Updated on 2024-09-30 GMT+08:00

NGINX Ingress Controller

Introduction

Kubernetes uses kube-proxy to expose Services and provide load balancing. The implementation is at the transport layer. When it comes to Internet applications, where a bucket-load of information is generated, forwarding needs to be more fine-grained, precisely and flexibly controlled by policies and load balancers to deliver higher performance.

This is where ingresses enter. Ingresses provide application-layer forwarding functions, such as virtual hosts, load balancing, SSL proxy, and HTTP routing, for Services that can be directly accessed outside a cluster.

Kubernetes has officially released the Nginx-based Ingress controller. CCE Nginx Ingress controller directly uses community templates and images. The NGINX Ingress Controller generates Nginx configuration and stores the configuration using ConfigMap. The configuration will be written to Nginx pods through the Kubernetes API. In this way, the Nginx configuration is modified and updated. For details, see How the Add-on Works.

Open source community: https://github.com/kubernetes/ingress-nginx

  • Starting from version 2.3.3, NGINX Ingress Controller only supports TLS v1.2 and v1.3 by default. If the TLS version is earlier than v1.2, an error will occur during the negotiation process between the client and Nginx Ingress. If more versions of TLS are needed, see TLS/HTTPS.
  • When installing the NGINX Ingress Controller, you can specify Nginx parameters. These parameters take effect globally and are contained in the nginx.conf file. You can search for the parameters in ConfigMaps. If the parameters are not included in ConfigMaps, the configurations will not take effect.
  • After the add-on is installed, you can interconnect with Nginx and set Nginx ingress functions using Annotations when creating an ingress on the CCE console. For details about the supported annotation fields, see Annotations.
  • Do not manually modify or delete the load balancer and listener that are automatically created by CCE. Otherwise, the workload will be abnormal. If you have modified or deleted them by mistake, uninstall the nginx-ingress add-on and re-install it.

How the Add-on Works

NGINX Ingress Controller consists of the ingress object, ingress controller, and Nginx. The ingress controller assembles ingresses into the Nginx configuration file (nginx.conf) and reloads Nginx to make the changed configurations take effect. When it detects that the pod in a Service changes, it dynamically changes the upstream server group configuration of Nginx. In this case, the Nginx process does not need to be reloaded. Figure 1 shows how this add-on works.

  • An ingress is a group of access rules that forward requests to specified Services based on domain names or URLs. Ingresses are stored in the object storage service etcd and are added, deleted, modified, and queried through APIs.
  • The ingress controller monitors the changes of resource objects such as ingresses, Services, endpoints, secrets (mainly TLS certificates and keys), nodes, and ConfigMaps in real time and automatically performs operations on Nginx.
  • Nginx implements load balancing and access control at the application layer.
Figure 1 Working principles of NGINX Ingress Controller

Precautions

  • For clusters earlier than v1.23, kubernetes.io/ingress.class: "nginx" must be added to the annotation of the ingress created through the API. If a cluster has multiple NGINX Ingress Controllers installed, you need to replace nginx with a custom Ingress Class to help identify the controller instance associated with the ingress.
  • A dedicated load balancer must be of the network type (TCP/UDP) and support private networks (with a private IP address).
  • If the node where NGINX Ingress Controller runs and containers on this node cannot access Nginx ingress, you need to configure anti-affinity for the workload pods and Nginx Ingress Controller. For details, see Configuring Anti-affinity Between a Workload and Nginx Ingress Controller.
  • During the NGINX Ingress Controller pod upgrade, 10s are reserved for deleting the NGINX Ingress Controller at the ELB backend.
  • The timeout duration for the graceful exit of the NGINX Ingress Controller is 300s. If the timeout duration is longer than 300s during the upgrade of the NGINX Ingress Controller, persistent connections will be disconnected, and connectivity will be interrupted for a short period of time.

Prerequisites

Before installing this add-on, you have one available cluster and there is a node running properly. If no cluster is available, create one according to Buying a CCE Standard/Turbo Cluster.

Installing the Add-on

  1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Add-ons, locate NGINX Ingress Controller on the right, and click Install.
  2. On the Install Add-on page, configure the specifications as needed.

    You can adjust the number of add-on instances and resource quotas as required. High availability is not possible with a single pod. If an error occurs on the node where the add-on instance runs, the add-on will fail.

