Kubernetes Ingress Controller Deep Dive
1. Introduction
Kubernetes Ingress¹ is an API object that manages external access to services in a cluster, typically HTTP and HTTPS traffic. It is managed by an Ingress Controller², which watches the Ingress resources and acts on them. There are multiple well-known Ingress Controller types, including:
- Cloud-native Controllers: provision and integrate with cloud-provider-specific load balancers, such as Network Load Balancers in AWS.
- Software-based Controllers: provision software load balancers and reverse proxies, such as nginx, traefik, or envoy.
2. Architecture
2.1. Components
Ingress controllers run as Kubernetes pods and implement the following control loop:
- Watch loop: watches for changes to Ingress, Service, and Endpoints resources
- Configuration sync: translates Kubernetes resources into load balancer configuration
- Health management: monitors backend pod health and updates routing accordingly
2.2. Config Map Management
The controller dynamically updates nginx.conf based on Ingress resources: the nginx configuration is rendered on the fly from Go templates, and nginx is then sent SIGHUP³ to reload it.
2.3. Service Discovery
Controllers discover backend pods through multiple mechanisms, such as the Endpoints API, EndpointSlices, and DNS resolution.
3. Request Flow
4. Cloud Provider Integration
Cloud provider ingress controllers automatically configure some default settings, such as:
- Security groups and Network ACLs
- Health checks
- Backend configuration: Services are registered as load balancer targets
- Multi-AZ target distribution
5. Advanced features
5.1. Path-based Routing
Ingress controllers support sophisticated routing patterns, such as:
- Exact Path Matching: for example, matching /api/v1/users to user-service
- Path Prefix Matching
- Regex Patterns: specific to nginx
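The exact and prefix matching described above, as an added example (not code from the article or from any ingress controller): a small Python model of the Ingress pathType semantics, using a constructed rule table whose user-service entry follows the article's example.

```python
"""Model of Kubernetes Ingress pathType matching (added example).
Rules, as the Ingress API documents them:
  * Exact:  request path must equal the rule path, case-sensitively.
  * Prefix: element-wise match on '/'-separated segments, so '/foo' matches
            '/foo' and '/foo/bar' but not '/foobar'; '/' matches everything.
  * Several matches: the longest path wins; on a tie Exact beats Prefix."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PathRule:
    path: str       # path on the Ingress rule
    path_type: str  # "Exact" or "Prefix"
    backend: str    # Service the rule routes to

def _segments(path: str) -> list[str]:
    # Drop empty labels so '/foo/' and '/foo' compare equal as prefixes.
    return [s for s in path.split("/") if s]

def rule_matches(rule: PathRule, request_path: str) -> bool:
    if rule.path_type == "Exact":
        return rule.path == request_path
    if rule.path_type == "Prefix":
        want, have = _segments(rule.path), _segments(request_path)
        # Every rule segment must equal the request segment at the same index.
        return have[:len(want)] == want
    raise ValueError(f"unsupported pathType {rule.path_type!r}")

def select_backend(rules: list[PathRule], request_path: str) -> Optional[str]:
    """Backend name for request_path, or None when no rule matches."""
    candidates = [r for r in rules if rule_matches(r, request_path)]
    if not candidates:
        return None
    # Longest rule path first; Exact outranks Prefix when lengths tie.
    best = max(candidates, key=lambda r: (len(r.path), r.path_type == "Exact"))
    return best.backend

# Constructed rule table; user-service mirrors the article's own example.
RULES = [
    PathRule("/", "Prefix", "frontend"),
    PathRule("/api", "Prefix", "api-gateway"),
    PathRule("/api/v1/users", "Exact", "user-service"),
    PathRule("/admin", "Prefix", "admin-service"),
]

if __name__ == "__main__":
    for p in ["/api/v1/users", "/api/v1/users/42", "/adminx", "/admin/"]:
        print(p, "->", select_backend(RULES, p))
```

Because matching is per path element, a Prefix rule for /admin does not cover /adminx; any access-control assumption tied to a path rule should be checked with the same element-wise semantics the controller applies.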
5.2. Load Balancing Algorithms
Multiple load balancing algorithms are also supported:
- Round Robin (default): traffic is distributed evenly across all pods
- Least Connections: more traffic is routed to pods with fewer open connections
- IP Hash (Session Affinity): a hash of several parameters, such as source IP and source port, is computed and mapped to a target
- Weighted Distribution: user-defined weights for different backend IPs
5.3. More advanced features
- cert-manager integration for automatic certificate provisioning and renewal
- Session affinity: cookie-based (with nginx) or IP-based
- Rate limiting
- WAF (Web App Firewall) integration
- Multi-zone deployments
6. What Next
I enjoyed this deep dive into ingress controllers. Next, I want to explore how Kubernetes controllers work in general and learn how to build custom controllers.
1. Ingress: https://kubernetes.io/docs/concepts/services-networking/ingress/
2. Ingress Controller: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
3. SIGHUP (Signal Hang Up): Linux signal used to disconnect from a session, also used to trigger config reloads.
This article is part of the series: "Kubernetes"
- Part 1: Kubernetes ClusterIP Resilience During Availability Zone Failures
- Part 2: Kubernetes Ingress Controller Deep Dive (this article)