On-Demand Recording: https://www.nginx.com/resources/webinars/whats-new-nginx-ingress-controller-kubernetes-version-150/ Kubernetes is the leading orchestration platform for deploying, scaling, and managing containerized applications. Infrastructure operators constantly impose new application delivery requirements as they adopt Kubernetes for production workloads. The NGINX Ingress controller is the most popular ingress load balancer for Kubernetes, providing a complete and supported solution for delivering your containerized applications to clients. Attend this webinar to learn about the latest developments in NGINX Ingress Controller for Kubernetes Release 1.5.0.

1. 1

2. Kubernetes Ingress
Controller: Version 1.5.0
2

3. Agenda
1 NGINX Kubernetes Ingress Controller
Overview
2 New configuration approach based
on Custom Resources (CR)
3 Additional Ingress Controller Metrics
with Prometheus
4 Routing traffic to ‘ExternalName’ type
services
5 Deploying the NGINX Ingress
Controller Helm Chart
6 Demo
7 Summary
8 Q&A
3

4. NGINX and NGINX Plus
• NGINX – First a webserver and content cache,
now a Layer 4/Layer 7 load balancing solution:
◦ The busiest sites choose NGINX
◦ #1 downloaded application image on DockerHub
• NGINX Plus – Commercial version of NGINX,
with advanced features and 24x7 support
◦ JWT authentication
◦ API for Dynamic Reconfiguration
◦ Extended status with 90 additional metrics
◦ Dynamic DNS resolution
◦ Health checks
4

5. • NGINX/NGINX Plus Ingress Controller maintained
by NGINX, Inc.
https://github.com/nginxinc/kubernetes-ingress
• Kubernetes community ingress controller using NGINX
compiled with external third party modules
https://github.com/kubernetes/ingress-nginx
More details on differences
https://github.com/nginxinc/kubernetes-ingress/blob/master/docs/
nginx-ingress-controllers.md
NGINX Ingress Controllers
5

6. • L7 routing based on the
host header and URL
• TLS termination
Configuration with Ingress Resources
1. apiVersion: extensions/v1beta1
2. kind: Ingress
3. metadata:
4. name: hello-ingress
5. spec:
6. tls:
7. - hosts:
8. - product.example.com
9. secretName: product-secret
10. rules:
11. - host: product.example.com
12. http:
13. paths:
14. - path: /productpage
15. backend:
16. serviceName: product-svc
17. servicePort: 9080
6

7. • Additional NGINX
features with annotations
Details on annotations:
https://github.com/nginxinc/kube
rnetes-
ingress/blob/master/docs/config
map-and-annotations.md
Additional NGINX Features with Annotations
1. apiVersion: extensions/v1beta1
2. kind: Ingress
3. metadata:
4. name: hello-ingress
5. annotations:
6. nginx.org/lb-method: "least-connected"
7. nginx.org/proxy-connect-timeout: "30s"
8. nginx.org/proxy-read-timeout: "20s"
9. nginx.org/proxy-read-timeout:
10. nginx.org/client-max-body-size: "4m"
11. nginx.org/keepalive: "100"
12. nginx.org/rewrites: "serviceName=product-svc
rewrite=/nginx-plus/"
13. spec:
14. tls:
15. - hosts:
16. - product.example.com
17. secretName: product-secret
18. rules:
19. - host: product.example.com
20. http:
21. paths:
22. - path: /productpage
23. backend:
24. serviceName: product-svc
25. servicePort: 9080
7

8. Limitations of the
Ingress Resource
• Annotations are limited and difficult to use
• RBAC based, self-service means of configuration
• Limited flexibility in matching requests and selecting upstreams
8

9. A New Approach
We are previewing a new approach to configuring ingress policies
with the following goals:
• Avoid relying on annotations
• Follow the Kubernetes API style
• Easier management of ingress routing
• Support for RBAC in a scalable and predictable manner
9

10. VirtualServer (VS) CR Basics
1. apiVersion: extensions/v1beta1
2. kind: Ingress
3. metadata:
4. name: hello-ingress
5. spec:
6. tls:
7. - hosts:
8. - product.example.com
9. secretName: product-secret
10. rules:
11. - host: product.example.com
12. http:
13. paths:
14. - path: /productpage
15. backend:
16. serviceName: product-
svc
17. servicePort: 9080
1. apiVersion: k8s.nginx.org/v1alpha1
2. kind: VirtualServer
3. metadata:
4. name: products
5. spec:
6. host: product.example.com
7. tls:
8. secret: product-secret
9. upstreams:
10. - name: products
11. service: product-svc
12. port: 9080
13. routes:
14. - path: /productpage
15. upstream: products
10

11. Cross-Namespace Configuration
with VirtualServerRoutes CR
11

12. Cross-Namespace Configuration
with VirtualServerRoutes CR
• Routing requests to services in different namespaces.
• Gives the following benefits:
◦ Easier management of ingress routing
◦ Provides delegated self-service configuration in a secure and managed
RBAC fashion
Note: This capability not supported in regular ingress resources
12

13. • L7 routing based on the host
header and URL
• TLS termination
• Requests matching a path is
delegated to one of two
VirtualServerRoute
definitions in the namespace
product-ns and solution-ns
respectively
VS CR Configuration
1. apiVersion: k8s.nginx.org/v1alpha1
2. kind: VirtualServer
3. metadata:
4. name: app
5. namespace: app-ingress
6. spec:
7. host: app.example.com
8. tls:
9. secret: app-secret
10. routes:
11. - path: /productpage
12. route: product-ns/productpage
13. - path: /solutionpage
14. route: solution-ns/solutions
13

