Overview
This topic describes how to configure internal SLB instances for NGINX Ingress controllers in clusters of Alibaba Cloud Container Service for Kubernetes (ACK).
Information
Background
When you create an ACK cluster in the ACK console, the system automatically deploys an NGINX Ingress controller in the cluster and associates it with a public SLB instance during cluster initialization.
Configure an internal SLB instance
If you need to allow access only from other workloads in the same Virtual Private Cloud (VPC) network where the cluster is deployed, modify the NGINX Ingress controller configuration.
- Create an SLB instance in the same VPC network as the target cluster. Configure the instance specifications based on your requirements.
- Use the following YAML template to configure the NGINX Ingress controller. The template creates a LoadBalancer service named nginx-ingress-lb in the kube-system namespace and associates it with the internal SLB instance that you created in the previous step.
    # nginx ingress slb service
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
      annotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: intranet
        service.beta.kubernetes.io/alicloud-loadbalancer-id: [$SLB_ID]
        #service.beta.kubernetes.io/alicloud-loadbalancer-force-override-listeners: 'true'
    spec:
      type: LoadBalancer
      # route traffic to other nodes
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        # select app=ingress-nginx pods
        app: ingress-nginx
Note:
- alicloud-loadbalancer-address-type: intranet specifies that the SLB instance uses an internal IP address.
- [$SLB_ID] specifies the ID of the internal SLB instance.
- alicloud-loadbalancer-force-override-listeners: 'true' specifies that listeners are automatically created for the SLB instance.
Use an internal SLB instance and a public SLB instance together
You may need to allow both Internet access and access from other workloads in the same VPC network to your services. In this scenario, you can deploy another NGINX Ingress controller. For example, a service named nginx-ingress-lb-intranet can be deployed in the kube-system namespace.
When you create an ACK cluster, an nginx-ingress-lb service is automatically created in the kube-system namespace during cluster initialization. This service is associated with a public SLB instance.
- Create an SLB instance in the same VPC network as the target cluster. Configure the instance specifications based on your requirements.
- Use the following YAML template to create a service named nginx-ingress-lb-intranet in the kube-system namespace.
    # intranet nginx ingress slb service
    apiVersion: v1
    kind: Service
    metadata:
      # Set the service name to nginx-ingress-lb-intranet.
      name: nginx-ingress-lb-intranet
      namespace: kube-system
      labels:
        app: nginx-ingress-lb-intranet
      annotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: intranet
        # Specify [$SLB_ID] as the ID of the created internal SLB instance.
        service.beta.kubernetes.io/alicloud-loadbalancer-id: [$SLB_ID]
        #service.beta.kubernetes.io/alicloud-loadbalancer-force-override-listeners: 'true'
    spec:
      type: LoadBalancer
      # route traffic to other nodes
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        # select app=ingress-nginx pods
        app: ingress-nginx
Note: In this example, the name of the service is specified as nginx-ingress-lb-intranet. You can specify a custom name based on your requirements.
- After the nginx-ingress-lb-intranet service is deployed in the kube-system namespace, run the following command to query the deployed services. The output shows that two NGINX Ingress controllers are deployed. One is associated with a public SLB instance, and the other is associated with an internal SLB instance.
    kubectl -n kube-system get svc | grep nginx-ingress-lb
    nginx-ingress-lb            LoadBalancer   XX.XX.XX.XX   a.b.c.d<Public IP address>     80:31456/TCP,443:30016/TCP   5h
    nginx-ingress-lb-intranet   LoadBalancer   XX.XX.XX.XX   e.f.g.h<Internal IP address>   80:32394/TCP,443:31000/TCP   7m
- When you expose the service through Ingresses, the public SLB instance is used to allow access to the service over the Internet and the internal SLB instance is used to allow access to the service from other workloads in the same VPC network.
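To confirm that each service received the kind of address its annotation declares, the following added example (not part of the original ACK documentation) audits the JSON printed by `kubectl -n kube-system get svc -o json`. The sample data is constructed, the service names nginx-ingress-lb-misbound and nginx-ingress-lb-new are hypothetical, and the check assumes that internal SLB addresses fall in the RFC 1918 ranges.

```python
import ipaddress
import json

ADDR_TYPE = "service.beta.kubernetes.io/alicloud-loadbalancer-address-type"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _svc(name, ip, annotations=None, svc_type="LoadBalancer"):
    """Build one constructed Service shaped like an item of `kubectl get svc -o json`."""
    return {"metadata": {"name": name, "annotations": annotations or {}},
            "spec": {"type": svc_type, "selector": {"app": "ingress-nginx"}},
            "status": {"loadBalancer": {"ingress": [{"ip": ip}] if ip else []}}}

# Constructed sample input; the addresses are documentation/private placeholders.
SAMPLE = json.dumps({"items": [
    _svc("nginx-ingress-lb", "203.0.113.10"),
    _svc("nginx-ingress-lb-intranet", "192.168.1.20", {ADDR_TYPE: "intranet"}),
    _svc("nginx-ingress-lb-misbound", "198.51.100.7", {ADDR_TYPE: "intranet"}),  # hypothetical
    _svc("nginx-ingress-lb-new", None, {ADDR_TYPE: "intranet"}),                 # hypothetical
    _svc("some-clusterip-svc", None, svc_type="ClusterIP"),                      # hypothetical
]})

def is_rfc1918(ip):
    """True only for RFC 1918 space (ip_address.is_private also covers other ranges)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def audit(svc_list_json, pod_label=("app", "ingress-nginx")):
    """Map each LoadBalancer Service that selects the controller pods to a verdict."""
    key, value = pod_label
    report = {}
    for svc in json.loads(svc_list_json)["items"]:
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer" or (spec.get("selector") or {}).get(key) != value:
            continue
        annotations = svc["metadata"].get("annotations") or {}
        declared_internal = annotations.get(ADDR_TYPE) == "intranet"
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        ips = [entry["ip"] for entry in ingress if "ip" in entry]
        if not ips:
            verdict = "pending"    # no SLB address assigned yet
        elif all(is_rfc1918(ip) for ip in ips) != declared_internal:
            verdict = "mismatch"   # annotation and assigned address disagree
        else:
            verdict = "internal" if declared_internal else "public"
        report[svc["metadata"]["name"]] = verdict
    return report

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:28} {verdict}")
```

A "mismatch" verdict is the one to investigate, for example when the ID supplied for [$SLB_ID] does not belong to an internal SLB instance.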
Application scope
- All ACK clusters