An Ingress is an API object that provides Layer-7 load balancing to manage external access to services in a Kubernetes cluster. To better support cloud-native scenarios, Alibaba Cloud provides Microservices Engine (MSE) Ingress gateways that are developed based on deep integration and optimization of MSE cloud-native gateways and Container Service for Kubernetes (ACK). MSE Ingress gateways help you manage ingress traffic of clusters in an efficient manner. This topic describes the basic concepts, features, and usage notes of MSE Ingress gateways. This topic also describes how an MSE Ingress gateway works.
In a Kubernetes cluster, an Ingress functions as an access point that exposes services in the cluster. The Ingress distributes most of the network traffic that is destined for the services in the cluster. An Ingress is a Kubernetes resource that manages external access to the services in a Kubernetes cluster. You can configure routing rules for an Ingress to route network traffic to backend pods of different services in a Kubernetes cluster.
Kubernetes Ingress resources allow you to configure only the rules for routing HTTP traffic. Advanced features such as load balancing algorithms and session affinity cannot be configured. The advanced features require support from NGINX Ingress gateways or MSE Ingress gateways.
MSE Ingress gateways are developed based on MSE cloud-native gateways and provide a more powerful method to manage ingress traffic. MSE Ingress gateways are compatible with NGINX Ingress gateways and support more than 50 annotations defined in NGINX Ingress gateways. MSE Ingress gateways are suitable for more than 90% of scenarios of NGINX Ingress gateways. MSE Ingress gateways support canary releases of multiple service versions at the same time and provide flexible service governance capabilities and comprehensive security protection. MSE Ingress gateways can meet requirements for traffic governance in scenarios in which a large number of cloud-native distributed applications are used.
For more information about the features of MSE Ingress gateways, see the following topics:
Kubernetes services such as ACK and ACK Serverless can use MSE Ingress gateways to route external traffic to services in a Kubernetes cluster. This way, Layer-7 load balancing is implemented. You must deploy MSE Ingress Controller in your Kubernetes cluster. MSE Ingress Controller is used to monitor resources defined by MseIngressConfig CustomResourceDefinitions (CRDs) and dynamically manage the lifecycles of MSE cloud-native gateways, global parameter settings, and monitoring items of Ingress resources. MSE cloud-native gateways are used to monitor Ingress resources in a Kubernetes cluster and convert the monitored Ingress resources into the required traffic governance configurations. This way, cluster services are externally exposed. For more information, see Use MSE Ingresses to access applications in ACK clusters.
Kubernetes Ingress resources support only HTTP traffic management. Advanced features are implemented based on annotations. MSE Ingress gateways are compatible with annotations defined in NGINX Ingress gateways and provide additional annotations to enhance traffic governance and security protection. For more information, see Advanced usage of MSE Ingress.
How an MSE Ingress gateway works
MSE Ingress Controller
MSE Ingress Controller is not a network data plane, but is a control plane that manages MSE cloud-native gateways and their configurations. MSE Ingress Controller does not process any service request traffic. It sits outside the traffic path and manages the MSE cloud-native gateways that process service traffic.
You must install the MSE Ingress Controller component in your ACK or ACK Serverless cluster, use the MseIngressConfig CRDs provided by this component to manage cloud-native gateways based on annotations, and configure Ingress resource monitoring items for the gateways.
For more information about how to install the MSE Ingress Controller component, see Manage system components.
MSE cloud-native gateways: MSE cloud-native gateways are created based on the MseIngressConfig CRD that you configured. An MSE cloud-native gateway consists of a control plane and a data plane.
Control plane: monitors resources such as Ingresses, Ingress classes, and services in an associated ACK cluster. After the resources are parsed, the parsed resource configurations are sent to the gateway data plane in real time.
Data plane: implements traffic governance. The data plane processes external requests based on the governance rules that are sent from the control plane, and routes the requests to your destination backend service.
MSE Ingress Controller monitors the resource that is defined by an MseIngressConfig CRD in an ACK cluster and dynamically maintains the lifecycle of the cloud-native gateway that corresponds to the resource and the association between the gateway and ACK cluster in real time.
The control plane of the cloud-native gateway obtains the changes of Ingress resources by using the API server of the associated ACK cluster, and dynamically updates the routing rules of the gateway. After the cloud-native gateway receives a request, the gateway matches the request with an Ingress routing rule and routes the request to the pod that corresponds to the backend service based on the matched routing rule.
In a Kubernetes cluster, services, Ingresses, Ingress classes, MseIngressConfigs, and MSE Ingress Controller work together as follows:
Service: an abstraction of an application that is deployed in a group of replicated pods.
Ingress: a set of reverse proxy rules. An Ingress specifies the service to which HTTP or HTTPS requests are routed. For example, an Ingress routes requests to different services based on the hostnames and URLs in the requests.
Ingress class: a description of the Ingress processor. An Ingress class is used to declare the implementation of an Ingress processor in a Kubernetes cluster. The Ingress resources that are associated with the Ingress class are parsed by the Ingress processor. You must associate an MseIngressConfig CRD with the Parameter field of the Ingress class to implement the traffic management rule that is specified in the parsed Ingress resource description.
MseIngressConfig: a CRD that is provided by MSE Ingress Controller. An MseIngressConfig CRD provides basic information about a cloud-native gateway.
MSE Ingress Controller: a control plane that manages MSE cloud-native gateways and their configurations. MSE Ingress Controller is not a network data plane. MSE Ingress Controller is used to monitor Ingress resources defined by MseIngressConfig CRDs in a cluster and coordinate MSE cloud-native gateways to implement the traffic management rule that is specified in the parsed Ingress resource description.
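The chain described above (Ingress, then Ingress class, then MseIngressConfig, then backend service) can be walked offline to list what a gateway would expose and to flag Ingresses whose chain is broken. The following is an added example, not code from MSE or from this topic. It assumes manifests exported as dictionaries and uses the standard Kubernetes fields `spec.ingressClassName` and `spec.parameters`. All object names and hostnames are constructed.

```python
# Constructed manifests, trimmed to the fields this check reads; all names are hypothetical.
MANIFESTS = [
    {"kind": "MseIngressConfig", "metadata": {"name": "gw-config"}},
    {"kind": "IngressClass", "metadata": {"name": "mse"},
     "spec": {"parameters": {"kind": "MseIngressConfig", "name": "gw-config"}}},
    {"kind": "IngressClass", "metadata": {"name": "mse-stale"},
     "spec": {"parameters": {"kind": "MseIngressConfig", "name": "deleted-config"}}},
    {"kind": "Ingress", "metadata": {"name": "shop", "namespace": "prod"},
     "spec": {"ingressClassName": "mse", "rules": [{"host": "shop.example.com", "http": {"paths": [
         {"path": "/", "backend": {"service": {"name": "web", "port": {"number": 80}}}},
         {"path": "/admin", "backend": {"service": {"name": "admin-ui", "port": {"number": 8080}}}}]}}]}},
    {"kind": "Ingress", "metadata": {"name": "legacy", "namespace": "prod"},
     "spec": {"ingressClassName": "mse-stale", "rules": []}},
    {"kind": "Ingress", "metadata": {"name": "orphan", "namespace": "dev"}, "spec": {"rules": []}},
]


def by_kind(manifests, kind):
    """Index manifests of one kind by metadata.name."""
    return {m["metadata"]["name"]: m for m in manifests if m["kind"] == kind}


def audit(manifests):
    """Return (routes exposed through an MSE gateway, findings for broken chains)."""
    configs = by_kind(manifests, "MseIngressConfig")
    classes = by_kind(manifests, "IngressClass")
    exposed, findings = [], []
    for ing in (m for m in manifests if m["kind"] == "Ingress"):
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        cls = classes.get(ing["spec"].get("ingressClassName"))
        if cls is None:
            findings.append((f"{ns}/{name}", "no matching IngressClass"))
            continue
        params = cls.get("spec", {}).get("parameters") or {}
        if params.get("kind") != "MseIngressConfig":
            continue  # class belongs to a different Ingress processor
        if params.get("name") not in configs:
            findings.append((f"{ns}/{name}", f"MseIngressConfig {params.get('name')} not found"))
            continue
        for rule in ing["spec"].get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                svc = p["backend"]["service"]
                backend = f"{ns}/{svc['name']}:{svc['port']['number']}"
                exposed.append((params["name"], rule.get("host", "*"), p["path"], backend))
    return exposed, findings


if __name__ == "__main__":
    for row in audit(MANIFESTS)[0] + audit(MANIFESTS)[1]:
        print(row)
```

Each exposed row names the MseIngressConfig, host, path, and backend service, so a reviewer can confirm that paths such as `/admin` are meant to be externally reachable.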
The following figure shows how MSE Ingress Controller works.