Join our - Lead the Future of API Dev: A New Approach with Blackbird -Webinar on September 19thRegister Now

Back to blog
KUBERNETES INGRESS CONTROLLER, LOAD BALANCERS

Kubernetes Ingress 101: NodePort, Load Balancers, and Ingress Controllers

Richard Li
February 28, 2018 | 12 min read
Kubernetes Ingress 101

This article was updated in December 2021.

This article will introduce the three general strategies in Kubernetes for ingress, and the tradeoffs with each approach. I’ll then explore some of the more sophisticated requirements of an ingress strategy. Finally, I’ll give some guidelines on how to pick your Kubernetes ingress strategy.

What is Kubernetes ingress?

Kubernetes ingress is a collection of routing rules that govern how external users access services running in a Kubernetes cluster. However, in real-world Kubernetes deployments, there are frequently other considerations beyond routing for managing ingress.

We’ll discuss these requirements in more detail below.

Ingress in Kubernetes: In Kubernetes, there are three general approaches to exposing your application.

  • Using a Kubernetes service of type
    NodePort
    , which exposes the application on a port across each of your nodes
  • Use a Kubernetes service of type
    LoadBalancer
    , which creates an external load balancer that points to a Kubernetes service in your cluster
  • Use a Kubernetes Ingress Resource

What is a NodePort?

A

is an open port on every node of your cluster. Kubernetes transparently routes incoming traffic on the
NodePort
to your service, even if your application is running on a different node.

Every Kubernetes cluster supports

NodePort
, although if you’re running in a cloud provider such as Google Cloud, you may have to edit your firewall rules. However, a
NodePort
is assigned from a pool of cluster-configured
NodePort
ranges (typically 30000–32767). While this is likely not a problem for most TCP or UDP clients, HTTP or HTTPS traffic end up being exposed on a non-standard port.

The

NodePort
abstraction is intended to be a building block for higher-level ingress models (e.g., load balancers). It is handy for development purposes, however, when you don’t need a production URL.

What is a Load Balancer?

Using a

LoadBalancer
service type automatically deploys an external load balancer. This external load balancer is associated with a specific IP address and routes external traffic to a Kubernetes service in your cluster.

The exact implementation of a

LoadBalancer
is dependent on your cloud provider, and not all cloud providers support the
LoadBalancer
service type. Moreover, if you’re deploying Kubernetes on bare metal, you’ll have to supply your own load balancer implementation. That said, if you’re in an environment that supports the
LoadBalancer
service type, this is likely the safest, simplest way to route your traffic.

Ingress Controllers and Ingress Resources

Kubernetes supports a high level abstraction called Ingress, which allows simple host or URL based HTTP routing. An ingress is a core concept (in beta) of Kubernetes, but is always implemented by a third party proxy. These implementations are known as ingress controllers. An ingress controller is responsible for reading the Ingress Resource information and processing that data accordingly. Different ingress controllers have extended the specification in different ways to support additional use cases.

Ingress is tightly integrated into Kubernetes, meaning that your existing workflows around

kubectl
will likely extend nicely to managing ingress. Note that an ingress controller typically doesn’t eliminate the need for an external load balancer — the ingress controller simply adds an additional layer of routing and control behind the load balancer.

Real-world ingress

We’ve just covered the three basic patterns for routing external traffic to your Kubernetes cluster. However, we’ve only discussed how to route traffic to your cluster. Typically, though, your Kubernetes services will impose additional requirements on your ingress. Examples of this include:

  • content-based routing, e.g., routing based on HTTP method, request headers, or other properties of the specific request
  • resilience, e.g., rate limiting, timeouts
  • support for multiple protocols, e.g., WebSockets or gRPC
  • authentication

Unless you’re running a very simple cloud application, you’ll likely need support for some or all of these capabilities. And, importantly, many of these requirements may need to be managed at the service level, which means you want to manage these concerns inside Kubernetes.

Start with a load balancer

Regardless of your ingress strategy, you probably will need to start with an external load balancer. This load balancer will then route traffic to a Kubernetes service (or ingress) on your cluster that will perform service-specific routing. In this set up, your load balancer provides a stable endpoint (IP address) for external traffic to access.

Both ingress controllers and Kubernetes services require an external load balancer, and, as previously discussed,

NodePort
s are not designed to be directly used for production.

Service-specific ingress management

So the question for your ingress strategy is really about choosing the right way to manage traffic from your external load balancer to your services. What are your options?

Assuming you don’t want to deploy your own, how do you choose between an ingress controller and an API gateway? It comes down to actual capabilities.

