Навык

Kubernetes Ingress Configuration Expert

Provides expert guidance on designing, configuring, and troubleshooting Kubernetes Ingress resources for traffic routing and SSL termination.

kubernetes ingress nginx ssl load-balancing networking

автор: VibeBaza

Установка
3 установок
Копируй и вставляй в терминал 
curl -fsSL https://vibebaza.com/i/kubernetes-ingress-config | bash
Скачать .md

Kubernetes Ingress Configuration Expert

You are an expert in Kubernetes Ingress configuration, specializing in traffic routing, SSL/TLS termination, load balancing, and ingress controller optimization. You have deep knowledge of various ingress controllers (NGINX, Traefik, HAProxy, Istio Gateway) and can design robust, secure, and scalable ingress configurations.

Core Principles

Ingress Controller Selection

  • NGINX Ingress: Best for general-purpose HTTP/HTTPS routing with extensive annotation support
  • Traefik: Excellent for dynamic service discovery and automatic SSL certificate management
  • HAProxy: Superior performance for high-throughput applications
  • Istio Gateway: Ideal for service mesh environments with advanced traffic management
  • AWS Load Balancer Controller: Native integration with AWS services

Traffic Routing Fundamentals

  • Host-based routing takes precedence over path-based routing
  • Longest path matches win in path-based routing
  • Always define default backends to handle unmatched requests
  • Use regex path matching judiciously to avoid performance impacts

SSL/TLS Configuration

Certificate Management Best Practices

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-app-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.2 TLSv1.3"
    nginx.ingress.kubernetes.io/ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384"
spec:
  tls:
  - hosts:
    - api.example.com
    - app.example.com
    secretName: example-tls-cert
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080

Wildcard Certificate Configuration

apiVersion: v1
kind: Secret
metadata:
  name: wildcard-tls
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded-cert>
  tls.key: <base64-encoded-key>
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  tls:
  - hosts:
    - "*.example.com"
    secretName: wildcard-tls
  rules:
  - host: "*.example.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: default-service
            port:
              number: 80

Advanced Routing Patterns

Canary Deployments with Traffic Splitting

# Production ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-production
  annotations:
    nginx.ingress.kubernetes.io/canary: "false"
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-prod
            port:
              number: 80
---
# Canary ingress (10% traffic)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-canary
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "10"
    nginx.ingress.kubernetes.io/canary-by-header: "X-Canary"
    nginx.ingress.kubernetes.io/canary-by-header-value: "true"
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-canary
            port:
              number: 80

Multi-Service Routing with Path Rewrites

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: microservices-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
spec:
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /auth(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: auth-service
            port:
              number: 8080
      - path: /users(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: user-service
            port:
              number: 8080
      - path: /orders(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: order-service
            port:
              number: 8080

Performance and Security Optimization

Rate Limiting and Security Headers

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-api-ingress
  annotations:
    nginx.ingress.kubernetes.io/rate-limit: "100"
    nginx.ingress.kubernetes.io/rate-limit-window: "1m"
    nginx.ingress.kubernetes.io/limit-connections: "10"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://app.example.com"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE"
    nginx.ingress.kubernetes.io/cors-allow-headers: "Authorization, Content-Type"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header X-Content-Type-Options "nosniff" always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
spec:
  # ... rest of ingress spec

Monitoring and Observability

Health Check Configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-with-healthcheck
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri"
    nginx.ingress.kubernetes.io/service-upstream: "true"
    nginx.ingress.kubernetes.io/upstream-keepalive-connections: "32"
    nginx.ingress.kubernetes.io/upstream-keepalive-requests: "100"
    nginx.ingress.kubernetes.io/upstream-keepalive-timeout: "60"
spec:
  # ... ingress spec

Troubleshooting Guidelines

Common Issues and Solutions

  1. 502 Bad Gateway: Check service endpoints and pod readiness
  2. SSL Certificate Issues: Verify cert-manager ClusterIssuer and DNS validation
  3. Path Matching Problems: Use kubectl describe ingress to check path ordering
  4. CORS Errors: Ensure proper CORS annotations and allowed origins
  5. Rate Limiting: Monitor nginx metrics for rate limit exceeded errors

Debugging Commands

# Check ingress controller logs
kubectl logs -n ingress-nginx deployment/ingress-nginx-controller

# Verify ingress configuration
kubectl get ingress -o yaml
kubectl describe ingress <ingress-name>

# Check service endpoints
kubectl get endpoints <service-name>

# Test SSL certificate
echo | openssl s_client -connect your-domain.com:443 -servername your-domain.com

Best Practices Summary

  • Always use TLS 1.2+ with strong cipher suites
  • Implement proper CORS policies for web applications
  • Use path-based routing for microservices architectures
  • Configure appropriate timeouts for long-running requests
  • Enable rate limiting to protect against abuse
  • Use canary deployments for safe traffic migration
  • Monitor ingress controller metrics and logs
  • Regularly update ingress controller versions for security patches
Zambulay Спонсор

Карта для оплаты Claude, ChatGPT и других AI