Use ALB Ingresses to route traffic in Knative - Container Service for Kubernetes

We recommend that you use Application Load Balancer (ALB) Ingresses to route traffic of Knative Services for large-scale web applications, applications that require fine-grained traffic routing or auto scaling, and applications with complex routing requirements for HTTP/HTTPS requests. ALB runs at the application layer and supports protocols such as HTTP, HTTPS, and Quick UDP Internet Connections (QUIC). ALB offers high elasticity and can process a large amount of network traffic at Layer 7. ALB Ingresses is a fully managed and O&M-free gateway that supports auto scaling and multiple canary release rules.

Prerequisites

Knative is deployed in your cluster. For more information, see Deploy and manage Knative.
The ALB Ingress controller is installed. For more information, see Manage the ALB Ingress controller.
In clusters using the Flannel network plugin, Knative services must be exposed via the NodePort service type. To enable this behavior, add the parameter eni: false in the config-network ConfigMap.
1. Open the config-network.yaml for editing.
```
kubectl -n knative-serving edit configmap config-network
```
2. In the editor that opens, add the eni: false line under the data section as shown below:
```
apiVersion: v1
data:
  ...
  eni: false  # Add this configuration.
  ...
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
  ...
```

Step 1: Deploy an ALB Ingress

When you deploy an ALB Ingress in Knative, you can use the ALB instance automatically created by Knative or specify an existing ALB instance.

Method 1: Automatically create an ALB instance when you deploy an ALB Ingress

You can configure an ALB Ingress during the deployment of Knative. If Knative is deployed, you can modify the configuration file of Knative to configure an ALB Ingress.

Configure an ALB Ingress when you deploy Knative

Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, find the cluster you want and click its name. In the left-side pane, choose Applications > Knative.
On the Components tab, click Deploy Knative. On the Deploy Knative page, select ALB and select at least two vSwitches. Follow the instructions on the page to deploy Knative.
For more information about how to create vSwitches, see Create and manage a vSwitch.

Modify the configuration file of Knative to configure an ALB Ingress

If Knative is deployed, you can modify the configuration file of Knative to specify an ALB Ingress. For more information about how to deploy Knative, see Deploy Knative in an ACK cluster and Deploy Knative in an ACK Serverless cluster.

Run the following command to modify the config-network.yaml file:
```
kubectl -n knative-serving edit configmap config-network
```

Refer to the following template to modify and save the config-network.yaml file.

Modify ingress.class: alb.ingress.networking.knative.dev, configure the vswitch-ids parameter, and save the config-network file and exit. For more information about the regions and zones that support ALB Ingresses, see Regions and zones.

apiVersion: v1
data:
  ...
  ingress.class: alb.ingress.networking.knative.dev # Specify the ALB Ingress controller. 
  vswitch-ids: vsw-uf6kbvc7mccqia2pi****,vsw-uf66scyuw2fncpn38**** # Replace with the IDs of the two vSwitches that you created in different zones. The system automatically binds the vSwitches when you create an ALB instance. 
  intranet: "true" # Create an internal ALB instance.
  ...
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
  ...

Method 2: Use an existing ALB instance to configure an ALB Ingress

You can modify the configuration file of Knative to configure an ALB Ingress by using an existing ALB instance.

Run the following command to modify the config-network.yaml file:
```
kubectl -n knative-serving edit configmap config-network
```

Modify and save the config-network.yaml file based on the following template.

Modify ingress.class: alb.ingress.networking.knative.dev in the configuration file and set albconfig to an existing ALB Ingress. You do not need to configure the vswitch-ids parameter.

apiVersion: v1
data:
  ...
  ingress.class: alb.ingress.networking.knative.dev # Specify the ALB Ingress controller. 
  albconfig: alb-dev-albconfig # Specify the name of an existing, public-facing ALB instance to reuse.
  ...
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
  ...

Step 2: Use the ALB Ingress to access a Service

Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, find the cluster you want and click its name. In the left navigation pane, choose Applications > Knative.

On the Services tab of the Knative page, select default from the Namespace drop-down list, click Create from Template, copy the following YAML content to the code editor, and then click Create

The template creates a Service named helloworld-go.

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
spec:
  template:
    spec:
      containers:
      - image: registry-vpc.cn-beijing.aliyuncs.com/knative-sample/helloworld-go:73fbdd56 # Replace the sample region with your actual region.
        env:
        - name: TARGET
          value: "Knative"

On the Services page, record the domain name and gateway IP address of the helloworld-go Service in the Default Domain and Gateway columns, respectively.

Run the following command to access the Service named helloworld-go:

curl -H "Host: helloworld-go.default.example.com" http://alb-******.cn-beijing.alb.aliyuncs.com	 # Replace the IP address and domain name with the actual values.

Expected output:

Hello Knative!

(Optional) Step 3: View the Knative monitoring dashboard

Knative provides out-of-the-box monitoring features. On the Knative page, click the Monitoring Dashboards tab to view the monitoring data of the specified Service. For more information about how to enable the Knative monitoring dashboard, see View the Knative monitoring dashboard.

Related steps

Configure access over HTTPS

To secure your Knative Services with Transport Layer Security (TLS), you can specify a certificate in ALBConfig. TLS access can be enabled in a Knative Service by using the annotation knative.k8s.alibabacloud/tls: "true". Example:

Note

To manage a certificate as a Secret, see Step 2: Create a certificate that is managed as a Secret.

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld
  namespace: default
  annotations:
    knative.k8s.alibabacloud/tls: "true"
spec:
  template:
    spec:
      containers:
      - image: registry-vpc.cn-shenzhen.aliyuncs.com/knative-sample/helloworld-go:73fbdd56 # Replace the sample region with your actual region.
        env:
        - name: TARGET
          value: "Knative"

Run the following command to access the HTTPS Service:

curl -H "Host: helloworld.default.knative.top" https://alb-ppcate4ox6ge9m1wik.cn-shenzhen.alb.aliyuncs.com -k

Expected output:

Hello Knative!

Redirect HTTP requests to the HTTPS port 443

HTTP requests can be redirected to HTTPS port 443 in a Knative Service by using the annotation networking.knative.dev/http-protocol. Example:

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
  annotations:
    networking.knative.dev/http-protocol: redirected
spec:
  template:
    spec:
      containers:
      - image: registry-vpc.cn-beijing.aliyuncs.com/knative-sample/helloworld-go:73fbdd56 # Replace the sample region with your actual region.
        env:
        - name: TARGET
          value: "Knative"

Add a CNAME record

To facilitate access to network resources, you can use a CNAME record to map a custom domain name to the domain name of an ALB instance. For more information see Add a CNAME record to an ALB instance.

References

You can customize domain names for Knative Services. For more information, see Configure a custom domain name.
You can configure a certificate to access Knative Services over HTTPS. For more information, see Configure a certificate to access Services over HTTPS.
You can deploy a gRPC Service in Knative to improve network efficiency. For more information, see Deploy a gRPC Service in Knative.
You can configure probes to monitor the health status and availability of Knative Services. For more information, see Configure port probing in Knative.
If you want to connect an elastic container instance to the Internet, you must associate an elastic IP address (EIP) with the elastic container instance. For more information, see Associate an EIP with the elastic container instance on which a Knative Service runs.