Overview
Kubernetes has become the de facto standard for orchestrating containerized applications. With increasing complexity in microservices architectures, efficient traffic management and advanced ingress routing techniques are paramount for seamless service delivery. Ingress resources in Kubernetes provide HTTP and HTTPS routing to services based on paths, hostnames, or other parameters. This tutorial delves into advanced ingress routing methods that help manage traffic flow effectively within a Kubernetes cluster.
Understanding Kubernetes Ingress
Ingress is an API object that manages external access to the services in a cluster, typically HTTP and HTTPS. It allows you to consolidate your routing rules into a single resource, as it can expose multiple services under the same IP address.
Prerequisites
- Working knowledge of Kubernetes objects.
- A Kubernetes cluster with administrative access.
- Installed Ingress controller of your choice (e.g., Nginx, Traefik).
- kubectl command-line tool configured.
Advanced Routing Techniques
The following sections outline several advanced techniques for ingress routing in Kubernetes:
1. Hostname-based Routing
This method routes traffic based on requested hostnames. It’s useful for multi-domain apps deployed on the same cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hostname-routing
spec:
rules:
- host: 'app1.example.com'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app1-service
port:
number: 80
- host: 'app2.example.com'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app2-service
port:
number: 80
2. Path-based Routing
Routes requests based on the URL path. Ideal for a single domain with multiple services.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: path-routing
spec:
rules:
- http:
paths:
- path: /service1
pathType: Prefix
backend:
service:
name: service1
port:
number: 80
- path: /service2
pathType: Prefix
backend:
service:
name: service2
port:
number: 80
3. Canary Releases
An advanced deployment technique that routes a subset of users to a new version of a service. It is used for A/B testing or gradual rollouts.
With Nginx Ingress Controller Annotations:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: canary-routing
annotations:
nginx.ingress.kubernetes.io/canary: 'true'
nginx.ingress.kubernetes.io/canary-weight: '20'
spec:
rules:
- host: 'app.example.com'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-canary
port:
number: 80
4. Subdomain-based Routing
You can also distinguish between services using subdomains, creating cleaner separation of services.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: subdomain-routing
spec:
rules:
- host: 'api.example.com'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: api-service
port:
number: 80
- host: 'blog.example.com'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: blog-service
port:
number: 80
5. Rewrites and Redirects
Use rewrites and redirects for backward compatibility or to enforce policy (e.g., redirect HTTP to HTTPS).
Redirect HTTP to HTTPS:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: http-to-https-redirect
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
rules:
- host: 'secure.example.com'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: secure-app
port:
number: 80
The above annotation will redirect all HTTP traffic to HTTPS.
Example: Adding Customization with Middleware
You’re not limited to simple route matching in Ingress; you can enhance the routing capabilities using various middlewares or plugins, depending on your ingress controller, to handle requirements like authentication, request transformation, or more complex routing scenarios.
To demonstrate adding customization with middleware in a Kubernetes Ingress resource, let’s consider an example where we use an ingress controller like NGINX or Traefik, which supports additional configurations for handling advanced routing, authentication, or request transformations.
In this example, I’ll create an Ingress resource that uses a basic auth middleware for authentication and a rewrite-target middleware for request transformation. Assume we’re using Traefik as the ingress controller, which supports these middlewares.
First, ensure you have a Kubernetes cluster with Traefik as the ingress controller. You’ll also need a service to route to, which I’ll call my-service
.
Step 1: Create a Secret for Basic Auth
Create a secret containing your basic auth credentials. The credentials are typically stored in the form of username:password
in base64 encoding.
kubectl create secret generic my-basic-auth --from-file=auth
Where auth
is a file containing the base64 encoded credentials.
Step 2: Define Middlewares
Define the middlewares in Kubernetes. Create YAML definitions for each middleware:
Basic Auth Middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
secret: my-basic-auth
Rewrite Target Middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-rewrite
spec:
stripPrefix:
prefixes:
- /stripme
Step 3: Create an Ingress Resource
Now, create an Ingress resource that uses these middlewares.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
annotations:
traefik.ingress.kubernetes.io/router.middlewares: test-auth@kubernetescrd, test-rewrite@kubernetescrd
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /stripme
pathType: Prefix
backend:
service:
name: my-service
port:
number: 80
In this example:
- The
test-auth
middleware enforces basic authentication on all requests. - The
test-rewrite
middleware rewrites the URL path, stripping out/stripme
before forwarding the request to the backend service.
This is a simplified example to illustrate how middlewares can be utilized with Ingress in Kubernetes. The actual implementation can vary depending on the ingress controller and the specific requirements of your application.
Conclusion
The advanced ingress routing techniques demonstrated in this tutorial empower you to manage and scale your Kubernetes services more effectively. Whether it’s deploying canary releases, securing services with HTTPS enforcement, or achieving high availability and scalability by using hostname and path-based routing, ingress controllers in Kubernetes offer the flexibility to adapt to almost any routing requirement you might have.
Remember that the ingress resource is just one part of the Kubernetes networking puzzle. You should also consider other aspects such as Network Policies and service meshes for a robust and secure network architecture.
By investing the time to understand and apply these advanced ingress techniques, you’ll maximize your Kubernetes cluster efficiency, reliability, and performance. As Kubernetes continues to evolve, it’s worth keeping an eye on the latest features and capabilities in ingress routing to remain at the cutting edge of container orchestration.