|
| 1 | +# Kong Ingress Controller and ingress class |
| 2 | + |
| 3 | + |
| 4 | +## Table of Contents |
| 5 | + |
| 6 | +- [**Introduction**](#introduction) |
| 7 | +- [**Configuring the controller class**](#configuring-the-controller-ingress-class) |
| 8 | +- [**Loading resources by class**](#loading-resouces-by-class) |
| 9 | +- [**When to use a custom class**](#when-to-use-a-custom-class) |
| 10 | +- [**Legacy behavior**](#legacy-behavior) |
| 11 | +- [**Examples**](#examples) |
| 12 | + |
| 13 | +## Introduction |
| 14 | + |
| 15 | +The Kong Ingress Controller uses ingress classes to filter Kubernetes Ingress |
| 16 | +objects and other resources before converting them into Kong configuration. |
| 17 | +This allows it to coexist with other ingress controllers and/or other |
| 18 | +deployments of the Kong Ingress Controller in the same cluster: a Kong Ingress |
| 19 | +Controller will only process configuration marked for its use. |
| 20 | + |
| 21 | +## Configuring the controller ingress class |
| 22 | + |
| 23 | +The `--ingress-class` flag (or `CONTROLLER_INGRESS_CLASS` environment variable) |
| 24 | +specify the ingress class expected by the Kong Ingress Controller. By default, |
| 25 | +it expects the `kong` class. |
| 26 | + |
| 27 | +## Loading resources by class |
| 28 | + |
| 29 | +The Kong Ingress Controller translates a variety of Kubernetes resources into |
| 30 | +Kong configuration. Broadly speaking, we can separate these resources into two |
| 31 | +categories: |
| 32 | + |
| 33 | +- Resources that the controller translates directly into Kong configuration. |
| 34 | +- Resources referenced by some other resource, where the other resource is |
| 35 | + directly translated into Kong configuration. |
| 36 | + |
| 37 | +For example, an Ingress is translated directly into a Kong route, and a |
| 38 | +KongConsumer is translated directly into a [Kong consumer](https://docs.konghq.com/latest/admin-api/#consumer-object). A Secret containing |
| 39 | +an authentication plugin credential is _not_ translated directly: it is only |
| 40 | +translated into Kong configuration if a KongConsumer resource references it. |
| 41 | + |
| 42 | +Because they create Kong configuration indenpendent of any other resources, |
| 43 | +directly-translated resources require an ingress class, and their class must |
| 44 | +match the class configured for the controller. Referenced resources do not |
| 45 | +require a class, but must be referenced by a directly-translated resource |
| 46 | +that matches the controller. |
| 47 | + |
| 48 | +### Adding class information to resources |
| 49 | + |
| 50 | +Most resources use a [kubernetes.io/ingress-class annotation][class-annotation] |
| 51 | +to indicate their class. There are several exceptions: |
| 52 | + |
| 53 | +- v1 Ingress resources have a dedicated `class` field. |
| 54 | +- Knative Services [use the class specifed][knative-class] by the |
| 55 | + `ingress.class` key of the Knative installation's `config-network` ConfigMap. |
| 56 | + You can optionally [override this on a per-Service basis][knative-override] |
| 57 | + by adding a `networking.knative.dev/ingress.class` annotation to the Service. |
| 58 | + |
| 59 | +### Enabling support for classless resources |
| 60 | + |
| 61 | +Specifying a class is optional for some resources. Although specifying a class |
| 62 | +is recommended, you can instruct the controller to process resources without a |
| 63 | +class annotation using flags: |
| 64 | + |
| 65 | +- `--process-classless-ingress-v1beta1` instructs the controller to translate |
| 66 | + v1beta1 Ingress resources with no class annotation. |
| 67 | +- `--process-classless-kong-consumer` instructs the controller to translate |
| 68 | + KongConsumer resources with no class annotation. |
| 69 | + |
| 70 | +These flags are primarily intended for compatibility with older configuration |
| 71 | +(Kong Ingress Controller before 0.10 had less strict class |
| 72 | +requirements, and it was common to omit class annotations). If you are creating |
| 73 | +new configuration and do not have older configuration without class |
| 74 | +annotations, recommended best practice is to add class information to Ingress |
| 75 | +and KongConsumer resources and not set the above flags. Doing so avoids |
| 76 | +accidentally creating duplicate configuration in other ingress controller |
| 77 | +instances. |
| 78 | + |
| 79 | +These flags do not _ignore_ `ingress.class` annotations: they allow resources |
| 80 | +with no such annotation, but will not allow resource that have a non-matching |
