Day 8: Ingress and External Access
What You'll Learn Today
- How Ingress works and how it differs from Services
- Installing an Ingress Controller
- Path-based and host-based routing
- TLS/SSL configuration
Why Ingress?
In Day 5, you learned to expose services externally using NodePort and LoadBalancer. But when exposing multiple services, each LoadBalancer adds cost.
flowchart TB
subgraph Without["Without Ingress"]
LB1["LoadBalancer 1\n$$$"]
LB2["LoadBalancer 2\n$$$"]
LB3["LoadBalancer 3\n$$$"]
end
subgraph With["With Ingress"]
ING["Ingress\n(1 LB)"]
end
LB1 --> S1A["frontend"]
LB2 --> S2A["api"]
LB3 --> S3A["admin"]
ING -->|"/api"| S1B["api"]
ING -->|"/admin"| S2B["admin"]
ING -->|"/"| S3B["frontend"]
style Without fill:#ef4444,color:#fff
style With fill:#22c55e,color:#fff
| Approach | Pros | Cons |
|---|---|---|
| Service (LoadBalancer) | Simple | One LB per service (expensive) |
| Service (NodePort) | Free | Port management is cumbersome |
| Ingress | One LB for multiple services | Requires Ingress Controller |
How Ingress Works
Ingress routes external HTTP/HTTPS traffic to Services based on URL paths or hostnames.
flowchart LR
CLIENT["Client"] -->|"HTTPS"| IC["Ingress Controller\n(nginx, etc.)"]
IC -->|"app.example.com/"| WEB["web-service"]
IC -->|"app.example.com/api"| API["api-service"]
IC -->|"admin.example.com"| ADMIN["admin-service"]
style IC fill:#3b82f6,color:#fff
Two Components of Ingress
| Component | Description |
|---|---|
| Ingress Resource | YAML manifest defining routing rules |
| Ingress Controller | Software that executes the rules (nginx, Traefik, etc.) |
Important: An Ingress Controller must be installed separately β it's not included in Kubernetes by default.
Installing an Ingress Controller
NGINX Ingress Controller
The most widely used Ingress Controller.
# Install with Helm
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx
# Or install from manifest
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
# For Minikube
minikube addons enable ingress
# Verify installation
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx
Path-Based Routing
Route to different Services based on URL path.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
rules:
- host: app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: frontend-service
port:
number: 80
- path: /api
pathType: Prefix
backend:
service:
name: api-service
port:
number: 8080
- path: /admin
pathType: Prefix
backend:
service:
name: admin-service
port:
number: 80
pathType
| Type | Description | Example |
|---|---|---|
| Prefix | Matches path prefix | /api matches /api/users |
| Exact | Exact match only | /api matches /api only |
| ImplementationSpecific | Controller-dependent | - |
Host-Based Routing
Route based on hostname (domain).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: multi-host-ingress
spec:
ingressClassName: nginx
rules:
- host: app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-service
port:
number: 80
- host: api.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: api-service
port:
number: 8080
- host: admin.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: admin-service
port:
number: 80
flowchart TB
IC["Ingress Controller"]
IC -->|"app.example.com"| APP["app-service"]
IC -->|"api.example.com"| API["api-service"]
IC -->|"admin.example.com"| ADMIN["admin-service"]
style IC fill:#3b82f6,color:#fff
style APP fill:#22c55e,color:#fff
style API fill:#8b5cf6,color:#fff
style ADMIN fill:#f59e0b,color:#fff
TLS/SSL Configuration
1. Create a TLS Secret
# Create self-signed certificate (for testing)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout tls.key -out tls.crt \
-subj "/CN=app.example.com"
# Register as Secret
kubectl create secret tls app-tls-secret \
--cert=tls.crt \
--key=tls.key
2. Configure TLS on Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: secure-ingress
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- app.example.com
secretName: app-tls-secret
rules:
- host: app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-service
port:
number: 80
Practical Example: Complete Setup
Frontend and API behind a single Ingress.
# deployments and services
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
spec:
replicas: 2
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
spec:
containers:
- name: frontend
image: nginx:1.27
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: api
spec:
replicas: 3
selector:
matchLabels:
app: api
template:
metadata:
labels:
app: api
spec:
containers:
- name: api
image: httpd:2.4
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: frontend-service
spec:
selector:
app: frontend
ports:
- port: 80
---
apiVersion: v1
kind: Service
metadata:
name: api-service
spec:
selector:
app: api
ports:
- port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
ingressClassName: nginx
rules:
- host: myapp.local
http:
paths:
- path: /(.*)
pathType: ImplementationSpecific
backend:
service:
name: frontend-service
port:
number: 80
- path: /api/(.*)
pathType: ImplementationSpecific
backend:
service:
name: api-service
port:
number: 80
Common Annotations
| Annotation | Description |
|---|---|
nginx.ingress.kubernetes.io/rewrite-target |
Path rewriting |
nginx.ingress.kubernetes.io/ssl-redirect |
HTTPS redirect |
nginx.ingress.kubernetes.io/proxy-body-size |
Request body size limit |
nginx.ingress.kubernetes.io/cors-allow-origin |
CORS configuration |
nginx.ingress.kubernetes.io/rate-limit |
Rate limiting |
Summary
| Concept | Description |
|---|---|
| Ingress | Defines HTTP/HTTPS routing rules |
| Ingress Controller | Software executing routing rules (nginx, etc.) |
| Path-based routing | Route by URL path |
| Host-based routing | Route by domain name |
| TLS | HTTPS configuration |
Key Takeaways
- Ingress lets you expose multiple Services through a single entry point
- An Ingress Controller must be installed separately
- Combine path-based and host-based routing for flexible traffic management
Practice Exercises
Exercise 1: Basics
Create an Ingress with path-based routing for three services: frontend, api, and docs.
Exercise 2: Host-Based
Create an Ingress routing app.example.com and api.example.com to different Services.
Challenge
Create a TLS Secret and configure an HTTPS-enabled Ingress with automatic HTTP-to-HTTPS redirect.
References
Next up: In Day 9, you'll learn about "Scaling and Update Strategies" β Horizontal Pod Autoscaler, Blue/Green deployments, Canary releases, and StatefulSets.