Manage Ingress Controllers
When APL is installed, exposure (ingress) for all services (included exposure for platform services) is handeled by the default platform ingress class using a public (cloud) load balancer. APL offers the option to use multiple ingress classes. Each class will get a dedicated ingress controller. In case of a security requirement, where platform services are not allowed to be exposed publicly, the default platform class can be configured to use a private load balancer instead of a public one by adding the required annotations. Additional (public) ingress classes can be created to expose team (application) services.
prerequisites
- Access to the internal subnet (using a VPN or a Jumphost) when using a private load balancer.
Steps
Steps to change to use a private load balancer for exposing platform services:
If there are no Team services created that use the default platform class, then you can skip step 2.
Create an additional public ingress class
-
Go to Ingress Classes under Settings in the web UI.
-
Under
additional classes
click onadd item
. -
Provide a name for the additional ingress class (for example
teams
). -
(optional) If you need to add specific annotations to Configure the Load Balancer by applying annotations to the Service resource, Click on
Add Item
and add the required annotations. -
(optional) If you would like to use a static (public) IP for the load balancer, then fill in the IP address.
-
(optional) If you need to whitelist source IP address ranges, add the CIDR in the
Source IP address filtering
field. -
Click
submit
. -
Click
Deploy Changes
.
Move all existing Team Services to use the new ingress class
-
Go to
services
, click on the service you would like to move to the new ingress class. -
Under
Exposure Ingress
, fill in the name of the new ingress class in theingress class name
field. -
Click
submit
. -
Click
Deploy Changes
.
Change the platform class from public to private
-
Go to Ingress Classes under Settings in the web UI.
-
Under
Platform class
, add the requiredannotations
:
For Azure:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
service.beta.kubernetes.io/azure-load-balancer-internal-subnet: <lb-subnet>
For AWS:
service.beta.kubernetes.io/aws-load-balancer-internal: true
For GCP:
networking.gke.io/load-balancer-type: "Internal"
-
Click
submit
. -
Click
Deploy Changes
.
Cloud provider specific annotations
Add the following annotations when using:
AWS
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
Azure
service.beta.kubernetes.io/azure-load-balancer-resource-group: <resource-group-name>
Digital Ocean
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: true