SH
SHELL
AI Powered Learning Portal
Ingress controllers and ingress rules

Ingress controllers and ingress rules

Master the front door of your cluster. Learn to consolidate traffic, manage domain-based routing, and automate SSL/TLS certificates for your Next.js and FastAPI services.

Ingress: The Sophisticated Front Door of Kubernetes

In Module 3, we learned about the LoadBalancer service type. While it works perfectly, it has a major drawback in the real world: Cost. On clouds like AWS, every type: LoadBalancer service creates a new physical ELB, which costs around $20/month. If you have 20 microservices, you are paying $400/month just for basic entry points.

Furthermore, a standard LoadBalancer works at Layer 4 (TCP). It doesn't understand "URLs" or "Hostnames." It just blindly sends traffic to a port.

To solve these problems, Kubernetes uses Ingress. An Ingress is a collection of rules that allow inbound connections to reach the cluster services. It acts as a shared Entry Point—a single Load Balancer that can route traffic to dozens of different services based on the path (e.g., /api) or the hostname (e.g., ai.shshell.com).

In this lesson, we will master the Ingress Resource, learn how to set up an Ingress Controller (like Nginx), and automate SSL/TLS Termination so your users always have a secure connection.

1. How Ingress Works: The Controller vs. the Resource

Unlike Pods or Services, Ingress requires two separate parts to function:

  1. The Ingress Resource (The Map): A YAML file where you define your rules: "Send traffic for shshell.com/blog to the blog-service."
  2. The Ingress Controller (The Engine): A specialized pod (usually running Nginx, Envoy, or Traefik) that listens to those rules and actually performs the proxying.

The Workflow:

  • You create an Ingress Resource.
  • The Controller sees it and automatically updates its internal configuration (e.g., nginx.conf).
  • The Controller is exposed to the internet via a single LoadBalancer service.

2. Defining Ingress Rules

There are two primary ways to route traffic with Ingress.

A. Host-Based Routing

Use this to route different domains to different apps.

  • api.ai-app.com -> ai-backend-service
  • dashboard.ai-app.com -> nextjs-frontend-service

B. Path-Based Routing

Use this to route sub-folders of the same domain.

  • shshell.com/api -> fastapi-service
  • shshell.com/static -> nginx-static-service

Example Manifest:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: main-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: "ai.shshell.com"
    http:
      paths:
      - path: /summarize
        pathType: Prefix
        backend:
          service:
            name: ai-api-service
            port:
              number: 80
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nextjs-frontend-service
            port:
              number: 80

3. The Power of Annotations

Ingress resources are highly customizable through Annotations. Because every Ingress Controller (Nginx, ALB, Traefik) has different features, annotations are used to "Unlock" them.

  • Request Limiting: nginx.ingress.kubernetes.io/limit-rps: "5" (Stop bots from DOSing your AI agent).
  • Rewrite Targets: nginx.ingress.kubernetes.io/rewrite-target: /$2 (Useful if your app expects traffic at / but Ingress receives it at /api/).
  • CORS Support: Automatically add headers for your frontend.

4. Securing the Cluster: TLS/SSL Termination

In 2026, a website without HTTPS is unacceptable. Ingress makes SSL management easy.

You store your SSL Certificate and Private Key in a Kubernetes Secret (Module 3.4). You then reference that secret in your Ingress manifest.

spec:
  tls:
  - hosts:
      - ai.shshell.com
    secretName: ai-cert-secret # Reference to your secret

Automation with Cert-Manager

Managing certificates manually is tedious. The industry standard is to use Cert-Manager.

  1. You tell Cert-Manager: "I want a certificate for ai.shshell.com from Let's Encrypt."
  2. Cert-Manager handles the challenge, downloads the cert, and creates the K8s Secret.
  3. Your Ingress picks it up automatically. Zero human intervention.

5. Visualizing the External Traffic Flow

graph TD
    User["User (HTTPS)"] -- "Request to ai.shshell.com" --> ELB["AWS Load Balancer (Single entry)"]
    ELB --> IC["Ingress Controller (Nginx Pod)"]
    
    subgraph "Routing Decisions"
        IC -- "/api ->" --> API["FastAPI Service"]
        IC -- "/ ->" --> UI["Next.js Service"]
    end
    
    API --> Pod1["AI Pod A"]
    UI --> Pod2["UI Pod B"]

6. Practical Example: Setting up Nginx Ingress

On most clusters, you can install the Nginx Ingress Controller with a single command:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml

Once installed, you can run kubectl get ingress to find the Public IP assigned to your cluster. Point your Domain's DNS record to that IP, and your apps are live!

7. AI Implementation: High-Throughput WebSockets

If your AI agent uses WebSockets for real-time streaming (e.g., a voice assistant), your Ingress Controller needs to be configured to handle persistent connections.

Standard HTTP connections timeout after 60 seconds. For a long-running AI conversation, you need to increase the timeout via annotations:

metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"

This ensures your FastAPI WebSocket stays open for the duration of the AI's processing time.

8. Summary and Key Takeaways

  • Ingress: A shared gateway that reduces cloud costs and simplifies L7 routing.
  • Resources & Controllers: You write the "Rules"; the "Controller" (e.g. Nginx) executes them.
  • Host vs Path: Route by domain or by sub-folder.
  • TLS: Use K8s Secrets and Cert-Manager to automate HTTPS.
  • Annotations: Use them to enable advanced features like rate-limiting and rewrites.

In the next lesson, we will look at how we secure the back-end of the cluster using Network Policies.

9. SEO Metadata & Keywords

Focus Keywords: Kubernetes Ingress vs LoadBalancer, Nginx Ingress Controller tutorial, path-based routing K8s example, host-based routing K8s ingress, Cert-Manager Let's Encrypt Kubernetes, securing K8s ingress TLS.

Meta Description: Master the external networking of Kubernetes. Learn how to use Ingress to consolidate your traffic, manage domain-based routing, and automate SSL certificates for your professional AI and web services.

Previous LessonServices and endpoints
Next LessonNetwork policies and security

Subscribe to our newsletter

Get the latest posts delivered right to your inbox.

Subscribe on LinkedIn