An Ingress is a Kubernetes resource object that is used to enable external access to Services in a Kubernetes cluster. Container Service for Kubernetes (ACK) allows you to use Ingresses to configure multiple forwarding rules for handling requests to pods in a Kubernetes cluster. This topic describes how to create, view, update, and delete an Ingress in the ACK console or by using kubectl.

Prerequisites

An ACK cluster is created. For more information, see Create an ACK managed cluster.

Manage Ingresses in the ACK console

Create an Ingress

  1. Log on to the ACK console and click Clusters in the left-side navigation pane.
  2. On the Clusters page, click the name of a cluster and choose Network > Ingresses in the left-side navigation pane.
  3. On the Ingresses page, click Create. In the Create dialog box, set the name of the Ingress. In this example, the Ingress is named nginx-ingress.
  4. Configure Ingress rules.
    Ingress rules are used to manage external access to Services in a cluster. Ingress rules can be HTTP or HTTPS rules. You can configure the following items in an Ingress rule: domain name (virtual hostname), URL path, Service name, port, and weight.
    In this example, a complex rule is added to configure Services for the default domain name and virtual hostname of the cluster. Traffic routing is based on domain names.
    Ingress rule
    • Create a simple Ingress that uses the default domain name to enable external access.
      • Domain: Enter the default domain name of the cluster. In this example, the default domain name is test.[cluster-id].[region-id].alicontainer.com.

        In the Create dialog box, the default domain name of the cluster is displayed in the format of *.[cluster-id].[region-id].alicontainer.com. You can also obtain the default domain name from the details page of the cluster.

      • Services: Set the names, paths, and port numbers of the backend Services that you want to access.
        • Path: You can enter the URL for accessing the backend Services. The default path is the root path /. In this example, the default path is used. Each path is associated with a backend Service. Server Load Balancer (SLB) forwards traffic to a backend Service only when inbound requests match the domain name and path.
        • Services: Set the names, port numbers, and weights of the backend Services that you want to access. You can specify the same path for multiple Services. The Ingress then distributes network traffic to these Services based on the Service weights.
    • Create a simple fanout Ingress that uses multiple domain names. In this example, a virtual hostname is used as the test domain name for external access. Weights are specified for two backend Services and canary release settings are configured for one of the Services. In a production environment, you can use a domain name that has obtained an Internet Content Provider (ICP) number for external access.
      • Domain: Enter the test domain name. In this example, the test domain name is foo.bar.com.

        You must add the following domain name mapping rule to the hosts file: 

        118.178.XX.XX foo.bar.com       # The IP address of the Ingress.
        Note If you want to use a custom domain name, add a DNS record for the domain name in the Alibaba Cloud DNS console.
      • Services: Set the names, paths, port numbers, and weights of the backend Services.
        • Path: Enter the URL path of the backend Service. In this example, the root path / is used.
        • Name: In this example, select the new-nginx and old-new-nginx Services.
        • Port: In this example, port 80 is open.
        • Weight: Set a weight for each backend Service. The weight is a percentage value. The default value is 100. In this example, the weight of each backend Service is set to 50. This means that the two backend Services have the same weight.
  5. Configure Transport Layer Security (TLS).
    Select EnableTLS to enable TLS authentication for the Ingress. For more information, see Configure an Ingress.
    • You can use an existing Secret.
      1. Log on to a master node. Run the following command to create a file named tls.key and another file named tls.crt. 
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=foo.bar.com"
      2. Create a Secret. 
        kubectl create secret tls foo.bar --key tls.key --cert tls.crt
      3. Run the kubectl get secret command to check whether the Secret is created. Then, you can select the foo.bar Secret in the console.
        Configure TLS
    • You can use the TLS private key and certificate to create a Secret.
      1. Log on to a master node. Run the following command to create a file named tls.key and another file named tls.crt. 
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=foo.bar.com"
      2. Run the vim tls.key and vim tls.crt commands to obtain the newly generated private key and certificate.
      3. Copy the certificate to the Cert field and the private key to the Key field.
        Create a key
  6. Configure canary release. You can select Open Source Solution, Alibaba Cloud Solution, and Disable.

    We recommend that you select Open Source Solution . For more information about the differences between the open source solution and the Alibaba Cloud solution, see Use the NGINX Ingress controller to implement canary releases and blue-green releases.

  7. Configure annotations.
    Click Add to the right side of Annotations. In the Type drop-down list, you can select a type of annotation based on the following description:
    • Custom Annotation: Enter names and values as key-value pairs for the annotation. For more information, see Annotations.
    • Ingress-NGINX: Select annotations by name.
      You can add an annotation to redirect inbound traffic. For example, nginx.ingress.kubernetes.io/rewrite-target: / specifies that requests to /path are redirected to the root path /. The root path can be recognized by backend Services.
      Note In this example, no path is configured for the backend Services. Therefore, you do not need to configure rewrite annotations. Rewrite annotations allow the Ingress to forward traffic through the root path to the backend Services. This avoids the 404 error that is caused by invalid paths.
  8. Add labels.
    You can add labels to describe the characteristics of the Ingress.
    Add labels
  9. Click Create. You are redirected to the Ingresses page.
    After the Ingress is created, it appears on the Ingresses page.

What to do next

On the Ingresses page, you can click Details, Update, or Delete in the Actions column.

Manage Ingresses by using kubectl

Create an Ingress

  1. Create a Deployment and a Service.

    You must create a Service to enable external access before you create an Ingress.

    1. Create a file named test-deployment-service.yaml and copy the following content to the file.
      The following YAML template is used to create a Deployment named test-web1 and a Service named web1-service: 
      apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-web1
  labels:
    app: test-web1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-web1
  template:
    metadata:
      labels:
        app: test-web1
    spec:
      containers:
      - name: test-web1
        imagePullPolicy: IfNotPresent
        image: registry.cn-hangzhou.aliyuncs.com/yilong/ingress-test:web1
        ports:
        - containerPort: 8080
--- 
apiVersion: v1
kind: Service
metadata:
  name: web1-service
spec:
  type: ClusterIP
  selector:
    app: test-web1
  ports:
    - port: 8080
      targetPort: 8080
    2. Run the following command to create the Deployment and Service: 
      kubectl apply -f test-deployment-service.yaml
  2. Create an Ingress.
    1. Create a file named test-ingress.yaml and copy the following content to the file: 
      apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
spec:
  rules:
  - host: test-ingress.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: web1-service
          servicePort: 8080
      - path: /bar
        backend:
          serviceName: web1-service
          servicePort: 8080
      apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
spec:
  rules:
  - host: test-ingress.com
    http:
      paths:
      - path: /foo
        backend:
          service: 
            name: web1-service
            port:
              number: 8080
        pathType: ImplementationSpecific
      - path: /bar
        backend:
          service: 
            name: web1-service
            port:
              number: 8080
        pathType: ImplementationSpecific

      • name: the name of the Ingress. In this example, the name is set to test-ingress.
      • host: the domain name that is used to enable external access to the backend Service.
      • path: the URL paths that are used to match requests. SLB forwards traffic to the backend Service only when inbound requests match the host and path settings.
      • backend: the name and port number of the backend Service.
        • Service name: the name of the backend Service.
        • Service port: the Service port that is exposed.
    2. Run the following command to create the Ingress: 
      kubectl apply -f test-ingress.yaml

View an Ingress

Run the following command to view an Ingress: 
kubectl get ingress

Update an Ingress

Run the following command to update an Ingress: 
kubectl edit ingress <Ingress name>

Delete an Ingress

Run the following command to delete an Ingress: 
kubectl delete ingress <Ingress name>