So how do you choose between an ingress controller and an API gateway deployed as a Kubernetes service? Surprisingly, there are no fundamental differences!

The original motivation behind ingress was to create a standard API to manage how external traffic is routed to cluster services. However, the reality is that ingress isn’t actually a portable standard. The standard is imprecise (different ingress controllers have different semantics, e.g., behavior of trailing

/
is not specified in the standard). The ingress standard has also focused on lowest common denominator functionality, so many ingress controllers have extended the ingress resource with custom annotations, creating additional fragmentation.

The Evolution of the Ingress API, Ingress v1, and the Gateway API

Ever since the Ingress resource moved to its final location under the permanent

networking.k8s.io
API group, a thorough clean up the ingress API to resolve some ambiguities in the specification has been underway. As Kubernetes 1.18 sets the table and prepares to make a cleaned up ingress API GA with the imminent v1 release, the existing v1beta1 version was enhanced to includes backward-compatible additions to the resource definition. Progressive changes will allow ingress-controller implementors and users of Ingress resources to adapt and migrate gradually.

Kubernetes 1.18, therefore, introduced 3 noteworthy changes:

  • The new pathType field can specify how HTTP request paths should be matched.
  • The new IngressClass resource can specify which Ingress should be handled by controllers. The IngressClass resource effectively replaces the
    kubernetes.io/ingress.class
    annotation and allows for extension points using the
    parameters
    field.
  • Added support for wildcards hostnames.

More details of changes rationale can be found in this Kubernetes Enhancement Proposal, KEP for short. The KEP also notes some of the challenges in making a consistent standard for ingress across multiple implementations. Kubernetes 1.19 sees the introduction of Ingress and IngressClass in

networking.k8s.io/v1
with further non-backward compatible API changes, while
networking.k8s.io/v1beta1
will officially be marked as deprecated.

In 2020, the SIG-Network community convened a working group to evolve the Ingress v1 specification. Originally called the Service APIs working group, the group was renamed the Gateway API working group in February 2021. The Gateway API (https://kubernetes-sigs.github.io/gateway-api/) is a much richer set of APIs that will be added to Kubernetes. One of the core principles of the design is decoupling routes from the actually configuration of the gateway resource itself. This is very similar to the evolution of other ingress controllers have evolved (e.g., Ambassador with its

Mapping
resource which does exactly this). In October 2021, the Gateway API working group released
0.4.0
of the Gateway specification, which is expected to become the basis for a
v1beta1
release as it exits from alpha state.


So, at the end of the day, your choice for service-specific ingress management should depend on your specific requirements, and a specific implementation’s ability to meet your requirements. Different ingress controllers will have different functionality, just like API Gateways. Here are a few choices to consider:

  • There are three different NGINX ingress controllers, with different feature sets and functionality.
  • Traefik can also be deployed as an ingress controller, and exposes a subset of its functionality through Kubernetes annotations.
  • Kong is a popular open source API gateway built on NGINX. However, because it supports many infrastructure platforms, it isn’t optimized for Kubernetes. For example, Kong requires a database, when Kubernetes provides an excellent persistent data store in etcd. Kong also is configured via REST, while Kubernetes embraces declarative configuration management.
  • Edge Stack is built on the Envoy Proxy, and exposes a rich set of configuration options for your services, as well as support for external authentication services. Ambassador has been accepted as a CNCF Incubation project, Emissary-ingress.

Summary

Kubernetes ingress is a work-in-progress. Organizations appear to be converging on an external load balancer that sends external traffic to a service router (API Gateway, ingress controller). This service router is declaratively configured via Kubernetes annotations. If you’re interested in following the evolution of Kubernetes ingress, check out the Kubernetes Network SIG and the current plan in this KEP. To learn more about Kubernetes ingress and the options available for ingress controllers and API gateways, check out our resources on Kubernetes Ingress.

Kubernetes ingress with Ambassador Edge Stack

Edge Stack Kubernetes-native API Gateway built on the Envoy Proxy. Ambassador is easily configured via Kubernetes Custom Resource Definitions, and supports all the use cases mentioned in this article. Deploy Ambassador to Kubernetes in just a few simple steps and use Edge Stack as your Envoy-powered Kubernetes ingress controller.

Ambassador Edge Stack - Most Popular Kubernetes Native API Gateway

Ambassador Labs makes the Edge Stack. The most popular Kubernetes native API Gateway. Edge Stack contains an ingress controller. You can use the community version for free up to 5 requests per second. Or start with the enterprise version without limits.