Having started with Cloud migration, have setup the very first K8s platform is the great feeling. But right then you get hit with a ton of options to choose from, which network plugin to choose, which service mesh would fit well, do we need multi-cluster setup etc..
This blog is about one such question about choosing the right Ingress Controller. With myriad of options to choose from, choosing the right Ingress can at times complicated.
First Off let’s seperate out the different terminologies involved :
Ingress Controller like other controllers within K8s acts to fullfill the configuration written within Ingress resource, usually with a load-balancer. It acts as a layer of abstraction over Load Balancer to add additional capabilities such as Traffic Routing, Security, Policy Enforcement etc..
There are currently multiple implementations to choose from for ingress controllers :
Ingress is an K8s API object that manages external access to service in a cluster. These typically is a set of configurations which are fulfilled by the underlying Ingress Contoller. Ingress itself doesnot do anything but relies on the underlying Ingress Controller which fulfills the routing and other configurations which are written in the ingress.
You may deploy any number of ingress controllers using ingress class within a cluster. Note the .metadata.name
of your ingress class resource. When you create an ingress you would need that name to specify the ingressClassName
field on your Ingress object (refer to IngressSpec v1 reference). ingressClassName
is a replacement of the older annotation method.
If you do not specify an IngressClass for an Ingress, and your cluster has exactly one IngressClass marked as default, then Kubernetes applies the cluster’s default IngressClass to the Ingress. You mark an IngressClass as default by setting the ingressclass.kubernetes.io/is-default-class
annotation on that IngressClass, with the string value "true"
.
Ideally, all ingress controllers should fulfill this specification, but the various ingress controllers operate slightly differently.
Usually the popular options for Ingress Controller are one of the below This list may differ but usually has the mix of choice from nginx, ha-proxy or envoy as the underlying rever-proxy server to translate the configurations. :
The top two usually become a source of confusion as both uses nginx as the reverse-proxy but one is k8s community built and the other is also opensource but sponsored and controlled by Nginx Inc. To add to the confusion there’s a commercial product from Nginx Inc. called NginxPlus which has advanced capabilities to support cross cluster routing and much more.
For a differences between the three please check out this gist.
Aspect or Feature | kubernetes/ingress-nginx | nginxinc/kubernetes-ingress with NGINX | nginxinc/kubernetes-ingress with NGINX Plus |
---|---|---|---|
Fundamental | |||
Authors | Kubernetes community | NGINX Inc and community | NGINX Inc and community |
NGINX version | Custom NGINX build that includes several third-party modules | NGINX official mainline build | NGINX Plus |
Commercial support | N/A | N/A | Included |
Implemented in | Go/Lua (while Nginx is written in C) | Go/Python | Go/Python |
Load balancing configuration via the Ingress resource | |||
Merging Ingress rules with the same host | Supported | Supported via Mergeable Ingresses | Supported via Mergeable Ingresses |
HTTP load balancing extensions - Annotations | See the supported annotations | See the supported annotations | See the supported annotations |
HTTP load balancing extensions – ConfigMap | See the supported ConfigMap keys | See the supported ConfigMap keys | See the supported ConfigMap keys |
TCP/UDP | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources |
Websocket | Supported | Supported via an annotation | Supported via an annotation |
TCP SSL Passthrough | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources |
JWT validation | Not supported | Not supported | Supported |
Session persistence | Supported via a third-party module | Not supported | Supported |
Canary testing (by header, cookie, weight) | Supported via annotations | Supported via custom resources | Supported via custom resources |
Configuration templates | See the template | See the templates | See the templates |
Load balancing configuration via Custom Resources | |||
HTTP load balancing | Not supported | See VirtualServer and VirtualServerRoute resources | See VirtualServer and VirtualServerRoute resources |
TCP/UDP load balancing | Not supported | See TransportServer resource | See TransportServer resource |
TCP SSL Passthrough load balancing | Not supported | See TransportServer resource | See TransportServer resource |
Deployment | |||
Command-line arguments | See the arguments | See the arguments | See the arguments |
TLS certificate and key for the default server | Required as a command-line argument/ auto-generated | Required as a command-line argument | Required as a command-line argument |
Helm chart | Supported | Supported | Supported |
Operator | Not supported | Supported | Supported |
Operational | |||
Reporting the IP address(es) of the Ingress controller into Ingress resources | Supported | Supported | Supported |
Extended Status | Supported via a third-party module | Not supported | Supported |
Prometheus Integration | Supported | Supported | Supported |
Dynamic reconfiguration of endpoints (no configuration reloading) | Supported with a third-party Lua module | Not supported | Supported |