  3. Configure the add-on parameters.

    • Ingress Class: Enter a custom controller name, which uniquely identifies an Ingress controller. The name of each controller in the same cluster must be unique and cannot be set to cce. (cce is the unique identifier of the ELB Ingress Controller.) When creating an Ingress, you can specify the controller name to declare which controller should manage this Ingress.
    • Namespace for add-on installation: Select a namespace for the ingress controller.
    • Load Balancer: Select a shared or dedicated load balancer. If no load balancer is available, create one. The load balancer has at least two listeners, and ports 80 and 443 are not occupied by listeners.
      If you select a shared load balancer, you can enable the function of obtaining the client IP address. With this function enabled, you can use Nginx ingresses to access application servers, and the servers can obtain the source IP address of clients. When a dedicated load balancer is used, the function of obtaining the client IP address is enabled by default.

      This function is available only in clusters of v1.23.17-r0, v1.25.12-r0, v1.27.9-r0, v1.28.7-r0, v1.29.3-r0, or later versions.

      If backend services have been configured when you enable or disable the function of obtaining a client IP address, traffic will be interrupted. Exercise caution when performing this operation.

    • Admission Check: Admission control is performed on Ingresses to ensure that the controller can generate valid configurations. Admission verification is performed on the configuration of Nginx Ingresses. If the verification fails, the request will be intercepted. For details about admission verification, see Access Control.
      • Admission check slows down the responses to Ingress requests.
      • Only add-ons of version 2.4.1 or later support admission verification.
    • Nginx Parameters: You can configure the nginx.conf file, which will affect all managed ingresses. You can select GUI-based configuration or YAML-based configuration. GUI-based configuration is supported by the NGINX Ingress Controller of version 2.2.75, 2.6.26, 3.0.1, or later.

      To configure custom parameters supported by the Kubernetes community, choose YAML-based configuration and find the related parameters in ConfigMaps. For example, you can use the keep-alive-requests parameter to describe how to set the maximum number of requests for keeping active connections to 100.

      {
          "keep-alive-requests": "100"
      }
      • If the parameters you configure are not listed in ConfigMaps, the configurations will not take effect.
      • The parameter value must be a string. Otherwise, the installation fails.
      The table below shows parameters can be configured on the GUI of the NGINX Ingress Controller add-on of version 2.2.75, 2.6.26, 3.0.1, and later.

      Nginx Parameter

      Description

      Default Value

      max-worker-connections

      Specifies the maximum number of connections that can be concurrently processed by each NGINX worker process. This parameter is used to control the load of worker processes. In a high-concurrency environment, you are advised to set this parameter to a large value to ensure system stability. Such connections include client connections and connections to backend servers.

      65536

      keep-alive-requests

      Controls how many requests can be processed by a keepalive connection. If requests exhaust the limit, the connection is closed.

      100

      upstream-keepalive-connections

      Activates the cache connected to an upstream server. This parameter sets how many idle keepalive connections can be stored in the cache of each worker process. If the idle connections stored in a process exhaust the limit, the connections that are not used for the longest time will be closed.

      320

      upstream-keepalive-timeout

      Specifies the timeout interval (in seconds) of the keepalive connections between the upstream server and backend server. During this period, NGINX Ingress Controller can maintain connections for reuse. This reduces the overhead required for establishing new connections and significantly improves performance in high QPS scenarios.

      900

      proxy-connect-timeout

      Specifies the timeout interval (in seconds) for establishing a connection between a client and the proxy server. If the backend server cannot be accessed within 10 seconds, NGINX Ingress Controller will return the 502 Bad Gateway error. It applies to scenarios where the connection speed is high.

      10

      proxy-body-size

      Specifies the maximum size of a request body that can be accepted by the Nginx proxy when it sends the request to the backend server. This value limits the size of a file to be uploaded or a big data table to be submitted. If the size of any request body exceeds the limit, the 413 Payload Too Large error will be returned.

      20m

      allow-backend-server-header

      Typically, NGINX Ingress Controller eliminates the server header information sent by a backend server to a client, which identifies the server. However, if this parameter is set to true, the NGINX Ingress Controller will transmit the server header information directly from the backend server to the client. To prevent revealing the server type and version, it is recommended that you disable this feature.

      Disable

      enable-underscores-in-headers

      Some HTTP headers may contain underscores (_), such as X_Custom-Header, but this is not recommended according to Request For Comments (RFC) standards. So underscores are not allowed by many servers by default. You can activate this parameter if you require underscores in certain headers, such as when third-party services or clients use underscores in their header information.

