Solutions
Audit & Optimization Platform Design Automation Team Structure
Documentation Blog
Get Started

Ingress Controllers

An Ingress Controller is a component that implements Ingress resources by watching for Ingress objects and configuring a load balancer or reverse proxy accordingly. While Ingress resources define what routing rules you want, the Ingress Controller is responsible for how those rules are implemented. Think of the Ingress Controller as the engine that powers Ingress—without it, Ingress resources are just configuration that does nothing.

What is an Ingress Controller?

An Ingress Controller is a pod (or set of pods) that:

  • Watches for Ingress resources in the cluster
  • Reads Ingress rules and configurations
  • Configures a load balancer or reverse proxy (NGINX, Traefik, etc.)
  • Handles SSL/TLS termination
  • Routes traffic based on Ingress rules
graph TB A[Ingress Resources] --> B[Ingress Controller Watches] B --> C[Controller Reads Rules] C --> D[Configures Load Balancer] D --> E[Traffic Routes Based on Rules] F[HTTP Request] --> D D --> G[Backend Services] style B fill:#e8f5e9 style D fill:#fff4e1 style G fill:#fff4e1

How Ingress Controllers Work

The Ingress Controller follows this workflow:

  1. Deploy Controller - Controller pods are deployed in the cluster
  2. Watch for Ingress - Controller watches the Kubernetes API for Ingress resources
  3. Read Configuration - Controller reads Ingress rules, TLS config, and annotations
  4. Configure Proxy - Controller updates its load balancer/reverse proxy configuration
  5. Route Traffic - Incoming traffic is routed based on the configured rules
graph LR A[Controller Deployed] --> B[Watches API Server] B --> C[Ingress Created/Updated] C --> D[Controller Reads Ingress] D --> E[Updates Config] E --> F[Reloads Proxy] F --> G[Traffic Routes] style A fill:#e1f5ff style D fill:#e8f5e9 style G fill:#fff4e1

NGINX Ingress Controller

The most popular Ingress Controller, based on NGINX:

Features:

  • High performance
  • Extensive annotation support
  • SSL/TLS termination
  • URL rewriting
  • Rate limiting
  • WebSocket support

Installation:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml

Traefik

Modern, cloud-native reverse proxy and load balancer:

Features:

  • Automatic HTTPS with Let’s Encrypt
  • Dynamic configuration
  • Modern dashboard
  • Service mesh integration
  • Middleware support

Installation:

helm repo add traefik https://traefik.github.io/charts
helm install traefik traefik/traefik

HAProxy Ingress

High-performance load balancer:

Features:

  • Extremely high performance
  • Advanced load balancing algorithms
  • TCP and HTTP support
  • Health checking

Istio Gateway

Part of the Istio service mesh:

Features:

  • Integrated with service mesh
  • Advanced traffic management
  • mTLS support
  • Observability

Kong

API gateway with extensive plugin ecosystem:

Features:

  • API gateway features
  • Plugin ecosystem
  • Authentication/authorization
  • Rate limiting
  • Request/response transformation
graph TB A[Ingress Controllers] --> B[NGINX<br/>Most Popular] A --> C[Traefik<br/>Modern & Auto HTTPS] A --> D[HAProxy<br/>High Performance] A --> E[Istio Gateway<br/>Service Mesh] A --> F[Kong<br/>API Gateway] style B fill:#e8f5e9 style C fill:#fff4e1 style D fill:#fff4e1 style E fill:#fff4e1 style F fill:#fff4e1

Choosing an Ingress Controller

Consider these factors when choosing:

Performance Requirements

  • High traffic: NGINX or HAProxy
  • Standard traffic: Any controller works
  • Low latency: HAProxy or NGINX

Feature Needs

  • Basic routing: NGINX (simple, well-documented)
  • Auto HTTPS: Traefik (Let’s Encrypt integration)
  • API gateway features: Kong
  • Service mesh: Istio Gateway

Ease of Use

  • Simple setup: NGINX (most tutorials and examples)
  • Modern interface: Traefik (nice dashboard)
  • Enterprise features: Kong or Istio

Community and Support

  • Largest community: NGINX
  • Active development: Traefik, NGINX
  • Enterprise support: Kong, Istio

NGINX Ingress Controller

The most popular choice, NGINX Ingress Controller is battle-tested and well-documented.

