{"id":520,"date":"2021-02-28T02:22:44","date_gmt":"2021-02-28T01:22:44","guid":{"rendered":"https:\/\/nubisoft.io\/blog\/?p=520"},"modified":"2021-12-30T14:53:57","modified_gmt":"2021-12-30T13:53:57","slug":"how-to-set-up-kubernetes-ingress-with-aws-alb-ingress-controller","status":"publish","type":"post","link":"https:\/\/nubisoft.io\/blog\/how-to-set-up-kubernetes-ingress-with-aws-alb-ingress-controller\/","title":{"rendered":"How to set up Kubernetes Ingress with AWS ALB Ingress Controller"},"content":{"rendered":"\n

In this blog post you will learn how to set up ingress for your Kubernetes application with AWS Application Load Balancer.<\/h4>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Mots of workloads run on your Kubernetes cluster ultimately need to be exposed to end-users. This is where Ingress comes to play – a special Kubernetes object responsible for providing external access to the services in a cluster. Typically, you define there rules, how HTTP traffic is routed to the backend services. But every ingress resource must be of some Ingress class that points to a controller, which will, in the end, implement rules with cloud infrastructure and services. When you are on AWS the natural choice is to use Application Load Balancer<\/a> for it. Let’s see how to do that!<\/p>\n\n\n\n

Installation<\/h5>\n\n\n\n

Before we can use ALB, we must first install the controller in our cluster. In this tutorial, I’ll use an alb-demo<\/strong> EKS cluster located in eu-central-1<\/strong> region. As usually in AWS, let’s start with defining some IAM permissions so that controller can access ALB resources. First, we need to create an IAM OIDC provider for our cluster with the following command.<\/p>\n\n\n\n

