On-Demand Recording:
https://www.nginx.com/resources/webinars/whats-new-nginx-ingress-controller-kubernetes-version-150/
Kubernetes is the leading orchestration platform for deploying, scaling, and managing containerized applications. Infrastructure operators constantly impose new application delivery requirements as they adopt Kubernetes for production workloads. The NGINX Ingress controller is the most popular ingress load balancer for Kubernetes, providing a complete and supported solution for delivering your containerized applications to clients.
Attend this webinar to learn about the latest developments in NGINX Ingress Controller for Kubernetes Release 1.5.0.
3. Agenda
1 NGINX Kubernetes Ingress Controller
Overview
2 New configuration approach based
on Custom Resources (CR)
3 Additional Ingress Controller Metrics
with Prometheus
4 Routing traffic to ‘ExternalName’ type
services
5 Deploying the NGINX Ingress
Controller Helm Chart
6 Demo
7 Summary
8 Q&A
3
4. NGINX and NGINX Plus
• NGINX – First a webserver and content cache,
now a Layer 4/Layer 7 load balancing solution:
◦ The busiest sites choose NGINX
◦ #1 downloaded application image on DockerHub
• NGINX Plus – Commercial version of NGINX,
with advanced features and 24x7 support
◦ JWT authentication
◦ API for Dynamic Reconfiguration
◦ Extended status with 90 additional metrics
◦ Dynamic DNS resolution
◦ Health checks
4
5. • NGINX/NGINX Plus Ingress Controller maintained
by NGINX, Inc.
https://github.com/nginxinc/kubernetes-ingress
• Kubernetes community ingress controller using NGINX
compiled with external third party modules
https://github.com/kubernetes/ingress-nginx
More details on differences
https://github.com/nginxinc/kubernetes-ingress/blob/master/docs/
nginx-ingress-controllers.md
NGINX Ingress Controllers
5
8. Limitations of the
Ingress Resource
• Annotations are limited and difficult to use
• RBAC based, self-service means of configuration
• Limited flexibility in matching requests and selecting upstreams
8
9. A New Approach
We are previewing a new approach to configuring ingress policies
with the following goals:
• Avoid relying on annotations
• Follow the Kubernetes API style
• Easier management of ingress routing
• Support for RBAC in a scalable and predictable manner
9
12. Cross-Namespace Configuration
with VirtualServerRoutes CR
• Routing requests to services in different namespaces.
• Gives the following benefits:
◦ Easier management of ingress routing
◦ Provides delegated self-service configuration in a secure and managed
RBAC fashion
Note: This capability not supported in regular ingress resources
12
13. • L7 routing based on the host
header and URL
• TLS termination
• Requests matching a path is
delegated to one of two
VirtualServerRoute
definitions in the namespace
product-ns and solution-ns
respectively
VS CR Configuration
1. apiVersion: k8s.nginx.org/v1alpha1
2. kind: VirtualServer
3. metadata:
4. name: app
5. namespace: app-ingress
6. spec:
7. host: app.example.com
8. tls:
9. secret: app-secret
10. routes:
11. - path: /productpage
12. route: product-ns/productpage
13. - path: /solutionpage
14. route: solution-ns/solutions
13
14. • Define the name of the
VirtualServerRoute as
productpage and specify the
namespace as product-ns
• Each subroute must have a
path that starts with the same
prefix defined in the VS.
• The host in the VSR must
match the host in the VS
VirtualServerRoute (VSR) CR Config
1. apiVersion: k8s.nginx.org/v1alpha1
2. kind: VirtualServerRoute
3. metadata:
4. name: productpage
5. namespace: product-ns
6. spec:
7. host: app.example.com
8. upstreams:
9. - name: products
10. service: productpage
11. port: 8090
12. subroutes:
13. - path: /productpage
14. upstream: products
14
15. • Define the name of the
VirtualServerRoute as
productpage and specify the
namespace as product-ns
• Each subroute must have a
path that starts with the same
prefix defined in the VS.
• The host in the VSR must
match the host in the VS
VirtualServerRoute (VSR) CR Config
1. apiVersion: k8s.nginx.org/v1alpha1
2. kind: VirtualServerRoute
3. metadata:
4. name: solutions
5. namespace: solution-ns
6. spec:
7. host: app.example.com
8. upstreams:
9. - name: solutions
10. service: solution-svc
11. port: 8090
12. subroutes:
13. - path: /solutionpage
14. upstream: solutions
15
17. Content-Based Routing and
Traffic Splitting
• Content-Based routing: Imposed routing rules with a list of
conditions and values you want to match to an upstream.
• Traffic splitting: Distribute traffic across several upstreams
according to the weight.
Note: This capability not supported in regular ingress resources
17
18. • Specify advanced routing
policies in VS and VSRs.
• Route requests based on
headers, cookies, arguments,
and NGINX variables.
• Includes sensitive and non
sensitive case matching and
regular expressions.
