Container Service for Kubernetes: Configure an Internet-facing or internal-facing NGINX Ingress controller

Last Updated: Sep 25, 2024

In some scenarios, you may need to change the network type of the NGINX Ingress controller to control which clients can reach it, for example so that internal services are accessible only over a private network. You can configure the NGINX Ingress controller to allow Internet access only, internal access only, or both Internet and internal access.

Prerequisites

Procedure

When you create a Container Service for Kubernetes (ACK) cluster in the ACK console and install the NGINX Ingress controller in the cluster, you can select the Internet-facing or internal-facing network type. To change the network type of the NGINX Ingress controller after installation, you need to redeploy the Service used by the NGINX Ingress controller. For more information about how to configure Server Load Balancer (SLB) instances by using annotations, see Use annotations to configure CLB instances.

Change the network type from internal-facing to Internet-facing

  1. Run the following command to delete the Service used by the NGINX Ingress controller:

    kubectl delete svc -n kube-system nginx-ingress-lb
  2. Create a file named nginx-ingress-lb.yaml and copy the following sample code to it:

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
    spec:
      type: LoadBalancer
      externalTrafficPolicy: "Local"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        app: ingress-nginx
  3. Run the following command to create an Internet-facing LoadBalancer Service:

    kubectl apply -f nginx-ingress-lb.yaml
  4. Run the following command to query the network type of the Service:

    kubectl -n kube-system get svc | grep nginx-ingress-lb

    Expected output:

    nginx-ingress-lb   LoadBalancer   192.168.*.**   120.26.**.**   80:30275/TCP,443:30899/TCP               52m

Change the network type from Internet-facing to internal-facing

  1. Run the following command to delete the Service used by the NGINX Ingress controller:

    kubectl delete svc -n kube-system nginx-ingress-lb
  2. Create a file named nginx-ingress-lb.yaml and copy the following sample code to it:

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet # Specify the load balancer instance address type as private.
    spec:
      type: LoadBalancer
      externalTrafficPolicy: "Local"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        app: ingress-nginx
  3. Run the following command to create an internal-facing LoadBalancer Service:

    kubectl apply -f nginx-ingress-lb.yaml
  4. Run the following command to query the network type of the Service:

    kubectl -n kube-system get svc | grep nginx-ingress-lb

    Expected output:

    nginx-ingress-lb    LoadBalancer   192.168.*.**    172.2**.**   80:30275/TCP,443:30899/TCP   5h

Use both internal-facing and Internet-facing network types

In some scenarios, you may need to expose Services in your ACK cluster both to clients inside the VPC of the cluster and to external clients. To do this, deploy two Services of different network types for the pods of the NGINX Ingress controller:

  • If your NGINX Ingress controller is Internet-facing, create an internal-facing Service named nginx-ingress-lb-intranet and bind an internal-facing SLB instance to the Service.

  • If your NGINX Ingress controller is internal-facing, create an Internet-facing Service named nginx-ingress-lb-internet and bind an Internet-facing SLB instance to the Service.

  1. Create a file named nginx-ingress-lb.yaml and copy to it the sample code for the Service that you need to add.

    Create an internal-facing Service

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb-intranet
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet # Specify the load balancer instance address type as private.
    spec:
      type: LoadBalancer
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        app: ingress-nginx

    Create an Internet-facing Service

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb-internet
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
    spec:
      type: LoadBalancer
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        app: ingress-nginx
  2. Run the following command to create the new Service:

    kubectl apply -f nginx-ingress-lb.yaml
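
To confirm the result of any of the procedures above, including the dual-Service setup, the following added example (not part of the original documentation) classifies the EXTERNAL-IP of each nginx-ingress-lb* Service as internal or Internet-facing. It assumes the VPC uses RFC 1918 address ranges; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether each nginx-ingress-lb* Service is bound to an
# internal or an Internet-facing address. Assumes the VPC uses RFC 1918 ranges.

# Return 0 if $1 is an RFC 1918 private IPv4 address, 1 otherwise.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read `kubectl get svc --no-headers` rows on stdin
# (NAME TYPE CLUSTER-IP EXTERNAL-IP PORTS AGE) and print "<name> <exposure>"
# for every LoadBalancer Service whose name starts with nginx-ingress-lb.
classify_services() {
  while read -r name type _cluster_ip external_ip _rest; do
    case "$name" in nginx-ingress-lb*) ;; *) continue ;; esac
    [ "$type" = "LoadBalancer" ] || continue
    case "$external_ip" in
      "<pending>"|"<none>"|"") echo "$name pending" ;;
      *) if is_private_ipv4 "$external_ip"; then
           echo "$name internal"
         else
           echo "$name internet"
         fi ;;
    esac
  done
}

# Succeed only if Service $1 has exposure $2 in the rows read from stdin.
expect_exposure() {
  [ "$(classify_services | awk -v n="$1" '$1 == n { print $2 }')" = "$2" ]
}

# Constructed sample rows (documentation addresses), not real cluster output.
SAMPLE_ROWS='nginx-ingress-lb-internet LoadBalancer 192.168.0.10 203.0.113.10 80:30275/TCP,443:30899/TCP 52m
nginx-ingress-lb-intranet LoadBalancer 192.168.0.11 172.16.0.25 80:31275/TCP,443:31899/TCP 5h
kube-dns ClusterIP 192.168.0.2 <none> 53/UDP 9d'

printf '%s\n' "$SAMPLE_ROWS" | classify_services
# Live cluster: kubectl -n kube-system get svc --no-headers | classify_services
```

A Service that is meant to be internal-facing but is reported as `internet` indicates that the address-type annotation was not applied when the Service was created.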