Recap: Setting the Stage
In our previous post on Mastering Kubernetes Nginx Ingress: Deploying Two Applications with Ease, we walked through the initial setup of our Kubernetes cluster, deploying two applications and using Nginx Ingress to manage the routing. We created a straightforward Ingress resource that directed traffic to these applications through specific hostnames. Now, it’s time to build upon that foundation and delve deeper into managing our deployments more dynamically and efficiently.
Advanced Ingress Configuration
The basic Ingress setup covered in the previous post is perfect for simple use cases. However, as our applications grow, we might need more control over our routing rules, performance, and security. Let’s explore advanced Ingress features to enhance our setup.
Path-Based Routing
In many scenarios, you’ll want to route traffic based on URL paths. For instance, you might have a single hostname serving multiple applications or microservices located at different paths. Adjusting our Ingress configuration for path-based routing is quite straightforward:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80
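In this configuration, traffic destined for example.com/app1 routes to app1-service, while example.com/app2 routes to app2-service. The nginx.ingress.kubernetes.io/rewrite-target annotation is used to point the backend service to the root path. With a literal / target, current ingress-nginx releases send every request under the matched prefix to the backend as /, so anything after /app1 or /app2 is dropped.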
Enabling TLS/SSL
Securing applications with HTTPS is crucial. To enable TLS/SSL for our services, we need to create a Kubernetes Secret containing our SSL certificate and key. First, let’s create that secret:
kubectl create secret tls example-tls --cert=path/to/tls.crt --key=path/to/tls.key
Next, update the Ingress resource to reference this secret:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80
Now, any traffic to example.com will be served over HTTPS using the specified certificate.
Rate Limiting and Security Enhancements
Improving security and managing traffic efficiently is a critical aspect of handling production workloads. Nginx Ingress provides a suite of tools for these requirements.
Rate Limiting
To avoid abuse and ensure fair usage, we can set rate limits on requests. This is done using annotations in our Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/limit-connections: "20"
    nginx.ingress.kubernetes.io/limit-rpm: "60"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80
Here, we’ve set a connection limit of 20 and a rate limit of 60 requests per minute for each client IP.
Authentication
Enabling basic authentication can add an additional layer of security. First, create a password file using htpasswd:
htpasswd -c auth user1
Create a Kubernetes Secret from this file:
kubectl create secret generic basic-auth --from-file=auth
Next, update the Ingress resource to use this authentication method:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-type: "basic"
    nginx.ingress.kubernetes.io/auth-secret: "basic-auth"
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80
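Now, accessing the paths under example.com will prompt for basic authentication credentials. Basic authentication sends the username and password base64-encoded rather than encrypted, so this Ingress should also carry the tls block from the TLS/SSL section.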
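Each manifest above shows one feature in isolation, so an Ingress applied from the authentication manifest alone has no tls block and no rate limits. As an added example (not from the original post), this Python check reads the output of kubectl get ingress -A -o json and flags those gaps; the finding labels and the sample objects are constructed for illustration.

```python
import json

NGINX = "nginx.ingress.kubernetes.io/"

def host_covered(host, tls_hosts):
    """True if a spec.tls host matches exactly or as a one-label wildcard."""
    parent = "*." + host.partition(".")[2]
    return host in tls_hosts or parent in tls_hosts

def audit_ingress(ing):
    """Return findings for one Ingress object parsed from kubectl JSON output."""
    ann = ing.get("metadata", {}).get("annotations") or {}
    spec = ing.get("spec", {})
    tls_hosts = [h for t in spec.get("tls") or [] for h in t.get("hosts") or []]
    basic = ann.get(NGINX + "auth-type") == "basic"
    findings = []
    for rule in spec.get("rules") or []:
        host = rule.get("host", "")
        if not host_covered(host, tls_hosts):
            findings.append(f"no-tls:{host}")
            if basic:  # Basic credentials are only base64-encoded on the wire
                findings.append(f"basic-auth-without-tls:{host}")
    if basic and not ann.get(NGINX + "auth-secret"):
        findings.append("auth-secret-missing")
    limits = ("limit-rpm", "limit-rps", "limit-connections")
    if not any(NGINX + k in ann for k in limits):
        findings.append("no-rate-limit")
    return findings

def audit(kubectl_json):
    """Audit `kubectl get ingress -A -o json` output; accepts a List or one object."""
    doc = json.loads(kubectl_json)
    return {f'{i["metadata"].get("namespace", "default")}/{i["metadata"]["name"]}':
            audit_ingress(i) for i in doc.get("items", [doc])}

# Constructed sample: the page's auth-only manifest, then one combining all sections.
RULES = [{"host": "example.com"}]
AUTH = {NGINX + "auth-type": "basic", NGINX + "auth-secret": "basic-auth"}
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "auth-only", "annotations": AUTH}, "spec": {"rules": RULES}},
    {"metadata": {"name": "combined",
                  "annotations": {**AUTH, NGINX + "limit-rpm": "60"}},
     "spec": {"tls": [{"hosts": ["example.com"], "secretName": "example-tls"}],
              "rules": RULES}},
]})

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

Against a live cluster, pass the text of kubectl get ingress -A -o json to audit() in place of SAMPLE.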
Final Thoughts & Future Enhancements
We’ve now covered the advanced configuration of Nginx Ingress in a Kubernetes cluster, enhancing our deployments with path-based routing, TLS/SSL, rate limiting, and authentication. This robust setup ensures our applications are both secure and scalable.
The journey doesn’t end here! In future posts, we will dive into even more sophisticated scenarios, such as leveraging custom plugins, integrating with external authentication providers, and automating deployment workflows. Kubernetes Nginx Ingress is a powerful tool, and we’ve only scratched the surface.
Stay tuned for more technical deep-dives and keep experimenting with these configurations to find what best suits your needs. Happy coding and Kubernetes-ing!