How to set up Ingress controller in Kubernetes on Linux

How to Set Up Ingress Controller in Kubernetes on Linux An Ingress controller is a crucial component in Kubernetes that manages external access to services within a cluster. It acts as a reverse proxy, load balancer, and SSL termination point, providing a single entry point for HTTP and HTTPS traffic. This comprehensive guide will walk you through setting up various Ingress controllers on Linux-based Kubernetes clusters, from basic installation to advanced configurations. What You'll Learn By the end of this guide, you'll understand: - What Ingress controllers are and why they're essential - How to install and configure popular Ingress controllers (NGINX, Traefik, HAProxy) - Best practices for production deployments - Common troubleshooting techniques - Advanced configuration options and security considerations Prerequisites and Requirements Before proceeding with the Ingress controller setup, ensure you have the following: System Requirements - A running Kubernetes cluster (version 1.19 or later) - `kubectl` command-line tool configured to communicate with your cluster - Administrative access to the Kubernetes cluster - Linux-based nodes (Ubuntu 18.04+, CentOS 7+, or RHEL 7+) - At least 2GB RAM and 2 CPU cores available on worker nodes Network Requirements - External IP addresses or load balancer capability - DNS configuration access for domain routing - Firewall rules allowing HTTP (80) and HTTPS (443) traffic - Network policies configured appropriately Knowledge Prerequisites - Basic understanding of Kubernetes concepts (Pods, Services, Deployments) - Familiarity with YAML configuration files - Basic networking knowledge (DNS, HTTP/HTTPS, load balancing) - Command-line interface proficiency Understanding Ingress Controllers What is an Ingress Controller? An Ingress controller is a specialized load balancer that understands Kubernetes Ingress resources. Unlike traditional load balancers, Ingress controllers can: - Route traffic based on hostnames and paths - Provide SSL/TLS termination - Implement advanced routing rules - Integrate with Kubernetes service discovery - Support multiple backend services through a single entry point Popular Ingress Controller Options 1. NGINX Ingress Controller: Most widely used, feature-rich, and well-documented 2. Traefik: Cloud-native with automatic service discovery and modern features 3. HAProxy Ingress: High-performance option with advanced load balancing 4. Ambassador: API Gateway focused with developer-friendly features 5. Istio Gateway: Service mesh integration with advanced traffic management Installing NGINX Ingress Controller NGINX Ingress Controller is the most popular choice due to its stability and extensive feature set. Let's start with its installation. Method 1: Using Helm (Recommended) First, add the NGINX Ingress Helm repository: ```bash Add the ingress-nginx repository helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx Update your local Helm chart repository cache helm repo update Install the ingress-nginx chart helm install ingress-nginx ingress-nginx/ingress-nginx \ --namespace ingress-nginx \ --create-namespace \ --set controller.service.type=LoadBalancer ``` Method 2: Using Kubernetes Manifests If you prefer not to use Helm, you can install using raw Kubernetes manifests: ```bash Apply the NGINX Ingress Controller manifests kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml ``` Verifying the Installation Check if the NGINX Ingress Controller is running: ```bash Check the pods in the ingress-nginx namespace kubectl get pods -n ingress-nginx Check the service kubectl get svc -n ingress-nginx View the controller logs kubectl logs -n ingress-nginx deployment/ingress-nginx-controller ``` Expected output should show the controller pod in `Running` status and the service with an external IP assigned. Configuring Your First Ingress Resource Creating a Sample Application Let's create a simple application to test our Ingress controller: ```yaml sample-app.yaml apiVersion: apps/v1 kind: Deployment metadata: name: sample-app namespace: default spec: replicas: 3 selector: matchLabels: app: sample-app template: metadata: labels: app: sample-app spec: containers: - name: sample-app image: nginx:1.21 ports: - containerPort: 80 volumeMounts: - name: html mountPath: /usr/share/nginx/html volumes: - name: html configMap: name: sample-app-html --- apiVersion: v1 kind: ConfigMap metadata: name: sample-app-html namespace: default data: index.html: | Sample App

Hello from Sample App!

