Kubernetes Ingress 101: NodePort, Load Balancers, and Ingress Controllers

Richard Li
Ambassador Labs
Published in
7 min readFeb 28, 2018

--

This article was updated in April 2020 to reflect the updated state of ingress in Kubernetes 1.18 and the Ingress v1 specification, again in February 2021 to reflect the Gateway API working group, and most recently in December 2021.

This article will introduce the three general strategies in Kubernetes for ingress, and the tradeoffs with each approach. I’ll then explore some of the more sophisticated requirements of an ingress strategy. Finally, I’ll give some guidelines on how to pick your Kubernetes ingress strategy.

What is Kubernetes ingress?

Kubernetes ingress is a collection of routing rules that govern how external users access services running in a Kubernetes cluster. However, in real-world Kubernetes deployments, there are frequently other considerations beyond routing for managing ingress.

We’ll discuss these requirements in more detail below.

Ingress in Kubernetes

In Kubernetes, there are three general approaches to exposing your application.

  • Using a Kubernetes service of type NodePort, which exposes the application on a port across each of your nodes
  • Use a Kubernetes service of type LoadBalancer, which creates an external load balancer that points to a Kubernetes service in your cluster
  • Use a Kubernetes Ingress Resource

What is a NodePort?

A NodePort is an open port on every node of your cluster. Kubernetes transparently routes incoming traffic on the NodePort to your service, even if your application is running on a different node.

Every Kubernetes cluster supports NodePort, although if you’re running in a cloud provider such as Google Cloud, you may have to edit your firewall rules. However, a NodePort is assigned from a pool of cluster-configured NodePort ranges (typically 30000–32767). While this is likely not a problem for most TCP or UDP clients, HTTP or HTTPS traffic end up being exposed on a non-standard port.

The NodePort abstraction is intended to be a building block for higher-level ingress models (e.g., load balancers). It is handy for development purposes, however, when you don’t need a production URL.

What is a Load Balancer?

Using a LoadBalancer service type automatically deploys an external load balancer. This external load balancer is associated with a specific IP address and routes external traffic to a Kubernetes service in your cluster.

The exact implementation of a LoadBalancer is dependent on your cloud provider, and not all cloud providers support the LoadBalancer service type. Moreover, if you’re deploying Kubernetes on bare metal, you’ll have to supply your own load balancer implementation. That said, if you’re in an environment that supports the LoadBalancer service type, this is likely the safest, simplest way to route your traffic.

Ingress Controllers and Ingress Resources

Kubernetes supports a high level abstraction called Ingress, which allows simple host or URL based HTTP routing. An ingress is a core concept (in beta) of Kubernetes, but is always implemented by a third party proxy. These implementations are known as ingress controllers. An ingress controller is responsible for reading the Ingress Resource information and processing that data accordingly. Different ingress controllers have extended the specification in different ways to support additional use cases.

Ingress is tightly integrated into Kubernetes, meaning that your existing workflows around kubectl will likely extend nicely to managing ingress. Note that an ingress controller typically doesn’t eliminate the need for an external load balancer — the ingress controller simply adds an additional layer of routing and control behind the load balancer.

Real-world ingress

We’ve just covered the three basic patterns for routing external traffic to your Kubernetes cluster. However, we’ve only discussed how to route traffic to your cluster. Typically, though, your Kubernetes services will impose additional requirements on your ingress. Examples of this include:

  • content-based routing, e.g., routing based on HTTP method, request headers, or other properties of the specific request
  • resilience, e.g., rate limiting, timeouts
  • support for multiple protocols, e.g., WebSockets or gRPC
  • authentication

Unless you’re running a very simple cloud application, you’ll likely need support for some or all of these capabilities. And, importantly, many of these requirements may need to be managed at the service level, which means you want to manage these concerns inside Kubernetes.

Start with a load balancer

Regardless of your ingress strategy, you probably will need to start with an external load balancer. This load balancer will then route traffic to a Kubernetes service (or ingress) on your cluster that will perform service-specific routing. In this set up, your load balancer provides a stable endpoint (IP address) for external traffic to access.

