Container Service for Kubernetes: Configure an Ingress controller to use an internal-facing SLB instance

Last Updated: Aug 08, 2023

You can configure Container Service for Kubernetes (ACK) clusters to allow access from the Internet and access from other services in the same virtual private cloud (VPC). This topic describes how to configure an Ingress controller to use an internal-facing Server Load Balancer (SLB) instance.

Prerequisites

  • An ACK cluster is created. For more information, see Create an ACK managed cluster.

  • You are connected to a master node by using SSH if you use an ACK dedicated cluster. For more information, see Use SSH to connect to the master nodes of an ACK dedicated cluster.

    Note

    The master nodes of an ACK dedicated cluster are created and maintained by users. To facilitate cluster maintenance and management, ACK allows you to connect to the master nodes of an ACK dedicated cluster by using SSH.

Background information

When you create an ACK cluster by using the ACK console, the system automatically deploys an NGINX Ingress controller in the cluster and associates it with an Internet-facing SLB instance during cluster initialization.

Configure an internal-facing SLB instance

You can modify the configuration of the NGINX Ingress controller to make the cluster accessible only to services that are deployed in the same VPC.

  1. Create an internal-facing SLB instance. For more information, see Create and manage a CLB instance.

    Note

    Create an SLB instance in the same VPC as the cluster. Choose the instance type based on your requirements.

  2. Configure the NGINX Ingress controller.

    After you create an internal-facing SLB instance, configure the NGINX Ingress controller to use the SLB instance with the following annotations. For more information, see Use annotations to configure load balancing.

    # nginx ingress slb service
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
      annotations:
        # Specify that the SLB instance uses an internal IP address. 
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet
        # Specify the ID of the created internal-facing SLB instance. 
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: <YOUR_INTRANET_SLB_ID>
        # Specify whether to automatically create listeners, which overwrite existing listeners. You can also manually create listeners. 
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners: 'true'
    spec:
      type: LoadBalancer
      # route traffic to other nodes
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        # select app=ingress-nginx pods
        app: ingress-nginx

    After the configuration is applied, the NGINX Ingress controller (kube-system/nginx-ingress-lb) uses the specified internal-facing SLB instance.

Use an internal-facing SLB instance and an Internet-facing SLB instance together

In some scenarios, you may want the cluster to allow access from the Internet and access from other services in the same VPC at the same time. To do this, you only need to deploy another NGINX Ingress controller (for example, kube-system/nginx-ingress-lb-intranet) in the cluster.

Note

By default, the kube-system/nginx-ingress-lb Ingress controller is created during cluster initialization. This Ingress controller uses an Internet-facing SLB instance.

  1. Create an internal-facing SLB instance. For more information, see Create and manage a CLB instance.

    Note

    Create an SLB instance in the same VPC as the cluster. Choose the instance type based on your requirements.

  2. Create a new NGINX Ingress controller.

    After you create an internal-facing SLB instance, use the following YAML file to create the kube-system/nginx-ingress-lb-intranet Service.

    # intranet nginx ingress slb service
    apiVersion: v1
    kind: Service
    metadata:
      # Set the Service name to nginx-ingress-lb-intranet. 
      name: nginx-ingress-lb-intranet
      namespace: kube-system
      labels:
        app: nginx-ingress-lb-intranet
      annotations:
        # Specify that the SLB instance uses an internal IP address. 
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet
        # Specify the ID of the created internal-facing SLB instance. 
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: <YOUR_INTRANET_SLB_ID>
        # Specify whether to automatically create listeners, which overwrite existing listeners. You can also manually create listeners. 
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners: 'true'
    spec:
      type: LoadBalancer
      # route traffic to other nodes
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        # select app=ingress-nginx pods
        app: ingress-nginx

After the kube-system/nginx-ingress-lb-intranet Service is created, run the kubectl -n kube-system get svc | grep nginx-ingress-lb command and verify that two NGINX Ingress controllers are running. One controller is associated with an Internet-facing SLB instance, and the other controller is associated with an internal-facing SLB instance.

    kubectl -n kube-system get svc | grep nginx-ingress-lb
    nginx-ingress-lb            LoadBalancer   172.1*.*.**    47.96.2**.**   80:31456/TCP,443:30016/TCP   5h
    nginx-ingress-lb-intranet   LoadBalancer   172.19.*.***   192.16*.*.**   80:32394/TCP,443:31000/TCP   7m

When you expose Services through Ingresses, you can allow Internet access through the Internet-facing SLB instance and also access from other services in the same VPC through the internal-facing SLB instance.
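
The verification step above can be scripted. The following added example (not part of the Alibaba Cloud documentation) reads Service objects in the shape of `kubectl -n kube-system get svc -o json`, checks that the address-type annotation agrees with the address the SLB instance actually received, and reports Services that expose the same controller pods in different ways. The function names, the sample objects and the assumption that the VPC uses RFC 1918 address space are this example's own.

```python
import ipaddress

ADDR_TYPE = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type"
# Assumption: the VPC uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def exposure(svc):
    """Classify one Service as internal, internet, mismatch or pending."""
    ann = svc["metadata"].get("annotations") or {}
    declared_internal = ann.get(ADDR_TYPE) == "intranet"
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    ips = [ipaddress.ip_address(i["ip"]) for i in ingress if "ip" in i]
    if not ips:
        return "pending"   # no SLB address assigned yet
    all_private = all(any(ip in net for net in RFC1918) for ip in ips)
    if declared_internal != all_private:
        return "mismatch"  # annotation and assigned address disagree
    return "internal" if all_private else "internet"

def audit(svc_list):
    """Map each LoadBalancer Service name to (exposure, pod selector)."""
    return {s["metadata"]["name"]: (exposure(s), s["spec"].get("selector") or {})
            for s in svc_list["items"] if s["spec"].get("type") == "LoadBalancer"}

def shared_backends(report):
    """Pairs of Services that differ in exposure but select the same pods."""
    names = sorted(report)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if report[a][1] == report[b][1] and report[a][0] != report[b][0]]

def _svc(name, ip, annotations=None, kind="LoadBalancer"):
    """Build a constructed Service object (sample data, not real output)."""
    return {"metadata": {"name": name, "annotations": annotations or {}},
            "spec": {"type": kind, "selector": {"app": "ingress-nginx"}},
            "status": {"loadBalancer": {"ingress": [{"ip": ip}] if ip else []}}}

# Constructed sample in the shape of `kubectl -n kube-system get svc -o json`.
SAMPLE = {"items": [
    _svc("nginx-ingress-lb", "203.0.113.10"),
    _svc("nginx-ingress-lb-intranet", "192.168.0.25", {ADDR_TYPE: "intranet"}),
    _svc("metrics-server", None, kind="ClusterIP"),
]}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name, (kind, _) in report.items():
        print(f"{name}: {kind}")
    print("same pods behind both:", shared_backends(report))
```

Because both Services on this page select `app: ingress-nginx`, every Ingress rule served by the controller is reachable through both SLB instances; the pair returned by `shared_backends` makes that visible.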