Ingress Controllers
Ingress is only an API object. An Ingress Controller is the component that watches those objects and programs real data-plane behavior (load balancer rules, proxy config, TLS settings).
When to Use This Page
Section titled “When to Use This Page”Use this guide when you need to choose a controller, wire TLS/mTLS, and troubleshoot ingress behavior in production.
Common Controller Choices
Section titled “Common Controller Choices”| Controller | Best fit | Notes |
|---|---|---|
| NGINX Ingress Controller | General-purpose Kubernetes ingress | Mature ecosystem, rich annotations, common in self-managed clusters. |
| Traefik | Simpler dynamic config and CRD-first workflows | Good developer ergonomics; common in platform teams that prefer Traefik CRDs. |
| AWS Load Balancer Controller | EKS with native ALB/NLB integration | Creates AWS resources from Kubernetes objects; strong fit for AWS-native edge integration. |
TLS Termination Patterns
Section titled “TLS Termination Patterns”Edge Termination (Most Common)
Section titled “Edge Termination (Most Common)”Client TLS terminates at the ingress edge (ALB, NLB+TLS, NGINX, Traefik), then traffic continues to backends over HTTP or re-encrypted HTTPS.
Use when:
- You want centralized cert handling and simpler app configs.
- You need host/path routing and policy at the edge.
TLS Passthrough
Section titled “TLS Passthrough”TLS stays encrypted through the ingress layer and is terminated by the backend service.
Use when:
- The application must own certificates directly.
- You need end-to-end TLS visibility at the workload tier.
Trade-off: less L7 visibility and fewer routing features at ingress.
mTLS Patterns at Ingress
Section titled “mTLS Patterns at Ingress”Client-to-Ingress mTLS
Section titled “Client-to-Ingress mTLS”The client presents a certificate; ingress validates it against a trusted CA bundle.
Typical use:
- B2B APIs
- Admin endpoints
- Internal service entrypoints with strict client identity
Ingress-to-Backend mTLS
Section titled “Ingress-to-Backend mTLS”Ingress presents a client cert to upstream services, and upstream verifies it.
Typical use:
- Zero-trust internal boundaries
- Compliance-driven encryption and identity between tiers
cert-manager Integration
Section titled “cert-manager Integration”cert-manager automates certificate issuance and renewal in-cluster.
Core resources:
- Issuer / ClusterIssuer: where certs come from (ACME, Vault, private PKI).
- Certificate: desired cert config; resulting keypair lands in a Secret.
- Secret: consumed by ingress for TLS/mTLS.
High-level flow:
- Install
cert-managerand createIssuerorClusterIssuer. - Create
Certificateresources for ingress hostnames. - Reference the generated TLS Secret in Ingress.
- Verify renewal before expiry and alert on failures.
AWS-Specific Notes
Section titled “AWS-Specific Notes”- On EKS, AWS Load Balancer Controller maps Ingress to ALB behavior.
- For public certs on AWS-managed edges, teams often use ACM.
- Keep
Servicetype: LoadBalancerandIngressroles clear: one is L4 service exposure, the other is L7 routing intent. - For deeper AWS context, see Service with
type: LoadBalancer(L4, Often NLB) and Ingress withingressClassName: alb(L7, ALB).
See:
Troubleshooting Checklist
Section titled “Troubleshooting Checklist”- Controller running? Check deployment/pods and controller logs.
- Ingress class correct?
ingressClassNamematches the installed controller. - TLS secret present? Secret name and namespace are correct.
- Certificate valid? SAN/CN match host; chain is complete; cert not expired.
- Client trust aligned? mTLS CA bundle on ingress matches client cert issuer.
- DNS and SNI correct? Host resolves to ingress edge and requested SNI matches cert.
- Backend protocol consistent? Avoid accidental double TLS or protocol mismatch.
Minimal Examples
Section titled “Minimal Examples”Ingress with TLS Secret
Section titled “Ingress with TLS Secret”apiVersion: networking.k8s.io/v1kind: Ingressmetadata: name: app-ingressspec: ingressClassName: nginx tls: - hosts: ["app.example.com"] secretName: app-example-com-tls rules: - host: app.example.com http: paths: - path: / pathType: Prefix backend: service: name: app port: number: 80cert-manager Certificate
Section titled “cert-manager Certificate”apiVersion: cert-manager.io/v1kind: Certificatemetadata: name: app-example-comspec: secretName: app-example-com-tls dnsNames: - app.example.com issuerRef: kind: ClusterIssuer name: letsencrypt-prod