Kubernetes Ingress
For new MKE 4k deployments, the only supported ingress solution is the Gateway API implemented with the Envoy Gateway controller. If, however, you are upgrading from MKE 3 or from an MKE 4k version earlier than 4.1.3, you may continue using Kubernetes Ingress with the NGINX Ingress Controller after upgrading to MKE 4k 4.1.3, provided these components were enabled prior to the upgrade.
Configuration
You can configure NGINX Ingress Controller through the ingressController
section of the mke4.yaml configuration file. The function is enabled by
default and must not be disabled for the cluster to function correctly.
Ingress controller parameters that you can configure are detailed in the following table.
| Field | Description | Default |
|---|---|---|
| replicaCount | Sets the number of NGINX Ingress Controller deployment replicas. | 2 |
| enableLoadBalancer | Enables an external load balancer. Valid values: true, false. | true if apiServer.externalAddress is set in the config file; false otherwise |
| extraArgs | Additional command line arguments to pass to Ingress-Nginx Controller. | {} (empty) |
| extraArgs.httpPort | Sets the container port for servicing HTTP traffic. | 80 |
| extraArgs.httpsPort | Sets the container port for servicing HTTPS traffic. | 443 |
| extraArgs.enableSslPassthrough | Enables SSL passthrough. | false |
| extraArgs.defaultSslCertificate | Sets the TLS certificate. extraArgs.defaultSslCertificate is managed by MKE and must not be changed manually. If you want to change the TLS certificates used by MKE 4k, refer to TLS certificates. | mke/mke-ingress.tls |
| preserveClientIP | Enables preserving inbound traffic source IP. Valid values: true, false. | false |
| externalIPs | Sets the list of external IPs for Ingress service. IP addresses of manager nodes are always added automatically. | [] |
| affinity | Sets node affinity. Affinity is always configured to schedule ingress controller pods on manager nodes. Additional rules may be added, but this is not recommended. For more information, refer to the Kubernetes documentation Affinity and anti-affinity. | {} (empty) |
| tolerations | Sets node toleration. Tolerations are always configured to allow scheduling on manager nodes. Additional rules may be added, but this is not recommended. Refer to the Kubernetes documentation Assigning Pods to Nodes for more details. | [] (empty) |
| configMap | Adds custom configuration options to NGINX. For a complete list of available options, refer to the NGINX Ingress Controller ConfigMap. | {} (empty) |
| tcpServices | Sets TCP service key-value pairs; enables TCP services. Refer to the NGINX Ingress documentation Exposing TCP and UDP services for more information. | {} (empty) |
| udpServices | Sets UDP service key-value pairs; enables UDP services. Refer to the NGINX Ingress documentation Exposing TCP and UDP services for more information. | {} (empty) |
| nodePorts | Sets the node ports for the external HTTP/HTTPS/TCP/UDP listener. | {} (empty) |
| ports | Sets the port for the internal HTTP/HTTPS listener. | HTTP: 80, HTTPS: 443 |
| disableHttp | Disables the HTTP listener. | false |
Tolerations
To allow the ingress controller to be scheduled on tainted nodes, set node
tolerations in the ingressController.tolerations field of the mke4.yaml configuration file.
The following example uses a toleration with the NoExecute effect.
```yaml
ingressController:
  enabled: true
  tolerations:
    - key: "key1"
      operator: "Equal"
      value: "value1"
      effect: "NoExecute"
```
Example ingress controller configuration
```yaml
ingressController:
  enabled: true
  enableLoadBalancer: false
  replicaCount: 1
  preserveClientIP: true
  tolerations:
    - key: "key1"
      operator: "Equal"
      value: "value1"
      effect: "NoExecute"
  extraArgs:
    httpPort: 80
    httpsPort: 443
    enableSslPassthrough: false
  configMap:
    access-log-path: "/var/log/nginx/access.log"
    generate-request-id: "true"
    use-forwarded-headers: "true"
    error-log-path: "/var/log/nginx/error.log"
  tcpServices:
    9000: "default/tcp-echo:9000"
  udpServices:
    5005: "default/udp-listener:5005"
  nodePorts:
    http: 33000
    https: 33001
    tcp:
      9000: 33011
    udp:
      5005: 33012
  ports:
    http: 8080
    https: 4443
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - ip-172-31-42-30
```
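The rules this page states for the ingressController section (it must stay enabled, and extraArgs.defaultSslCertificate is managed by MKE) can be checked before a configuration is applied, along with the settings that widen exposure. The following is an added example, not Mirantis code: a hypothetical `audit_ingress` helper that takes the section as an already-parsed mapping and returns findings. The `use-forwarded-headers` check reflects NGINX Ingress Controller behaviour rather than a rule from this page, and the nodePorts cross-check is an assumption drawn from the example above.

```python
import re

MANAGED_CERT = "mke/mke-ingress.tls"  # default listed on this page; managed by MKE
TARGET_RE = re.compile(r"^[a-z0-9-]+/[a-z0-9.-]+:[A-Za-z0-9-]+(:|$)")  # namespace/service:port

# Constructed input: the page's example configuration, reduced to the audited fields.
PAGE_EXAMPLE = {
    "enabled": True, "replicaCount": 1, "preserveClientIP": True,
    "extraArgs": {"httpPort": 80, "httpsPort": 443, "enableSslPassthrough": False},
    "configMap": {"use-forwarded-headers": "true", "generate-request-id": "true"},
    "tcpServices": {9000: "default/tcp-echo:9000"},
    "udpServices": {5005: "default/udp-listener:5005"},
    "nodePorts": {"http": 33000, "https": 33001, "tcp": {9000: 33011}, "udp": {5005: 33012}},
}

def audit_ingress(cfg):
    """Return (level, field) findings for a parsed ingressController mapping."""
    out = []
    extra, cmap = cfg.get("extraArgs") or {}, cfg.get("configMap") or {}
    if cfg.get("enabled", True) is False:  # the page: must not be disabled
        out.append(("error", "enabled"))
    if extra.get("defaultSslCertificate") not in (None, "", MANAGED_CERT):
        out.append(("error", "extraArgs.defaultSslCertificate"))  # must not be changed manually
    if extra.get("enableSslPassthrough"):  # passthrough traffic is not decrypted by NGINX
        out.append(("review", "extraArgs.enableSslPassthrough"))
    if not cfg.get("disableHttp", False):  # plaintext HTTP listener stays open
        out.append(("review", "disableHttp"))
    if cfg.get("replicaCount", 2) < 2:  # below the default of 2: no redundancy
        out.append(("review", "replicaCount"))
    if str(cmap.get("use-forwarded-headers", "")).lower() == "true":
        # NGINX then trusts incoming X-Forwarded-* headers; safe only behind a trusted proxy
        out.append(("review", "configMap.use-forwarded-headers"))
    node_ports = cfg.get("nodePorts") or {}
    for proto in ("tcp", "udp"):
        services = cfg.get(proto + "Services") or {}
        for port, target in services.items():
            if not TARGET_RE.match(str(target)):
                out.append(("error", f"{proto}Services.{port}"))
        # Assumption: nodePorts.<proto> keys name <proto>Services ports, as in the page's example.
        for port in node_ports.get(proto) or {}:
            if port not in services:
                out.append(("review", f"nodePorts.{proto}.{port}"))
    return out

if __name__ == "__main__":
    for level, field in audit_ingress(PAGE_EXAMPLE):
        print(f"{level:6} ingressController.{field}")
```

An "error" marks a setting this page says must not be changed or a malformed service target; a "review" marks a setting that is valid but changes what the controller exposes or trusts.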
MKE version comparison: Ingress configuration parameters
| MKE 3 | MKE 4k |
|---|---|
| [cluster_config.ingress_controller.enabled] | ingressController.enabled |
| [cluster_config.ingress_controller.ingress_num_replicas] | ingressController.replicaCount |
| [cluster_config.ingress_controller.ingress_enable_lb] | ingressController.enableLoadBalancer |
| [cluster_config.ingress_controller.ingress_preserve_client_ip] | ingressController.preserveClientIP |
| [[cluster_config.ingress_controller.ingress_node_toleration]] key = "com.docker.ucp.manager" value = "" operator = "Exists" effect = "NoSchedule" | ingressController.tolerations - key: "key1" operator: "Equal" value: "value1" effect: "NoExecute" |
| [cluster_config.ingress_controller.ingress_config_map] | ingressController.configMap |
| [cluster_config.ingress_controller.ingress_tcp_services] 9000 = "default/tcp-echo:9000" | ingressController.tcpServices: 9000: "default/tcp-echo:9000" |
| [cluster_config.ingress_controller.ingress_udp_services] 5005 = "default/udp-listener:5005" | ingressController.udpServices: 5005: "default/udp-listener:5005" |
| [cluster_config.ingress_controller.ingress_extra_args] http_port = 8080 https_port = 4443 enable_ssl_passthrough = true default_ssl_certificate = "" | ingressController.extraArgs: httpPort: 0 httpsPort: 0 enableSslPassthrough: true defaultSslCertificate: "" |
| [cluster_config.ingress_controller.ingress_node_affinity] | ingressController.affinity |
| [[cluster_config.ingress_controller.ingress_exposed_ports]] name = "http2" port = 80 target_port = 8080 node_port = 33001 protocol = "" | Deprecated in MKE 4k. The HTTP and HTTPS ports are enabled by default on 80 and 443 respectively. To change them, use ingressController.ports. NodePorts for HTTP and HTTPS can be configured through ingressController.nodePorts. For information on how to configure TCP/UDP ports, refer to the TCP and UDP services documentation. |