aws-load-balancer-controller
Feature: Allow setting of priority order rule
Describe the bug
We are facing an issue with the priority order rule.
ingress manifest
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/actions.response-403: |
      {"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"403","messageBody":"403 External access to endpoint not allowed"}}
    alb.ingress.kubernetes.io/actions.root-redirect: '{"Type": "redirect", "RedirectConfig":
      { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301", "Path": "/auth"}}'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":
      { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/group.name: alb-ingress
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-port: "8443"
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-FS-1-2-Res-2019-08
    alb.ingress.kubernetes.io/target-type: ip
    kubernetes.io/ingress.class: alb
    meta.helm.sh/release-name: application
    meta.helm.sh/release-namespace: default
  creationTimestamp: "2022-09-19T04:10:23Z"
  finalizers:
  - group.ingress.k8s.aws/alb-ingress
  generation: 2
  labels:
    app: application
    app.kubernetes.io/managed-by: Helm
  name: application
  namespace: default
  resourceVersion: "417101858"
  uid: c7047b08-d71c-455b-a6cb-88277b14fe05
spec:
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          service:
            name: response-403
            port:
              name: use-annotation
        path: /metrics
        pathType: ImplementationSpecific
      - backend:
          service:
            name: application-service
            port:
              number: 8443
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - example.com
    secretName: example-secret
```
Expected outcome
- We expect that in the ALB rules, the rule with path /metrics will have higher priority than the rule with path /. But when we access https://example.com/metrics it still returns metric data, while we expect it to return 403.
- We tried to move the backend service with path / to defaultBackend; however, if we deploy 2 of the same ingresses (with different hosts) that include defaultBackend, it generates the error below. So we expect Ingress to support setting the priority order of rules.
Warning FailedBuildModel 8s (x13 over 30s) ingress Failed build model due to multiple ingress defined default backend:
Any solution to resolve this issue would be very much appreciated!
Environment
- AWS Load Balancer controller version: v2.5.2
- Kubernetes version: 1.25
- Using EKS (yes/no), if so version? yes
Hi @chary1112004 ,
From my understanding, if you want to configure rule priority, a way is to create two Ingresses with the same `alb.ingress.kubernetes.io/group.name` [1] annotation, and configure the Ingress order with the `alb.ingress.kubernetes.io/group.order` [2] annotation.
For example, you can set the Ingress with rule path `/metrics` with a smaller number of `group.order`, so its rule will be evaluated first.
[1] AWS Load Balancer Controller - Ingress annotations - alb.ingress.kubernetes.io/group.name https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/ingress/annotations/#group.name
[2] AWS Load Balancer Controller - Ingress annotations - alb.ingress.kubernetes.io/group.order https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/ingress/annotations/#group.order
Hi @ysam12345,
Thank you for your suggestion. As far as I know, if we create a new group then it means a new application load balancer will be created. Does this new application load balancer cost anything (for example without throughput)?
Regards
Hi @chary1112004 ,
What I mean is to use multiple Ingresses with the same `alb.ingress.kubernetes.io/group.name`. In this case, the controller will only create a single ALB for multiple Ingresses, and the rules in multiple Ingresses will be aggregated into a single ALB, just like the document said here [1]:
> IngressGroup feature enables you to group multiple Ingress resources together.
> The controller will automatically merge Ingress rules for all Ingresses within IngressGroup and support them with a single ALB.
> In addition, most annotations defined on an Ingress only apply to the paths defined by that Ingress.
So it shouldn't create a new ALB without throughput. I hope this helps.
[1] IngressGroup https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/ingress/annotations/#ingressgroup
Hi @ysam12345, thank you. I thought the group order is for ordering between groups, not within the same group.
I will give it a try. Thank you!
The priority of the rules is decided by the pathType. The Prefix type takes higher priority here than ImplementationSpecific. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/spec/#ingress-specification Have you tried setting the appropriate pathType on your rules?
@shraddhabang thanks for the follow up. Since we have been doing a manual step to re-order as a workaround for now, we did not have a chance to come back to this again. I will close this one since there is already a suggestion from @ysam12345
Hi @ysam12345,
We are coming back to this one.
I have checked again, and what you mean could be for different hosts. In our case, we configure the same host (in this one it is host: example.com) with different paths.
@shraddhabang: yes, however when we try to switch between Prefix and ImplementationSpecific, there is an error in the Ingress: prefix path shouldn't contain wildcards
Hi @chary1112004 ,
My reply is not specifically for the use case of different hosts. You can define the same host with different paths in different Ingresses, because those Ingress rules will eventually be transferred to ALB Listener rules.
Example 1
group.order 10 -> 20 -> 30
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-1
  annotations:
    alb.ingress.kubernetes.io/group.order: '10'
    alb.ingress.kubernetes.io/group.name: my-ingress-group
spec:
  ingressClassName: alb
  rules:
    - host: foo.bar
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: "foo-bar"
                port:
                  number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-2
  annotations:
    alb.ingress.kubernetes.io/group.order: '20'
    alb.ingress.kubernetes.io/group.name: my-ingress-group
spec:
  ingressClassName: alb
  rules:
    - host: foo.bar
      http:
        paths:
          - path: /aaa
            pathType: ImplementationSpecific
            backend:
              service:
                name: "foo-bar"
                port:
                  number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-3
  annotations:
    alb.ingress.kubernetes.io/group.order: '30'
    alb.ingress.kubernetes.io/group.name: my-ingress-group
spec:
  ingressClassName: alb
  rules:
    - host: foo.bar
      http:
        paths:
          - path: /bbb
            pathType: ImplementationSpecific
            backend:
              service:
                name: "foo-bar"
                port:
                  number: 80
```
Example 2
group.order 30 -> 20 -> 10
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-1
  annotations:
    alb.ingress.kubernetes.io/group.order: '30'
    alb.ingress.kubernetes.io/group.name: my-ingress-group
spec:
  ingressClassName: alb
  rules:
    - host: foo.bar
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: "foo-bar"
                port:
                  number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-2
  annotations:
    alb.ingress.kubernetes.io/group.order: '20'
    alb.ingress.kubernetes.io/group.name: my-ingress-group
spec:
  ingressClassName: alb
  rules:
    - host: foo.bar
      http:
        paths:
          - path: /aaa
            pathType: ImplementationSpecific
            backend:
              service:
                name: "foo-bar"
                port:
                  number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-3
  annotations:
    alb.ingress.kubernetes.io/group.order: '10'
    alb.ingress.kubernetes.io/group.name: my-ingress-group
spec:
  ingressClassName: alb
  rules:
    - host: foo.bar
      http:
        paths:
          - path: /bbb
            pathType: ImplementationSpecific
            backend:
              service:
                name: "foo-bar"
                port:
                  number: 80
```
I'm not sure if this meets your requirement. Also, please ignore the HTTP 503 response code in the screenshot because I didn't define "foo-bar" in my environment.
Hi @ysam12345,
I have added multiple Ingresses with the same host and different group orders (in the same group), and it works for me.
Thanks for your support!
This also worked for host definitions. Thanks a lot.
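The ordering discussed in this thread can be checked before deploying. The following is an added sketch, not part of the thread and not the controller's code: it models rule evaluation (Ingresses by `group.order`, then pathType within an Ingress) and reports which backend answers a request, so a deny rule such as the `/metrics` 403 that is shadowed by a broader rule shows up. The sort model is a simplification, and the `application-deny` name and the order values 10 and 20 are hypothetical.

```python
import re

# Simplified ordering model (an assumption of this example, following the thread):
# Ingresses in a group sort by group.order ascending, then by name; inside one
# Ingress, Exact paths come first, then Prefix (longest first), then
# ImplementationSpecific in the order written.
RANK = {"Exact": 0, "Prefix": 1, "ImplementationSpecific": 2}

def _matches(rule, host, req_path):
    if rule["host"] != host:
        return False
    if rule["pathType"] == "Exact":
        return req_path == rule["path"]
    if rule["pathType"] == "Prefix":
        base = rule["path"].rstrip("/")
        pats = [base, base + "/*"] if base else ["/*"]
    else:
        pats = [rule["path"]]
    # ALB path patterns: * = any run of characters, ? = exactly one character
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."), req_path)
               for p in pats)

def evaluation_order(ingresses):
    ordered = []
    for ing in sorted(ingresses, key=lambda i: (i.get("order", 0), i["name"])):
        rules = sorted(ing["rules"], key=lambda r: (
            RANK[r["pathType"]], -len(r["path"]) if r["pathType"] == "Prefix" else 0))
        ordered += [(ing["name"], r) for r in rules]
    return ordered

def first_match(ingresses, host, req_path):
    """Return (ingress name, backend) of the first rule that matches, or None."""
    for name, rule in evaluation_order(ingresses):
        if _matches(rule, host, req_path):
            return name, rule["backend"]
    return None

def rule(path, path_type, backend, host="example.com"):
    return {"host": host, "path": path, "pathType": path_type, "backend": backend}

# Constructed from the manifest in the issue: one Ingress carrying both paths.
ORIGINAL = [{"name": "application", "rules": [
    rule("/metrics", "ImplementationSpecific", "response-403"),
    rule("/", "Prefix", "application-service")]}]

# Same rules split across two Ingresses in one group (hypothetical names/orders).
SPLIT = [
    {"name": "application", "order": 20,
     "rules": [rule("/", "Prefix", "application-service")]},
    {"name": "application-deny", "order": 10,
     "rules": [rule("/metrics", "ImplementationSpecific", "response-403")]}]
```

`first_match(ORIGINAL, "example.com", "/metrics")` resolves to `application-service`, the exposure reported in the issue, while the same call on `SPLIT` resolves to `response-403`.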