
Container Service for Kubernetes: Use ALB Ingress to route traffic in Knative

Last Updated: Mar 26, 2026

ALB (Application Load Balancer) Ingress is a fully managed, O&M-free gateway that routes Layer 7 traffic for Knative Services. It supports HTTP, HTTPS, and QUIC (Quick UDP Internet Connections), and handles auto scaling and canary release rules — making it suited for large-scale web applications, fine-grained traffic routing, and complex HTTP/HTTPS routing requirements.

Prerequisites

Before you begin, make sure you have:

If your cluster uses the Flannel network plugin, Knative Services must be exposed via the NodePort service type. Add eni: "false" to the config-network ConfigMap before proceeding:

  1. Open the ConfigMap for editing:

    kubectl -n knative-serving edit configmap config-network

  2. Add eni: "false" under the data section:

    apiVersion: v1
    data:
      ...
      eni: "false"  # Add this line. ConfigMap data values must be strings, so keep the quotes.
      ...
    kind: ConfigMap
    metadata:
      name: config-network
      namespace: knative-serving
      ...

Step 1: Configure the ALB Ingress

Choose one of the following methods based on whether you want Knative to create a new ALB instance or reuse an existing one.

Method 1: Auto-create an ALB instance

Use this method if you don't have an existing ALB instance. Knative creates and manages the ALB instance for you.

Option A: Configure during Knative deployment

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. Find the target cluster and click its name. In the left navigation pane, choose Applications > Knative.

  3. On the Components tab, click Deploy Knative. On the Deploy Knative page, select ALB and select at least two vSwitches in different zones. Follow the on-page instructions to complete deployment. For information on creating vSwitches, see Create and manage a vSwitch.

Option B: Modify an existing Knative deployment

If Knative is already deployed, run the following command to open the ConfigMap for editing:

kubectl -n knative-serving edit configmap config-network

Set ingress.class to alb.ingress.networking.knative.dev and configure the vswitch-ids parameter, then save the ConfigMap and exit the editor. For more information about the regions and zones that support ALB Ingress, see Regions and zones.

apiVersion: v1
data:
  ...
  ingress.class: alb.ingress.networking.knative.dev  # Specifies the ALB Ingress controller.
  vswitch-ids: vsw-uf6kbvc7mccqia2pi****,vsw-uf66scyuw2fncpn38****  # Two vSwitch IDs in different zones. The system automatically binds the vSwitches when creating the ALB instance.
  intranet: "true"  # Creates an internal ALB instance.
  ...
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
  ...

For more information on deploying Knative, see Deploy Knative in an ACK cluster and Deploy Knative in an ACK Serverless cluster.

Method 2: Use an existing ALB instance

Use this method if you already have a public-facing ALB instance and want Knative to route through it. You don't need to configure vswitch-ids.

Run the following command to open the ConfigMap for editing:

kubectl -n knative-serving edit configmap config-network

Set ingress.class to alb.ingress.networking.knative.dev and set albconfig to the name of an existing ALBConfig resource (for example, alb-dev-albconfig):

apiVersion: v1
data:
  ...
  ingress.class: alb.ingress.networking.knative.dev  # Specifies the ALB Ingress controller.
  albconfig: alb-dev-albconfig  # Name of the existing ALBConfig resource.
  ...
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
  ...

Step 2: Access a Knative Service through ALB Ingress

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. Find the target cluster and click its name. In the left navigation pane, choose Applications > Knative.

  3. On the Services tab, select default from the Namespace drop-down list, and click Create from Template. Paste the following YAML into the editor and click Create:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld-go
    spec:
      template:
        spec:
          containers:
          - image: registry-vpc.cn-beijing.aliyuncs.com/knative-sample/helloworld-go:73fbdd56  # Replace with your region.
            env:
            - name: TARGET
              value: "Knative"

    This creates a Knative Service named helloworld-go.

  4. On the Services page, record the domain name and gateway IP address from the Default Domain and Gateway columns for the helloworld-go Service.

  5. Run the following command to verify access. The command uses a Host header because DNS is not yet configured. To access the Service directly by domain name, set up a CNAME record as described in Add a CNAME record.

    curl -H "Host: helloworld-go.default.example.com" http://alb-******.cn-beijing.alb.aliyuncs.com

    Replace the Host header value and ALB address with the actual values from step 4. Expected output:

    Hello Knative!

(Optional) Step 3: View the Knative monitoring dashboard

Knative provides out-of-the-box monitoring. On the Knative page, click the Monitoring Dashboards tab to view metrics for your Services. For more information, see View the Knative monitoring dashboard.

More operations

Enable HTTPS with TLS

To secure your Knative Services with Transport Layer Security (TLS), add the following annotation to the Knative Service. Make sure you have a certificate specified in ALBConfig first.

annotations:
  knative.k8s.alibabacloud/tls: "true"

Full example:

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld
  namespace: default
  annotations:
    knative.k8s.alibabacloud/tls: "true"
spec:
  template:
    spec:
      containers:
      - image: registry-vpc.cn-shenzhen.aliyuncs.com/knative-sample/helloworld-go:73fbdd56  # Replace with your region.
        env:
        - name: TARGET
          value: "Knative"

To manage a certificate as a Secret, see Create a certificate that is managed as a Secret.

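Verify HTTPS access. The -k option makes curl skip certificate verification, so this command confirms only that the HTTPS listener responds, not that the certificate is valid for the host name: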

curl -H "Host: helloworld.default.knative.top" https://alb-ppcate4ox6ge9m1wik.cn-shenzhen.alb.aliyuncs.com -k

Expected output:

Hello Knative!

Redirect HTTP to HTTPS

To redirect HTTP requests to HTTPS at the per-Service level, add the following annotation to your Knative Service:

annotations:
  networking.knative.dev/http-protocol: redirected

Full example:

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
  annotations:
    networking.knative.dev/http-protocol: redirected
spec:
  template:
    spec:
      containers:
      - image: registry-vpc.cn-beijing.aliyuncs.com/knative-sample/helloworld-go:73fbdd56  # Replace with your region.
        env:
        - name: TARGET
          value: "Knative"
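
The two annotations above are set per Service, so it is easy for one Service in a cluster to be left without them. The following added example (not part of the original documentation) audits a Service list in the shape of `kubectl get ksvc -A -o json` output for both annotations. The sample list is constructed, and the `redirect-without-tls` finding assumes HTTPS is enabled only through the per-Service annotation.

```python
import json

TLS_ANNOTATION = "knative.k8s.alibabacloud/tls"
REDIRECT_ANNOTATION = "networking.knative.dev/http-protocol"

# Constructed sample in the shape of `kubectl get ksvc -A -o json` output.
SAMPLE_KSVC_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "helloworld", "namespace": "default",
                "annotations": {"knative.k8s.alibabacloud/tls": "true",
                                "networking.knative.dev/http-protocol": "redirected"}}},
  {"metadata": {"name": "helloworld-go", "namespace": "default",
                "annotations": {"networking.knative.dev/http-protocol": "redirected"}}},
  {"metadata": {"name": "tls-only", "namespace": "staging",
                "annotations": {"knative.k8s.alibabacloud/tls": "true"}}},
  {"metadata": {"name": "plain", "namespace": "staging"}}
]}
""")


def audit_service(svc):
    """Return findings for one Knative Service object (a dict)."""
    annotations = svc.get("metadata", {}).get("annotations") or {}
    tls = annotations.get(TLS_ANNOTATION) == "true"
    redirect = annotations.get(REDIRECT_ANNOTATION) == "redirected"
    findings = []
    if not tls:
        findings.append("tls-annotation-missing")
    if not redirect:
        findings.append("http-not-redirected")
    if redirect and not tls:
        # Assumption: HTTPS is enabled only through the per-Service annotation,
        # so a redirect without it sends clients to HTTPS that may not be served.
        findings.append("redirect-without-tls")
    return findings


def audit(ksvc_list):
    """Map 'namespace/name' to findings, skipping Services with none."""
    report = {}
    for svc in ksvc_list.get("items", []):
        meta = svc.get("metadata", {})
        findings = audit_service(svc)
        if findings:
            report[f"{meta.get('namespace', 'default')}/{meta.get('name')}"] = findings
    return report


if __name__ == "__main__":
    for name, findings in sorted(audit(SAMPLE_KSVC_LIST).items()):
        print(f"{name}: {', '.join(findings)}")
```

To run it against a cluster, load the saved output of `kubectl get ksvc -A -o json` with `json.load` and pass it to `audit`.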

Add a CNAME record

Map a custom domain name to the ALB instance domain by adding a CNAME record. This lets users access your Knative Service directly by domain name. For more information, see Configure a CNAME record for an ALB instance.

config-network parameter reference

The following table lists the config-network ConfigMap parameters used in this document:

| Parameter | Description | Method |
| --- | --- | --- |
| ingress.class | Specifies the ingress controller. Set to alb.ingress.networking.knative.dev for ALB. | Both |
| vswitch-ids | Comma-separated IDs of two vSwitches in different zones. Required when creating a new ALB instance. | Method 1 only |
| intranet | Set to "true" to create an internal ALB instance. | Method 1 only |
| albconfig | Name of an existing ALBConfig resource to reuse. | Method 2 only |
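
The parameter rules in this table can be checked before the ConfigMap is saved. The following added example (not part of the original documentation) validates the `data` map of config-network against them. The function name, the sample maps and the vSwitch IDs are constructed placeholders, and the input is assumed to be the map as a YAML parser returns it.

```python
ALB_CLASS = "alb.ingress.networking.knative.dev"


def check_config_network(data):
    """Return a list of problems found in the `data` map of config-network."""
    problems = []
    # ConfigMap data values must be strings: an unquoted YAML true/false
    # parses as a boolean and the API server rejects the object.
    for key, value in data.items():
        if not isinstance(value, str):
            problems.append(f"{key}: {value!r} is not a string, quote it")
    if data.get("ingress.class") != ALB_CLASS:
        problems.append(f"ingress.class is not {ALB_CLASS}")
    has_vswitches = "vswitch-ids" in data
    has_albconfig = "albconfig" in data
    if has_vswitches and has_albconfig:
        problems.append("vswitch-ids (Method 1) and albconfig (Method 2) are both set")
    if not has_vswitches and not has_albconfig:
        problems.append("neither vswitch-ids nor albconfig is set")
    if has_vswitches:
        ids = [v.strip() for v in str(data["vswitch-ids"]).split(",") if v.strip()]
        if len(set(ids)) < 2:
            problems.append("vswitch-ids needs two distinct vSwitch IDs")
    if has_albconfig and "intranet" in data:
        problems.append("intranet applies to Method 1 only (new ALB instance)")
    return problems


# Constructed inputs, as a YAML parser would return them (IDs are placeholders).
METHOD_1_OK = {"ingress.class": ALB_CLASS,
               "vswitch-ids": "vsw-aaaa,vsw-bbbb", "intranet": "true"}
METHOD_2_OK = {"ingress.class": ALB_CLASS, "albconfig": "alb-dev-albconfig"}
BROKEN = {"ingress.class": ALB_CLASS, "vswitch-ids": "vsw-aaaa",
          "albconfig": "alb-dev-albconfig", "intranet": True}

if __name__ == "__main__":
    for name, cfg in [("method 1", METHOD_1_OK), ("method 2", METHOD_2_OK),
                      ("broken", BROKEN)]:
        print(name, check_config_network(cfg) or "ok")
```

The check cannot confirm that the two vSwitches are in different zones; verify that in the VPC console.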