This is served through Kubernetes Ingress

--- apiVersion: v1 kind: Service metadata: name: sample-app-service namespace: default spec: selector: app: sample-app ports: - port: 80 targetPort: 80 type: ClusterIP ``` Apply the configuration: ```bash kubectl apply -f sample-app.yaml ``` Creating the Ingress Resource Now create an Ingress resource to expose your application: ```yaml sample-ingress.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: sample-ingress namespace: default annotations: kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/rewrite-target: / spec: rules: - host: sample-app.local http: paths: - path: / pathType: Prefix backend: service: name: sample-app-service port: number: 80 ``` Apply the Ingress resource: ```bash kubectl apply -f sample-ingress.yaml Check the Ingress status kubectl get ingress sample-ingress ``` Testing the Configuration To test your setup, you'll need to configure DNS or modify your local hosts file: ```bash Get the external IP of your Ingress controller kubectl get svc -n ingress-nginx Add to /etc/hosts (replace with actual IP) echo " sample-app.local" | sudo tee -a /etc/hosts Test the connection curl http://sample-app.local ``` Installing Traefik Ingress Controller Traefik is a modern, cloud-native Ingress controller with automatic service discovery and excellent Docker/Kubernetes integration. Installing Traefik with Helm ```bash Add the Traefik Helm repository helm repo add traefik https://traefik.github.io/charts Update the repository helm repo update Install Traefik helm install traefik traefik/traefik \ --namespace traefik \ --create-namespace \ --set service.type=LoadBalancer ``` Traefik Configuration Example Create a Traefik-specific Ingress resource: ```yaml traefik-ingress.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: traefik-sample-ingress namespace: default annotations: kubernetes.io/ingress.class: "traefik" traefik.ingress.kubernetes.io/router.entrypoints: web spec: rules: - host: traefik-app.local http: paths: - path: / pathType: Prefix backend: service: name: sample-app-service port: number: 80 ``` SSL/TLS Configuration Automatic SSL with cert-manager Install cert-manager for automatic SSL certificate management: ```bash Install cert-manager kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml Create a ClusterIssuer for Let's Encrypt cat <Symptoms: The Ingress controller service shows `` for EXTERNAL-IP. Solutions: ```bash Check if your cluster supports LoadBalancer services kubectl get svc -n ingress-nginx If using a cloud provider, ensure proper permissions For on-premises, consider using NodePort instead helm upgrade ingress-nginx ingress-nginx/ingress-nginx \ --namespace ingress-nginx \ --set controller.service.type=NodePort ``` Issue 2: 404 Not Found Errors Symptoms: Requests return 404 errors even though the Ingress is configured. Debugging steps: ```bash Check Ingress status kubectl describe ingress your-ingress-name Verify backend service exists and has endpoints kubectl get svc kubectl get endpoints Check Ingress controller logs kubectl logs -n ingress-nginx deployment/ingress-nginx-controller ``` Issue 3: SSL Certificate Issues Symptoms: SSL warnings or certificate errors in browsers. Solutions: ```bash Check certificate status kubectl describe certificate your-certificate-name Verify cert-manager is working kubectl get certificaterequests kubectl get challenges Check cert-manager logs kubectl logs -n cert-manager deployment/cert-manager ``` Issue 4: Backend Service Unreachable Symptoms: 502 or 503 errors when accessing applications. Debugging approach: ```bash Test service directly kubectl port-forward svc/your-service 8080:80 curl localhost:8080 Check pod health kubectl get pods -l app=your-app kubectl describe pod your-pod-name Verify network policies kubectl get networkpolicies ``` Best Practices and Production Considerations Resource Management Configure appropriate resource limits for your Ingress controller: ```yaml resource-limits.yaml apiVersion: apps/v1 kind: Deployment metadata: name: ingress-nginx-controller namespace: ingress-nginx spec: template: spec: containers: - name: controller resources: requests: cpu: 100m memory: 90Mi limits: cpu: 500m memory: 500Mi ``` High Availability Setup Deploy multiple Ingress controller replicas: ```bash Scale the Ingress controller for high availability helm upgrade ingress-nginx ingress-nginx/ingress-nginx \ --namespace ingress-nginx \ --set controller.replicaCount=3 \ --set controller.