An Ingress is an API object that provides Layer-7 load balancing to manage external access to services in a Kubernetes cluster. To provide better support for scenarios where cloud-native applications are deployed, Alibaba Cloud provides Microservices Engine (MSE) Ingress gateways that are developed based on deep integration and optimization of MSE cloud-native gateways and Container Service for Kubernetes (ACK). MSE Ingress gateways help you manage ingress traffic of clusters in an efficient manner. This topic describes the basic concepts, features, and instructions of MSE Ingress gateways. This topic also describes how an MSE Ingress gateway works and how to install MSE Ingress Controller.
Basic concepts
In a Kubernetes cluster, an Ingress functions as an access point that exposes services in the cluster. The Ingress distributes most of the traffic that is destined for the services in the cluster. An Ingress is a Kubernetes resource that manages external access to the services in a Kubernetes cluster. You can configure routing rules for an Ingress to route traffic to backend pods of different services in the Kubernetes cluster.
Kubernetes Ingress resources allow you to configure only the rules for routing HTTP traffic. Advanced features such as load balancing algorithms and session affinity cannot be configured. The advanced features require support from NGINX Ingress gateways or MSE Ingress gateways.
MSE Ingress gateways are developed based on MSE cloud-native gateways and provide a more powerful method to manage ingress traffic. MSE Ingress gateways are compatible with NGINX Ingress gateways and are compatible with more than 50 annotations defined in NGINX Ingress gateways. MSE Ingress gateways are suitable for more than 90% of scenarios of NGINX Ingress gateways. MSE Ingress gateways support canary releases of multiple service versions at the same time and provide flexible service governance capabilities and comprehensive security protection. MSE Ingress gateways can meet requirements for traffic governance in scenarios in which a large number of cloud-native distributed applications are used.
Features
For more information about the features of MSE Ingress gateways, see the following topics:
Instructions
Kubernetes services such as ACK managed clusters, ACK Serverless clusters, and ACS clusters can use MSE Ingress gateways to route external traffic to services in a Kubernetes cluster. This way, Layer-7 load balancing is implemented. You must deploy MSE Ingress Controller in your Kubernetes cluster. MSE Ingress Controller is used to listen to resources defined in MseIngressConfig CustomResourceDefinitions (CRDs) and dynamically manage the lifecycles, global parameter settings, and listening items of Ingress resources for MSE cloud-native gateways. MSE cloud-native gateways are used to listen to Ingress resources in a Kubernetes cluster and convert the listened Ingress resources into the required traffic governance configurations. This way, cluster services are externally exposed. For more information, see Use MSE Ingress gateways to access services in a container cluster.
Kubernetes Ingress resources support only HTTP traffic management. Advanced features are implemented based on annotations. MSE Ingress gateways are compatible with annotations defined in NGINX Ingress gateways and provide additional annotations to enhance traffic governance and security protection. For more information, see Advanced usage of MSE Ingress.
How an MSE Ingress gateway works
Components
MSE Ingress Controller:
MSE Ingress Controller is not a network data plane, but is a control plane that manages MSE cloud-native gateways and their configurations. MSE Ingress Controller does not process any service requests. MSE Ingress Controller works as a traffic bypass to manage MSE cloud-native gateways that process service requests.
You must install MSE Ingress Controller in your ACK managed cluster, ACK Serverless cluster, or ACS cluster, use the MseIngressConfig CRDs provided by this component to manage cloud-native gateways based on annotations, and configure Ingress resource listening items for the gateways.
For more information about how to install the MSE Ingress Controller component, see Manage the MSE Ingress Controller component.
MSE cloud-native gateways: MSE cloud-native gateways are created by MSE Ingress Controller based on the MseIngressConfig CRDs that you configured. An MSE cloud-native gateway consists of a control plane and a data plane.
Control plane: Listens to resources such as Ingresses, Ingress classes, and services in your cluster. The resource configurations are internally parsed and then sent to the data plane of the gateway in real time.
Data plane: implements traffic governance. The data plane processes external requests based on the governance rules that are sent from the control plane, and routes the requests to the destination backend service.
