Ingress controller

Traffic that originates outside of your cluster, ingress traffic, is managed through the use of an ingress controller. By default, MKE 4 offers NGINX Ingress Controller, which manages ingress traffic using the Kubernetes Ingress rules.

NGINX Ingress Controller is the only one ingress controller that MKE 4 currently supports.

Configuration

You can configure NGINX Ingress Controller through the ingressController section of the MKE 4 configuration file. The function is enabled by default and must not be disabled for the cluster to function correctly.

Ingress controller parameters that you can configure are detailed in the following table.

Field	Description	Default
replicaCount	Sets the number of NGINX Ingress Controller deployment replicas.	2
enableLoadBalancer	Enables an external load balancer. Valid values: `true`, `false`.	`true` if `apiServer.externalAddress` is set in the config file; `false` otherwise
extraArgs	Additional command line arguments to pass to Ingress-Nginx Controller.	{} (empty)
extraArgs.httpPort	Sets the container port for servicing HTTP traffic.	`80`
extraArgs.httpsPort	Sets the container port for servicing HTTPS traffic.	`443`
extraArgs.enableSslPassthrough	Enables SSL passthrough.	false
extraArgs.defaultSslCertificate	The only valid value is `mke/auth-https.tls`. Must NOT be changed.	`mke/auth-https.tls`
preserveClientIP	Enables preserving inbound traffic source IP. Valid values: `true`, `false`.	`false`
externalIPs	Sets the list of external IPs for Ingress service. IP addresses of managers nodes are always added automatically.	[]
affinity	Sets node affinity. Example Affinity is always configured to schedule ingress controller pods on manager nodes. Additional rules may be added, but it’s not recommended. For more information, refer to the Kubernetes documentation Affinity and anti-affinity.	{} (empty)
tolerations	Sets node toleration. Example Tolerations are always configured to allow scheduling on manager nodes. Additional rules may be added, but it’s not recommended. Refer to the Kubernetes documentation Assigning Pods to Nodes for more detail.	[] (empty)
configMap	Adds custom configuration options to Nginx. For a complete list of available options, refer to the NGINX Ingress Controller ConfigMap.	{} (empty)
tcpServices	Sets TCP service key-value pairs; enables TCP services. Example Refer to the NGINX Ingress documentation Exposing TCP and UDP services for more information. for more information.	{} (empty)
udpServices	Sets UDP service key-value pairs; enables UDP services. Example Refer to the NGINX Ingress documentation Exposing TCP and UDP services for more information.	{} (empty)
nodePorts	Sets the node ports for the external HTTP/HTTPS/TCP/UDP listener. You should not change the HTTPS port, but if you do so, make sure to change the target port of the MKE Dashboard in your load balancer configuration. Refer to System requirements for more information.	HTTP: 33000, HTTPS: 33001
ports	Sets the port for the internalHTTP/HTTPS listener.	HTTP: 80, HTTPS: 443
disableHttp	Disables the HTTP listener.	false

Affinity

You can specify node affinities using the ingressController.affinity.nodeAffinity field in the MKE configuration file.

The following example uses requiredDuringSchedulingIgnoredDuringExecution to schedule the ingress controller pods.

ingressController:
  enabled: true
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - ip-172-31-42-30

Tolerations

You can set Node tolerations for server scheduling to nodes with taints using the ingressController.tolerations field in the MKE configuration file.

The following example uses a toleration with NoExecute effect.

ingressController:
  enabled: true
  tolerations:
  - key: "key1"
    operator: "Equal"
    value: "value1"
    effect: "NoExecute"

Example ingress controller configuration

ingressController:
  enabled: true
  enableLoadBalancer: false
  numReplicas: 1
  preserveClientIP: true
  tolerations:
    - key: "key1"
      operator: "Equal"
      value: "value1"
      effect: "NoExecute"
  extraArgs:
    httpPort: 80
    httpsPort: 443
    enableSslPassthrough: false
  configMap:
    access-log-path: "/var/log/nginx/access.log"
    generate-request-id: "true"
    use-forwarded-headers: "true"
    error-log-path: "/var/log/nginx/error.log"
  tcpServices:
    9000: "default/tcp-echo:9000"
  udpServices:
    5005: "default/udp-listener:5005"
  nodePorts:
    http: 33000
    https: 33001
    tcp:
      9000: 33011
    udp:
      5005: 33012
  ports:
    http: 8080
    https: 4443
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - ip-172-31-42-30

MKE version comparison: Ingress configuration parameters

MKE-3	MKE-4
[cluster_config.ingress_controller.enabled]	ingressController.enabled
[cluster_config.ingress_controller.ingress_num_replicas]	ingressController.numReplicas
[cluster_config.ingress_controller.ingress_enable_lb]	ingressController.enableLoadBalancer
[cluster_config.ingress_controller.ingress_preserve_client_ip]	ingressController.preserveClientIP
[[cluster_config.ingress_controller.ingress_node_toleration]] key = “com.docker.ucp.manager” value = "" operator = “Exists” effect = “NoSchedule”	ingressController.tolerations - key: “key1” operator: “Equal” value: “value1” effect: “NoExecute”
[cluster_config.ingress_controller.ingress_config_map]	ingressController.configMap
[cluster_config.ingress_controller.ingress_tcp_services] 9000 = “default/tcp-echo:9000”	ingressController.tcpServices: 9000: “default/tcp-echo:9000”
[cluster_config.ingress_controller.ingress_udp_services] 5005 = “default/udp-listener:5005”	ingressController.udpServices: 5005: “default/udp-listener:5005”
[cluster_config.ingress_controller.ingress_extra_args] http_port = 8080 https_port = 4443 enable_ssl_passthrough = true default_ssl_certificate = ""	ingressController.extraArgs: httpPort: 0 httpsPort: 0 enableSslPassthrough: true defaultSslCertificate: ""
[cluster_config.ingress_controller.ingress_node_affinity]	ingressController.affinity
[[cluster_config.ingress_controller.ingress_exposed_ports]] name = “http2” port = 80 target_port = 8080 node_port = 33001 protocol = ""	Deprecated in MKE 4. The http and https ports are enabled by default on 80 and 443 respectively. If the user wants to change it, they can use ingressController.ports. NodePorts for http and https can be configured via ingressController.nodePorts. The default values are 33000 and 33001 respectively. For information on how to configure TCP/UDP ports, refer to the TCP and UDP services documentation.