Guide to using ALB Ingress in a self-managed Kubernetes cluster - Server Load Balancer

This topic describes how to use ALB Ingress with a self-managed Kubernetes cluster that is deployed on Alibaba Cloud.

Example scenario

This topic uses the scenario that is shown in the following figure. You have a self-managed Kubernetes cluster that is built on Alibaba Cloud resources and want to use ALB Ingress to forward requests.

You can deploy the `alb-ingress-controller` in a self-managed Kubernetes cluster and create Ingress and Service resources. The `alb-ingress-controller` syncs Ingress resources to ALB as forwarding rules based on the service configurations in the Kubernetes cluster. It also monitors the API server of the cluster for changes to Ingress resources and syncs the changes to ALB. ALB detects these changes and dynamically forwards traffic to the corresponding pods in the cluster. For more information, see ALB Ingress Management.

ALB Ingress scenario example

Notes

If you use an overlay network plug-in, such as Flannel, the backend service for ALB Ingress supports only the NodePort and LoadBalancer types.
The names of resources such as AlbConfig, Namespace, Ingress, and Service cannot start with `aliyun`.

Prerequisites

You have a self-managed Kubernetes cluster of v1.20 or later that is deployed on Alibaba Cloud. You can use the kubectl tool to connect to the cluster. For more information about how to download and install the kubectl tool, see Install and Set Up kubectl.
Public network access is enabled for the cluster using Source Network Address Translation (SNAT). For more information, see Use the SNAT feature of an Internet NAT gateway to access the Internet.
Note the following when you use a controller image for the self-managed cluster:
- If you use a private image, you can compile and upload the image. For more information, see the open source document How to deploy the controller from source code.
- For clusters that use the x86 architecture, you can use a public Alibaba Cloud image for testing.

Procedure

Configuration steps

The following steps involve file modifications. Make sure that you understand the name and purpose of each file.

Step	File name	Purpose
Step 1: Deploy the alb-ingress-controller	load-balancer-controller.yaml Modified from a template	Used to deploy the alb-ingress-controller
Step 2: Create AlbConfig and IngressClass resources	alb.yaml Created and modified	Used to create albconfig and ingressClass resources, and synchronously create an ALB instance.
Step 3: Deploy a test application	test-service.yaml Created and modified	Used to deploy a test service
Step 4: Create an Ingress	test-ingress.yaml Created and modified	Used to create an Ingress

Step 1: Deploy the alb-ingress-controller

Note

The system may fail to pull the deployment image due to carrier network issues. If this issue occurs, use a private image. You can compile and upload the image. For more information, see the open source document How to deploy the controller from source code.

The alb-ingress-controller starts in InCluster mode and is deployed using the load-balancer-controller.yaml file. Permissions to listen for resources such as Service, Endpoint, and Node are configured. The related ServiceAccount, deployment, and ConfigMap are pre-configured. Modify the configurations based on your requirements.

Modify the load-balancer-controller.yaml file to change the deployment image to an available image address.
The `load-balancer-controller.yaml` file is used to deploy the alb-ingress-controller.
Before modification:
```
image: ${path/to/your/image/registry}
```
After modification:
```
image: alibabacloudslb/alibaba-load-balancer-controller:v1.2.0  #Image compiled for x86
```

Modify the `load-balancer-controller.yaml` file to configure the AccessKey ID and AccessKey secret in the ConfigMap.

Note

You can use the Alibaba Cloud account that you use to create ALB instances to log on to the Resource Access Management (RAM) console and view the AccessKey ID and AccessKey secret on the AccessKey page.

apiVersion: v1
kind: ConfigMap
metadata:
  name: load-balancer-config
  namespace: kube-system
data:
  cloud-config.conf: |-
       {
           "Global": {
               "AccessKeyID": "<YOUR_ACCESS_KEY_ID>", # Base64 encoding required
               "AccessKeySecret": "<YOUR_ACCESS_KEY_SECRET>" # Base64 encoding required
           }
       }

Connect to the cluster using kubectl and run the following command to deploy the modified `load-balancer-controller.yaml` file.

kubectl apply -f load-balancer-controller.yaml

Expected output:

clusterrole.rbac.authorization.k8s.io/system:load-balancer-controller created
serviceaccount/load-balancer-controller created
clusterrolebinding.rbac.authorization.k8s.io/system:load-controller-manager created
configmap/load-balancer-config created
deployment.apps/load-balancer-controller created

Run the following command to verify the deployment of the alb-ingress-controller.
```
kubectl -n kube-system get all | grep load-balancer
```
If the status of the pod is Running as shown in the following figure, the deployment is successful.

Step 2: Create AlbConfig and IngressClass resources

After the AlbConfig and IngressClass resources are created, an ALB instance is also created.