14. • Define the name of the
VirtualServerRoute as
productpage and specify the
namespace as product-ns
• Each subroute must have a
path that starts with the same
prefix defined in the VS.
• The host in the VSR must
match the host in the VS
VirtualServerRoute (VSR) CR Config
1. apiVersion: k8s.nginx.org/v1alpha1
2. kind: VirtualServerRoute
3. metadata:
4. name: productpage
5. namespace: product-ns
6. spec:
7. host: app.example.com
8. upstreams:
9. - name: products
10. service: productpage
11. port: 8090
12. subroutes:
13. - path: /productpage
14. upstream: products
14

15. • Define the name of the
VirtualServerRoute as
productpage and specify the
namespace as product-ns
• Each subroute must have a
path that starts with the same
prefix defined in the VS.
• The host in the VSR must
match the host in the VS
VirtualServerRoute (VSR) CR Config
1. apiVersion: k8s.nginx.org/v1alpha1
2. kind: VirtualServerRoute
3. metadata:
4. name: solutions
5. namespace: solution-ns
6. spec:
7. host: app.example.com
8. upstreams:
9. - name: solutions
10. service: solution-svc
11. port: 8090
12. subroutes:
13. - path: /solutionpage
14. upstream: solutions
15

16. Content-Based Routing and
Traffic Splitting
16

17. Content-Based Routing and
Traffic Splitting
• Content-Based routing: Imposed routing rules with a list of
conditions and values you want to match to an upstream.
• Traffic splitting: Distribute traffic across several upstreams
according to the weight.
Note: This capability not supported in regular ingress resources
17

18. • Specify advanced routing
policies in VS and VSRs.
• Route requests based on
headers, cookies, arguments,
and NGINX variables.
• Includes sensitive and non
sensitive case matching and
regular expressions.
Content Based Routing
1. apiVersion: k8s.nginx.org/v1alpha1
2. kind: VirtualServerRoute
3. metadata:
4. name: solutions
5. namespace: solution-ns
6. spec:
7. host: app.example.com
8. upstreams:
9. - name: solutions
10. service: solution-svc
11. port: 9080
12. - name: suffer
13. service: suffer-svc
14. port: 80
15. subroutes:
16. - path: /solutionpage
17. rules:
18. conditions:
19. - variable: $request_method
20. matches:
21. - values:
22. - POST
23. upstream: solutions
24. defaultUpstream: suffer
18

19. • Deploy canary releases;
Select traffic based on
statistical split.
• NGINX will route 90 percent
of requests to solution-v1,
and remainder 10 percent to
solution-v2
Traffic Splitting
1. apiVersion: k8s.nginx.org/v1alpha1
2. kind: VirtualServerRoute
3. metadata:
4. name: solutions
5. namespace: solution-ns
6. spec:
7. host: app.example.com
8. upstreams:
9. - name: solution-v1
10. service: solution-v1-svc
11. port: 8090
12. - name: solution-v2
13. service: solution-v2-svc
14. port: 8090
15. subroutes:
16. - path: /solutionpage
17. splits:
18. - weight: 90
19. upstream: solution-v1
20. - weight: 10
21. upstream: solution-v2
19

20. Monitoring the NGINX Ingress
Controller with Prometheus
20

21. Enabling Prometheus Metrics
• Add the -enable-prometheus-metrics command line
flag to the arguments of the NGINX Ingress Controller
Deployment
• Additional metrics include:
◦ # of NGINX reloads
◦ Status/Time elapsed of the last reload
◦ # of Ingress Resources that make up the IC config
21

22. Support for
ExternalName Services
22

23. Support for
ExternalName Services
Load balance requests to services external to the cluster. Provides
the following benefits:
• Easier migrating services in the cluster to services that have
not been yet moved to the cluster
Note: Exclusive to NGINX Plus; relies on the dynamic DNS
resolution feature of NGINX Plus
23

24. • Specify the IP address of the
nameserver where NGINX will
resolve the DNS names
ConfigMap Definition
1. kind: ConfigMap
2. apiVersion: v1
3. metadata:
4. name: nginx-config
5. namespace: nginx-ingress
6. data:
7. resolver-addresses: "10.0.0.10"
24

25. • Specify the domain of your
external service
ExternalName Service Definition
25
1. kind: Service
2. apiVersion: v1
3. metadata:
4. name: my-service
5. spec:
6. type: ExternalName
7. externalName:
my.service.example.com

26. Routing Traffic to the External Service
1. apiVersion: extensions/v1beta1
2. kind: Ingress
3. metadata:
4. name: app-ingress
5. spec:
6. tls:
7. - hosts:
8. - app.example.com
9. secretName: app-secret
10. rules:
11. - host: app.example.com
12. http:
13. paths:
14. - path: /
15. backend:
16. serviceName: external-
svc
17. servicePort: 80
26

27. Simpler Sharing of
Wildcard Certificates
27

28. Simpler Sharing of
Wildcard Certificates
• Add the -wildcard-tls-secret <namespace/secret-
name> command line flag to the arguments of the NGINX
Ingress Controller deployment
28

29. Installing The NGINX IC
with Helm
29

30. NGINX Plus and Helm
• Simplified installation of the NGINX Ingress Controller
with Helm
• We provide the Helm Chart of the NGINX IC version 1.5.0
via our Helm repository
30

31. Demo
31

32. Summary
• New configuration approach using NGINX CRs to define ingress
policies
• Additional Metrics, provided by streamlined Prometheus exporter
• Support for load balancing traffic to external services, using
ExternalName services
• Simplified configuration of complex TLS deployments with
Wildcard certificates
• A dedicated Helm chart repository
32

33. Q&A
33
Get the NGINX Ingress controller:
github.com/nginxinc/kubernetes-ingress
Try NGINX Plus free for 30 days: nginx.com/free-trial-request

34. nginx.com | @nginx
Thank you!
34