      Disable

      generate-request-id

      After a request is received, NGINX Ingress Controller generates a unique request ID. This ID is usually recorded in logs or transferred to a backend server through header information. This is useful for tracing and debugging requests, especially for locating problems in distributed systems.

      Enable

      ignore-invalid-headers

      By default, NGINX Ingress Controller rejects HTTP requests that contain an invalid header. With this setting enabled, NGINX Ingress Controller will ignore invalid headers and keep on processing requests. It is useful for clients that do not fully comply with the HTTP standard.

      Enable

      reuse-port

      Enabling SO_REUSEPORT allows multiple processes or threads to be bound to the same {IP}:{Port}. This can effectively improve the concurrent performance of servers, especially for those with multi-core CPUs. With this function enabled, a port can accept more new connections.

      Enable

      server-tokens

      Disables the server information added to a response header by NGINX Ingress Controller by default. The information usually contains the NGINX version. Disabling this option helps hide server information, enhancing security and preventing attackers from using version information to attack the system.

      Disable

      ssl-redirect

      Disables automatic redirection from HTTP to HTTPS. For example, if you want to use HTTPS only for specific pages, such as the login page, and HTTP for other pages, you can disable the default redirection using this option.

      Disable

      worker-cpu-affinity

      Automatically allocates worker processes to specific CPU cores to improve the performance of multi-core systems. For example, on a multi-core server, some worker processes can be bound on a specific CPU core. This reduces context switching and improves processing efficiency.

      Auto

    • Enabling Indicator Collection: If the add-on version is 2.4.12 or later, Prometheus monitoring metrics can be collected. For details, see Monitoring Metrics of NGINX Ingress Controller.
    • Default certificate of the server: Select an IngressTLS or kubernetes.io/tls key to configure the default certificate when the NGINX Ingress Controller is started. If no secret is available, click Create TLS Secret. For details, see Creating a Secret. For details about the default server certificate, see Default SSL Certificate.
    • 404 Service: By default, the 404 service provided by the add-on is used. To customize the 404 service, enter the namespace/service name. If the service does not exist, the add-on installation will fail.
    • Adding a TCP/UDP Service: By default, Nginx Ingress Controller can forward only external HTTP and HTTPS traffic. You can add TCP/UDP port mapping to forward external TCP/UDP traffic to services in the cluster. For more information about adding TCP/UDP services, see Exposing TCP and UDP services.
      • Protocol: Select TCP or UDP.
      • Service Port: specifies the port used by the ELB listener. The port number ranges from 1 to 65535.
      • Target Service Namespace: Select the namespace where the Service is in.
      • Destination Service: Select an existing Service. Any Services that do not match the search criteria will be filtered out automatically.
      • Destination Service Port: Select the access port of the destination Service.
      • If the cluster version is v1.19.16-r5, v1.21.8-r0, v1.23.6-r0, or later, the TCP/UDP hybrid protocols can be configured.
      • If the cluster version is v1.19.16-r5, v1.21.8-r0, v1.23.6-r0, v1.25.2-r0, or later, you can configure the TCP/UDP hybrid protocols to use the same external port.

  4. Configure deployment policies for the add-on pods.

    • Scheduling policies do not take effect on add-on instances of the DaemonSet type.
    • When configuring multi-AZ deployment or node affinity, ensure that there are nodes meeting the scheduling policy and that resources are sufficient in the cluster. Otherwise, the add-on cannot run.
    Table 1 Configurations for add-on scheduling

    Parameter

    Description

    Multi AZ

    • Preferred: Deployment pods of the add-on will be preferentially scheduled to nodes in different AZs. If all the nodes in the cluster are deployed in the same AZ, the pods will be scheduled to different nodes in that AZ.
    • Equivalent mode: Deployment pods of the add-on are evenly scheduled to the nodes in the cluster in each AZ. If a new AZ is added, you are advised to increase add-on pods for cross-AZ HA deployment. With the Equivalent multi-AZ deployment, the difference between the number of add-on pods in different AZs will be less than or equal to 1. If resources in one of the AZs are insufficient, pods cannot be scheduled to that AZ.
    • Required: Deployment pods of the add-on are forcibly scheduled to nodes in different AZs. There can be at most one pod in each AZ. If nodes in a cluster are not in different AZs, some add-on pods cannot run properly. If a node is faulty, add-on pods on it may fail to be migrated.

