How to deploy Nginx Ingress Controller in EKS
I spent some time researching how to deploy the Nginx Ingress Controller to an EKS cluster. First, decide how the controller will be exposed. There are several choices:
- CLB or NLB: Expose the controller through either a Classic Load Balancer or a Network Load Balancer.
- Public or Private: The load balancer is either publicly accessible or private access only (only accessible within your VPC network).
- HTTP or HTTPS: Whether to configure SSL, allowing encrypted connections between the client and the Load Balancer.
Choosing CLB or NLB
First, determine whether to use a Classic Load Balancer or a Network Load Balancer. In terms of installation, when an AWS Load Balancer Controller exists within the cluster, your Nginx Ingress Controller will be created as a Network Load Balancer (NLB). If the AWS Load Balancer Controller does not exist, the controller will be deployed as a Classic Load Balancer (CLB). Because the AWS official guide [1] describes the CLB as a previous-generation load balancer, it is no longer recommended for use.
A Classic Load Balancer is the Elastic Load Balancing previous-generation load balancer. It supports routing HTTP, HTTPS, or TCP request traffic to different ports on environment instances.
You can use kubectl -n ingress-nginx describe svc ingress-nginx-controller to check whether the deployed controller is a Classic Load Balancer or a Network Load Balancer:
# Example URL for Classic Load Balancer
Choosing Publicly Accessible or Private Access Only
By default, AWS load balancers are set to private access only, meaning only machines within the same VPC as you (such as EC2 instances) can access the load balancer's endpoint. If you want to install a load balancer with private access, you can follow the instructions in the Nginx Ingress Controller documentation directly and run the following command (note: this command installs v1.8.2, which may not be the latest version):
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/aws/deploy.yaml
However, if you want to install a load balancer that provides public access, you need to modify its content:
curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/aws/deploy.yaml
Find this section in the deploy.yaml file and add the annotation service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing". This will configure the AWS load balancer for public access. You can also find other load balancer parameters that can be set in Annotations - AWS Load Balancer Controller:
# find definition for Service ingress-nginx-controller
Configuring TLS-related Settings
To further configure TLS for the load balancer, refer to the Nginx Ingress Controller documentation, download the deploy.yaml, and modify its contents.
curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
- Change proxy-real-ip-cidr to the CIDR used by the EKS cluster.
- Fill in the value of service.beta.kubernetes.io/aws-load-balancer-ssl-cert with the ARN of the certificate you wish to use.
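A pre-apply check for the edits described above (the scheme annotation and the two TLS values), as an added example that is not part of the original post or of the ingress-nginx project. The helper names and both manifest fragments are constructed for illustration, and the line-based lookup assumes each key sits on one line with a scalar value.

```python
import ipaddress
import re

CIDR_KEY = "proxy-real-ip-cidr"
CERT_KEY = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
SCHEME_KEY = "service.beta.kubernetes.io/aws-load-balancer-scheme"
ACM_ARN = re.compile(r"arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}")


def scalar(manifest, key):
    """Return the value of the first `key: value` line, or None (hypothetical helper)."""
    m = re.search(rf"^[ \t]*{re.escape(key)}:[ \t]*(\S.*?)[ \t]*$", manifest, re.M)
    return m.group(1).strip("\"'") if m else None


def audit(manifest):
    """Return (findings, public): problems to fix and whether the LB is internet-facing."""
    findings = []
    cidr = scalar(manifest, CIDR_KEY)
    try:
        if ipaddress.ip_network(cidr or "", strict=False).prefixlen == 0:
            findings.append(f"{CIDR_KEY} trusts every source address: {cidr}")
    except ValueError:  # missing value or a placeholder left in the file
        findings.append(f"{CIDR_KEY} is not a CIDR: {cidr}")
    cert = scalar(manifest, CERT_KEY)
    if not cert or not ACM_ARN.fullmatch(cert):
        findings.append(f"{CERT_KEY} is not an ACM certificate ARN: {cert}")
    return findings, scalar(manifest, SCHEME_KEY) == "internet-facing"


# Constructed fragments (not the upstream file): only the lines this check reads.
UNEDITED = """\
data:
  proxy-real-ip-cidr: XXX.XXX.XXX/XX
annotations:
  service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX
"""
EDITED = """\
data:
  proxy-real-ip-cidr: 10.0.0.0/16
annotations:
  service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
  service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:111122223333:certificate/12345678-1234-1234-1234-123456789012
"""

if __name__ == "__main__":
    for name, text in (("unedited", UNEDITED), ("edited", EDITED)):
        print(name, audit(text))
```

Run it against the downloaded deploy.yaml before kubectl apply: an empty findings list means both TLS values were filled in, and the boolean tells you whether the manifest will create a public endpoint.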
Deploying Example Services
We use a modified version of the example provided by Nginx:
- cafe-ing.yaml: Defines the Ingress object.
- cafe-dep.yaml: Defines two different Services, tea and coffee, each corresponding to a Pod.
# cafe-ing.yaml
# cafe-ing.yaml
Conducting Tests
After deployment, we can confirm the existence of Service and Deployment within our EKS cluster:
$ kubectl get svc
Attempt to access the URL of the Nginx Ingress Controller:
$ curl k8s-ingressn-ingressn-e78cc5a707-15a0244dd914ab91.elb.eu-west-1.amazonaws.com/tea