
Advanced Kubernetes Nginx Ingress Strategies: Scaling and Optimizing Two Applications

Recap: Setting the Stage

In our previous post on Mastering Kubernetes Nginx Ingress: Deploying Two Applications with Ease, we walked through the initial setup of our Kubernetes cluster, deploying two applications and using Nginx Ingress to manage the routing. We created a straightforward Ingress resource that directed traffic to these applications through specific hostnames. Now, it’s time to build upon that foundation and delve deeper into managing our deployments more dynamically and efficiently.

Advanced Ingress Configuration

The basic Ingress setup covered in the previous post is perfect for simple use cases. However, as our applications grow, we might need more control over our routing rules, performance, and security. Let’s explore advanced Ingress features to enhance our setup.

Path-Based Routing

In many scenarios, you’ll want to route traffic based on URL paths. For instance, you might have a single hostname serving multiple applications or microservices located at different paths. Adjusting our Ingress configuration for path-based routing is quite straightforward:


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80

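In this configuration, traffic destined for example.com/app1 routes to app1-service, while example.com/app2 routes to app2-service. The nginx.ingress.kubernetes.io/rewrite-target annotation rewrites the request path to / before the request is forwarded, so the backend service is addressed at its root path. Because the target contains no capture groups, every request under /app1 or /app2, including sub-paths such as /app1/login, reaches the backend as /.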
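
To keep the sub-path when the prefix is stripped, the rewrite target has to reference a capture group from the path. The manifest below is an added example, not part of the original post; it reuses the post's host and service names and assumes the ingress-nginx controller, which provides the use-regex annotation.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    # Treat the paths below as regular expressions.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # $2 is the second capture group: whatever follows /app1/ or /app2/.
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  rules:
  - host: example.com
    http:
      paths:
      # /app1        -> /
      # /app1/login  -> /login
      # /app1-admin  -> no match: (/|$) requires a segment boundary
      - path: /app1(/|$)(.*)
        # Regex paths are not valid Prefix paths.
        pathType: ImplementationSpecific
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: app2-service
            port:
              number: 80
```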

Enabling TLS/SSL

Securing applications with HTTPS is crucial. To enable TLS/SSL for our services, we need to create a Kubernetes Secret containing our SSL certificate and key. First, let’s create that secret:


kubectl create secret tls example-tls --cert=path/to/tls.crt --key=path/to/tls.key

Next, update the Ingress resource to reference this secret:


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80

Now, any traffic to example.com will be served over HTTPS using the specified certificate.

Rate Limiting and Security Enhancements

Improving security and managing traffic efficiently is a critical aspect of handling production workloads. Nginx Ingress provides a suite of tools for these requirements.

Rate Limiting

To avoid abuse and ensure fair usage, we can set rate limits on requests. This is done using annotations in our Ingress resource:


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/limit-connections: "20"
    nginx.ingress.kubernetes.io/limit-rpm: "60"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80

Here, we’ve set a limit of 20 concurrent connections and a rate limit of 60 requests per minute for each client IP.

Authentication

Enabling basic authentication adds another layer of security. First, create a password file named auth using htpasswd, which prompts for the password of user1:


htpasswd -c auth user1

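Create a Kubernetes Secret from this file. The file name matters: the controller looks for a key named auth inside the secret, and --from-file=auth produces exactly that key: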


kubectl create secret generic basic-auth --from-file=auth

Next, update the Ingress resource to use this authentication method:


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-type: "basic"
    nginx.ingress.kubernetes.io/auth-secret: "basic-auth"
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80

Now, accessing the paths under example.com will prompt for basic authentication credentials.
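
The TLS, rate-limiting and authentication manifests above all define the same resource, example-ingress, so each one applied replaces the settings of the one before it, and basic authentication without the tls block sends credentials unencrypted. The manifest below is an added example, not part of the original post, that combines the three; the explicit ssl-redirect annotation is an addition here, and the path rewrite is left out as in the post's own later manifests.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    # Redirect plain-HTTP requests to HTTPS so the Authorization header
    # is only ever sent over TLS.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Basic authentication, backed by the basic-auth secret (key: auth).
    nginx.ingress.kubernetes.io/auth-type: "basic"
    nginx.ingress.kubernetes.io/auth-secret: "basic-auth"
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
    # Per-client-IP limits: concurrent connections and requests per minute.
    nginx.ingress.kubernetes.io/limit-connections: "20"
    nginx.ingress.kubernetes.io/limit-rpm: "60"
spec:
  tls:
  - hosts:
    - example.com            # must match the rule host below
    secretName: example-tls  # created with kubectl create secret tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80
```

Both secrets, example-tls and basic-auth, need to exist in the same namespace as the Ingress for this manifest to work as written.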

Final Thoughts & Future Enhancements

We’ve now covered the advanced configuration of Nginx Ingress in a Kubernetes cluster, enhancing our deployments with path-based routing, TLS/SSL, rate limiting, and authentication. This robust setup ensures our applications are both secure and scalable.

The journey doesn’t end here! In future posts, we will dive into even more sophisticated scenarios, such as leveraging custom plugins, integrating with external authentication providers, and automating deployment workflows. Kubernetes Nginx Ingress is a powerful tool, and we’ve only scratched the surface.

Stay tuned for more technical deep-dives and keep experimenting with these configurations to find what best suits your needs. Happy coding and Kubernetes-ing!