    Node Affinity

    • Not configured: Node affinity is disabled for the add-on.
    • Node Affinity: Specify the nodes where the add-on is deployed. If you do not specify the nodes, the add-on will be randomly scheduled based on the default cluster scheduling policy.
    • Specified Node Pool Scheduling: Specify the node pool where the add-on is deployed. If you do not specify the node pool, the add-on will be randomly scheduled based on the default cluster scheduling policy.
    • Custom Policies: Enter the labels of the nodes where the add-on is to be deployed for more flexible scheduling policies. If you do not specify node labels, the add-on will be randomly scheduled based on the default cluster scheduling policy.

      If multiple custom affinity policies are configured, ensure that there are nodes that meet all the affinity policies in the cluster. Otherwise, the add-on cannot run.

    Toleration

    Using both taints and tolerations allows (not forcibly) the add-on Deployment to be scheduled to a node with the matching taints, and controls the Deployment eviction policies after the node where the Deployment is located is tainted.

    The add-on adds the default tolerance policy for the node.kubernetes.io/not-ready and node.kubernetes.io/unreachable taints, respectively. The tolerance time window is 60s.

    For details, see Configuring Tolerance Policies.

  5. Click Install.

Installing Multiple NGINX Ingress Controllers

  1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Add-ons, locate the installed Nginx Ingress Controller, and click New.
  2. On the page displayed, reconfigure the add-on parameters. For details, see Installing the Add-on.
  3. Click Install.
  4. Wait until the installation instruction is delivered. Go back to Add-ons, click Manage, and view the installed add-on instance on the add-on details page.

Components

Table 2 Add-on components

Component

Description

Resource Type

cceaddon-nginx-ingress-<Controller name>-controller

(The controller name in versions earlier than 2.5.4 is cceaddon-nginx-ingress-controller.)

Nginx Ingress controller, which provides flexible routing and forwarding for clusters

Deployment

cceaddon-nginx-ingress-<Controller name>-backend

(The controller name in versions earlier than 2.5.4 is cceaddon-nginx-ingress-default-backend.)

Default backend of Nginx Ingress. The message "default backend - 404" is returned.

Deployment

Configuring Anti-affinity Between a Workload and Nginx Ingress Controller

To avoid a situation where the node running NGINX Ingress Controller and its containers cannot access the Nginx Ingress Controller, you should set up anti-affinity between the workload and Nginx Ingress Controller. This means that the workload pods cannot be scheduled to the same node as the Nginx Ingress Controller.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:aplpine
        imagePullPolicy: IfNotPresent
        name: nginx
      imagePullSecrets:
      - name: default-secret
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:    # Implement anti-affinity through the label of the NGINX Ingress Controller pods.
                  - key: app
                    operator: In
                    values:
                      - nginx-ingress   #If multiple NGINX Ingress Controllers are installed in the cluster, the label value is nginx-ingress-<Controller name>.
                  - key: component
                    operator: In
                    values:
                      - controller
              namespaces:
                - kube-system
              topologyKey: kubernetes.io/hostname

Change History

Table 3 Release history for NGINX Ingress Controller 3.0.x

Add-on Version

Supported Cluster Version

New Feature

Community Version

3.0.8

v1.27

v1.28

v1.29

v1.30

  • Updated the add-on to its community version v1.11.2.
  • Fixed the CVE-2024-7646 vulnerability.

1.11.2

Table 4 Release history for NGINX Ingress Controller 2.6.x

Add-on Version

Supported Cluster Version

New Feature

Community Version

2.6.32

v1.25

v1.27

v1.28

v1.29

Fixed some issues.

1.9.6

2.6.5

v1.25

v1.27

v1.28

v1.29

Metric collection can be disabled in the startup command.

1.9.6

2.6.4

v1.25

v1.27

v1.28

v1.29

CCE clusters 1.29 are supported.

1.9.6

Table 5 Release history for NGINX Ingress Controller 2.5.x

Add-on Version

Supported Cluster Version

New Feature

Community Version

2.5.6

v1.25

v1.27

v1.28

Fixed some issues.

1.9.3

2.5.4

v1.25

v1.27

v1.28

  • Multiple Nginx Ingress Controllers can be installed in the same cluster.
  • The default nginx-ingress certificate can be configured on the console.
  • Nginx Ingress Controller related metrics can be reported to Prometheus.

