Configuring Ingress Controller of Container Service for Kubernetes to Use an Intranet SLB Instance

After you create a Kubernetes cluster on Container Service, a set of Nginx Ingress Controllers is automatically deployed during the cluster initialization. By default, the Ingress Controllers are mounted to an Internet Server Load Balancer (SLB) instance.

Configure the Nginx Ingress Controller to Use an Intranet SLB Instance Only

If you want to restrict access to the services in the cluster to only one VPC, modify the configuration of the Nginx Ingress Controller service.

1. Apply for an intranet SLB instance.

Apply for an SLB instance with expected specifications on the network of the corresponding VPC.

2. Configure the Nginx Ingress Controller service.

After an intranet SLB instance is obtained, configure the Nginx Ingress Controller service to use the instance by setting the following annotation:

service.beta.kubernetes.io/alicloud-loadbalancer-id

Note:

  1. If you set alicloud-loadbalancer-id to specify an existing SLB instance for use, the manually configured listener may be overwritten.
  2. The SLB instance will not be automatically deleted when the kube-system/nginx-ingress-lb service is deleted.

For more information, see the following configuration.

# nginx ingress slb service
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-lb
  namespace: kube-system
  labels:
    app: nginx-ingress-lb
  annotations:
    # Set the SLB instance address type to intranet.
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: intranet
    # Change the SLB instance ID to that of the intranet SLB instance.
    service.beta.kubernetes.io/alicloud-loadbalancer-id: <YOUR_INTRANET_SLB_ID>
    # Specify whether to create an SLB port listener automatically or manually. If the listener is created automatically, the original port listener will be overwritten.
    #service.beta.kubernetes.io/alicloud-loadbalancer-force-override-listeners: 'true'
spec:
  type: LoadBalancer
  # route traffic to other nodes
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    # select app=ingress-nginx pods
    app: ingress-nginx

After the kube-system/nginx-ingress-lb service configuration is modified, the specified intranet SLB instance can be used.

Configure the Nginx Ingress Controller to Use Either an Internet or Intranet SLB Instance

In some specific scenarios, you may want services in the cluster to be accessible from both the Internet and the VPC to which the services belong (without going through the Internet).

To achieve this, deploy another kube-system/nginx-ingress-lb-intranet service.

Note: By default, a kube-system/nginx-ingress-lb service has been deployed during the cluster initialization and it has been mounted to an Internet SLB instance.

1. Apply for an intranet SLB instance.

Apply for an SLB instance with expected specifications on the network of the corresponding VPC.

2. Create a new Nginx Ingress Controller service for the intranet SLB instance.

After an intranet SLB instance is obtained, create a new kube-system/nginx-ingress-lb-intranet service through YAML.

# intranet nginx ingress slb service
apiVersion: v1
kind: Service
metadata:
  # Name the service nginx-ingress-lb-intranet.
  name: nginx-ingress-lb-intranet
  namespace: kube-system
  labels:
    app: nginx-ingress-lb-intranet
  annotations:
    # Set the SLB instance address type to intranet.
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: intranet
    # Change the SLB instance ID to that of the intranet SLB instance.
    service.beta.kubernetes.io/alicloud-loadbalancer-id: <YOUR_INTRANET_SLB_ID>
    # Specify whether to create an SLB port listener automatically or manually. If the listener is created automatically, the original port listener will be overwritten.
    #service.beta.kubernetes.io/alicloud-loadbalancer-force-override-listeners: 'true'
spec:
  type: LoadBalancer
  # route traffic to other nodes
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    # select app=ingress-nginx pods
    app: ingress-nginx

The following shows the two Nginx Ingress Controller services mounted to the Internet SLB instance and intranet SLB instance, respectively.

kubectl -n kube-system get svc | grep nginx-ingress-lb
nginx-ingress-lb            LoadBalancer   172.19.9.26    47.96.223.50   80:31456/TCP,443:30016/TCP   5h
nginx-ingress-lb-intranet   LoadBalancer   172.19.4.140   192.168.2.88   80:32394/TCP,443:31000/TCP   7m

After the configuration, services exposed by Ingress can be accessed through either the Internet or intranet SLB instance.
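
Both services above select the same app=ingress-nginx pods, so every Ingress rule served by those pods is reachable from both SLB instances. The following audit is an added example, not part of the original article or of Alibaba Cloud tooling: it classifies each LoadBalancer Service by the address-type annotation, checks that a declared intranet Service did not receive a public address, and reports pod selectors exposed through both kinds of SLB. The function name audit, the sample JSON (constructed from the listing above in the shape of kubectl -n kube-system get svc -o json), the "no annotation means Internet" default and the private-range heuristic are assumptions.

```python
import ipaddress
import json

ADDR_TYPE = "service.beta.kubernetes.io/alicloud-loadbalancer-address-type"

# Constructed sample shaped like `kubectl -n kube-system get svc -o json`,
# reusing the service names and addresses from the listing above.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "nginx-ingress-lb", "annotations": {}},
     "spec": {"type": "LoadBalancer", "selector": {"app": "ingress-nginx"}},
     "status": {"loadBalancer": {"ingress": [{"ip": "47.96.223.50"}]}}},
    {"metadata": {"name": "nginx-ingress-lb-intranet",
                  "annotations": {ADDR_TYPE: "intranet"}},
     "spec": {"type": "LoadBalancer", "selector": {"app": "ingress-nginx"}},
     "status": {"loadBalancer": {"ingress": [{"ip": "192.168.2.88"}]}}},
]})


def audit(svc_json):
    """Return (exposure, findings) for every LoadBalancer Service."""
    exposure, findings, by_selector = {}, [], {}
    for svc in json.loads(svc_json)["items"]:
        if svc["spec"].get("type") != "LoadBalancer":
            continue
        name = svc["metadata"]["name"]
        ann = svc["metadata"].get("annotations") or {}
        # Assumption: a missing annotation means an Internet SLB instance,
        # matching the default deployment the article describes.
        declared = ann.get(ADDR_TYPE, "internet")
        exposure[name] = declared
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        for entry in ingress:
            ip = entry.get("ip")
            # Heuristic: an intranet SLB address should fall in a private range.
            if ip and declared == "intranet" and not ipaddress.ip_address(ip).is_private:
                findings.append(f"{name}: declared intranet but has public address {ip}")
        selector = tuple(sorted((svc["spec"].get("selector") or {}).items()))
        by_selector.setdefault(selector, set()).add(declared)
    for selector, kinds in by_selector.items():
        if {"internet", "intranet"} <= kinds:
            findings.append(f"pods {dict(selector)} are reachable from both "
                            "Internet and intranet SLB instances")
    return exposure, findings


if __name__ == "__main__":
    exposure, findings = audit(SAMPLE)
    for name, kind in exposure.items():
        print(f"{name}: {kind}")
    for finding in findings:
        print("FINDING:", finding)
```

If internal-only routes must stay off the Internet SLB instance, the shared-selector finding is the one to act on, since the intranet Service alone does not separate them.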

To learn more about Alibaba Cloud Container Service for Kubernetes, visit https://www.alibabacloud.com/product/kubernetes

Reference: https://www.alibabacloud.com/blog/configuring-ingress-controller-of-container-service-for-kubernetes-to-use-an-intranet-slb-instance_594386?spm=a2c41.12517110.0.0