Installation

# Using kubectl
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml

# Using Helm
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx

Configuration

NGINX Ingress Controller uses annotations for configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80

Common Annotations

  • nginx.ingress.kubernetes.io/rewrite-target - URL rewriting
  • nginx.ingress.kubernetes.io/ssl-redirect - Redirect HTTP to HTTPS
  • nginx.ingress.kubernetes.io/proxy-body-size - Max request size
  • nginx.ingress.kubernetes.io/rate-limit - Rate limiting
  • nginx.ingress.kubernetes.io/cors-enable - Enable CORS

Traefik Ingress Controller

Traefik is modern and feature-rich, with excellent automatic HTTPS support.

Installation

# Using Helm (recommended)
helm repo add traefik https://traefik.github.io/charts
helm install traefik traefik/traefik

# Or using kubectl
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

Features

  • Automatic HTTPS: Integrates with Let’s Encrypt
  • Dynamic configuration: No reloads needed
  • Modern dashboard: Web UI for monitoring
  • Middleware: Request/response transformation

Ingress Class

Kubernetes supports multiple Ingress Controllers via Ingress Classes:

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx
spec:
  controller: k8s.io/ingress-nginx

Ingress resources specify which class to use:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  ingressClassName: nginx  # Uses NGINX controller
  rules:
  # ...

This allows you to run multiple controllers and route different Ingress resources to different controllers.

Controller Deployment

Ingress Controllers are typically deployed as:

  1. Deployment - Standard deployment with replicas
  2. DaemonSet - One pod per node
  3. LoadBalancer Service - Exposes controller externally
graph TB A[Ingress Controller] --> B[Deployment/DaemonSet] B --> C[Controller Pods] C --> D[LoadBalancer Service] D --> E[External IP] F[Ingress Resources] --> C C --> G[Configures NGINX/Traefik/etc] style C fill:#e8f5e9 style D fill:#fff4e1 style G fill:#fff4e1

Monitoring Ingress Controllers

Monitor your Ingress Controller for health and performance:

# Check controller pods
kubectl get pods -n ingress-nginx

# Check controller logs
kubectl logs -n ingress-nginx -l app.kubernetes.io/component=controller

# Check controller metrics (if exposed)
kubectl port-forward -n ingress-nginx <controller-pod> 10254:10254
curl http://localhost:10254/metrics

Best Practices

  1. Choose based on needs - NGINX for simplicity, Traefik for auto-HTTPS, etc.
  2. Use ingressClassName - Explicitly specify which controller to use
  3. Monitor controller health - Ensure controller pods are running
  4. Review controller logs - Check for configuration errors
  5. Use annotations wisely - Controller-specific annotations should be documented
  6. Test after updates - Verify Ingress rules work after controller updates
  7. Plan for high availability - Run multiple controller replicas
  8. Secure controller - Use RBAC and network policies
  9. Monitor performance - Track metrics and latency
  10. Keep updated - Regularly update controller to latest version

Troubleshooting

Controller Not Working

  1. Check pods: kubectl get pods -n <controller-namespace>
  2. Check logs: kubectl logs -n <controller-namespace> <controller-pod>
  3. Verify Service: kubectl get svc -n <controller-namespace>
  4. Check RBAC: Ensure controller has necessary permissions
  5. Review events: kubectl get events -n <controller-namespace>

Ingress Not Being Processed

  1. Check ingressClassName: Verify Ingress specifies correct class
  2. Verify controller watches: Check controller is watching correct namespace
  3. Review controller logs: Look for Ingress processing errors
  4. Check Ingress resource: Verify Ingress YAML is valid
  5. Test controller connectivity: Ensure controller can reach API server

Configuration Not Applied

  1. Check annotations: Verify annotations are correct for your controller
  2. Review controller docs: Ensure annotation syntax is correct
  3. Check controller version: Some features require specific versions
  4. Verify reload: Controller may need time to reload configuration
  5. Test with simple Ingress: Start with minimal configuration

Performance Issues

  1. Check resource limits: Ensure controller has adequate resources
  2. Review metrics: Monitor request rate and latency
  3. Scale controller: Add more replicas if needed
  4. Optimize configuration: Review and optimize Ingress rules
  5. Check backend Services: Verify backend Services are performing well

See Also