Standard NGINX Ingress Controller does not support complex traffic routing, multiple application-layer protocols such as Dubbo and QUIC, or Layer 7 traffic balancing. MSE Ingress is an Ingress implementation built on cloud-native gateways of Alibaba Cloud Microservices Engine (MSE). It is compatible with NGINX Ingresses and NGINX Ingress annotations, and addresses these gaps with the following capabilities:
Protocol support: Handles Dubbo, QUIC, and other application-layer protocols in addition to HTTP/HTTPS.
Traffic governance: Provides canary releases for multiple service versions and flexible traffic routing rules.
Security protection: Includes built-in security features at the gateway level.
High availability: Runs as a fully managed, multi-replica gateway.
This topic describes how to configure an MSE Ingress to route external traffic to applications in a Container Service for Kubernetes (ACK) cluster. For more information about MSE Ingresses and how they work, see MSE Ingress management.
Prerequisites
Before you begin, make sure that:
MSE is activated. Go to the MSE console to activate MSE.
The MSE Ingress Controller component is installed in the ACK cluster. You can install it using one of the following methods:
During cluster creation: select MSE Ingress for Ingress in the Component Configurations step.
For an existing cluster: install the component on the Add-ons page. For details, see Install the MSE Ingress Controller component on the Add-ons page.
The cluster runs Kubernetes v1.16 or later. For information about creating a cluster, see Create an ACK managed cluster or Create an ACK dedicated cluster (discontinued). To upgrade an existing cluster, see Update the Kubernetes version of an ACK cluster.
Permissions are granted to the MSE Ingress Controller component. For details, see Grant permissions to MSE Ingress Controller.
A kubectl client is connected to the ACK cluster. For details, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Step 1: Create an MSE cloud-native gateway
An MseIngressConfig is a CustomResourceDefinition (CRD) provided by MSE Ingress Controller. It manages the lifecycle and global configurations of an MSE cloud-native gateway.
One MseIngressConfig maps to one cloud-native gateway. If you need multiple gateways, create multiple MseIngressConfigs. Deleting an MseIngressConfig also deletes its mapped cloud-native gateway, except in the reuse scenario.
Run the following command to create a gateway named mse-ingress with three replicas. Each replica uses 2 vCPUs and 4 GB of memory.
cat << EOF | kubectl apply -f -
apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  name: mse-ingress        # Name of the cloud-native gateway
  common:
    instance:
      spec: 2c4g           # 2 vCPUs, 4 GB memory per replica (default: 4c8g)
      replicas: 3          # Number of gateway replicas (default: 3)
EOF
When you omit optional configurations, the system applies defaults:
vSwitch: Automatically selects the vSwitch of the Kubernetes node scheduled by the MSE Ingress Controller. Only one vSwitch is configured. For production environments, manually configure two vSwitches.
SLB: Automatically creates an Internet-facing Server Load Balancer (SLB) instance with slb.s2.small specifications.
Security group: Automatically creates a basic security group.
The following table describes the parameters in spec.
| Parameter | Required | Default | Description |
|---|---|---|---|
| name | No | - | The name of the cloud-native gateway. |
| common.instance.spec | No | 4c8g | The specifications per replica. For example, |
| common.instance.replicas | No | 3 | The number of gateway replicas. |
For the full parameter reference, see Configure an MseIngressConfig.
Step 2: Create an IngressClass resource
An IngressClass resource declares which Ingress controller handles a set of Ingress resources. Associate the IngressClass with the MseIngressConfig created in Step 1 so that the cloud-native gateway processes matching Ingress rules.
Choose one of the following methods based on your scenario.
Method 1: Use a Kubernetes IngressClass resource (recommended)
Use this method for new services that access the MSE Ingress. Run one of the following commands based on your cluster's Kubernetes version.
Clusters running Kubernetes versions earlier than v1.19
cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
  name: mse
spec:
  controller: mse.alibabacloud.com/ingress
  parameters:
    apiGroup: mse.alibabacloud.com   # API group of MseIngressConfig
    kind: MseIngressConfig           # Resource kind
    name: test                       # Name of the MseIngressConfig from Step 1
EOF
Clusters running Kubernetes v1.19 or later
cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: mse
spec:
  controller: mse.alibabacloud.com/ingress
  parameters:
    apiGroup: mse.alibabacloud.com   # API group of MseIngressConfig
    kind: MseIngressConfig           # Resource kind
    name: test                       # Name of the MseIngressConfig from Step 1
EOF
Method 2: Use MseIngressConfig resources (for migration)
Use this method when migrating from NGINX Ingress to MSE Ingress, or in scenarios where IngressClass resources cannot be created. During migration, both NGINX Ingress and MSE Ingress must listen to the same IngressClass resource. This method lets you configure the IngressClass directly within the MseIngressConfig, avoiding IngressClass name conflicts.
Add the ingressClass field to the MseIngressConfig created in Step 1:
apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  name: mse-ingress
  common:
    instance:
      spec: 2c4g
      replicas: 3
  ingress:
    local:
      ingressClass: mse    # IngressClass name to listen on
The following table describes the ingress.local.ingressClass values.
| Value | Behavior |
|---|---|
| Not configured | The gateway does not listen to any Ingress resources. |
| | The gateway listens to Ingress resources associated with the IngressClass named |
| | The gateway listens to all Ingress resources. |
| | The gateway listens to Ingress resources associated with the IngressClass named |
| Other values | The gateway listens to Ingress resources associated with the specified IngressClass. |
If both a Kubernetes IngressClass resource (Method 1) and this parameter are configured, the Kubernetes IngressClass resource takes precedence.
Verify the gateway status
Run the following command to check the MseIngressConfig status:
kubectl get MseIngressConfig test
Expected output:
NAME   STATUS      AGE
test   Listening   3m15s
The Listening status confirms that the cloud-native gateway is running and watching for Ingress resources associated with the mse IngressClass.
The status transitions in the following order:
| Status | Description |
|---|---|
| Pending | The gateway is being created. This process takes about 3 minutes. |
| Running | The gateway is created and running. |
| Listening | The gateway is running and listening to Ingress resources in the cluster. |
| Failed | The gateway is invalid. Run kubectl describe MseIngressConfig test and check the Message field in Status to identify the cause. |
Step 3: Route traffic to an application
Deploy a sample backend service
Run the following command to deploy the go-httpbin service:
cat << EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: go-httpbin
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: go-httpbin
  template:
    metadata:
      labels:
        app: go-httpbin
        version: v1
    spec:
      containers:
      - image: specialyang/go-httpbin:v3
        args:
        - "--port=8090"       # Application listens on port 8090
        - "--version=v1"      # Reports version v1
        imagePullPolicy: Always
        name: go-httpbin
        ports:
        - containerPort: 8090
---
apiVersion: v1
kind: Service
metadata:
  name: go-httpbin
  namespace: default
spec:
  ports:
  - port: 80                  # Service port exposed to Ingress
    targetPort: 8090          # Forwards to container port 8090
    protocol: TCP
  selector:
    app: go-httpbin
EOF
Create an Ingress resource
Run one of the following commands to create an Ingress resource. The Ingress routes requests for example.com/version to the go-httpbin service.
Clusters running Kubernetes versions earlier than v1.19
cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress
  namespace: default
spec:
  ingressClassName: mse       # Associates with the MSE IngressClass
  rules:
  - host: example.com
    http:
      paths:
      - path: /version
        backend:
          serviceName: go-httpbin
          servicePort: 80
EOF
Clusters running Kubernetes v1.19 or later
cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  namespace: default
spec:
  ingressClassName: mse       # Associates with the MSE IngressClass
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          service:
            name: go-httpbin
            port:
              number: 80
        path: /version
        pathType: Prefix
EOF
Verify the result
Get the address assigned to the Ingress:
kubectl get ingress ingress
Expected output:
NAME      CLASS   HOSTS         ADDRESS        PORTS   AGE
ingress   mse     example.com   114.55.XX.XX   80      12m
Send a test request using the Ingress address:
curl -H "host: example.com" <ADDRESS>/version
Expected output:
version:v1
The version:v1 response confirms that traffic is routed through the MSE Ingress to the go-httpbin backend service.
If the ADDRESS field is empty, the cloud-native gateway may still be provisioning. Wait a few minutes and run kubectl get ingress ingress again. If the issue persists, check the MseIngressConfig status with kubectl describe MseIngressConfig test.
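With the defaults from Step 1 the gateway sits behind an Internet-facing SLB, so every Ingress bound to the mse class publishes its backend externally. The following Python check is an added example, not part of the original page: it reads `kubectl get ingress -A -o json` output and lists each host, path and backend claimed by the mse class, handling both manifest layouts shown above and the older kubernetes.io/ingress.class annotation. The sample data is constructed; every name other than ingress, example.com and go-httpbin is hypothetical.

```python
import json

GATEWAY_CLASS = "mse"  # IngressClass name used in this tutorial
LEGACY_ANNOTATION = "kubernetes.io/ingress.class"  # older, annotation-based class selection
# Constructed sample shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "ingress", "namespace": "default"}, "spec": {"ingressClassName": "mse",
  "rules": [{"host": "example.com", "http": {"paths": [{"path": "/version",
   "backend": {"service": {"name": "go-httpbin", "port": {"number": 80}}}}]}}]}},
 {"metadata": {"name": "legacy", "namespace": "staging", "annotations":
   {"kubernetes.io/ingress.class": "mse"}}, "spec": {"rules": [{"host": "old.example.com",
  "http": {"paths": [{"path": "/", "backend": {"serviceName": "web", "servicePort": 8080}}]}}]}},
 {"metadata": {"name": "internal", "namespace": "default"}, "spec": {"ingressClassName": "nginx",
  "rules": [{"host": "int.example.com", "http": {"paths": [{"path": "/",
   "backend": {"service": {"name": "admin", "port": {"number": 80}}}}]}}]}},
 {"metadata": {"name": "noclass", "namespace": "default"}, "spec": {"rules": [{"http":
  {"paths": [{"path": "/", "backend": {"service": {"name": "misc", "port": {"name": "http"}}}}]}}]}}
]}""")

def ingress_class(item):
    """Class an Ingress asks for: spec.ingressClassName first, then the legacy annotation."""
    annotations = item["metadata"].get("annotations") or {}
    return item.get("spec", {}).get("ingressClassName") or annotations.get(LEGACY_ANNOTATION)

def backend_of(path):
    """Return (service, port) for both the v1 and the v1beta1 backend layout."""
    backend = path.get("backend", {})
    if "service" in backend:  # networking.k8s.io/v1
        port = backend["service"].get("port", {})
        return backend["service"]["name"], port.get("number", port.get("name"))
    return backend.get("serviceName"), backend.get("servicePort")  # v1beta1

def exposed_routes(ingress_list, gateway_class=GATEWAY_CLASS):
    """Split Ingresses into routes bound to the gateway class and Ingresses naming no class."""
    routes, unclassed = [], []
    for item in ingress_list.get("items", []):
        ref = f'{item["metadata"].get("namespace", "default")}/{item["metadata"]["name"]}'
        cls = ingress_class(item)
        if cls is None:
            unclassed.append(ref)  # served only if the gateway listens to all Ingress resources
        elif cls == gateway_class:
            for rule in item.get("spec", {}).get("rules", []):
                for path in (rule.get("http") or {}).get("paths", []):
                    svc, port = backend_of(path)
                    routes.append((ref, rule.get("host", "*"), path.get("path", "/"), f"{svc}:{port}"))
    return routes, unclassed

if __name__ == "__main__":
    print(exposed_routes(SAMPLE))
```

Against a live cluster, replace SAMPLE with the parsed output of the kubectl command and review the unclassed list whenever the Method 2 ingressClass value makes the gateway listen to all Ingress resources.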
Clean up resources
To remove the sample resources created in this tutorial, run the following commands:
kubectl delete ingress ingress
kubectl delete service go-httpbin
kubectl delete deployment go-httpbin
Deleting the MseIngressConfig also deletes the associated MSE cloud-native gateway. Only delete it if you no longer need the gateway:
kubectl delete MseIngressConfig test
What's next
Configure an MseIngressConfig -- Customize vSwitches, SLB instances, and security groups for your gateway.
MSE Ingress management -- Learn about advanced traffic governance features including canary releases and traffic splitting.
Grant permissions to MSE Ingress Controller -- Configure fine-grained access control for the MSE Ingress Controller.