Ingress controller
Traffic that originates outside of your cluster, ingress traffic, is managed through the use of an ingress controller. By default, MKE 4 offers NGINX Ingress Controller, which manages ingress traffic using the Kubernetes Ingress rules.
NGINX Ingress Controller is the only ingress controller that MKE 4 currently supports.
Configuration
You can configure NGINX Ingress Controller through the ingressController
section of the MKE 4 configuration file. The function is enabled by default
and must not be disabled for the cluster to function correctly.
Ingress controller parameters that you can configure are detailed in the following table.
Field | Description | Default |
---|---|---|
replicaCount | Sets the number of NGINX Ingress Controller deployment replicas. | 2 |
enableLoadBalancer | Enables an external load balancer. Valid values: true, false. | true if apiServer.externalAddress is set in the config file; false otherwise |
extraArgs | Additional command line arguments to pass to Ingress-Nginx Controller. | {} (empty) |
extraArgs.httpPort | Sets the container port for servicing HTTP traffic. | 80 |
extraArgs.httpsPort | Sets the container port for servicing HTTPS traffic. | 443 |
extraArgs.enableSslPassthrough | Enables SSL passthrough. | false |
extraArgs.defaultSslCertificate | Sets the TLS certificate. For more information, refer to TLS certificates. | mke/mke-ingress.tls |
preserveClientIP | Enables preserving inbound traffic source IP. Valid values: true, false. | false |
externalIPs | Sets the list of external IPs for Ingress service. IP addresses of manager nodes are always added automatically. | [] |
affinity | Sets node affinity. Affinity is always configured to schedule ingress controller pods on manager nodes. Additional rules may be added, but it’s not recommended. For more information, refer to the Kubernetes documentation Affinity and anti-affinity. | {} (empty) |
tolerations | Sets node toleration. Tolerations are always configured to allow scheduling on manager nodes. Additional rules may be added, but it’s not recommended. Refer to the Kubernetes documentation Assigning Pods to Nodes for more detail. | [] (empty) |
configMap | Adds custom configuration options to Nginx. For a complete list of available options, refer to the NGINX Ingress Controller ConfigMap. | {} (empty) |
tcpServices | Sets TCP service key-value pairs; enables TCP services. Refer to the NGINX Ingress documentation Exposing TCP and UDP services for more information. | {} (empty) |
udpServices | Sets UDP service key-value pairs; enables UDP services. Refer to the NGINX Ingress documentation Exposing TCP and UDP services for more information. | {} (empty) |
nodePorts | Sets the node ports for the external HTTP/HTTPS/TCP/UDP listener. You should not change the HTTPS port, but if you do so, make sure to change the target port of the MKE Dashboard in your load balancer configuration. Refer to System requirements for more information. | HTTP: 33000, HTTPS: 33001 |
ports | Sets the port for the internal HTTP/HTTPS listener. | HTTP: 80, HTTPS: 443 |
disableHttp | Disables the HTTP listener. | false |
Node ports operation for MKE 3 to MKE 4 upgrade
The handling of node ports during an upgrade from MKE 3 to MKE 4 differs, depending on several factors, as illustrated below:
MKE 3 NodePort Range | Ingress Controller in MKE 3 | Ingress NodePorts in MKE 4 |
---|---|---|
Default | Enabled | Uses the ports set in MKE 3. |
Default | Disabled | Default ports: HTTP: 33000, HTTPS: 33001 |
Custom | Enabled | Uses the ports set in MKE 3. |
Custom | Disabled | Reserves the first two static ports from the NodePort range for the Ingress Controller. |
Thus, if the NodePort range is 30000-32767, the NodePorts for the ingress controller will be 30000 and 30001.
Affinity
You can specify node affinities using the ingressController.affinity.nodeAffinity field in the MKE configuration file.
The following example uses requiredDuringSchedulingIgnoredDuringExecution to schedule the ingress controller pods.
ingressController:
  enabled: true
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - ip-172-31-42-30
Tolerations
You can set node tolerations, which allow scheduling onto nodes with taints, using the ingressController.tolerations field in the MKE configuration file.
The following example uses a toleration with NoExecute effect.
ingressController:
  enabled: true
  tolerations:
    - key: "key1"
      operator: "Equal"
      value: "value1"
      effect: "NoExecute"
Example ingress controller configuration
ingressController:
  enabled: true
  enableLoadBalancer: false
  numReplicas: 1
  preserveClientIP: true
  tolerations:
    - key: "key1"
      operator: "Equal"
      value: "value1"
      effect: "NoExecute"
  extraArgs:
    httpPort: 80
    httpsPort: 443
    enableSslPassthrough: false
  configMap:
    access-log-path: "/var/log/nginx/access.log"
    generate-request-id: "true"
    use-forwarded-headers: "true"
    error-log-path: "/var/log/nginx/error.log"
  tcpServices:
    9000: "default/tcp-echo:9000"
  udpServices:
    5005: "default/udp-listener:5005"
  nodePorts:
    http: 33000
    https: 33001
    tcp:
      9000: 33011
    udp:
      5005: 33012
  ports:
    http: 8080
    https: 4443
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - ip-172-31-42-30
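The following Python check is an added example, not part of the MKE documentation or Mirantis code. It reviews the exposure-relevant fields of an ingressController section before the configuration is applied. The function name review, the check IDs and the dict form of the config are assumptions of this example; the meanings of use-forwarded-headers, SSL passthrough and the TCP/UDP service target format follow the upstream ingress-nginx documentation.

```python
import re

# Constructed sample: the exposure-relevant fields of the example
# configuration above, as a dict so only the standard library is needed.
SAMPLE = {
    "disableHttp": False,  # not set in the example; documented default
    "extraArgs": {"enableSslPassthrough": False},
    "configMap": {"use-forwarded-headers": "true"},
    "tcpServices": {9000: "default/tcp-echo:9000"},
    "udpServices": {5005: "default/udp-listener:5005"},
    "nodePorts": {"http": 33000, "https": 33001,
                  "tcp": {9000: 33011}, "udp": {5005: 33012}},
}

# ingress-nginx target format: <namespace>/<service>:<port>[:PROXY][:PROXY]
TARGET = re.compile(r"^[a-z0-9-]+/[a-z0-9.-]+:[A-Za-z0-9-]+(:(PROXY)?){0,2}$")

def review(cfg):
    """Return (check_id, detail) findings for an ingressController section."""
    out = []
    if not cfg.get("disableHttp", False):
        out.append(("http-listener", "plaintext HTTP listener is enabled"))
    if cfg.get("extraArgs", {}).get("enableSslPassthrough", False):
        out.append(("ssl-passthrough", "passthrough hosts are proxied at L4; other Ingress annotations do not apply"))
    fwd = str(cfg.get("configMap", {}).get("use-forwarded-headers", "false"))
    if fwd.lower() == "true":
        out.append(("forwarded-headers", "incoming X-Forwarded-* is passed upstream; only valid behind an L7 proxy that sets it"))
    for proto in ("tcp", "udp"):
        for port, target in cfg.get(proto + "Services", {}).items():
            if not TARGET.match(str(target)):
                out.append(("bad-target", f"{proto} {port}: {target!r}"))
            else:
                out.append(("l4-exposed", f"{proto} {port} -> {target}; Ingress rules do not apply"))
    np = cfg.get("nodePorts", {})
    tcp_side = [np.get("http"), np.get("https"), *np.get("tcp", {}).values()]
    for name, ports in (("tcp", tcp_side), ("udp", list(np.get("udp", {}).values()))):
        ports = [p for p in ports if p is not None]
        for dup in sorted({p for p in ports if ports.count(p) > 1}):
            out.append(("nodeport-clash", f"{name} node port {dup} assigned twice"))
    return out

if __name__ == "__main__":
    for check, detail in review(SAMPLE):
        print(f"{check}: {detail}")
```

Findings are review prompts rather than errors: each one marks a setting whose safety depends on what sits in front of the cluster, such as the load balancer and its header handling.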
MKE version comparison: Ingress configuration parameters
MKE-3 | MKE-4 |
---|---|
[cluster_config.ingress_controller.enabled] | ingressController.enabled |
[cluster_config.ingress_controller.ingress_num_replicas] | ingressController.numReplicas |
[cluster_config.ingress_controller.ingress_enable_lb] | ingressController.enableLoadBalancer |
[cluster_config.ingress_controller.ingress_preserve_client_ip] | ingressController.preserveClientIP |
[[cluster_config.ingress_controller.ingress_node_toleration]] key = "com.docker.ucp.manager" value = "" operator = "Exists" effect = "NoSchedule" | ingressController.tolerations - key: "key1" operator: "Equal" value: "value1" effect: "NoExecute" |
[cluster_config.ingress_controller.ingress_config_map] | ingressController.configMap |
[cluster_config.ingress_controller.ingress_tcp_services] 9000 = "default/tcp-echo:9000" | ingressController.tcpServices: 9000: "default/tcp-echo:9000" |
[cluster_config.ingress_controller.ingress_udp_services] 5005 = "default/udp-listener:5005" | ingressController.udpServices: 5005: "default/udp-listener:5005" |
[cluster_config.ingress_controller.ingress_extra_args] http_port = 8080 https_port = 4443 enable_ssl_passthrough = true default_ssl_certificate = "" | ingressController.extraArgs: httpPort: 0 httpsPort: 0 enableSslPassthrough: true defaultSslCertificate: "" |
[cluster_config.ingress_controller.ingress_node_affinity] | ingressController.affinity |
[[cluster_config.ingress_controller.ingress_exposed_ports]] name = "http2" port = 80 target_port = 8080 node_port = 33001 protocol = "" | Deprecated in MKE 4. The http and https ports are enabled by default on 80 and 443 respectively. To change them, use ingressController.ports. NodePorts for http and https can be configured via ingressController.nodePorts. The default values are 33000 and 33001 respectively. For information on how to configure TCP/UDP ports, refer to the TCP and UDP services documentation. |