Accessing Services Across Namespaces with Amazon EKS ALB

Overview

To provision an ALB for Amazon EKS, you create an Ingress.
If, for cost or architectural reasons, you do not want a separate ALB for each namespace, you can create a single ALB and then create an Ingress and a Service in each namespace.
However, if you simply create an Ingress in kube-system and a Service in a namespace called dev1, the Service is reported as not found, because the backend reference crosses namespace boundaries.

Conclusion

The solution is to specify a group in the Ingress annotations.
Other approaches exist, such as using ExternalName, but specifying a group is simpler to implement.

  1. Deploy the AWS Load Balancer Controller in an arbitrary namespace (e.g., kube-system).
  2. Create an Ingress and a Service in each namespace.
  3. Set a group on the Ingresses created in each namespace.

Architecture

Listener rules are added to a single ALB, one for each Host header.

Ingress annotations

When the same name is set in alb.ingress.kubernetes.io/group.name, the Ingresses use the same ALB.
Reference: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/ingress/annotations/

Manifest sample

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-a
  namespace: dev1
  annotations:
    alb.ingress.kubernetes.io/load-balancer-name: example-alb
    alb.ingress.kubernetes.io/group.name: example  # <-- Specify here
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/manage-backend-security-group-rules: "true"
spec:
  ingressClassName: alb
  rules:
    - host: dev1.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dev1-service
                port:
                  number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-b
  namespace: dev2
  annotations:
    alb.ingress.kubernetes.io/load-balancer-name: example-alb
    alb.ingress.kubernetes.io/group.name: example  # <-- Specify here
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/manage-backend-security-group-rules: "true"
spec:
  ingressClassName: alb
  rules:
    - host: dev2.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dev2-service
                port:
                  number: 80
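
The group name is the only thing that ties these Ingresses to the shared ALB, so any namespace whose users can create an Ingress with the same group.name adds listener rules to it. The check below is an added example, not code from the original article: it reads the output of kubectl get ingress -A -o json and reports group members from namespaces outside an expected list, plus hosts claimed from more than one namespace. The sample data, the sandbox namespace, and the audit_groups function are constructed for illustration.

```python
import json
from collections import defaultdict

GROUP_KEY = "alb.ingress.kubernetes.io/group.name"

def _ingress(namespace, name, host, group="example"):
    """Build one constructed item in the shape kubectl returns."""
    return {"metadata": {"name": name, "namespace": namespace,
                         "annotations": {GROUP_KEY: group}},
            "spec": {"rules": [{"host": host}]}}

# Constructed sample of `kubectl get ingress -A -o json`; the "sandbox"
# Ingress is a hypothetical member nobody expected to join the group.
SAMPLE = json.dumps({"items": [
    _ingress("dev1", "example-a", "dev1.example.com"),
    _ingress("dev2", "example-b", "dev2.example.com"),
    _ingress("sandbox", "shadow", "dev1.example.com"),
]})

def audit_groups(ingress_list_json, allowed):
    """Return findings; `allowed` maps group name -> expected namespaces."""
    hosts = defaultdict(set)  # (group, host) -> namespaces claiming it
    findings = []
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        group = (meta.get("annotations") or {}).get(GROUP_KEY)
        if not group:
            continue  # no group annotation on this Ingress
        ns = meta.get("namespace", "default")
        if ns not in allowed.get(group, set()):
            findings.append(("unexpected-namespace", group, ns, meta.get("name")))
        for rule in (item.get("spec") or {}).get("rules") or []:
            hosts[(group, rule.get("host") or "*")].add(ns)
    for (group, host), namespaces in sorted(hosts.items()):
        if len(namespaces) > 1:
            findings.append(("host-claimed-by-multiple-namespaces",
                             group, host, sorted(namespaces)))
    return findings

if __name__ == "__main__":
    for finding in audit_groups(SAMPLE, {"example": {"dev1", "dev2"}}):
        print(finding)
```

Against a live cluster, pass the real kubectl output in place of SAMPLE and keep the allowed mapping under version control next to the manifests.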
