You can configure Container Service for Kubernetes (ACK) clusters to allow access from the Internet and access from other services in the same virtual private cloud (VPC). This topic describes how to configure an Ingress controller to use an internal-facing Server Load Balancer (SLB) instance.
Prerequisites
An ACK cluster is created. For more information, see Create an ACK managed cluster.
You are connected to a master node by using SSH if you use an ACK dedicated cluster. For more information, see Use SSH to connect to the master nodes of an ACK dedicated cluster.
Note: The master nodes of an ACK dedicated cluster are created and maintained by users. To facilitate cluster maintenance and management, ACK allows you to connect to the master nodes of an ACK dedicated cluster by using SSH.
Background information
When you create an ACK cluster by using the ACK console, the system automatically deploys an NGINX Ingress controller in the cluster and associates it with an Internet-facing SLB instance during cluster initialization.
Configure an internal-facing SLB instance
You can modify the configuration of the NGINX Ingress controller to make the cluster accessible only to services that are deployed in the same VPC.
Create an internal-facing SLB instance. For more information, see Create and manage a CLB instance.
Note: Create the SLB instance in the same VPC as the cluster. Choose the instance type based on your requirements.
Configure the NGINX Ingress controller.
After you create an internal-facing SLB instance, configure the NGINX Ingress controller to use the SLB instance with the following annotations. For more information, see Use annotations to configure load balancing.
# nginx ingress slb service
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-lb
  namespace: kube-system
  labels:
    app: nginx-ingress-lb
  annotations:
    # Specify that the SLB instance uses an internal IP address.
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet
    # Specify the ID of the created internal-facing SLB instance.
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: <YOUR_INTRANET_SLB_ID>
    # Specify whether to automatically create listeners, which overwrite existing listeners. You can also manually create listeners.
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners: 'true'
spec:
  type: LoadBalancer
  # route traffic to other nodes
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    # select app=ingress-nginx pods
    app: ingress-nginx
After the configuration is applied, the NGINX Ingress controller (kube-system/nginx-ingress-lb) uses the specified internal-facing SLB instance.
Use an internal-facing SLB instance and an Internet-facing SLB instance together
In some scenarios, you may want the cluster to allow access from the Internet and access from other services in the same VPC at the same time. To do this, you only need to deploy a second NGINX Ingress controller (for example, kube-system/nginx-ingress-lb-intranet) in the cluster.
By default, the kube-system/nginx-ingress-lb Ingress controller is created during cluster initialization. This Ingress controller uses an Internet-facing SLB instance.
Create an internal-facing SLB instance. For more information, see Create and manage a CLB instance.
Note: Create the SLB instance in the same VPC as the cluster. Choose the instance type based on your requirements.
Create a new NGINX Ingress controller.
After you create an internal-facing SLB instance, use the following YAML file to create the kube-system/nginx-ingress-lb-intranet Service.
# intranet nginx ingress slb service
apiVersion: v1
kind: Service
metadata:
  # Set the Service name to nginx-ingress-lb-intranet.
  name: nginx-ingress-lb-intranet
  namespace: kube-system
  labels:
    app: nginx-ingress-lb-intranet
  annotations:
    # Specify that the SLB instance uses an internal IP address.
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet
    # Specify the ID of the created internal-facing SLB instance.
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: <YOUR_INTRANET_SLB_ID>
    # Specify whether to automatically create listeners, which overwrite existing listeners. You can also manually create listeners.
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners: 'true'
spec:
  type: LoadBalancer
  # route traffic to other nodes
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    # select app=ingress-nginx pods
    app: ingress-nginx
After the kube-system/nginx-ingress-lb-intranet Service is created, run the kubectl -n kube-system get svc | grep nginx-ingress-lb command and verify that two NGINX Ingress controllers are running. One controller is associated with an Internet-facing SLB instance, and the other controller is associated with an internal-facing SLB instance.
kubectl -n kube-system get svc | grep nginx-ingress-lb
nginx-ingress-lb LoadBalancer 172.1*.*.** 47.96.2**.** 80:31456/TCP,443:30016/TCP 5h
nginx-ingress-lb-intranet LoadBalancer 172.19.*.*** 192.16*.*.** 80:32394/TCP,443:31000/TCP 7m
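Beyond eyeballing the grep output, a practitioner usually wants a repeatable check that the intranet controller is really bound to a private VPC address and that the placeholder SLB ID has been replaced. The following script is an added example, not part of the ACK documentation or code base; it reads the JSON shape that kubectl -n kube-system get svc -o json returns, with a constructed sample (made-up IPs and SLB ID) embedded so it runs offline.

```python
import ipaddress
import json

# Annotation keys used in the Service manifests above.
ADDR_TYPE = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type"
LB_ID = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id"

# Constructed sample standing in for `kubectl -n kube-system get svc -o json`;
# names follow the page, IPs and the SLB ID are made up.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "nginx-ingress-lb", "annotations": {}},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "47.96.200.10"}]}}},
    {"metadata": {"name": "nginx-ingress-lb-intranet",
                  "annotations": {ADDR_TYPE: "intranet", LB_ID: "lb-example0001"}},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "192.168.3.7"}]}}},
]})


def audit_service(svc):
    """Return findings for one Service dict; an empty list means it is consistent."""
    ann = svc["metadata"].get("annotations") or {}
    wants_intranet = ann.get(ADDR_TYPE) == "intranet"
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    ips = [e["ip"] for e in ingress if e.get("ip")]
    findings = []
    if svc["spec"].get("type") != "LoadBalancer":
        findings.append("not a LoadBalancer Service")
    if wants_intranet and ann.get(LB_ID, "").startswith("<"):
        findings.append("loadbalancer-id still holds the <YOUR_INTRANET_SLB_ID> placeholder")
    for ip in ips:
        # The intranet controller must only ever receive a private (VPC) address.
        if wants_intranet and not ipaddress.ip_address(ip).is_private:
            findings.append(f"intranet Service exposed on public address {ip}")
    if not ips:
        findings.append("no load balancer address assigned yet")
    return findings


def audit(kubectl_json):
    """Map each nginx-ingress-lb* Service name to its findings."""
    items = json.loads(kubectl_json)["items"]
    return {s["metadata"]["name"]: audit_service(s)
            for s in items if s["metadata"]["name"].startswith("nginx-ingress-lb")}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Against a live cluster, pipe kubectl -n kube-system get svc -o json into audit() instead of SAMPLE; any non-empty finding for nginx-ingress-lb-intranet means the VPC-only intent of the manifest was not realised.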
When you expose Services through Ingresses, you can allow Internet access through the Internet-facing SLB instance and also access from other services in the same VPC through the internal-facing SLB instance.