When you configure an Application Load Balancer (ALB) Ingress, you must create multiple resources in your cluster to enable the ALB Ingress to route traffic to backend pods. This topic describes how to deploy an application that uses an ALB Ingress to provide external services.
Usage notes
If you use the Flannel network plug-in, the backend Services of the ALB Ingress gateway must be of the NodePort or LoadBalancer type.
The names of AlbConfig objects, namespaces, Ingresses, and Services cannot start with aliyun.
Earlier NGINX Ingress controller versions cannot recognize the
spec : ingressClassName
field in the Ingress resource. If an earlier NGINX Ingress controller version is installed and both NGINX Ingresses and ALB Ingresses are used in your ACK cluster, the ALB Ingresses may be reconciled by the NGINX Ingress controller. To avoid this problem, update the NGINX Ingress controller at the earliest opportunity or use annotations to specify the IngressClasses of ALB Ingresses. For more information, see Update the NGINX Ingress controller or Advanced ALB Ingress configurations.
Usage notes
Before you create an ALB Ingress, we recommend that learn about the principles and requirements of ALB. For more information, see ALB Ingress management. Make sure that the following resource conditions are met:
To use an ALB Ingress in an ACK dedicated cluster, you must first grant the cluster the permissions to access the ALB Ingress controller. For more information, see Authorize an ACK dedicated cluster to access the ALB Ingress controller.
When you install the ALB Ingress, you can set the Gateway Source parameter to different values, which may result in different operational outcomes.
(Recommended) Select New or Existing:
The controller automatically creates an AlbConfig named
alb
and the corresponding IngressClass resource. By default, the AlbConfig is configured with an HTTP listener on port 80.Select None:
Before you create an ALB Ingress, you must manually create AlbConfig and create IngressClass. The controller does not create the corresponding resources.
AlbConfig and IngressClass
AlbConfig:
AlbConfig is used to manage ALB instances. The parameters of AlbConfig determine the configuration of the ALB instance. An AlbConfig corresponds to one ALB instance. For more information, see Use AlbConfigs to configure ALB instances.
IngressClass:
An IngressClass must be associated with an AlbConfig. This way, the IngressClass can be associated with an ALB instance. When you create an ALB Ingress, you can configure the IngressClass to use the corresponding AlbConfig configurations. This way, you can use specific application routing configurations and load balancing policies.
Create Deployments and Services
A Service is a unified ingress to pods that serve the same feature. When you create an ALB Ingress, you must configure a routing rule to forward external traffic to the corresponding Service.
This topic describes how to set the Gateway Source parameter to New when you install the ALB Ingress controller. Applications named coffee
and tea
, and their corresponding Services are deployed. An ALB Ingress with the domain name demo.domain.ingress.top
is created for these application. Once the DNS resolution is complete, you can access the applications.
Install the ALB Ingress controller
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose
.On the Add-ons page, click the Networking tab. In the Networking section, find the ALB Ingress Controller card and click Install in the lower-right corner.
In the Install Component ALB Ingress Controller dialog box, set Gateway Source to New and click OK.
Instance source
Description
Result
New
Network Type: You can create an ALB instance for Internet or Intranet as needed. For billing details, see ALB billing rules.
VPC: This value is the same as the virtual private cloud (VPC) in which the cluster resides and cannot be modified.
vSwitch: The vSwitches corresponding to the zones supported by ALB under this VPC are displayed. You need to select two vSwitches in different zones. Otherwise, two available vSwitches will be automatically selected. You can also create a new vSwitch by clicking Create vSwitch.
The controller will automatically create an AlbConfig named
alb
and the corresponding IngressClass resource. In AlbConfig, a listener with port 80 and protocol HTTP is configured by default. For more information about listener extensions, see Create an HTTPS listener.Existing
You can select an existing ALB instance from the drop-down menu for reuse. Basic ALB instances are not supported. For more information, see Reuse an existing ALB instance.