1.9.3

Table 6 Release history for NGINX Ingress Controller 2.4.x

Add-on Version

Supported Cluster Version

New Feature

Community Version

2.4.6

v1.25

v1.27

v1.28

  • CCE clusters 1.28 are supported.
  • Supported admission verification.
  • Supported graceful shutdown and hitless upgrade.
  • Supported equivalent distribution of add-on instances in multi-AZ deployment mode.
  • Fixed the CVE-2023-44487 vulnerability.

1.9.3

Table 7 Release history for NGINX Ingress Controller 2.3.x

Add-on Version

Supported Cluster Version

New Feature

Community Version

2.3.5

v1.27

None

1.8.0

Table 8 Release history for NGINX Ingress Controller 2.2.x

Add-on Version

Supported Cluster Version

New Feature

Community Version

2.2.82

v1.23

v1.25

Fixed some issues.

1.5.1

2.2.53

v1.23

v1.25

Fixed some issues.

1.5.1

2.2.52

v1.23

v1.25

  • Multiple Nginx Ingress Controllers can be installed in the same cluster.
  • The default nginx-ingress certificate can be configured on the console.

1.5.1

2.2.42

v1.23

v1.25

  • Supported graceful shutdown and hitless upgrade.
  • Supported equivalent distribution of add-on instances in multi-AZ deployment mode.

1.5.1

2.2.7

v1.25

  • Synchronized time zones used by the add-on and the node.
  • Supports IPv4 and IPv6 dual stack.

1.5.1

2.2.3

v1.25

  • Supported anti-affinity scheduling of add-on pods on nodes in different AZs.
  • Added the tolerance time during which the pods with temporary storage volumes cannot be scheduled.
  • The default taint tolerance duration is changed to 60s.

1.5.1

2.2.1

v1.25

  • CCE clusters 1.25 are supported.
  • Updated the add-on to its community version v1.5.1.

1.5.1

Table 9 Release history for NGINX Ingress Controller 2.1.x

Add-on Version

Supported Cluster Version

New Feature

Community Version

2.1.54

v1.19

v1.21

v1.23

Fixed some issues.

1.2.1

2.1.33

v1.19

v1.21

v1.23

  • Supported graceful shutdown and hitless upgrade.
  • Supported equivalent distribution of add-on instances in multi-AZ deployment mode.

1.2.1

2.1.9

v1.19

v1.21

v1.23

  • Supported anti-affinity scheduling of add-on pods on nodes in different AZs.
  • The default taint tolerance duration is changed to 60s.
  • Synchronized time zones used by the add-on and the node.
  • Supports IPv4 and IPv6 dual stack.

1.2.1

2.1.5

v1.19

v1.21

v1.23

  • Supported anti-affinity scheduling of add-on pods on nodes in different AZs.
  • The default taint tolerance duration is changed to 60s.

1.2.1

2.1.3

v1.19

v1.21

v1.23

Enables publishService for nginx-ingress.

1.2.1

2.1.1

v1.19

v1.21

v1.23

Updated the add-on to its community version v1.2.1.

1.2.1

2.1.0

v1.19

v1.21

v1.23

  • Updated the add-on to its community version v1.2.0.
  • Fixed the CVE-2021-25746 vulnerability and added rules to disable some annotations values that may cause unauthorized operations.
  • Fixed the CVE-2021-25745 vulnerability and added rules to disable some access paths that may cause unauthorized operations.

1.2.0

Table 10 Release history for NGINX Ingress Controller 2.0.x

Add-on Version

Supported Cluster Version

New Feature

Community Version

2.0.1

v1.19

v1.21

v1.23

  • CCE clusters 1.23 are supported.
  • Updated the add-on to its community version v1.1.1.

1.1.1

Table 11 Release history for NGINX Ingress Controller 1.3.x

Add-on Version

Supported Cluster Version

New Feature

Community Version

1.3.2

v1.15

v1.17

v1.19

v1.21

  • CCE clusters 1.21 are supported.
  • Updated the add-on to its community version v0.49.3.

0.49.3

Table 12 Release history for NGINX Ingress Controller 1.2.x

Add-on Version

Supported Cluster Version

New Feature

Community Version

1.2.6

v1.15

v1.17

v1.19

Adds the default seccomp profile.

0.46.0

1.2.5

v1.15

v1.17

v1.19

Updated the add-on to its community version v0.46.0.

0.46.0

1.2.3

v1.15

v1.17

v1.19

CCE clusters 1.19 are supported.

0.43.0

1.2.2

v1.15

v1.17

Updated the add-on to its community version v0.43.0.

0.43.0