
Microservices Engine: Overview of MSE Ingress gateways

Last Updated: Apr 24, 2024

An Ingress is an API object that provides Layer-7 load balancing to manage external access to services in a Kubernetes cluster. To better support cloud-native scenarios, Alibaba Cloud provides Microservices Engine (MSE) Ingress gateways, which are built by deeply integrating and optimizing MSE cloud-native gateways with Container Service for Kubernetes (ACK). MSE Ingress gateways help you manage the ingress traffic of clusters efficiently. This topic describes the basic concepts and features of MSE Ingress gateways, how to use them, and how an MSE Ingress gateway works.

Basic concepts

In a Kubernetes cluster, an Ingress is the resource that manages external access to the services in the cluster. It functions as the access point that exposes those services and distributes most of the network traffic that is destined for them. You can configure routing rules for an Ingress to route network traffic to the backend pods of different services in the cluster.

Kubernetes Ingress resources allow you to configure only the rules for routing HTTP traffic. Advanced features such as load balancing algorithms and session affinity cannot be configured. The advanced features require support from NGINX Ingress gateways or MSE Ingress gateways.

MSE Ingress gateways are developed based on MSE cloud-native gateways and provide a more powerful method to manage ingress traffic. MSE Ingress gateways are compatible with NGINX Ingress gateways: they support more than 50 annotations defined in NGINX Ingress gateways and are suitable for more than 90% of the scenarios of NGINX Ingress gateways. MSE Ingress gateways support canary releases of multiple service versions at the same time and provide flexible service governance capabilities and comprehensive security protection. MSE Ingress gateways can meet requirements for traffic governance in scenarios in which a large number of cloud-native distributed applications are used.

Features

For more information about the features of MSE Ingress gateways, see the following topics:

Instructions

Kubernetes services such as ACK and ACK Serverless can use MSE Ingress gateways to route external traffic to services in a Kubernetes cluster. This way, Layer-7 load balancing is implemented. You must deploy MSE Ingress Controller in your Kubernetes cluster. MSE Ingress Controller listens to resources defined in MseIngressConfig CustomResourceDefinitions (CRDs) and dynamically manages the lifecycles, global parameter settings, and Ingress resource listening items of MSE cloud-native gateways. MSE cloud-native gateways listen to Ingress resources in the Kubernetes cluster and convert the Ingress resources that they observe into the required traffic governance configurations. This way, cluster services are externally exposed. For more information, see Use MSE Ingress gateways to access applications in ACK clusters.

Kubernetes Ingress resources support only HTTP traffic management. Advanced features are implemented based on annotations. MSE Ingress gateways are compatible with annotations defined in NGINX Ingress gateways and provide additional annotations to enhance traffic governance and security protection. For more information, see Advanced usage of MSE Ingress.

How an MSE Ingress gateway works

Components

  • MSE Ingress Controller:

    MSE Ingress Controller is not a network data plane. It is a control plane that manages MSE cloud-native gateways and their configurations, and it does not process any service requests. It sits beside the traffic path rather than in it, and manages the MSE cloud-native gateways that process service traffic.

    You must install the MSE Ingress Controller component in your ACK cluster or ACK Serverless cluster, use the MseIngressConfig CRDs provided by this component to manage cloud-native gateways based on annotations, and configure Ingress resource listening items for the gateways.

    For more information about how to install the MSE Ingress Controller component, see Manage components.

  • MSE cloud-native gateways: MSE cloud-native gateways are created by MSE Ingress Controller based on the MseIngressConfig CRDs that you configured. An MSE cloud-native gateway consists of a control plane and a data plane.

    • Control plane: listens to resources such as Ingress resources, Ingress classes, and services in an associated ACK cluster. After the resources are parsed, the parsed resource configurations are sent to the gateway data plane in real time.

    • Data plane: implements traffic governance. The data plane processes external requests based on the governance rules that are sent from the control plane, and routes the requests to the destination backend service.

Implementation

MSE Ingress Controller listens to the resource that is defined in an MseIngressConfig CRD in an ACK cluster and dynamically maintains the lifecycle of the cloud-native gateway that corresponds to the resource and the association between the gateway and ACK cluster in real time.

The control plane of the cloud-native gateway obtains the changes of Ingress resources by using the API server of the associated ACK cluster, and dynamically updates the routing rules of the gateway. After the cloud-native gateway receives a request, the gateway matches the request with an Ingress routing rule and routes the request to the pod that corresponds to the backend service based on the matched routing rule.

The following content describes the relationships among services, Ingresses, Ingress classes, MseIngressConfigs, and MSE Ingress Controller in a Kubernetes cluster.

  • Service: an abstraction of real backend services. One service can represent multiple identical backend services.

  • Ingress: a set of reverse proxy rules. An Ingress specifies the service to which HTTP requests or HTTPS requests are routed. For example, an Ingress routes requests to different services based on the hostnames and URLs in the requests.

  • Ingress class: a description of the Ingress processor. An Ingress class is used to declare the implementation of an Ingress processor in a Kubernetes cluster. The Ingress resources that are associated with the Ingress class are parsed by the Ingress processor. You must associate an MseIngressConfig with the Parameter field of the Ingress class to implement the traffic management rule that is specified in the parsed Ingress resource description.

  • MseIngressConfig: a CRD that is provided by MSE Ingress Controller. An MseIngressConfig CRD provides basic information about a cloud-native gateway.

  • MSE Ingress Controller: a control plane that manages MSE cloud-native gateways and their configurations. MSE Ingress Controller is not a network data plane. MSE Ingress Controller is used to listen to Ingress resources defined in MseIngressConfig CRDs in a cluster and coordinate MSE cloud-native gateways to implement the traffic management rule that is specified in the parsed Ingress resource description.

The following figure shows how MSE Ingress Controller works.

[Figure: Ingress application scenarios]
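The relationships listed above (Ingress, Ingress class, MseIngressConfig) decide which services a gateway exposes outside the cluster. The following is an added example, not code from this documentation or from Alibaba Cloud: it resolves that chain over constructed manifests, lists the exposed routes, and flags Ingresses whose class does not lead to an existing MseIngressConfig. All resource names are hypothetical, and it assumes the Parameter field of the Ingress class appears as `spec.parameters` with `kind` and `name`.

```python
# Constructed sample manifests, shaped like parsed YAML; every name is hypothetical.
def _ingress(name, cls, host, paths):
    return {"kind": "Ingress", "metadata": {"name": name, "namespace": "default"},
            "spec": {"ingressClassName": cls, "rules": [{"host": host, "http": {"paths": [
                {"path": p, "backend": {"service": {"name": s, "port": {"number": n}}}}
                for p, s, n in paths]}}]}}

def _ingress_class(name, config_name):
    # Assumption: the class points at its gateway config through spec.parameters.
    return {"kind": "IngressClass", "metadata": {"name": name},
            "spec": {"parameters": {"kind": "MseIngressConfig", "name": config_name}}}

MANIFESTS = [
    {"kind": "MseIngressConfig", "metadata": {"name": "gw-prod"}},
    _ingress_class("mse", "gw-prod"),
    _ingress_class("orphan", "missing"),          # refers to a config that does not exist
    _ingress("shop", "mse", "shop.example.com",
             [("/api", "shop-api", 8080), ("/admin", "shop-admin", 9000)]),
    _ingress("legacy", "orphan", "old.example.com", [("/", "legacy-web", 80)]),
]

def resolve_exposure(manifests):
    """Return (exposed, unresolved).

    exposed:    (gateway config, host, path, service:port) for each routed path
    unresolved: namespace/name of Ingresses whose class chain is broken
    """
    configs = {m["metadata"]["name"] for m in manifests if m["kind"] == "MseIngressConfig"}
    classes = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "IngressClass"}
    exposed, unresolved = [], []
    for ing in (m for m in manifests if m["kind"] == "Ingress"):
        cls = classes.get(ing["spec"].get("ingressClassName")) or {}
        params = cls.get("spec", {}).get("parameters") or {}
        gateway = params.get("name") if params.get("kind") == "MseIngressConfig" else None
        if gateway not in configs:
            meta = ing["metadata"]
            unresolved.append(f'{meta.get("namespace", "default")}/{meta["name"]}')
            continue
        for rule in ing["spec"].get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                svc = p["backend"]["service"]
                exposed.append((gateway, rule.get("host", "*"), p.get("path", "/"),
                                f'{svc["name"]}:{svc["port"]["number"]}'))
    return exposed, unresolved

if __name__ == "__main__":
    routes, broken = resolve_exposure(MANIFESTS)
    for route in routes:
        print("exposed via %s: %s%s -> %s" % route)
    print("unresolved Ingresses:", broken)
```

Reviewing the exposed list against what is meant to be public (here, the constructed `/admin` route) is the point of the inventory; the unresolved list shows Ingresses that no MSE gateway will pick up.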