Create an `alb.yaml` file and copy the following content into the file.
The `alb.yaml` file is used to create AlbConfig and IngressClass resources.
```
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    name: alb-test             #alb-test is the name of the ALB instance.
    addressType: Internet      #Intranet specifies a private network. Internet specifies the Internet.
    zoneMappings:
    - vSwitchId: vsw-wz9e2usil7e5an1xi****    #ALB requires the IDs of vSwitches in at least two zones.
    - vSwitchId: vsw-wz92lvykqj1siwvif****
  listeners:
    - port: 80
      protocol: HTTP
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: alb
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: alb-demo   #The specified AlbConfig resource.
```
Note
Take note of the configurations of the following two parameters:
- albconfig.spec.config.addressType: The network type of the instance. Valid values are:
  Internet (default): The instance is connected to the Internet. A public IP address and a private IP address are provided in each zone. An Internet-facing ALB instance uses an Elastic IP Address (EIP) to provide public network access. If you select this option, you are charged for the EIP instance and for bandwidth or data transfer.
  An EIP provides public-facing services and allows access to ALB over the Internet.
  The private IP address allows ECS instances in a VPC to access the ALB.
  Intranet: The instance is connected to a private network. A private IP address is provided in each zone. The ALB instance can be accessed only over the Alibaba Cloud internal network, not from the Internet.
- spec.config.zoneMappings: Specifies the vSwitch IDs for the ALB Ingress. You must specify the IDs of at least two vSwitches from different zones. The specified vSwitches must be in zones that are supported by ALB. For more information about the regions and zones supported by ALB, see Supported regions and zones.
Connect to the cluster using kubectl and run the following command to deploy the `alb.yaml` file.
```
kubectl apply -f alb.yaml
```
Expected output:
```
AlbConfig.alibabacloud.com/alb-demo create
ingressclass.networking.k8s.io/alb created
```
Verify that the ALB instance is created.
- Method 1: Run the following command to view the ALB instance ID.
```
kubectl get albconfig alb-demo     
```
- Method 2: Log on to the Application Load Balancer console to view the created ALB instances.
  Note
  Log on to the console using the Alibaba Cloud account that is configured in the ConfigMap file in Step 1: Deploy the alb-ingress-controller.

Step 3: Deploy a test application

This step uses a test image to create a deployment resource. This resource is then used to deploy a test application.

Create a `test-service.yaml` file and copy the following content into the file.

The `test-service.yaml` file is used to deploy two deployments named test01 and test02, and two services named test01-service and test02-service.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test01
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test01
  template:
    metadata:
      labels:
        app: test01
    spec:
      containers:
      - name: test01
        image: registry.cn-hangzhou.aliyuncs.com/acs-sample/nginxdemos:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: test01-service
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    app: test01
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test02
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test02
  template:
    metadata:
      labels:
        app: test02
    spec:
      containers:
      - name: test02
        image: registry.cn-hangzhou.aliyuncs.com/acs-sample/nginxdemos:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: test02-service
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    app: test02
  type: NodePort

Connect to the cluster using kubectl and run the following command to deploy the `test-service.yaml` file.

kubectl apply -f test-service.yaml

Expected output:

deployment "test01" created
service "test01-service" created
deployment "test02" created
service "test02-service" created

Run the following command to verify that the test service is deployed.
```
kubectl get svc,deploy  
```
If a response that is similar to the following one is returned, the test service is deployed.

Step 4: Create an Ingress

An Ingress corresponds to forwarding rules in an ALB instance. This topic describes a configuration that uses the path-based forwarding feature. For more information about advanced features, see the ALB Ingress User Guide.

Create a `test-ingress.yaml` file and copy the following content into the file.

The `test-ingress.yaml` file is used to create an Ingress.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
spec:
  ingressClassName: alb
  rules:
   - host: demo.domain.ingress.top
     http:
      paths:
      - path: /test01
        pathType: Prefix
        backend:
          service:
            name: test01-service
            port:
              number: 80
      - path: /test02
        pathType: Prefix
        backend:
          service:
            name: test02-service
            port:
              number: 80

Connect to the cluster using kubectl and run the following command to deploy the `test-ingress.yaml` file.
```
kubectl apply -f test-ingress.yaml
```
Expected output:
```
ingress "test-ingress" created
```
Run the following command to verify the creation of the test-ingress resource.
```
kubectl get ingress
```
If a response that is similar to the following one is returned, the test-ingress resource is created.

Step 5: Verify the results

Access the service through domain name resolution

Create a CNAME record to map your domain name to the DNS name of the ALB instance. For more information, see Add a CNAME record for an ALB instance.
This example assumes that the custom domain name demo.domain.ingress.top is mapped to the public service domain name of the ALB instance.
Run the following command to access the test01 service using the ALB instance.
```
curl http://demo.domain.ingress.top/test01
```
Run the following command to access the test02 service using the ALB instance.
```
curl http://demo.domain.ingress.top/test02
```

If you have questions, join the DingTalk group ALB Customer Communication Group (ID: 31945843) for assistance.

References

Overview and features of ALB Ingress:

Source code documentation: