Kubernetes has become the de facto standard for orchestrating containerized applications. With increasing complexity in microservices architectures, efficient traffic management and advanced ingress routing techniques are paramount for seamless service delivery. Ingress resources in Kubernetes provide HTTP and HTTPS routing to services based on paths, hostnames, or other parameters. This tutorial delves into advanced ingress routing methods that help manage traffic flow effectively within a Kubernetes cluster.

Understanding Kubernetes Ingress

Ingress is an API object that manages external access to the services in a cluster, typically HTTP and HTTPS. It allows you to consolidate your routing rules into a single resource, as it can expose multiple services under the same IP address.

Prerequisites

Working knowledge of Kubernetes objects.

A Kubernetes cluster with administrative access.
Installed Ingress controller of your choice (e.g., Nginx, Traefik).
kubectl command-line tool configured.

Advanced Routing Techniques

The following sections outline several advanced techniques for ingress routing in Kubernetes:

1. Hostname-based Routing

This method routes traffic based on requested hostnames. It’s useful for multi-domain apps deployed on the same cluster.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hostname-routing
spec:
  rules:
  - host: 'app1.example.com'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
  - host: 'app2.example.com'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80

2. Path-based Routing

Routes requests based on the URL path. Ideal for a single domain with multiple services.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: path-routing
spec:
  rules:
  - http:
      paths:
      - path: /service1
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80
      - path: /service2
        pathType: Prefix
        backend:
          service:
            name: service2
            port:
              number: 80

3. Canary Releases

An advanced deployment technique that routes a subset of users to a new version of a service. It is used for A/B testing or gradual rollouts.

With Nginx Ingress Controller Annotations:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: canary-routing
  annotations:
    nginx.ingress.kubernetes.io/canary: 'true'
    nginx.ingress.kubernetes.io/canary-weight: '20'
spec:
  rules:
  - host: 'app.example.com'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-canary
            port:
              number: 80

4. Subdomain-based Routing

You can also distinguish between services using subdomains, creating cleaner separation of services.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: subdomain-routing
spec:
  rules:
  - host: 'api.example.com'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
  - host: 'blog.example.com'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: blog-service
            port:
              number: 80

5. Rewrites and Redirects

Use rewrites and redirects for backward compatibility or to enforce policy (e.g., redirect HTTP to HTTPS).

Redirect HTTP to HTTPS:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: http-to-https-redirect
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  rules:
  - host: 'secure.example.com'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: secure-app
            port:
              number: 80

The above annotation will redirect all HTTP traffic to HTTPS.

Example: Adding Customization with Middleware

You’re not limited to simple route matching in Ingress; you can enhance the routing capabilities using various middlewares or plugins, depending on your ingress controller, to handle requirements like authentication, request transformation, or more complex routing scenarios.

To demonstrate adding customization with middleware in a Kubernetes Ingress resource, let’s consider an example where we use an ingress controller like NGINX or Traefik, which supports additional configurations for handling advanced routing, authentication, or request transformations.

In this example, I’ll create an Ingress resource that uses a basic auth middleware for authentication and a rewrite-target middleware for request transformation. Assume we’re using Traefik as the ingress controller, which supports these middlewares.

First, ensure you have a Kubernetes cluster with Traefik as the ingress controller. You’ll also need a service to route to, which I’ll call my-service.

Step 1: Create a Secret for Basic Auth

Create a secret containing your basic auth credentials. The credentials are typically stored in the form of username:password in base64 encoding.

kubectl create secret generic my-basic-auth --from-file=auth

Where auth is a file containing the base64 encoded credentials.

Step 2: Define Middlewares

Define the middlewares in Kubernetes. Create YAML definitions for each middleware:

Basic Auth Middleware

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-auth
spec:
  basicAuth:
    secret: my-basic-auth

Rewrite Target Middleware

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-rewrite
spec:
  stripPrefix:
    prefixes:
      - /stripme

Step 3: Create an Ingress Resource

Now, create an Ingress resource that uses these middlewares.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: test-auth@kubernetescrd, test-rewrite@kubernetescrd
spec:
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /stripme
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80

In this example:

The test-auth middleware enforces basic authentication on all requests.
The test-rewrite middleware rewrites the URL path, stripping out /stripme before forwarding the request to the backend service.

This is a simplified example to illustrate how middlewares can be utilized with Ingress in Kubernetes. The actual implementation can vary depending on the ingress controller and the specific requirements of your application.

Conclusion

The advanced ingress routing techniques demonstrated in this tutorial empower you to manage and scale your Kubernetes services more effectively. Whether it’s deploying canary releases, securing services with HTTPS enforcement, or achieving high availability and scalability by using hostname and path-based routing, ingress controllers in Kubernetes offer the flexibility to adapt to almost any routing requirement you might have.

Remember that the ingress resource is just one part of the Kubernetes networking puzzle. You should also consider other aspects such as Network Policies and service meshes for a robust and secure network architecture.

By investing the time to understand and apply these advanced ingress techniques, you’ll maximize your Kubernetes cluster efficiency, reliability, and performance. As Kubernetes continues to evolve, it’s worth keeping an eye on the latest features and capabilities in ingress routing to remain at the cutting edge of container orchestration.

Next Article: How to Use Kubernetes on DigitalOcean

Previous Article: Kubernetes error: User 'system:serviceaccount:default:default' cannot get services in the namespace

Series: Kubernetes Tutorials

DevOps