Ingress controller

Traffic that originates outside of your cluster, ingress traffic, is managed through the use of an ingress controller. By default, MKE 4k offers NGINX Ingress Controller, which manages ingress traffic using the Kubernetes Ingress rules.

Info

NGINX Ingress Controller is the only Ingress controller that MKE 4k currently supports. Consequently, MKE 4k does not support upgrades from MKE 3 clusters that use a BYO (Bring Your Own) NGINX Ingress controller. Upgrade support is limited to the default MKE 3 Ingress controller.

Configuration

You can configure NGINX Ingress Controller through the ingressController section of the mke4.yaml configuration file. The function is enabled by default and must not be disabled for the cluster to function correctly.

Ingress controller parameters that you can configure are detailed in the following table.

| Field | Description | Default |
|---|---|---|
| replicaCount | Sets the number of NGINX Ingress Controller deployment replicas. | 2 |
| enableLoadBalancer | Enables an external load balancer. Valid values: true, false. | true if apiServer.externalAddress is set in the config file; false otherwise |
| extraArgs | Additional command line arguments to pass to Ingress-Nginx Controller. | {} (empty) |
| extraArgs.httpPort | Sets the container port for servicing HTTP traffic. | 80 |
| extraArgs.httpsPort | Sets the container port for servicing HTTPS traffic. | 443 |
| extraArgs.enableSslPassthrough | Enables SSL passthrough. | false |
| preserveClientIP | Enables preserving inbound traffic source IP. Valid values: true, false. | false |
| externalIPs | Sets the list of external IPs for Ingress service. IP addresses of manager nodes are always added automatically. | [] |
| configMap | Adds custom configuration options to Nginx. For a complete list of available options, refer to the NGINX Ingress Controller ConfigMap. | {} (empty) |
| nodePorts | Sets the node ports for the external HTTP/HTTPS/TCP/UDP listener. You should not change the HTTPS port, but if you do so, make sure to change the target port of the MKE 4k Dashboard in your load balancer configuration. Refer to System requirements for more information. | HTTP: 33000, HTTPS: 33001 |
| ports | Sets the port for the internal HTTP/HTTPS listener. | HTTP: 80, HTTPS: 443 |
| disableHttp | Disables the HTTP listener. | false |

Node ports operation for MKE 3 to MKE 4k upgrade

The handling of node ports during an upgrade from MKE 3 to MKE 4k differs, depending on several factors, as illustrated below:

| MKE 3 NodePort Range | Ingress Controller in MKE 3 | Ingress NodePorts in MKE 4k |
|---|---|---|
| Default | Enabled | Uses the ports set in MKE 3. |
| Default | Disabled | Default ports: HTTP: 33000, HTTPS: 33001 |
| Custom | Enabled | Uses the ports set in MKE 3. |
| Custom | Disabled | Reserves the first two static ports from the NodePort range for the Ingress Controller. |

Info

The static NodePort range is calculated based on the official Kubernetes documentation, How can you avoid NodePort Service port conflicts?.

Thus, if the NodePort range is 30000-32767, the NodePorts for the ingress controller will be 30000 and 30001.
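The following added example, which is not MKE code, applies the four rows of the upgrade table and the static band formula from the Kubernetes documentation cited above, then checks other planned NodePorts against the result so that firewall and load balancer rules can be prepared before the upgrade. The function names, the cap of the band at the range size, and the sample TCP/UDP NodePorts are assumptions made for illustration.

```python
# Added example (not MKE code): predict ingress NodePorts after an MKE 3 -> 4k upgrade.
from typing import Dict, List, NamedTuple, Optional, Tuple

DEFAULT_PORTS = (33000, 33001)  # MKE 4k default HTTP/HTTPS NodePorts, per this page


class PortRange(NamedTuple):
    first: int
    last: int  # inclusive


def static_band(rng: PortRange) -> PortRange:
    """Static band from the Kubernetes docs: offset = min(max(16, size // 32), 128)."""
    size = rng.last - rng.first + 1
    offset = min(max(16, size // 32), 128, size)  # assumption: cap at the range size
    return PortRange(rng.first, rng.first + offset - 1)


def ingress_nodeports(rng: PortRange, custom_range: bool, mke3_ingress_enabled: bool,
                      mke3_ports: Optional[Tuple[int, int]] = None) -> Tuple[int, int]:
    """Apply the four rows of the upgrade table; returns (http, https)."""
    if mke3_ingress_enabled:
        if mke3_ports is None:
            raise ValueError("MKE 3 ingress is enabled: supply its current NodePorts")
        return mke3_ports
    if not custom_range:
        return DEFAULT_PORTS
    band = static_band(rng)
    if band.last - band.first < 1:
        raise ValueError("NodePort range too small to hold two ingress ports")
    return (band.first, band.first + 1)


def conflicts(ingress_ports: Tuple[int, int], planned: Dict[str, int],
              rng: PortRange) -> List[str]:
    """Flag planned NodePorts that collide with ingress ports or leave the range."""
    problems = []
    for name, port in planned.items():
        if port in ingress_ports:
            problems.append(f"{name}: {port} collides with an ingress NodePort")
        elif not rng.first <= port <= rng.last:
            problems.append(f"{name}: {port} is outside {rng.first}-{rng.last}")
    return problems


if __name__ == "__main__":
    rng = PortRange(30000, 32767)  # the range used in the note above
    ports = ingress_nodeports(rng, custom_range=True, mke3_ingress_enabled=False)
    print("static band:", static_band(rng), "ingress NodePorts:", ports)
    # Constructed sample of other NodePorts planned for the upgraded cluster.
    for problem in conflicts(ports, {"tcp/9000": 30001, "udp/5005": 33012}, rng):
        print("WARNING", problem)
```
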

Affinity

You can specify node affinities using the ingressController.affinity.nodeAffinity field in the mke4.yaml configuration file.

The following example uses requiredDuringSchedulingIgnoredDuringExecution to schedule the ingress controller pods.

ingressController:
  enabled: true
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - ip-172-31-42-30

Tolerations

You can set node tolerations, which allow the ingress controller pods to be scheduled on nodes with taints, using the ingressController.tolerations field in the mke4.yaml configuration file.

The following example uses a toleration with NoExecute effect.

ingressController:
  enabled: true
  tolerations:
  - key: "key1"
    operator: "Equal"
    value: "value1"
    effect: "NoExecute"

Example ingress controller configuration

ingressController:
  enabled: true
  enableLoadBalancer: false
  numReplicas: 1
  preserveClientIP: true
  tolerations:
    - key: "key1"
      operator: "Equal"
      value: "value1"
      effect: "NoExecute"
  extraArgs:
    httpPort: 80
    httpsPort: 443
    enableSslPassthrough: false
  configMap:
    access-log-path: "/var/log/nginx/access.log"
    generate-request-id: "true"
    use-forwarded-headers: "true"
    error-log-path: "/var/log/nginx/error.log"
  tcpServices:
    9000: "default/tcp-echo:9000"
  udpServices:
    5005: "default/udp-listener:5005"
  nodePorts:
    http: 33000
    https: 33001
    tcp:
      9000: 33011
    udp:
      5005: 33012
  ports:
    http: 8080
    https: 4443
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - ip-172-31-42-30

MKE version comparison: Ingress configuration parameters

| MKE 3 | MKE 4k |
|---|---|
| [cluster_config.ingress_controller.enabled] | ingressController.enabled |
| [cluster_config.ingress_controller.ingress_num_replicas] | ingressController.numReplicas |
| [cluster_config.ingress_controller.ingress_enable_lb] | ingressController.enableLoadBalancer |
| [cluster_config.ingress_controller.ingress_preserve_client_ip] | ingressController.preserveClientIP |
| [[cluster_config.ingress_controller.ingress_node_toleration]]<br>key = "com.docker.ucp.manager"<br>value = ""<br>operator = "Exists"<br>effect = "NoSchedule" | ingressController.tolerations<br>- key: "key1"<br>operator: "Equal"<br>value: "value1"<br>effect: "NoExecute" |
| [cluster_config.ingress_controller.ingress_config_map] | ingressController.configMap |
| [cluster_config.ingress_controller.ingress_tcp_services]<br>9000 = "default/tcp-echo:9000" | ingressController.tcpServices:<br>9000: "default/tcp-echo:9000" |
| [cluster_config.ingress_controller.ingress_udp_services]<br>5005 = "default/udp-listener:5005" | ingressController.udpServices:<br>5005: "default/udp-listener:5005" |
| [cluster_config.ingress_controller.ingress_extra_args]<br>http_port = 8080<br>https_port = 4443<br>enable_ssl_passthrough = true<br>default_ssl_certificate = "" | ingressController.extraArgs:<br>httpPort: 0<br>httpsPort: 0<br>enableSslPassthrough: true<br>defaultSslCertificate: "" |
| [cluster_config.ingress_controller.ingress_node_affinity] | ingressController.affinity |
| [[cluster_config.ingress_controller.ingress_exposed_ports]]<br>name = "http2"<br>port = 80<br>target_port = 8080<br>node_port = 33001<br>protocol = "" | Deprecated in MKE 4k. |

The HTTP and HTTPS ports are enabled by default on 80 and 443, respectively. To change them, use ingressController.ports.

NodePorts for HTTP and HTTPS can be configured through ingressController.nodePorts. The default values are 33000 and 33001, respectively.

For information on how to configure TCP/UDP ports, refer to the TCP and UDP services documentation.