None
Only the ALB Ingress controller is installed. No ALB instance is created.
The controller will not create the corresponding resources. You must manually create an AlbConfig and create an IngressClass.
Create Deployments and Services
Use the ACK console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
Click Create from YAML.
Sample Template: Select Custom.
Template: Copy the following code to the code editor. The YAML configuration file is used to deploy two Deployments named
coffee
andtea
, and two Services namedcoffee-svc
andtea-svc
.
After the configurations are complete, click Create. The Created message appears.
Perform the following steps to check whether the Deployments and Services are created:
In the left-side navigation pane, choose Workloads > Deployments. The Deployments named coffee and tea are displayed.
In the left-side navigation pane, choose Network > Services. The Services named coffee-svc and tea-svc are displayed.
Use kubectl
Create a file named cafe-service.yaml and copy the following content to the file. The file is used to deploy two Deployments named
coffee
andtea
and two Services namedcoffee-svc
andtea-svc
.Run the following command to deploy the Deployments and Services:
kubectl apply -f cafe-service.yaml
Expected output:
deployment "coffee" created service "coffee-svc" created deployment "tea" created service "tea-svc" created
View the status of the Deployments and Services.
Run the following command to view the status of the Deployments:
kubectl get deployment
Expected output:
NAME READY UP-TO-DATE AVAILABLE AGE coffee 1/2 2 1 2m26s tea 1/1 1 1 2m26s
Run the following command to view the status of the Services:
kubectl get svc
Expected output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE coffee-svc NodePort 172.16.XX.XX <none> 80:32056/TCP 9m38s tea-svc NodePort 172.16.XX.XX <none> 80:31696/TCP 9m38s
Create ALB Ingress
Use the ACK console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
On the Ingresses page, click Create Ingress. In the Create Ingress dialog box, configure the Ingress.
Parameter
Description
Example
Gateway type
You can select ALB Ingress, MSE Ingressy, or Nginx Ingress based on your requirements.
For more information about the differences among the three gateway types, see Comparison among Nginx Ingresses, ALB Ingresses, and MSE Ingresses.
ALB Ingress
Name
Specify the name of the Ingress.
cafe-ingress
Ingress Class
Specify the class of the Ingress that is associated with the AlbConfig.
alb
Rules
Click +Add Rule to add an Ingress rule.
Domain Name: Specify a custom domain name.
Mappings: Configure the following parameters:
Path: Specify the URL path of the backend Service.
Rule:
Prefix (Prefix-based Match): matches the prefix of the requested URL path.
Exact (Exact Match): exactly matches the requested URL path.
ImplementationSpecific (Default Value): depends on the logic implemented by the ALB Ingress controller.
For more information, see Forward requests based on URL paths.
Service: Select the backend Service.
Port: Specify the Service port that you want to expose.
You can configure multiple paths for a domain name. Click + Add to add a path.
Domain Name: demo.domain.ingress.top
Mappings:
Path: /tea
Rule: Prefix (Prefix-based Match)
Service: tea-svc
Port: 80
Mappings:
Path: /coffee
Rule: Prefix (Prefix-based Match)
Service: coffee-svc
Port: 80
Use the default values for other parameters. For more information, see (Optional) Configure additional parameters.
After the configurations are complete, click OK in the lower-left corner of the Create Ingress panel.
Check whether the Ingress is created and copy the endpoint:
In the left-side navigation pane, choose Network > Ingresses. The Ingress named
cafe-ingress
is displayed on the Ingresses page.In the Endpoint column of
cafe-ingress
, copy the domain name of the ALB instance.
Use kubectl
Create a file named cafe-ingress.yaml and copy the following content to the file. The file is used to create an Ingress.
The following table describes the parameters that you can specify.
Parameter
Required
Description
metadata.name
Yes
The name of the Ingress.