How it works
MSE Ingress Controller listens to the resource that is defined in an MseIngressConfig CRD in your cluster and dynamically maintains the lifecycle of the cloud-native gateway that corresponds to the resource and the association between the gateway and your cluster in real time.
The control plane of the cloud-native gateway obtains the changes of Ingress resources by using the API server of the associated cluster, and dynamically updates the routing rules of the gateway. After the cloud-native gateway receives a request, the gateway matches the request with an Ingress routing rule and routes the request to the pod that corresponds to the backend service based on the matched routing rule.
The following content describes the relationships among services, Ingresses, Ingress classes, MseIngressConfigs, and MSE Ingress Controller in a Kubernetes cluster.
Service: an abstraction of real backend services. One service can represent multiple identical backend services.
Ingress: a set of reverse proxy rules. An Ingress specifies the service to which HTTP requests or HTTPS requests are routed. For example, an Ingress routes requests to different services based on the hostnames and URLs in the requests.
Ingress class: a description of the Ingress processor. An Ingress class is used to declare the implementation of an Ingress processor in a Kubernetes cluster. The Ingress resources that are associated with the Ingress class are parsed by the Ingress processor. You must associate an MseIngressConfig with the Parameter field of the Ingress class to implement the traffic management rule that is specified in the parsed Ingress resource description.
MseIngressConfig: a CRD that is provided by MSE Ingress Controller. An MseIngressConfig CRD provides basic information about a cloud-native gateway.
MSE Ingress Controller: a control plane that manages MSE cloud-native gateways and their configurations. MSE Ingress Controller is not a network data plane. MSE Ingress Controller is used to listen to Ingress resources defined in MseIngressConfig CRDs in a cluster and coordinate MSE cloud-native gateways to implement the traffic management rule that is specified in the parsed Ingress resource description.
The following figure shows how MSE Ingress Controller works.
Install MSE Ingress Controller
MSE Ingress Controller can be installed in an ACK managed cluster, ACK Serverless cluster, or ACS cluster.
Method 1: Install the MSE Ingress Controller component when you create a cluster
When you create an ACK managed cluster, ACK Serverless cluster, or ACS cluster, select MSE Ingress for Ingress in the Component Configurations step. For more information about how to create a cluster, see Create an ACK managed cluster and Create an ACK Serverless cluster.
Method 2: Install the MSE Ingress Controller component on the Add-ons page
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the details page, choose .
On the Add-ons page, click the Networking tab. In the lower-right corner of the MSE Ingress Controller component card, click Install.
Method 3: Install the MSE Ingress Controller component on the Routes page of your cluster
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the details page, choose .
On the Ingresses page, click Create Ingress in the upper-right corner. In the Create Ingress panel, select MSE Cloud-native Gateway for Gateway Type. Then, install the component as prompted.
Release notes
Version number | Release date | Description | Impact |
1.1.9 | 2024-06-28 | ACS clusters and multiple zones are supported. Serverless gateways can be created. | No impact on workloads |
November 2023
Version number | Release date | Description | Impact |
1.1.7 | 2023-11-13 | The global parameters for creating and reusing MSE cloud-native gateways are adjusted for the installation of the MSE Ingress Controller component. | No impact on workloads |
1.1.6 | 2023-11-07 | MSE cloud-native gateways can be created or reused when the MSE Ingress Controller component is installed. | No impact on workloads |
August 2023
Version number | Release date | Description | Impact |
1.1.5 | 2023-08-28 | The authorization logic of the MSE Ingress Controller component is optimized. | No impact on workloads |
1.1.4 | 2023-08-16 |
| No impact on workloads |
June 2023
Version number | Release date | Description | Impact |
1.1.3 | 2023-06-02 |
| No impact on workloads |
March 2023
Version number | Release date | Description | Impact |
1.1.2 | 2023-03-31 | The permissions of the MSE Ingress Controller component is restricted. | No impact on workloads |
December 2022
Version number | Release date | Description | Impact |
1.1.0 | 2022-12-23 | The MSE Ingress Controller component is available on the Add-ons page. | No impact on workloads |