Tuesday, May 16, 2023

Having started with Cloud migration, have setup the very first K8s platform is the great feeling. But right then you get hit with a ton of options to choose from, which network plugin to choose, which service mesh would fit well, do we need multi-cluster setup etc..

This blog is about one such question about choosing the right Ingress Controller. With myriad of options to choose from, choosing the right Ingress can at times complicated.

First Off let’s seperate out the different terminologies involved :

What is an Ingress Controller ?

Ingress Controller like other controllers within K8s acts to fullfill the configuration written within Ingress resource, usually with a load-balancer. It acts as a layer of abstraction over Load Balancer to add additional capabilities such as Traffic Routing, Security, Policy Enforcement etc..

There are currently multiple implementations to choose from for ingress controllers :

  • AKS Application Gateway Ingress Controller is an ingress controller that configures the Azure Application Gateway.
  • Ambassador API Gateway is an Envoy-based ingress controller.
  • Apache APISIX ingress controller is an Apache APISIX-based ingress controller.
  • Avi Kubernetes Operator provides L4-L7 load-balancing using VMware NSX Advanced Load Balancer.
  • BFE Ingress Controller is a BFE-based ingress controller.
  • Cilium Ingress Controller is an ingress controller powered by Cilium.
  • The Citrix ingress controller works with Citrix Application Delivery Controller.
  • Contour is an Envoy based ingress controller.
  • EnRoute is an Envoy based API gateway that can run as an ingress controller.
  • Easegress IngressController is an Easegress based API gateway that can run as an ingress controller.
  • F5 BIG-IP Container Ingress Services for Kubernetes lets you use an Ingress to configure F5 BIG-IP virtual servers.
  • Gloo is an open-source ingress controller based on Envoy, which offers API gateway functionality.
  • HAProxy Ingress is an ingress controller for HAProxy.
  • The HAProxy Ingress Controller for Kubernetes is also an ingress controller for HAProxy.
  • Istio Ingress is an Istio based ingress controller.
  • The Kong Ingress Controller for Kubernetes is an ingress controller driving Kong Gateway.
  • Kusk Gateway is an OpenAPI-driven ingress controller based on Envoy.
  • The NGINX Ingress Controller for Kubernetes works with the NGINX webserver (as a proxy).
  • The ngrok Kubernetes Ingress Controller is an open source controller for adding secure public access to your K8s services using the ngrok platform.
  • The Pomerium Ingress Controller is based on Pomerium, which offers context-aware access policy.
  • Skipper HTTP router and reverse proxy for service composition, including use cases like Kubernetes Ingress, designed as a library to build your custom proxy.
  • The Traefik Kubernetes Ingress provider is an ingress controller for the Traefik proxy.
  • Tyk Operator extends Ingress with Custom Resources to bring API Management capabilities to Ingress. Tyk Operator works with the - Open Source Tyk Gateway & Tyk Cloud control plane.
  • Voyager is an ingress controller for HAProxy.
  • Wallarm Ingress Controller is an Ingress Controller that provides WAAP (WAF) and API Security capabilities.

What is an Ingress ?

Ingress is an K8s API object that manages external access to service in a cluster. These typically is a set of configurations which are fulfilled by the underlying Ingress Contoller. Ingress itself doesnot do anything but relies on the underlying Ingress Controller which fulfills the routing and other configurations which are written in the ingress.

Connecting Ingress and Ingress Controllers

You may deploy any number of ingress controllers using ingress class within a cluster. Note the of your ingress class resource. When you create an ingress you would need that name to specify the ingressClassName field on your Ingress object (refer to IngressSpec v1 reference). ingressClassName is a replacement of the older annotation method.

If you do not specify an IngressClass for an Ingress, and your cluster has exactly one IngressClass marked as default, then Kubernetes applies the cluster’s default IngressClass to the Ingress. You mark an IngressClass as default by setting the annotation on that IngressClass, with the string value "true".

Ideally, all ingress controllers should fulfill this specification, but the various ingress controllers operate slightly differently.

Common source of confusion

Usually the popular options for Ingress Controller are one of the below This list may differ but usually has the mix of choice from nginx, ha-proxy or envoy as the underlying rever-proxy server to translate the configurations. :

The top two usually become a source of confusion as both uses nginx as the reverse-proxy but one is k8s community built and the other is also opensource but sponsored and controlled by Nginx Inc. To add to the confusion there’s a commercial product from Nginx Inc. called NginxPlus which has advanced capabilities to support cross cluster routing and much more.

For a differences between the three please check out this gist.

Aspect or Featurekubernetes/ingress-nginxnginxinc/kubernetes-ingress with NGINXnginxinc/kubernetes-ingress with NGINX Plus
AuthorsKubernetes communityNGINX Inc and communityNGINX Inc and community
NGINX versionCustom NGINX build that includes several third-party modulesNGINX official mainline buildNGINX Plus
Commercial supportN/AN/AIncluded
Implemented inGo/Lua (while Nginx is written in C)Go/PythonGo/Python
Load balancing configuration via the Ingress resource
Merging Ingress rules with the same hostSupportedSupported via Mergeable IngressesSupported via Mergeable Ingresses
HTTP load balancing extensions - AnnotationsSee the supported annotationsSee the supported annotationsSee the supported annotations
HTTP load balancing extensions – ConfigMapSee the supported ConfigMap keysSee the supported ConfigMap keysSee the supported ConfigMap keys
TCP/UDPSupported via a ConfigMapSupported via custom resourcesSupported via custom resources
WebsocketSupportedSupported via an annotationSupported via an annotation
TCP SSL PassthroughSupported via a ConfigMapSupported via custom resourcesSupported via custom resources
JWT validationNot supportedNot supportedSupported
Session persistenceSupported via a third-party moduleNot supportedSupported
Canary testing (by header, cookie, weight)Supported via annotationsSupported via custom resourcesSupported via custom resources
Configuration templatesSee the templateSee the templatesSee the templates
Load balancing configuration via Custom Resources
HTTP load balancingNot supportedSee VirtualServer and VirtualServerRoute resourcesSee VirtualServer and VirtualServerRoute resources
TCP/UDP load balancingNot supportedSee TransportServer resourceSee TransportServer resource
TCP SSL Passthrough load balancingNot supportedSee TransportServer resourceSee TransportServer resource
Command-line argumentsSee the argumentsSee the argumentsSee the arguments
TLS certificate and key for the default serverRequired as a command-line argument/ auto-generatedRequired as a command-line argumentRequired as a command-line argument
Helm chartSupportedSupportedSupported
OperatorNot supportedSupportedSupported
Reporting the IP address(es) of the Ingress controller into Ingress resourcesSupportedSupportedSupported
Extended StatusSupported via a third-party moduleNot supportedSupported
Prometheus IntegrationSupportedSupportedSupported
Dynamic reconfiguration of endpoints (no configuration reloading)Supported with a third-party Lua moduleNot supportedSupported