eksctl utils associate-iam-oidc-provider \\\n    --region eu-central-1 \\\n    --cluster alb-demo \\\n    --approve<\/pre>\n\n\n\n
Next, we create a dedicated IAM policy called AWSLoadBalancerControllerIAMPolicy<\/code>. We use a predefined template, but feel free to modify it if needed.<\/p>\n\n\n\n
curl -o iam-policy.json https:\/\/raw.githubusercontent.com\/kubernetes-sigs\/aws-load-balancer-controller\/v2.1.2\/docs\/install\/iam_policy.json\n\naws iam create-policy \\\n    --policy-name AWSLoadBalancerControllerIAMPolicy \\\n    --policy-document file:\/\/iam-policy.json<\/pre>\n\n\n\n
Finally, we can create an IAM role and ServiceAccount for the controller in the kube-system<\/code> namespace. Please note, that we must use the policy ARN from the previous step.<\/p>\n\n\n\n
eksctl create iamserviceaccount \\\n--cluster=alb-demo \\\n--region=eu-central-1 \\\n--namespace=kube-system \\\n--name=aws-load-balancer-controller \\\n--attach-policy-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:policy\/AWSLoadBalancerControllerIAMPolicy \\\n--override-existing-serviceaccounts \\\n--approve<\/pre>\n\n\n\n
Now we are ready to deploy the ALB controller to our cluster. The easiest way to do that is to use a Helm chart from the official EKS chart repository.<\/p>\n\n\n\n
helm repo add eks https:\/\/aws.github.io\/eks-charts\nkubectl apply -k \"github.com\/aws\/eks-charts\/stable\/aws-load-balancer-controller\/\/crds?ref=master\"\nhelm install aws-load-balancer-controller eks\/aws-load-balancer-controller -n kube-system \\ \n--set clusterName=alb-demo \\\n--set serviceAccount.create=false \\\n--set serviceAccount.name=aws-load-balancer-controller<\/pre>\n\n\n\n
And that’s it, you can now use ALB when creating ingress for the application. Let’s see how to do that!<\/p>\n\n\n\n
ALB configuration<\/h5>\n\n\n\n
For the purpose of this tutorial, we will deploy a simple web application into the Kubernetes cluster and expose it to the Internet with an ALB ingress controller. Complete source code is available in the GitLab repository<\/a>.<\/p>\n\n\n\n
Let’s first run the application on the EKS cluster by creating a deployment and service.<\/p>\n\n\n\n
kubectl apply -f app-deployment.yaml\nkubectl apply -f app-service.yaml<\/pre>\n\n\n\n
Now we can deploy the ingress, however before we do that, let’s take a closer look at it.<\/p>\n\n\n\n
apiVersion: networking.k8s.io\/v1beta1\nkind: Ingress\nmetadata:\n  name: alb-demo-ingress\n  annotations:\n    kubernetes.io\/ingress.class: alb\n    alb.ingress.kubernetes.io\/scheme: internet-facing\n    alb.ingress.kubernetes.io\/listen-ports: '[{\"HTTP\": 80}]'\n    alb.ingress.kubernetes.io\/healthcheck-protocol: HTTP\n    alb.ingress.kubernetes.io\/healthcheck-port: http-healthcheck\n    alb.ingress.kubernetes.io\/healthcheck-path: \/healthcheck\nspec:\n  rules:\n    - http:\n        paths:\n          - path: \/*\n            backend:\n              serviceName: app-service\n              servicePort: 80<\/pre>\n\n\n\n
Apart from the standard ingress definition you probably noticed the special annotations attached to this resource. That is where we tell the ingress controller how to configure ALB. In our case, we want to expose our backend service to the Internet at HTTP port 80. We also define a health check so that the load balancer won’t route traffic to instances that are down. Let’s deploy the ingress.<\/p>\n\n\n\n
kubectl apply -f ingress.yaml\nkubectl describe ingress\/alb-demo-ingress<\/pre>\n\n\n\n
After executing the above command you will probably see the following output.<\/p>\n\n\n\n
Name:             alb-demo-ingress\nNamespace:        alb-demo\nAddress:          \nDefault backend:  default-http-backend:80 (<error: endpoints \"default-http-backend\" not found>)\nRules:\n  Host        Path  Backends\n  ----        ----  --------\n  *           \n              \/*   alb-demo-service:80 (172.31.24.80:80)\nAnnotations:  alb.ingress.kubernetes.io\/healthcheck-path: \/healthcheck\n              alb.ingress.kubernetes.io\/healthcheck-port: http-healthcheck\n              alb.ingress.kubernetes.io\/healthcheck-protocol: HTTP\n              alb.ingress.kubernetes.io\/scheme: internet-facing\n              kubernetes.io\/ingress.class: alb\nEvents:\n  Type     Reason            Age               From     Message\n  ----     ------            ----              ----     -------\n  Warning  FailedBuildModel  2s (x10 over 6s)  ingress  Failed build model due to couldn't auto-discover subnets: unable to discover at least one subnet<\/pre>\n\n\n\n
Deploy failed with error message: Failed build model due to couldn’t auto-discover subnets: unable to discover at least one subnet<\/strong>. This is because we must explicitly mark our subnets with a special tag: kubernetes.io\/role\/elb=1<\/code>. Once this is done, deploying ingress is successful and you can access the app from the browser.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
SSL Support<\/h5>\n\n\n\n
It’s always a good idea to serve your application over a secure SSL connection so let’s see how we can enable it in ALB. As with most of the configuration, this can be done by adding additional annotations to the ingress definition.<\/p>\n\n\n\n
apiVersion: networking.k8s.io\/v1beta1\nkind: Ingress\nmetadata:\n  name: alb-demo-ingress\n  annotations:\n    kubernetes.io\/ingress.class: alb\n    alb.ingress.kubernetes.io\/scheme: internet-facing\n    alb.ingress.kubernetes.io\/listen-ports: '[{\"HTTP\": 80}, {\"HTTPS\": 443}]'\n    alb.ingress.kubernetes.io\/healthcheck-protocol: HTTP\n    alb.ingress.kubernetes.io\/healthcheck-port: http-healthcheck\n    alb.ingress.kubernetes.io\/healthcheck-path: \/healthcheck\n    alb.ingress.kubernetes.io\/certificate-arn: arn:aws:acm:eu-central-1:<ACCOUNT_ID>:certificate\/<CERTIFICATE_ID>\n    alb.ingress.kubernetes.io\/listen-ports: '[{\"HTTP\": 80}, {\"HTTPS\":443}]'\n    alb.ingress.kubernetes.io\/actions.ssl-redirect: '{\"Type\": \"redirect\", \"RedirectConfig\": { \"Protocol\": \"HTTPS\", \"Port\": \"443\", \"StatusCode\": \"HTTP_301\"}}'\n\nspec:\n  rules:\n    - http:\n        paths:\n          - path: \/*\n            backend:\n              serviceName: ssl-redirect\n              servicePort: use-annotation\n          - path: \/*\n            backend:\n              serviceName: app-service\n              servicePort: 80\n<\/pre>\n\n\n\n
Summary<\/h5>\n\n\n\n
As you can see using the ALB ingress controller to expose Kubernetes workloads to the Internet is pretty straightforward, although it requires few preparation steps. Most of the configuration is done using annotations, so make sure you’ve read the full documentation<\/a>.<\/p>\n\n\n\n
With ALB ingress controller your web application is exposed to end users over the Internet. When traffic grows you may need to scale your infrastructure to ensure best user experience. Read our blog post How to enable Kubernetes cluster autoscaling in AWS<\/a> to ensure it’s done automatically!<\/p>\n","protected":false},"excerpt":{"rendered":"
In this blog post you will learn how to set up ingress for your Kubernetes application with AWS Application Load Balancer. Mots of workloads run on your Kubernetes cluster ultimately need to be exposed to end-users. This is where Ingress comes to play – a special Kubernetes object responsible for providing external access to the […]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_case_study_excerpt":"","footnotes":""},"categories":[55],"tags":[102,32,103,46],"class_list":["post-520","post","type-post","status-publish","format-standard","hentry","category-devops","tag-alb","tag-aws","tag-ingress","tag-kubernetes"],"_links":{"self":[{"href":"https:\/\/nubisoft.io\/blog\/wp-json\/wp\/v2\/posts\/520","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nubisoft.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nubisoft.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nubisoft.io\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/nubisoft.io\/blog\/wp-json\/wp\/v2\/comments?post=520"}],"version-history":[{"count":19,"href":"https:\/\/nubisoft.io\/blog\/wp-json\/wp\/v2\/posts\/520\/revisions"}],"predecessor-version":[{"id":776,"href":"https:\/\/nubisoft.io\/blog\/wp-json\/wp\/v2\/posts\/520\/revisions\/776"}],"wp:attachment":[{"href":"https:\/\/nubisoft.io\/blog\/wp-json\/wp\/v2\/media?parent=520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nubisoft.io\/blog\/wp-json\/wp\/v2\/categories?post=520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nubisoft.io\/blog\/wp-json\/wp\/v2\/tags?post=520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}