Understanding Ingress Controllers
Internet (external traffic) → Ingress Controller (L7 load balancer) → Ingress Rules (routing config) → Services (backend apps)
Why Ingress Controllers?
- SSL/TLS Termination: Centralized HTTPS handling with automatic certificate management and secure connections.
- Path-based Routing: Route requests based on URL paths, enabling microservice architectures with a single entry point.
- Virtual Hosting: Host multiple domains on the same cluster with intelligent host-based routing.
- Load Balancing: Distribute traffic across backend services with health checks and failover capabilities.
- URL Rewriting: Transform and manipulate URLs before forwarding to backend services.
- Rate Limiting: Protect against DDoS attacks with configurable rate limiting and throttling.
Core Ingress Concepts
Basic Ingress Resource
Simple HTTP Routing
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-ingress
  annotations:
    # Deprecated way to select the controller; the later examples use spec.ingressClassName.
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 80
```
Path Types Explained
- Exact: Matches the exact path only
- Prefix: Matches based on URL prefix
- ImplementationSpecific: Depends on the Ingress Controller
```yaml
# Fragment of spec.rules[].http.paths (backends omitted)
paths:
- path: /api/v1/users
  pathType: Exact
- path: /api/
  pathType: Prefix
- path: /legacy
  pathType: ImplementationSpecific
```
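The difference between Exact and Prefix decides which backend, and therefore which auth or rate-limit annotations, a near-miss path such as `/apiv1` or `/api/v1/users/` reaches. The sketch below is an added example, not code from the original page or from any controller: it follows the matching rules in the Kubernetes Ingress API documentation (element-wise prefix, longest path wins, Exact beats Prefix on a tie), and the `users-exact` backend and the function names are assumptions made for illustration.

```python
# Added example: Ingress pathType matching per the Kubernetes Ingress API docs.
# Simplification: empty path elements are dropped, so "//api" is treated like "/api";
# a real controller may normalise such paths differently.

def _elements(path):
    # Split on "/" and drop empty labels, so "/api/" and "/api" compare equal.
    return [p for p in path.split("/") if p]

def matches(rule_path, path_type, request_path):
    if path_type == "Exact":
        # Case-sensitive string equality; a trailing slash makes it a different path.
        return request_path == rule_path
    if path_type == "Prefix":
        rule, req = _elements(rule_path), _elements(request_path)
        # Element-wise prefix, not string prefix: "/api" does not match "/apiv1".
        return req[:len(rule)] == rule
    raise ValueError("ImplementationSpecific: behaviour is defined by the controller")

def route(rules, request_path):
    """Return the backend name for request_path, or None if no rule matches."""
    candidates = [r for r in rules
                  if matches(r["path"], r["pathType"], request_path)]
    if not candidates:
        return None
    # Longest matching path wins; on equal length Exact takes precedence.
    best = max(candidates,
               key=lambda r: (len(r["path"]), r["pathType"] == "Exact"))
    return best["backend"]

# The two rules of simple-ingress above, plus one constructed Exact rule.
RULES = [
    {"path": "/api", "pathType": "Prefix", "backend": "api-service"},
    {"path": "/", "pathType": "Prefix", "backend": "frontend-service"},
    {"path": "/api/v1/users", "pathType": "Exact", "backend": "users-exact"},
]

if __name__ == "__main__":
    for p in ("/api", "/api/v1", "/apiv1", "/API", "/api/v1/users", "/api/v1/users/"):
        print(f"{p:18} -> {route(RULES, p)}")
```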
NGINX Ingress Controller
Installation
Install NGINX Ingress with Helm
```bash
# Add NGINX Ingress repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# Install NGINX Ingress Controller
helm install nginx-ingress ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace \
  --set controller.service.type=LoadBalancer \
  --set controller.metrics.enabled=true

# Verify installation
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx
```
Advanced NGINX Features
Rate Limiting & Security
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/limit-rps: "100"
    nginx.ingress.kubernetes.io/limit-connections: "10"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    # configuration-snippet is only honoured when the controller allows snippet
    # annotations (allow-snippet-annotations). It injects raw NGINX directives,
    # so restrict who may create Ingresses that use it.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: SAMEORIGIN";
      more_set_headers "X-Content-Type-Options: nosniff";
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - secure.example.com
    secretName: secure-tls
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: secure-service
            port:
              number: 80
```
Canary Deployments
```yaml
# Main Production Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: production-ingress
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-stable
            port:
              number: 80
---
# Canary Ingress (10% traffic)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: canary-ingress
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "10"
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-canary
            port:
              number: 80
```
Traefik Ingress Controller
Installation & Configuration
Install Traefik with Helm
```bash
# Add Traefik repository
helm repo add traefik https://helm.traefik.io/traefik
helm repo update

# Install Traefik
helm install traefik traefik/traefik \
  --namespace traefik \
  --create-namespace \
  --set dashboard.enabled=true \
  --set service.type=LoadBalancer

# Access Dashboard (port-forward)
kubectl port-forward -n traefik \
  $(kubectl get pods -n traefik --selector "app.kubernetes.io/name=traefik" -o name) \
  9000:9000
```
Traefik IngressRoute
IngressRoute with Middleware
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-ingressroute
spec:
  entryPoints:
  - web
  - websecure
  routes:
  - match: Host(`app.example.com`) && PathPrefix(`/api`)
    kind: Rule
    services:
    - name: api-service
      port: 8080
    middlewares:
    - name: api-stripprefix
    - name: rate-limit
  - match: Host(`app.example.com`)
    kind: Rule
    services:
    - name: frontend-service
      port: 80
  tls:
    certResolver: letsencrypt
```
Traefik Middlewares
```yaml
# Strip Prefix Middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: api-stripprefix
spec:
  stripPrefix:
    prefixes:
    - /api
---
# Rate Limiting Middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
spec:
  rateLimit:
    average: 100
    burst: 50
---
# Security Headers
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security-headers
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    browserXssFilter: true
    contentTypeNosniff: true
```
SSL/TLS Configuration
Automatic HTTPS with cert-manager
Let's Encrypt Certificate
```bash
# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
```

```yaml
# ClusterIssuer for Let's Encrypt
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
---
# Ingress with automatic TLS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.example.com
    secretName: app-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
```
Advanced Patterns
Blue-Green Deployments
Blue-Green with Ingress Switching
```yaml
# Blue Environment (Current)
apiVersion: v1
kind: Service
metadata:
  name: app-blue-service
spec:
  selector:
    app: myapp
    version: blue
  ports:
  - port: 80
---
# Green Environment (New)
apiVersion: v1
kind: Service
metadata:
  name: app-green-service
spec:
  selector:
    app: myapp
    version: green
  ports:
  - port: 80
---
# Ingress (Switch service name for deployment)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-blue-service # Change to app-green-service
            port:
              number: 80
```
API Gateway Pattern
Microservices API Gateway
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-gateway
  annotations:
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
    # ingress-nginx has no "rate-limit" annotation; limit-rps is the per-client
    # requests-per-second limit used in the secure-ingress example.
    nginx.ingress.kubernetes.io/limit-rps: "100"
    # Every request is sent to this endpoint first and forwarded only if it is accepted.
    nginx.ingress.kubernetes.io/auth-url: "http://auth-service.default.svc.cluster.local/verify"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - api.example.com
    secretName: api-tls
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /api/v1/users
        pathType: Prefix
        backend:
          service:
            name: user-service
            port:
              number: 8080
      - path: /api/v1/products
        pathType: Prefix
        backend:
          service:
            name: product-service
            port:
              number: 8080
      - path: /api/v1/orders
        pathType: Prefix
        backend:
          service:
            name: order-service
            port:
              number: 8080
```
Controller Comparison
| Feature | NGINX Ingress | Traefik | HAProxy Ingress |
|---|---|---|---|
| Performance | Excellent | Good | Excellent |
| Configuration | Annotations | CRDs/Annotations | Annotations |
| Dashboard | None (3rd party) | Built-in | Basic stats |
| Let's Encrypt | Via cert-manager | Built-in | Via cert-manager |
| Canary Deployments | Native support | Weighted routing | Limited support |
| Best For | High-performance, mature | Dynamic config, modern | Enterprise, complex LB |
⚠️ Security Best Practices
- Always use TLS/SSL in production environments
- Implement rate limiting to prevent abuse and DDoS attacks
- Use a Web Application Firewall (WAF) for additional protection
- Apply security updates to Ingress Controllers regularly
- Implement proper authentication and authorization
- Monitor and log all ingress traffic for security analysis
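Several items on this checklist can be checked statically before a manifest is applied. The following is an added example, not code from the original page or from any of the projects it describes: it audits Ingress objects (given as Python dicts, as they would look after loading the YAML) for missing TLS, missing rate limiting, raw NGINX snippets and CORS without an origin restriction. The finding labels and the `audit` and `rule` helpers are assumptions; the samples are trimmed copies of the page's `simple-ingress` and `secure-ingress`.

```python
# Added example: static checks for ingress-nginx Ingress manifests.
NGINX = "nginx.ingress.kubernetes.io/"
RATE_KEYS = ("limit-rps", "limit-rpm", "limit-connections")
SNIPPET_KEYS = ("configuration-snippet", "server-snippet")

def audit(ingress):
    """Return finding strings for one networking.k8s.io/v1 Ingress given as a dict."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec") or {}
    findings = []
    # Hosts covered by spec.tls (wildcard entries are compared literally here).
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    for r in spec.get("rules") or []:
        host = r.get("host", "*")  # a rule without host applies to every hostname
        if host not in tls_hosts:
            findings.append(f"no-tls:{host}")
    if ann.get(NGINX + "ssl-redirect") == "false":
        findings.append("ssl-redirect-disabled")
    if not any(NGINX + k in ann for k in RATE_KEYS):
        findings.append("no-rate-limit")
    for k in SNIPPET_KEYS:
        if NGINX + k in ann:
            findings.append(f"raw-nginx-snippet:{k}")  # injects controller config
    if ann.get(NGINX + "enable-cors") == "true" and NGINX + "cors-allow-origin" not in ann:
        findings.append("cors-any-origin")  # ingress-nginx default origin is "*"
    return findings

def rule(host):
    # Builds the minimal rule shape used by the constructed samples below.
    return {"host": host, "http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}

# Constructed samples: trimmed versions of simple-ingress and secure-ingress.
SIMPLE = {"metadata": {"name": "simple-ingress",
                       "annotations": {"kubernetes.io/ingress.class": "nginx"}},
          "spec": {"rules": [rule("app.example.com")]}}
SECURE = {"metadata": {"name": "secure-ingress", "annotations": {
              NGINX + "ssl-redirect": "true", NGINX + "limit-rps": "100",
              NGINX + "limit-connections": "10", NGINX + "enable-cors": "true",
              NGINX + "configuration-snippet":
                  'more_set_headers "X-Frame-Options: SAMEORIGIN";'}},
          "spec": {"tls": [{"hosts": ["secure.example.com"], "secretName": "secure-tls"}],
                   "rules": [rule("secure.example.com")]}}

if __name__ == "__main__":
    for ing in (SIMPLE, SECURE):
        print(ing["metadata"]["name"], audit(ing))
```

The same function can run in CI over rendered manifests or over the items returned by `kubectl get ingress -A -o json`.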