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight=100 \ --set controller.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key=app.kubernetes.io/name \ --set controller.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator=In \ --set controller.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0]=ingress-nginx \ --set controller.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey=kubernetes.io/hostname ``` Security Hardening Implement security best practices: ```yaml security-config.yaml apiVersion: v1 kind: ConfigMap metadata: name: nginx-configuration namespace: ingress-nginx data: # Hide server tokens server-tokens: "false" # Enable HSTS hsts: "true" hsts-max-age: "31536000" hsts-include-subdomains: "true" # SSL configuration ssl-protocols: "TLSv1.2 TLSv1.3" ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384" # Security headers add-headers: "ingress-nginx/custom-headers" ``` Performance Optimization Optimize performance for production workloads: ```yaml performance-config.yaml apiVersion: v1 kind: ConfigMap metadata: name: nginx-configuration namespace: ingress-nginx data: # Worker processes worker-processes: "auto" # Connection settings max-worker-connections: "16384" worker-rlimit-nofile: "65536" # Keepalive settings keep-alive-requests: "10000" upstream-keepalive-connections: "50" # Buffer sizes proxy-buffer-size: "16k" proxy-buffers-number: "8" ``` Backup and Disaster Recovery Implement backup strategies for your Ingress configurations: ```bash Backup all Ingress resources kubectl get ingress --all-namespaces -o yaml > ingress-backup.yaml Backup Ingress controller configuration helm get values ingress-nginx -n ingress-nginx > ingress-controller-config.yaml Create automated backup script cat < backup-ingress.sh #!/bin/bash DATE=$(date +%Y%m%d_%H%M%S) kubectl get ingress --all-namespaces -o yaml > "ingress-backup-\${DATE}.yaml" kubectl get configmap -n ingress-nginx -o yaml > "ingress-config-backup-\${DATE}.yaml" EOF chmod +x backup-ingress.sh ``` Conclusion and Next Steps Setting up an Ingress controller in Kubernetes on Linux is a crucial step in building a production-ready cluster. This guide covered the essential aspects of Ingress controller deployment, from basic installation to advanced configurations and troubleshooting. Key Takeaways 1. Choose the Right Controller: NGINX is reliable for most use cases, while Traefik offers modern features and automatic discovery. 2. Security First: Always implement SSL/TLS, security headers, and rate limiting in production environments. 3. Monitor and Observe: Set up proper monitoring, logging, and alerting for your Ingress controllers. 4. Plan for Scale: Consider high availability, resource limits, and performance optimization from the beginning. 5. Regular Maintenance: Keep your Ingress controllers updated and regularly backup configurations. Next Steps After successfully setting up your Ingress controller, consider these advanced topics: - Service Mesh Integration: Explore Istio or Linkerd for advanced traffic management - API Gateway Features: Implement authentication, authorization, and API rate limiting - Multi-cluster Ingress: Set up cross-cluster load balancing and failover - GitOps Integration: Automate Ingress configuration deployment using ArgoCD or Flux - Custom Controllers: Develop custom Ingress controllers for specific use cases Additional Resources - Official Kubernetes Ingress documentation - NGINX Ingress Controller GitHub repository - Traefik documentation and community resources - cert-manager documentation for SSL automation - Prometheus and Grafana integration guides By following this comprehensive guide, you now have the knowledge and tools to successfully deploy and manage Ingress controllers in your Kubernetes environment on Linux. Remember to always test configurations in a development environment before applying them to production clusters.