NoteThe name of an Ingress must be unique in the cluster. When you create an Ingress, make sure that the Ingress name is unique to prevent name conflicts.
spec.ingressClassName
Yes
The name of the associated IngressClass.
spec.rules.host
No
The domain name in the HTTP host header. You must set this parameter to a custom domain name.
When you access the domain name, such as http://demo.domain.ingress.top, in a browser, the browser automatically adds the Host: demo.domain.ingress.top header when an HTTP request is sent. This way, the server identifies the destination host based on the header. In Kubernetes, the host field in an Ingress rule is used to match the host header in a request. If the host header is matched, the request is sent to the corresponding backend Service.
NoteIf you specify a custom domain name, make sure that an Internet Content Provider (ICP) filing for the domain name is complete. Otherwise, the domain name may fail to be resolved. For more information, see ICP filing process.
If you leave this parameter empty, the Ingress rule matches all requests that are sent to the Ingress controller.
spec.rules.http.paths.path
Yes
The URL path.
spec.rules.http.paths.pathType
Yes
The URL matching rule. For more information, see Forward requests based on URL paths.
spec.rules.http.paths.backend.service.name
Yes
The name of the Service that you created.
spec.rules.http.paths.backend.service.port.number
Yes
The port of the Service that you created.
The port is important because the port is used to route requests to the backend Service. Make sure that the port is valid to ensure that requests can be routed to the backend Service and processed as expected.
Run the following command to configure an externally accessible domain name and a
path
for thecoffee
andtea
Services:kubectl apply -f cafe-ingress.yaml
Expected output:
ingress.networking.k8s.io/cafe-ingress created
Optional. Run the following command to obtain the domain name of the ALB instance:
kubectl get ingress
Expected output:
NAME CLASS HOSTS ADDRESS PORTS AGE cafe-ingress alb demo.domain.ingress.top alb-m551oo2zn63yov****.cn-hangzhou.alb.aliyuncs.com 80 50s
Configure domain name resolution
Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, click Add Domain Name.
In the Add Domain Name dialog box, enter the custom domain name and click OK.
ImportantBefore you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.
Find the domain name that you want to manage and click DNS Settings in the Actions column.
On the DNS Settings page, click Add DNS Record.
In the Add DNS Record panel, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Record Type
The type of the DNS record. Select CNAME from the drop-down list.
Hostname
The prefix of the domain name. Example:
www
.DNS Request Source
The region from which the DNS request is sent. Select Default from the drop-down list.
Record Value
Enter the CNAME, which is the domain name of the ALB instance.
TTL
The time-to-live (TTL) of the CNAME record to be cached on the DNS server. In this example, the default value is used.
Test traffic forwarding
Enter "test domain name + URL path" in the address bar of a browser to check whether traffic is forwarded to the specified Service.
In this example, demo.domain.ingress.top
is used.
Enter
demo.domain.ingress.top/coffee
in the address bar of a browser. The page of thecoffee-svc
Service appears.Enter
demo.domain.ingress.top/tea
in the address bar of a browser. The page of thetea-svc
Service appears.
(Optional) Configure additional parameters
Parameter | Description | Reference |
TLS Settings | Specifies whether to enable TLS authentication. You can enable TLS authentication for the Ingress.
You can click + Add to add more TLS certificates. | |
More | ||
Custom Forwarding Rules |
FAQ
For more information about how to troubleshoot ALB Ingress issues, see ALB Ingress controller troubleshooting. The following content provides frequently asked questions (FAQs).
What do I do if the "listener is not exist in alb, port: xxx" error message appears?
By default, only a listener on port 80 is configured for the AlbConfig. For more information about how to create a listener, see Create listeners.
How do I configure an HTTP listener and an HTTPS listener for the Ingress after HTTP listeners and HTTPS listeners are configured for the AlbConfig?
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: https-ingress annotations: alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]' # Add this annotation if the ALB Ingress is associated with multiple listeners. spec: #...