Ingress on Google Cloud Platform

This page describes Ingress on Google Cloud Platform. For general information about GKE networking, visit the Network Overview.

What is an Ingress?

In Google Kubernetes Engine, an Ingress resource defines L7 load balancer rules and configuration for routing external HTTP(S) traffic to Services. An Ingress can be used to expose multiple Services on a single IP address using a single load balancer.

When you create an Ingress in your cluster, GKE creates a Google Cloud Platform HTTP(S) load balancer and configures it to route traffic to your application.

How does Ingress work on GKE?

By default, GKE clusters have the HttpLoadBalancing addon enabled. This addon runs a controller on the master, which creates HTTP(S) load balancers based on the Ingress resources. You can find the source code and detailed documentation of this controller at the ingress-gce repository on GitHub.

Other Ingress controllers are not officially supported on GKE.

Features

Ingress on GCP includes the following features:

Flexible configuration for Services
Ingresses define how traffic reaches your Services and how the traffic is routed to your application. In addition, an Ingress provides a single VIP for all Services in your cluster.
Native integration with GCP network services
Ingress offers native support for GCP features such as Cloud Armor, Cloud CDN, and Cloud IAP.
Support for multiple clusters
Ingress supports load balancing traffic across multiple clusters within a single project.
Support for multiple SSL/TLS certificates
Ingress supports the use of multiple certificates for request termination.

To learn more about these features, refer to HTTP(S) Load Balancing Concepts.

Example

The following sample Ingress, test-ingress, targets port 80 of a NodePort Service named testsvc:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
spec:
  backend:
    serviceName: testsvc
    servicePort: 80

Deploying this Ingress on GKE provisions a GCP HTTP(S) load balancer to route all external HTTP traffic to port 80 of the Service.

A client request is terminated with the matching L7 protocol. By default, an HTTP(S) load balancer exposes port 80. If annotation kubernetes.io/ingress.allow-http is false, then HTTP port 80 is not exposed. If the Ingress manifest includes a tls field, or if annotation ingress.kubernetes.io.pre-shared-cert is a valid Compute Engine SSL certificate name, the load balancer exposes HTTPS on port 443. tls and ingress.kubernetes.io.pre-shared-cert are mutually exclusive.

Application protocols annotation

An HTTP(S) load balancer acts as a proxy between your clients and your application. Clients can use HTTP or HTTPS to communicate with the load balancer proxy. However, the connection from the load balancer proxy to your application uses HTTP by default. If your application, running in a Kubernetes Engine pod, is capable of receiving HTTPS requests, you can configure the load balancer to use HTTPS when it forwards requests to your application.

To configure the protocol used between the load balancer and your application, use the cloud.google.com/app-protocols annotation in your Service manifest.

The following Service manifest specifies two ports. The annotation says that when an HTTP(S) load balancer targets port 80 of the Service, it should use HTTP. And when the load balancer targets port 443 of the Service, it should use HTTPS.

apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    # Maps each named Service port to the protocol the load balancer uses toward the pod
    cloud.google.com/app-protocols: '{"my-https-port":"HTTPS","my-http-port":"HTTP"}'
spec:
  ports:
  - name: my-https-port
    port: 443
  - name: my-http-port
    port: 80

The cloud.google.com/app-protocols annotation serves the same purpose as the older service.alpha.kubernetes.io/app-protocols annotation. The old and new annotation names can coexist, as shown in the following Service manifest. When both annotations appear in the same Service manifest, service.alpha.kubernetes.io/app-protocols takes precedence.

apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    cloud.google.com/app-protocols: '{"my-https-port":"HTTPS","my-http-port":"HTTP"}'
    # Older annotation name; takes precedence when both are present
    service.alpha.kubernetes.io/app-protocols: '{"my-https-port":"HTTPS","my-http-port":"HTTP"}'
spec:
  ports:
  - name: my-https-port
    port: 443
  - name: my-http-port
    port: 80
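
The port-exposure rules and the annotation precedence described above, written as a small manifest checker. This is an added example, not code from this page or from the ingress-gce controller. It takes Ingress and Service manifests as parsed JSON and reports plaintext hops on either side of the proxy. The function names and sample manifests are constructed for illustration, and any non-empty pre-shared certificate name is assumed to be valid.

```python
import json

ALLOW_HTTP = "kubernetes.io/ingress.allow-http"
PRE_SHARED = "ingress.kubernetes.io.pre-shared-cert"  # spelled as on this page
NEW_PROTO = "cloud.google.com/app-protocols"
OLD_PROTO = "service.alpha.kubernetes.io/app-protocols"


def exposed_ports(ingress):
    """Front-end ports opened; assumes any non-empty cert name is valid."""
    ann = ingress["metadata"].get("annotations", {})
    tls, cert = ingress["spec"].get("tls"), ann.get(PRE_SHARED)
    if tls and cert:
        raise ValueError("tls and pre-shared-cert are mutually exclusive")
    ports = [] if str(ann.get(ALLOW_HTTP, "true")).lower() == "false" else [80]
    return ports + ([443] if tls or cert else [])


def backend_protocol(service, port):
    """Proxy-to-pod protocol for a Service port; the older annotation wins."""
    ann = service["metadata"].get("annotations", {})
    by_name = json.loads(ann.get(OLD_PROTO) or ann.get(NEW_PROTO) or "{}")
    for p in service["spec"]["ports"]:
        if port in (p["port"], p.get("name")):
            return by_name.get(p.get("name"), "HTTP")  # HTTP is the default
    raise KeyError(f"Service has no port {port!r}")


def audit(ingress, service):
    """Return findings for plaintext hops on either side of the proxy."""
    name, out = ingress["metadata"]["name"], []
    ports = exposed_ports(ingress)
    if 80 in ports:
        out.append(f"{name}: client side accepts plaintext HTTP on port 80")
    if 443 not in ports:
        out.append(f"{name}: no HTTPS listener on port 443")
    port = ingress["spec"]["backend"]["servicePort"]
    if backend_protocol(service, port) != "HTTPS":
        out.append(f"{name}: proxy-to-pod hop on port {port} uses HTTP")
    return out


# Constructed sample input: this page's test-ingress and a two-port Service.
INGRESS = {"metadata": {"name": "test-ingress"},
           "spec": {"backend": {"serviceName": "testsvc", "servicePort": 80}}}
SERVICE = {"metadata": {"name": "testsvc", "annotations": {
               NEW_PROTO: '{"my-https-port":"HTTPS","my-http-port":"HTTP"}'}},
           "spec": {"ports": [{"name": "my-https-port", "port": 443},
                              {"name": "my-http-port", "port": 80}]}}
```

Calling audit(INGRESS, SERVICE) on the sample returns three findings; an Ingress with allow-http set to "false", a tls field, and a default backend on port 443 returns none.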
