NGINX Guest Blog: NGINX Kubernetes Ingress Controller

Guest blog by Dylen Turnbull, Solution Architect at NGINX (F5)

REGISTER FOR OUR UPCOMING WEBINAR (3/20/21) – NGINX & Rancher – Simplifying, Securing, and Scaling Your Kubernetes Deployments

Now available through the Rancher Apps and Marketplace

You probably know by now that Kubernetes is a powerful platform – but it needs other tools to make it even better. Ingress Controllers fall into that category, and if you’ve been using Kubernetes, you’re probably quite familiar with them. But here’s a quick refresher on Ingress and Ingress controllers.

By design, Kubernetes pods can be accessed only by other pods within the cluster – not from the external network. Ingress is Kubernetes’ built‑in configuration for HTTP load balancing that defines rules for external connectivity. When you need to provide external access to your Kubernetes services, you create an Ingress resource that defines rules, including the URI path, backing service name, and other information. Then you use an Ingress controller to automatically program a front‑end load balancer to enable Ingress configuration.

NGINX Ingress Controller from NGINX (now part of F5) provides enterprise-grade delivery services for Kubernetes applications. In this blog, we’ll explore the integration of NGINX Ingress Controller with the Rancher Apps and Marketplace. But before we jump into the blog, let’s talk about which NGINX Ingress Controller you may be using.

There are two popular Kubernetes Ingress controllers that use NGINX – both are open source and hosted on GitHub. One is maintained by the Kubernetes open source community (kubernetes/ingress-nginx on GitHub) and one is maintained by NGINX, Inc. (nginxinc/kubernetes-ingress on GitHub).

What Makes NGINX’s Ingress Controller Different?

Here’s how the goals of NGINX’s Ingress controller differ from the community’s Ingress controller, straight from NGINX’s VP of Product Management, Sidney Rabsatt:

• Development philosophy – NGINX’s top priority for our Ingress controller is to deliver long‑term stability and consistency. We make every possible effort to avoid changes in behavior between releases, particularly any that break backward compatibility. We promise you won’t see any unexpected surprises when you upgrade.
• Continual production readiness – NGINX provides commercial support for every release of our Ingress controller, so every release is built and maintained to a supportable, production standard. You benefit from this “enterprise‑grade” focus equally whether you’re using NGINX Open Source or NGINX Plus.
• Integrated codebase – NGINX’s Ingress controller uses a 100% pure NGINX or NGINX Plus instance for load balancing, applying best‑practice configuration using native NGINX capabilities alone. It does not rely on any third‑party modules or Lua code that have not benefited from our interoperability testing. Furthermore, the community’s Ingress controller relies on slower Lua code for some functionality native to NGINX Plus.
• Security – We don’t assemble our Ingress controller from lots of third‑party repos; we develop and maintain the load balancer (NGINX and NGINX Plus) and Ingress controller software (a Go application) ourselves. We are the single authority for all components of our Ingress controller.
• Support – NGINX’s Ingress controller is fully supported for NGINX Plus customers and users of NGINX Open Source who have a paid support contract.

And while we’re here, let’s review some of the key benefits you get from NGINX Plus when using it with NGINX’s Ingress controller:

• Additional capabilities – Real‑time metrics, additional load‑balancing methods, session persistence, active health checks, JWT validation
• Dynamic reconfiguration – Faster, non‑disruptive reconfiguration ensures you can deliver applications with consistent performance and resource usage
• Commercial support – It’s like having an NGINX developer on your DevOps team!

Of course, NGINX and NGINX Plus can be deployed on any platform including bare metal, containers, VMs, and public, private, and hybrid clouds.

Now that we’ve covered the differences of the NGINX Ingress Controllers, let’s dive in.

NGINX and the Rancher Apps and Marketplace

In partnership with Rancher Labs, NGINX has added the NGINX Ingress Controller to the Rancher Apps and Marketplace. We have provided a drop-in solution in the form of a Rancher Chart that leverages the official open-source version of NGINX. In addition, the Apps and Marketplace provides a simple upgrade path to the fully supported version of NGINX Plus with extended functionality.

Let’s walk through setting up both versions.

Once you’ve fulfilled some minor prerequisites, you set a couple of configuration options via the Rancher Chart UI to deploy the NGINX Open Source or NGINX Plus version to any Rancher-managed cluster as either a NodePort or a DaemonSet.

Deploying the NGINX Plus version gives you access to a number of advanced features, which we’ll explore in the next section. It also includes  NGINX App Protect, for an enterprise‑grade Ingress controller with a web application firewall (WAF) that sits inside the Kubernetes cluster.

So, why use the NGINX Ingress Controller for Kubernetes?

Both the NGINX Open Source and NGINX Plus versions provide SSL/TLS termination, WebSocket, URL rewrites, HTTP/2, Prometheus exporter. and Helm charts. The NGINX Plus version also includes:

• Reduced complexity
• Advanced load balancing
• Observability
• Security
• Self-service and multi-tenancy
• Production readiness

See here for more information

Integration with NGINX App Protect

As we said earlier, the NGINX Plus version is now fully integrated with NGINX App Protect. It is the only supported WAF that sits inside the Kubernetes cluster along with the application pods it protects from malicious attacks.

Why Is Integrating the WAF into the Ingress Controller So Significant?

Integrating the WAF into the Ingress Controller brings three unique benefits to both administrators and app developers:

·        Securing the application perimeter

·        Consolidating the data plane

·        Consolidating the control plane – having fewer security tools to manage increases efficiency and reduces possible points of failure

Developers can also incorporate WAF functionality into their workflows, without having to ask other teams to grant permissions. This creates efficiencies and supports compliance with security requirements.

For more information, visit: nginx.com/products/nginx/nginx-ingress-controller

Bio: Dylen Turnbull – Solution Architect

Dylen Turnbull (@Dylen_Turnbull) / Twitter

https://www.linkedin.com/in/dylen-turnbull/

Throughout his career, Dylen Turnbull has worked for several companies Symantec, Veritas, F5 Networks, and now

F5’s NGINX business unit. This time represents an accumulation of over 22 years of enterprise / open

source software and solution development experience. Working with NGINX Business Development on strategic partner alliances with Rancher and Grafana Labs, his primary focus has been integration work with open-source technologies including Rancher, Rancher Kubernetes Engine, K3s, Prometheus, and Grafana in the containerization, virtualization, and continuous integration/delivery solutions space.