Both ingress controllers and Kubernetes services require an external load balancer, and, as previously discussed, NodePorts are not designed to be directly used for production.

Service-specific ingress management

So the question for your ingress strategy is really about choosing the right way to manage traffic from your external load balancer to your services. What are your options?

Assuming you don’t want to deploy your own, how do you choose between an ingress controller and an API gateway? It comes down to actual capabilities.

So how do you choose between an ingress controller and an API gateway deployed as a Kubernetes service? Surprisingly, there are no fundamental differences!

The original motivation behind ingress was to create a standard API to manage how external traffic is routed to cluster services. However, the reality is that ingress isn’t actually a portable standard. The standard is imprecise (different ingress controllers have different semantics, e.g., behavior of trailing / is not specified in the standard). The ingress standard has also focused on lowest common denominator functionality, so many ingress controllers have extended the ingress resource with custom annotations, creating additional fragmentation.

The Evolution of the Ingress API, Ingress v1, and the Gateway API

Ever since the Ingress resource moved to its final location under the permanent networking.k8s.io API group, a thorough clean up the ingress API to resolve some ambiguities in the specification has been underway. As Kubernetes 1.18 sets the table and prepares to make a cleaned up ingress API GA with the imminent v1 release, the existing v1beta1 version was enhanced to includes backward-compatible additions to the resource definition. Progressive changes will allow ingress-controller implementors and users of Ingress resources to adapt and migrate gradually.

Kubernetes 1.18, therefore, introduced 3 noteworthy changes:

  • The new pathType field can specify how HTTP request paths should be matched.
  • The new IngressClass resource can specify which Ingress should be handled by controllers. The IngressClass resource effectively replaces the kubernetes.io/ingress.class annotation and allows for extension points using the parameters field.
  • Added support for wildcards hostnames.

More details of changes rationale can be found in this Kubernetes Enhancement Proposal, KEP for short. The KEP also notes some of the challenges in making a consistent standard for ingress across multiple implementations. Kubernetes 1.19 sees the introduction of Ingress and IngressClass in networking.k8s.io/v1 with further non-backward compatible API changes, while networking.k8s.io/v1beta1 will officially be marked as deprecated.

In 2020, the SIG-Network community convened a working group to evolve the Ingress v1 specification. Originally called the Service APIs working group, the group was renamed the Gateway API working group in February 2021. The Gateway API is a much richer set of APIs that will be added to Kubernetes. One of the core principles of the design is decoupling routes from the actually configuration of the gateway resource itself. This is very similar to the evolution of other ingress controllers have evolved (e.g., Ambassador with its Mapping resource which does exactly this). In October 2021, the Gateway API working group released 0.4.0 of the Gateway specification, which is expected to become the basis for a v1beta1 release as it exits from alpha state.

So, at the end of the day, your choice for service-specific ingress management should depend on your specific requirements, and a specific implementation’s ability to meet your requirements. Different ingress controllers will have different functionality, just like API Gateways. Here are a few choices to consider:

Summary

Kubernetes ingress is a work-in-progress. Organizations appear to be converging on an external load balancer that sends external traffic to a service router (API Gateway, ingress controller). This service router is declaratively configured via Kubernetes annotations. If you’re interested in following the evolution of Kubernetes ingress, check out the Kubernetes Network SIG and the current plan in this KEP. To learn more about Kubernetes ingress and the options available for ingress controllers and API gateways, check out our resources on Kubernetes Ingress.

Kubernetes ingress with Ambassador

Ambassador is an open source, Kubernetes-native API Gateway built on the Envoy Proxy. Ambassador is easily configured via Kubernetes Custom Resource Definitions, and supports all the use cases mentioned in this article. Deploy Ambassador to Kubernetes in just a few simple steps and use Ambassador as your Envoy-powered Kubernetes ingress controller.

--

--

CEO, Amorphous Data. Formerly: Ambassador Labs, Duo Security, Rapid7, Red Hat.