πͺ Services and Networking: Ingress and Gateway API
The Hotel Lobby Story π¨
Imagine a giant hotel with hundreds of rooms. Each room is a different service (like a website, an API, or an app). Guests (internet traffic) arrive at the front door every second.
The problem? You canβt just let everyone wander around. You need:
- A receptionist to greet them
- Signs pointing to the right rooms
- Security badges to keep things safe
- Rules about who goes where
In Kubernetes, Ingress is like the hotelβs reception desk. And Gateway API is the newer, fancier lobby with more features!
π― What Youβll Learn
- Ingress fundamentals
- Ingress controllers
- Ingress rules and paths
- Ingress TLS configuration
- Ingress annotations
- Gateway API overview
- Gateway API resources
- Gateway API routes
- Gateway API vs Ingress
Part 1: Ingress Fundamentals
What is Ingress? πͺ
Ingress = The front door manager of your Kubernetes cluster.
Think of it this way:
- Your apps run inside Kubernetes (the hotel)
- People outside want to visit (web traffic)
- Ingress decides WHO gets in and WHERE they go
Simple Example
Without Ingress:
Internet β β β Your App
(Where do I go?)
With Ingress:
Internet β πͺ Ingress β β
Your App
(Follow the signs!)
The Magic of Ingress
graph TD A["π€ User visits myapp.com"] --> B["πͺ Ingress"] B --> C{Check the rules} C -->|/shop| D["π Shop Service"] C -->|/blog| E["π Blog Service"] C -->|/api| F["βοΈ API Service"]
Real-life example:
- User types
myshop.com/products - Ingress sees
/productspath - Sends them to the Products service
- User gets what they need!
Basic Ingress YAML
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
spec:
rules:
- host: myapp.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 80
What this does:
- Listens for
myapp.com - Sends ALL traffic (
/) tomy-service - Uses port 80
Part 2: Ingress Controllers
The Receptionist Behind the Desk π©βπΌ
Hereβs a secret: Ingress by itself does nothing!
Itβs like writing rules on paper but having no one to read them. You need an Ingress Controller β the actual worker who makes things happen.
Popular Ingress Controllers
| Controller | Best For | Analogy |
|---|---|---|
| NGINX | Most common | The reliable veteran receptionist |
| Traefik | Easy setup | The friendly new hire |
| HAProxy | High performance | The super-fast multitasker |
| AWS ALB | AWS users | The cloud-native specialist |
How Controllers Work
graph TD A["π You write Ingress rules"] --> B["π€ Controller watches"] B --> C["βοΈ Controller configures itself"] C --> D["π Traffic flows correctly"]
Installing NGINX Ingress Controller
# Using Helm (package manager)
helm install ingress-nginx \
ingress-nginx/ingress-nginx
What happens:
- Controller pod starts running
- It watches for Ingress resources
- When you create Ingress, it automatically configures routing!
Example: Controller in Action
# Your Ingress rule
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: blog-ingress
spec:
ingressClassName: nginx # π Uses NGINX
rules:
- host: blog.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: blog-service
port:
number: 3000
The ingressClassName: nginx tells Kubernetes: βHey NGINX controller, this oneβs for you!β
Part 3: Ingress Rules and Paths
The Signpost System πͺ§
Rules and paths are the directions inside your hotel. They tell traffic exactly where to go.
Two Types of Routing
1. Host-based routing (Different buildings)
shop.mysite.com β Shop Service
blog.mysite.com β Blog Service
2. Path-based routing (Different floors)
mysite.com/shop β Shop Service
mysite.com/blog β Blog Service
Path Types Explained
| Type | Matches | Example |
|---|---|---|
Exact |
Only this path | /shop only |
Prefix |
This path and below | /shop, /shop/items |
Multi-Path Example
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: multi-path-ingress
spec:
rules:
- host: myapp.com
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: api-service
port:
number: 8080
- path: /web
pathType: Prefix
backend:
service:
name: web-service
port:
number: 3000
- path: /
pathType: Prefix
backend:
service:
name: home-service
port:
number: 80
graph TD A["myapp.com"] --> B{Path?} B -->|/api/*| C["api-service:8080"] B -->|/web/*| D["web-service:3000"] B -->|everything else| E["home-service:80"]
Multi-Host Example
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: multi-host-ingress
spec:
rules:
- host: shop.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: shop-service
port:
number: 80
- host: blog.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: blog-service
port:
number: 80
Part 4: Ingress TLS Configuration
The Security Guard π
TLS = The padlock on your website (HTTPS).
