Ingress controller

Traffic that originates outside of your cluster, ingress traffic, is managed through the use of an ingress controller. By default, MKE 4 offers NGINX Ingress Controller, which manages ingress traffic using the Kubernetes Ingress rules.

NGINX Ingress Controller is the only ingress controller that MKE 4 currently supports.

Configuration

You can configure NGINX Ingress Controller through the ingressController section of the MKE 4 configuration file. The function is enabled by default and must not be disabled for the cluster to function correctly.

Ingress controller parameters that you can configure are detailed in the following table.

| Field | Description | Default |
|---|---|---|
| replicaCount | Sets the number of NGINX Ingress Controller deployment replicas. | 2 |
| enableLoadBalancer | Enables an external load balancer. Valid values: true, false. | true if apiServer.externalAddress is set in the config file; false otherwise |
| extraArgs | Additional command line arguments to pass to Ingress-Nginx Controller. | {} (empty) |
| extraArgs.httpPort | Sets the container port for servicing HTTP traffic. | 80 |
| extraArgs.httpsPort | Sets the container port for servicing HTTPS traffic. | 443 |
| extraArgs.enableSslPassthrough | Enables SSL passthrough. | false |
| extraArgs.defaultSslCertificate | The only valid value is mke/auth-https.tls. Must NOT be changed. | mke/auth-https.tls |
| preserveClientIP | Enables preserving inbound traffic source IP. Valid values: true, false. | false |
| externalIPs | Sets the list of external IPs for the Ingress service. IP addresses of manager nodes are always added automatically. | [] |
| affinity | Sets node affinity (see the Affinity section for an example). Affinity is always configured to schedule ingress controller pods on manager nodes. Additional rules may be added, but it's not recommended. For more information, refer to the Kubernetes documentation Affinity and anti-affinity. | {} (empty) |
| tolerations | Sets node toleration (see the Tolerations section for an example). Tolerations are always configured to allow scheduling on manager nodes. Additional rules may be added, but it's not recommended. Refer to the Kubernetes documentation Assigning Pods to Nodes for more detail. | [] (empty) |
| configMap | Adds custom configuration options to Nginx. For a complete list of available options, refer to the NGINX Ingress Controller ConfigMap. | {} (empty) |
| tcpServices | Sets TCP service key-value pairs; enables TCP services (see the example ingress controller configuration). Refer to the NGINX Ingress documentation Exposing TCP and UDP services for more information. | {} (empty) |
| udpServices | Sets UDP service key-value pairs; enables UDP services (see the example ingress controller configuration). Refer to the NGINX Ingress documentation Exposing TCP and UDP services for more information. | {} (empty) |
| nodePorts | Sets the node ports for the external HTTP/HTTPS/TCP/UDP listener. You should not change the HTTPS port, but if you do so, make sure to change the target port of the MKE Dashboard in your load balancer configuration. Refer to System requirements for more information. | HTTP: 33000, HTTPS: 33001 |
| ports | Sets the port for the internal HTTP/HTTPS listener. | HTTP: 80, HTTPS: 443 |
| disableHttp | Disables the HTTP listener. | false |

Node ports operation for MKE 3 to MKE 4 upgrade

The handling of node ports during an upgrade from MKE 3 to MKE 4 differs, depending on several factors, as illustrated below:

| MKE 3 NodePort Range | Ingress Controller in MKE 3 | Ingress NodePorts in MKE 4 |
|---|---|---|
| Default | Enabled | Uses the ports set in MKE 3. |
| Default | Disabled | Default ports: HTTP: 33000, HTTPS: 33001 |
| Custom | Enabled | Uses the ports set in MKE 3. |
| Custom | Disabled | Reserves the first two static ports from the NodePort range for the Ingress Controller. |

Note: The static NodePort range is calculated based on the official Kubernetes documentation How can you avoid NodePort Service port conflicts?

Thus, if the NodePort range is 30000-32767, the NodePorts for the ingress controller will be 30000 and 30001.
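
The four upgrade cases and the static-range calculation above, as an added Python example that is not MKE or Kubernetes code. The function names are hypothetical, the band formula min(max(16, size / 32), 128) is the one from the Kubernetes documentation, and returning the lower reserved port as HTTP is an assumption, since the table does not say which port is which.

```python
MKE4_DEFAULT_NODEPORTS = (33000, 33001)  # (HTTP, HTTPS) defaults from the table


def static_band(range_start, range_end):
    """Return (first, last) port of the static NodePort band, or None if there is none."""
    size = range_end - range_start + 1
    if size <= 0:
        raise ValueError("invalid NodePort range")
    if size <= 16:
        # The Kubernetes allocator keeps no static band for ranges this small.
        return None
    offset = min(max(16, size // 32), 128)
    return range_start, range_start + offset - 1


def mke4_ingress_nodeports(custom_range, mke3_ingress_enabled,
                           mke3_ports=None, nodeport_range=None):
    """Resolve the MKE 4 ingress NodePorts for one row of the upgrade table."""
    if mke3_ingress_enabled:
        # Default or custom range, ingress enabled: MKE 3 ports carry over.
        if not mke3_ports:
            raise ValueError("MKE 3 ingress ports are required when it was enabled")
        return tuple(mke3_ports)
    if not custom_range:
        # Default range, ingress disabled: MKE 4 defaults apply.
        return MKE4_DEFAULT_NODEPORTS
    # Custom range, ingress disabled: first two ports of the static band.
    if nodeport_range is None:
        raise ValueError("the custom NodePort range is required")
    band = static_band(*nodeport_range)
    if band is None:
        raise ValueError("range too small to have a static band")
    return band[0], band[0] + 1  # assumption: HTTP first, then HTTPS


if __name__ == "__main__":
    print(static_band(30000, 32767))
    print(mke4_ingress_nodeports(True, False, nodeport_range=(30000, 32767)))
```

Any Service that already pins a NodePort at the start of a custom range will collide with the two ports reserved in the last case, so check existing Services against the result before upgrading.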

Affinity

You can specify node affinities using the ingressController.affinity.nodeAffinity field in the MKE configuration file.

The following example uses requiredDuringSchedulingIgnoredDuringExecution to schedule the ingress controller pods.

ingressController:
  enabled: true
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - ip-172-31-42-30

Tolerations

You can set node tolerations, which allow the ingress controller pods to be scheduled on nodes with taints, using the ingressController.tolerations field in the MKE configuration file.

The following example uses a toleration with the NoExecute effect.

ingressController:
  enabled: true
  tolerations:
  - key: "key1"
    operator: "Equal"
    value: "value1"
    effect: "NoExecute"

Example ingress controller configuration

ingressController:
  enabled: true
  enableLoadBalancer: false
  numReplicas: 1
  preserveClientIP: true
  tolerations:
    - key: "key1"
      operator: "Equal"
      value: "value1"
      effect: "NoExecute"
  extraArgs:
    httpPort: 80
    httpsPort: 443
    enableSslPassthrough: false
  configMap:
    access-log-path: "/var/log/nginx/access.log"
    generate-request-id: "true"
    use-forwarded-headers: "true"
    error-log-path: "/var/log/nginx/error.log"
  tcpServices:
    9000: "default/tcp-echo:9000"
  udpServices:
    5005: "default/udp-listener:5005"
  nodePorts:
    http: 33000
    https: 33001
    tcp:
      9000: 33011
    udp:
      5005: 33012
  ports:
    http: 8080
    https: 4443
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - ip-172-31-42-30
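
A pre-deployment check over these settings, as an added Python example that is not part of MKE: it takes the ingressController mapping, already parsed from the configuration file, and reports values that break the constraints in the parameter table plus settings worth a security review. The function name, severity labels and both sample mappings are constructed for illustration.

```python
import re

REQUIRED_CERT = "mke/auth-https.tls"  # only valid value per the parameter table
# ingress-nginx target format: <namespace>/<service>:<port>[:PROXY][:PROXY]
TARGET_RE = re.compile(r"^[a-z0-9-]+/[a-z0-9-]+:[A-Za-z0-9-]+(:(PROXY)?){0,2}$")


def lint_ingress(cfg):
    """Return (severity, field, message) findings for an ingressController mapping."""
    out = []
    if cfg.get("enabled", True) is not True:
        out.append(("error", "enabled", "must not be disabled"))
    args = cfg.get("extraArgs") or {}
    # An empty string is treated as "unset", which falls back to the default.
    if (args.get("defaultSslCertificate") or REQUIRED_CERT) != REQUIRED_CERT:
        out.append(("error", "extraArgs.defaultSslCertificate", "must be " + REQUIRED_CERT))
    if args.get("enableSslPassthrough"):
        out.append(("warn", "extraArgs.enableSslPassthrough",
                    "TLS is not decrypted by the controller for passthrough hosts"))
    if not cfg.get("disableHttp", False):
        out.append(("info", "disableHttp", "plaintext HTTP listener is enabled"))
    cm = cfg.get("configMap") or {}
    if str(cm.get("use-forwarded-headers", "false")).lower() == "true":
        out.append(("warn", "configMap.use-forwarded-headers",
                    "incoming X-Forwarded-* headers are passed on; needs a trusted L7 proxy"))
    for field in ("tcpServices", "udpServices"):
        for port, target in (cfg.get(field) or {}).items():
            if not (str(port).isdigit() and 1 <= int(port) <= 65535):
                out.append(("error", f"{field}.{port}", "key is not a valid port"))
            if not TARGET_RE.match(str(target)):
                out.append(("error", f"{field}.{port}", "expected namespace/service:port"))
    return out


# Constructed input: the example configuration above, reduced to the linted fields.
PAGE_EXAMPLE = {
    "enabled": True,
    "extraArgs": {"httpPort": 80, "httpsPort": 443, "enableSslPassthrough": False},
    "configMap": {"use-forwarded-headers": "true", "generate-request-id": "true"},
    "tcpServices": {9000: "default/tcp-echo:9000"},
    "udpServices": {5005: "default/udp-listener:5005"},
}
# Constructed input: a mapping that breaks the constraints stated on this page.
BROKEN = {"enabled": False, "disableHttp": True, "tcpServices": {9000: "tcp-echo"},
          "extraArgs": {"defaultSslCertificate": "default/my-cert", "enableSslPassthrough": True}}

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("broken", BROKEN)):
        for finding in lint_ingress(cfg):
            print(name, *finding, sep=" | ")
```

The use-forwarded-headers warning matters together with preserveClientIP: when no trusted L7 proxy sits in front of the controller, a client can set X-Forwarded-For itself and the value reaches the backends and the access log.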

MKE version comparison: Ingress configuration parameters

| MKE 3 | MKE 4 |
|---|---|
| [cluster_config.ingress_controller.enabled] | ingressController.enabled |
| [cluster_config.ingress_controller.ingress_num_replicas] | ingressController.numReplicas |
| [cluster_config.ingress_controller.ingress_enable_lb] | ingressController.enableLoadBalancer |
| [cluster_config.ingress_controller.ingress_preserve_client_ip] | ingressController.preserveClientIP |
| [[cluster_config.ingress_controller.ingress_node_toleration]]<br>key = "com.docker.ucp.manager"<br>value = ""<br>operator = "Exists"<br>effect = "NoSchedule" | ingressController.tolerations<br>- key: "key1"<br>  operator: "Equal"<br>  value: "value1"<br>  effect: "NoExecute" |
| [cluster_config.ingress_controller.ingress_config_map] | ingressController.configMap |
| [cluster_config.ingress_controller.ingress_tcp_services]<br>9000 = "default/tcp-echo:9000" | ingressController.tcpServices:<br>9000: "default/tcp-echo:9000" |
| [cluster_config.ingress_controller.ingress_udp_services]<br>5005 = "default/udp-listener:5005" | ingressController.udpServices:<br>5005: "default/udp-listener:5005" |
| [cluster_config.ingress_controller.ingress_extra_args]<br>http_port = 8080<br>https_port = 4443<br>enable_ssl_passthrough = true<br>default_ssl_certificate = "" | ingressController.extraArgs:<br>httpPort: 0<br>httpsPort: 0<br>enableSslPassthrough: true<br>defaultSslCertificate: "" |
| [cluster_config.ingress_controller.ingress_node_affinity] | ingressController.affinity |
| [[cluster_config.ingress_controller.ingress_exposed_ports]]<br>name = "http2"<br>port = 80<br>target_port = 8080<br>node_port = 33001<br>protocol = "" | Deprecated in MKE 4. |

The HTTP and HTTPS ports are enabled by default on 80 and 443, respectively. To change them, use ingressController.ports.

NodePorts for HTTP and HTTPS can be configured via ingressController.nodePorts. The default values are 33000 and 33001, respectively.

For information on how to configure TCP/UDP ports, refer to the TCP and UDP services documentation.