64 -w0

apiVersion: v1
kind: Secret
metadata:
  # Name and namespace must match the -default-server-tls-secret argument
  # and the Ingress secretName used below.
  name: ingress-sample-secret
  namespace: ingress-sample
type: kubernetes.io/tls
data:
  tls.crt: <Base64 encoded certificate>
  tls.key: <Base64 encoded key>

Ingress configuration:

Ingress Config Map

kind: ConfigMap
apiVersion: v1
metadata:
  name: ingress-sample-cfgmap
  namespace: ingress-sample

Ingress Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-deploy-controller
  namespace: ingress-sample
spec:
  replicas: 3
  selector:
    matchLabels:
      app: ingress-deploy-controller
  template:
    metadata:
      labels:
        app: ingress-deploy-controller
    spec:
      # Runs with the ServiceAccount and RBAC permissions defined above
      serviceAccountName: ingress-sample
      containers:
      - name: ingress-deploy-controller
        image: nginx/nginx-ingress:edge
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        args:
        - -nginx-configmaps=$(POD_NAMESPACE)/ingress-sample-cfgmap
        - -default-server-tls-secret=$(POD_NAMESPACE)/ingress-sample-secret

Ingress Service

apiVersion: v1
kind: Service
metadata:
  name: ingress-svc-controller
  namespace: ingress-sample
spec:
  type: NodePort
  selector:
    app: ingress-deploy-controller
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80
  - name: https
    protocol: TCP
    port: 443
    targetPort: 443
  externalIPs:
  - 10.21.21.230
  externalTrafficPolicy: Cluster

Ingress Rule:

# extensions/v1beta1 Ingress was removed in Kubernetes 1.22;
# newer clusters need networking.k8s.io/v1, which uses a different backend schema.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: ingress-sample
spec:
  rules:
  - host: ingress-test.local
    http:
      paths:
      - path: /nginx
        backend:
          serviceName: ingress-svc-nginx
          servicePort: 80
      - path: /apache
        backend:
          serviceName: ingress-svc-apache
          servicePort: 80
  # Default backend: receives requests that match none of the paths above
  backend:
    serviceName: ingress-svc-whoami
    servicePort: 8000
  tls:
  - hosts:
    - ingress-test.local
    secretName: ingress-sample-secret

Testing:

If you request a path that does not exist in the rules, the request is forwarded to the Service specified in spec.backend.