Without TLS:
π http://mysite.com
(Anyone can see your data!)
With TLS:
π https://mysite.com
(Your data is encrypted!)
How TLS Works in Ingress
graph TD A["π€ User"] -->|π HTTPS| B["πͺ Ingress"] B -->|π HTTP| C["π₯οΈ Your Service"] style B fill:#4CAF50
The Ingress handles encryption so your services donβt have to!
Step 1: Create a Secret
apiVersion: v1
kind: Secret
metadata:
name: my-tls-secret
type: kubernetes.io/tls
data:
tls.crt: BASE64_ENCODED_CERT
tls.key: BASE64_ENCODED_KEY
Or use kubectl:
kubectl create secret tls my-tls \
--cert=path/to/cert.crt \
--key=path/to/key.key
Step 2: Add TLS to Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: secure-ingress
spec:
tls:
- hosts:
- secure.example.com
secretName: my-tls-secret
rules:
- host: secure.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: secure-service
port:
number: 443
What happens:
- User visits
https://secure.example.com - Ingress uses
my-tls-secretfor encryption - Connection is secure! π
Auto-TLS with Cert-Manager
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: auto-tls-ingress
annotations:
cert-manager.io/cluster-issuer: "letsencrypt"
spec:
tls:
- hosts:
- auto.example.com
secretName: auto-tls-secret
rules:
- host: auto.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 80
Cert-Manager automatically gets and renews certificates!
Part 5: Ingress Annotations
The Special Instructions π
Annotations are like sticky notes on your Ingress. They add extra features specific to your controller.
Common NGINX Annotations
| Annotation | What It Does |
|---|---|
rewrite-target |
Changes the URL path |
ssl-redirect |
Force HTTPS |
proxy-body-size |
Max upload size |
proxy-connect-timeout |
How long to wait |
Example: URL Rewriting
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rewrite-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
rules:
- host: myapp.com
http:
paths:
- path: /api(/|$)(.*)
pathType: Prefix
backend:
service:
name: api-service
port:
number: 80
Magic explained:
- User visits:
myapp.com/api/users - Service receives:
/users - The
/apipart is stripped!
Example: Force HTTPS
metadata:
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
Now HTTP automatically becomes HTTPS!
Example: Rate Limiting
metadata:
annotations:
nginx.ingress.kubernetes.io/limit-rps: "10"
nginx.ingress.kubernetes.io/limit-connections: "5"
Prevents one user from overwhelming your service!
Part 6: Gateway API Overview
The Upgraded Hotel Lobby π’β¨
Gateway API is the next generation of Ingress. Same job, more power!
Why Gateway API?