| 81 | +`ingress.class` annotation. |
| 82 | + |
| 83 | +## When to use a custom class |
| 84 | + |
| 85 | +Using the default `kong` class is fine for simpler deployments, where only one |
| 86 | +Kong Ingress Controller instance is running in a cluster. Changing the class is |
| 87 | +typical when: |
| 88 | + |
| 89 | +- You install multiple Kong environments in one Kubernetes cluster to handle |
| 90 | + different types of ingress traffic, e.g. when using separate Kong instances |
| 91 | + to handle traffic on internal and external load balancers, or deploying |
| 92 | + different types of non-production environments in a single test cluster. |
| 93 | +- You install multiple controller instances alongside a single Kong cluster to |
| 94 | + separate configuration into different Kong workspaces (using the |
| 95 | + `--kong-workspace` flag) or to restrict which Kubernetes namespaces any one |
| 96 | + controller instance has access to. |
| 97 | + |
| 98 | +## Legacy behavior |
| 99 | + |
| 100 | +This overview covers behavior in Kong Ingress Controller version 0.10.0 onward. |
| 101 | +Earlier versions had a special case for the default class and a bug affecting |
| 102 | +custom classes: |
| 103 | + |
| 104 | +- When using the default `kong` class, the controller would always process |
| 105 | + classless resources in addition to `kong`-class resources. When using a |
| 106 | + non-default controller class, the controller would only process resources |
| 107 | + with that class, not classless resources. Although this was by design, it was |
| 108 | + a source of user confusion. |
| 109 | +- When using a custom controller class, some resources that should not have |
| 110 | + required a class (because they were referenced by other resources) |
| 111 | + effectively did require a class: while these resources were loaded initially, |
| 112 | + the controller would not track updates to them unless they had a class |
| 113 | + annotation. |
| 114 | + |
| 115 | +In versions 0.10.0+ you must instruct the controller to load classless |
| 116 | +resources, which is allowed (but not recommended) for either the default or |
| 117 | +custom classes. Resources referenced by another resource are always loaded and |
| 118 | +updated correctly regardless of which class you set on the controller; you do |
| 119 | +not need to add class annotations to these resources when using a custom class. |
| 120 | + |
| 121 | +## Examples |
| 122 | + |
| 123 | +Typical configurations will include a mix of resources that have class |
| 124 | +information and resources that are referenced by them. For example, consider |
| 125 | +the following configuration for authenticating a request, using a KongConsumer, |
| 126 | +credential Secret, Ingress, and KongPlugin (a Service is implied, but not |
| 127 | +shown): |
| 128 | + |
| 129 | +```yaml |
| 130 | +kind: KongConsumer |
| 131 | +metadata: |
| 132 | + name: dyadya-styopa |
| 133 | + annotations: |
| 134 | + kubernetes.io/ingress.class: "kong" |
| 135 | +username: styopa |
| 136 | +credentials: |
| 137 | +- styopa-key |
| 138 | + |
| 139 | +--- |
| 140 | + |
| 141 | +kind: Secret |
| 142 | +apiVersion: v1 |
| 143 | +stringData: |
| 144 | + key: bylkogdatomoryakom |
| 145 | + kongCredType: key-auth |
| 146 | +metadata: |
| 147 | + name: styopa-key |
| 148 | + |
| 149 | +--- |
| 150 | + |
| 151 | +kind: Ingress |
| 152 | +apiVersion: extensions/v1beta1 |
| 153 | +metadata: |
| 154 | + name: ktonezhnaet |
| 155 | + annotations: |
| 156 | + kubernetes.io/ingress.class: "kong" |
| 157 | + konghq.com/plugins: "key-auth-example" |
| 158 | +spec: |
| 159 | + rules: |
| 160 | + - http: |
| 161 | + paths: |
| 162 | + - path: /vsemznakom |
| 163 | + backend: |
| 164 | + serviceName: httpbin |
| 165 | + servicePort: 80 |
| 166 | + |
| 167 | +--- |
| 168 | + |
| 169 | +apiVersion: configuration.konghq.com/v1 |
| 170 | +kind: KongPlugin |
| 171 | +metadata: |
| 172 | + name: key-auth-example |
| 173 | +plugin: key-auth |
| 174 | +``` |
| 175 | +
|
| 176 | +The KongConsumer and Ingress resources both have class annotations, as they are |
| 177 | +resources that the controller uses as a basis for building Kong configuration. |
| 178 | +The Secret and KongPlugin _do not_ have class annotations, as they are |
| 179 | +referenced by other resources that do. |
| 180 | +
|
| 181 | +[class-annotation]: ../references/annotations.md#kubernetesioingressclass |
| 182 | +[knative-class]: ../guides/using-kong-with-knative.md#ingress-class |
| 183 | +[knative-override]: https://knative.tips/networking/ingress-override/ |
0 commit comments