Knative provides multiple Ingress gateway solutions for you to create gateways for cloud resources. These gateways are stable and reliable because they do not require resident resources. Knative Ingress gateways help reduce infrastructure costs and simplify your maintenance work. This topic describes the benefits of Knative Ingress gateways and how to use Knative Ingress gateways.


By default, open source Knative provides multiple Ingress gateway solutions, such as Istio, Gloo, Contour, Kourier, and Ambassador. Among these solutions, Istio is most frequently used. This is because Istio can also be used as a service mesh. At least two resident gateway instances are required for each application that is deployed within Knative. The two gateway instances provide backup for each other to ensure high availability. The Kubernetes controllers of these gateways must be resident. You must pay infrastructure and maintenance fees for these resident instances.

A serverless Kubernetes (ASK) cluster that has Knative enabled uses Server Load Balancer (SLB) instances as gateways. Internet-facing SLB instances function as external gateways and internal-facing SLB instances function as internal gateways. Knative Ingress gateways support both HTTP and HTTPS. By default, Knative generates a self-signed certificate for HTTPS connections. This certificate can secure all domain names. Therefore, you can use the certificate to test applications. Before you use Knative to deploy applications, configure an SSL certificate and specify the certificate ID in Kubernetes annotations. For more information, see Configure an SSL certificate.

To improve user experience, Alibaba Cloud allows you to use SLB instances as Knative Ingress gateways. 1

Use Knative Ingress gateways

  1. Run the following command to query the IP addresses of the SLB instances:
    kubectl -n knative-serving get svc

    Expected output:

    NAME                    TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                      AGE
    ingress-gateway         LoadBalancer   172.21.XX.XX   8.131.XX.XX      80:32701/TCP,443:30561/TCP   2d20h
    ingress-local-gateway   LoadBalancer   172.21.XX.XX   192.168.XX.XX    80:32537/TCP                 2d20h
    • ingress-gateway indicates an external gateway that exposes applications to the Internet.
    • ingress-local-gateway indicates an internal gateway that exposes applications only within a virtual private cloud (VPC).
  2. Access the application.
    • Access the application over the Internet
      • Access the application over HTTP.

        In the CLI, run the following command:

        curl -H  "Host:" http://8.131.XX.XX

        Expected output:

        Hello Knative!
      • Access the application over HTTPS.

        In the CLI, run the following command:

        curl -H  "Host:" https://8.131.XX.XX -k

        Expected output:

        Hello Knative!
    • Access the application within a VPC
      Note You must first enable Alibaba Cloud DNS PrivateZone.
      1. Run the following command to modify the eci-profile file:
        kubectl -n kube-system edit configmap eci-profile
      2. Set enablePrivateZone to true. Save the modification to eci-profile and exit.
        apiVersion: v1
          enablePrivateZone: "true"
        kind: ConfigMap
          name: eci-profile
          namespace: kube-system
      3. Access the application by using Application name.namespace.svc.cluster.local.

        The helloworld-go application in the default namespace is used as an example:

  3. Bind the IP address of the SLB instance to the domain name of Knative by modifying the hosts file. The following example shows how to bind the IP address to the domain name:
    Note The default root domain name of Knative is You can use a custom domain name. For more information, see Set a custom domain name for Knative Serving.
    If you can use the domain name to access the application after you modify the hosts file, the Knative Ingress gateway functions as normal. 1