| Problem with Ingress | Gateway API Solution |
|---|---|
| Too simple | More features built-in |
| Needs annotations | Standard configuration |
| One-size-fits-all | Role-based separation |
| Limited protocols | HTTP, TCP, gRPC, etc. |
The Big Picture
graph TD A["ποΈ Platform Team"] --> B["GatewayClass"] B --> C["Gateway"] D["π¨βπ» App Team"] --> E["HTTPRoute"] E --> C C --> F["π₯οΈ Services"]
Separation of concerns:
- Platform team: Sets up infrastructure (Gateway)
- App team: Defines routing (Routes)
Core Concepts
Think of it like this:
- GatewayClass = The type of door (wooden, glass, automatic)
- Gateway = The actual door installed
- Routes = Signs pointing where to go
Part 7: Gateway API Resources
The Building Blocks π§±
1. GatewayClass
The blueprint for your gateways.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: my-gateway-class
spec:
controllerName: example.com/gateway
Like choosing: βWe use automatic sliding doors in this buildingβ
2. Gateway
The actual entry point.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: my-gateway
spec:
gatewayClassName: my-gateway-class
listeners:
- name: http
port: 80
protocol: HTTP
- name: https
port: 443
protocol: HTTPS
tls:
mode: Terminate
certificateRefs:
- name: my-cert
Like saying: βInstall a door at entrance A, listening on ports 80 and 443β
3. HTTPRoute
The routing rules.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: my-route
spec:
parentRefs:
- name: my-gateway
hostnames:
- "app.example.com"
rules:
- matches:
- path:
value: /api
backendRefs:
- name: api-service
port: 8080
4. Other Route Types
| Route Type | Protocol |
|---|---|
| HTTPRoute | HTTP/HTTPS |
| TCPRoute | Raw TCP |
| TLSRoute | TLS passthrough |
| GRPCRoute | gRPC traffic |
| UDPRoute | UDP traffic |
Part 8: Gateway API Routes
The Navigation System πΊοΈ
HTTPRoute Deep Dive
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: complex-route
spec:
parentRefs:
- name: my-gateway
hostnames:
- "shop.example.com"
rules:
# Rule 1: API traffic
- matches:
- path:
type: PathPrefix
value: /api
headers:
- name: version
value: v2
backendRefs:
- name: api-v2
port: 8080
# Rule 2: Default
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: frontend
port: 3000
Matching Options
graph TD A["HTTPRoute Matching"] --> B["Path"] A --> C["Headers"] A --> D["Query Params"] A --> E["Method"] B --> B1["Exact: /users"] B --> B2["Prefix: /api"] B --> B3["Regex: /user/.*"]
Traffic Splitting
Send traffic to multiple services:
rules:
- backendRefs:
- name: service-v1
port: 80
weight: 90 # 90% of traffic
- name: service-v2
port: 80
weight: 10 # 10% of traffic
Perfect for canary deployments!
Request Modification
rules:
- matches:
- path:
value: /old-path
filters:
- type: URLRewrite
urlRewrite:
path:
type: ReplacePrefixMatch
replacePrefixMatch: /new-path
backendRefs:
- name: my-service
port: 80
Part 9: Gateway API vs Ingress
The Comparison π
Side-by-Side
| Feature | Ingress | Gateway API |
|---|---|---|
| Age | Old (stable) | New (growing) |
| Complexity | Simple | More flexible |
| Protocol | HTTP only | HTTP, TCP, gRPC |
| Config style | Annotations | Standard fields |
| Role separation | β None | β Built-in |
| Traffic split | Via annotation | β Native |
| Header matching | Via annotation | β Native |
Visual Comparison
graph LR subgraph Ingress A["Single Resource"] --> B["Service"] end subgraph Gateway API C["GatewayClass"] --> D["Gateway"] D --> E["HTTPRoute"] E --> F["Service"] end
When to Use What?
Use Ingress when:
- β Simple HTTP routing
- β Already working setup
- β Basic needs only
Use Gateway API when:
- β Need advanced features
- β Multiple protocols (TCP, gRPC)
- β Team separation needed
- β Starting fresh
Migration Path
Good news! You can run both at the same time.
graph TD A["Start with Ingress"] --> B["Add Gateway API"] B --> C["Migrate routes gradually"] C --> D["Remove old Ingress"]
π Summary
You just learned how to be the ultimate traffic controller for Kubernetes!
| Concept | One-Liner |
|---|---|
| Ingress | The front door for HTTP traffic |
| Controller | The worker that makes Ingress work |
| Rules/Paths | Directions inside your cluster |
| TLS | The security padlock (HTTPS) |
| Annotations | Special controller-specific features |
| Gateway API | The upgraded, more powerful door |
| Gateway Resources | GatewayClass β Gateway β Route |
| Routes | Flexible routing for any protocol |
Remember the hotel analogy:
- Ingress = Reception desk
- Gateway API = Modern automated lobby
- Controllers = Staff who do the work
- Rules = Signs pointing guests to rooms
- TLS = Security badges
Youβre now ready to route traffic like a pro! π