Content Based Routing
1. apiVersion: k8s.nginx.org/v1alpha1
2. kind: VirtualServerRoute
3. metadata:
4. name: solutions
5. namespace: solution-ns
6. spec:
7. host: app.example.com
8. upstreams:
9. - name: solutions
10. service: solution-svc
11. port: 9080
12. - name: suffer
13. service: suffer-svc
14. port: 80
15. subroutes:
16. - path: /solutionpage
17. rules:
18. conditions:
19. - variable: $request_method
20. matches:
21. - values:
22. - POST
23. upstream: solutions
24. defaultUpstream: suffer
18
21. Enabling Prometheus Metrics
• Add the -enable-prometheus-metrics command line
flag to the arguments of the NGINX Ingress Controller
Deployment
• Additional metrics include:
◦ # of NGINX reloads
◦ Status/Time elapsed of the last reload
◦ # of Ingress Resources that make up the IC config
21
23. Support for
ExternalName Services
Load balance requests to services external to the cluster. Provides
the following benefits:
• Easier migrating services in the cluster to services that have
not been yet moved to the cluster
Note: Exclusive to NGINX Plus; relies on the dynamic DNS
resolution feature of NGINX Plus
23
24. • Specify the IP address of the
nameserver where NGINX will
resolve the DNS names
ConfigMap Definition
1. kind: ConfigMap
2. apiVersion: v1
3. metadata:
4. name: nginx-config
5. namespace: nginx-ingress
6. data:
7. resolver-addresses: "10.0.0.10"
24
25. • Specify the domain of your
external service
ExternalName Service Definition
25
1. kind: Service
2. apiVersion: v1
3. metadata:
4. name: my-service
5. spec:
6. type: ExternalName
7. externalName:
my.service.example.com
28. Simpler Sharing of
Wildcard Certificates
• Add the -wildcard-tls-secret <namespace/secret-
name> command line flag to the arguments of the NGINX
Ingress Controller deployment
28
30. NGINX Plus and Helm
• Simplified installation of the NGINX Ingress Controller
with Helm
• We provide the Helm Chart of the NGINX IC version 1.5.0
via our Helm repository
30
32. Summary
• New configuration approach using NGINX CRs to define ingress
policies
• Additional Metrics, provided by streamlined Prometheus exporter
• Support for load balancing traffic to external services, using
ExternalName services
• Simplified configuration of complex TLS deployments with
Wildcard certificates
• A dedicated Helm chart repository
32
33. Q&A
33
Get the NGINX Ingress controller:
github.com/nginxinc/kubernetes-ingress
Try NGINX Plus free for 30 days: nginx.com/free-trial-request
List of third party modules: Lua
Different approach Configuration style and approach
Defines a route for a virtual server, consisting of one or several subroutes.
We define a route with the path products and solutions, which is further defined in the VirtualServerRoute Definitions in the product-ns and solution-ns namespaces respectively.
Configuring Additional NGINX Features
Annotations are not part of the `spec` v(the spec part of the resource - the place where you define the load balancing configuration)
Annotations can grow bigger than specs
Annotations do not provide any type of safety in comparison to the spec (they are just key-value stores).
Annotations are bad at configuring complex rules (ex. Service A needs this feature with these parameters, while Service B needs the same feature with some different parameters)
it’s challenging to use the same annotation feature with different parameters for different services
Ingress:
Kubernetes Custom Resource
Automates configuration for an edge load balancer (or ADC)
Ingress features:
L7 routing based on the host header and URL
TLS termination
The configuration approach in release 1.5.0 – using custom resources – is a preview of our future direction. As we develop the next release (1.6.0), we welcome feedback, criticism, and suggestions for improvement to this approach. Once we’re satisfied we have a solid configuration architecture, we’ll lock it down and regard it as stable and fully production‑ready.
it’s challenging to use the same annotation feature with different parameters for different services.
Defines a route for a virtual server, consisting of one or several subroutes.
We define a route with the path products and solutions, which is further defined in the VirtualServerRoute Definitions in the product-ns and solution-ns namespaces respectively.
Defines a route for a virtual server, consisting of one or several subroutes.
We define a route with the path products and solutions, which is further defined in the VirtualServerRoute Definitions in the product-ns and solution-ns namespaces respectively.
Defines a route for a virtual server, consisting of one or several subroutes.
We define a route with the path products and solutions, which is further defined in the VirtualServerRoute Definitions in the product-ns and solution-ns namespaces respectively.
Meets the following use cases:
A/B testing
Blue-green deployments
Debug Routing
Defines a route for a virtual server, consisting of one or several subroutes.
We define a route with the path products and solutions, which is further defined in the VirtualServerRoute Definitions in the product-ns and solution-ns namespaces respectively.
Defines a route for a virtual server, consisting of one or several subroutes.
We define a route with the path products and solutions, which is further defined in the VirtualServerRoute Definitions in the product-ns and solution-ns namespaces respectively.
These metrics can help reveal problems in Ingress Controller operations.
You can view the frequency of nginx reloads. Excessive reloading can degrade performance.
Valid NGINX configuration by checking status of last reload.
it’s challenging to use the same annotation feature with different parameters for different services.
Defines a route for a virtual server, consisting of one or several subroutes.
We define a route with the path products and solutions, which is further defined in the VirtualServerRoute Definitions in the product-ns and solution-ns namespaces respectively.
Defines a route for a virtual server, consisting of one or several subroutes.
We define a route with the path products and solutions, which is further defined in the VirtualServerRoute Definitions in the product-ns and solution-ns namespaces respectively.
Defines a route for a virtual server, consisting of one or several subroutes.
We define a route with the path products and solutions, which is further defined in the VirtualServerRoute Definitions in the product-ns and solution-ns namespaces respectively.
Now you don’t need to reference TLS secrets in the Ingress Resources, and making it available in each namespace that requires the secret. Reduces exposing sensitive data in a multi-user, self-service environment.