Defining Network Profile for the HTTP/S Ingress Controller

This topic describes how to define network profiles for Kubernetes clusters provisioned with Enterprise Pivotal Container Service (Enterprise PKS) on vSphere with NSX-T.

About the NCP Ingress Controller

The NSX-T Load Balancer is a logical load balancer that handles a number of functions using virtual servers and pools.

By default the following NSX-T virtual servers are deployed by Enterprise PKS:

  • 1 per cluster TCP layer 4 virtual server for the Kubernetes API server
  • 1 TCP layer 4 virtual server for each Kubernetes service of type: LoadBalancer
  • 2 per cluster layer 7 virtual servers for the Kubernetes Ingress Controller (HTTP and HTTPS)

The TCP layer 4 virtual server that fronts the Kubernetes API server is always created, and it is not controlled by the parameters exposed in the network profile.

The nsx_lb parameter is used to control the TCP layer 4 virtual server that is provisioned for each Kubernetes service of type: LoadBalancer.

The nsx_ingress_controller parameter controls whether NCP is used as the Ingress Controller for the Kubernetes cluster. By default, when you define an ingress resource for a Kubernetes cluster, NCP instructs the NSX-T load balancer to provision 2 layer 7 virtual services (HTTP and HTTPS) as the Ingress Controller.

The nsx_ingress_controller parameter is subject to the nsx_lb parameter as described in the following table.

| nsx_lb setting | "nsx_ingress_controller": true (default) | "nsx_ingress_controller": false |
| --- | --- | --- |
| "nsx_lb": true (default) | This means you want to use the NSX-T Layer 4 Load Balancer and the NCP-provisioned Layer 7 Ingress Controller. | This means you want to use the NSX-T Layer 4 Load Balancer and a third-party Ingress Controller, such as NGINX. |
| "nsx_lb": false | This is an invalid configuration because you cannot disable the NSX-T Load Balancer and use NCP as the Ingress Controller. The network profile will fail validation. | This means you want to use a third-party load balancer and a third-party ingress controller. |

Ingress Parameters

The following table shows the ingress parameters for configuring NCP:

| Parameter | Type | Description |
| --- | --- | --- |
| name | String | User-defined name of the network profile. |
| description | String | User-defined description for the network profile. |
| parameters | Map | One or more name-value pairs. |
| cni_configurations | Map | Map containing two key-value pairs: type and parameters. |
| type | Constant String | Only nsxt is accepted. |
| parameters | Map | Map containing one or more key-value pairs for NCP settings. |
| nsx_ingress_controller | Boolean | Flag to control if NCP is used as the Ingress Controller for the Kubernetes cluster. |
| ingress_ip | String | IP address to use for ingress controller load balancer. |
| ingress_persistence_settings | Map | Holds parameters for customizing Layer 7 persistence. |
| persistence_type | String | Valid values are cookie or source_ip. An empty value is not accepted. |
| persistence_timeout | Integer | Value that is equal to 1 or larger. Empty value is not accepted. |

Example Network Profile for Ingress

The following network profile is an example that illustrates the parameters exposed for configuring the NSX Ingress Controller.

{
  "name": "ncp_network_profile",
  "description": "Example network profile for ingress controller",
  "parameters" : {
     "cni_configurations": {
         "type": "nsxt",
         "parameters": {
           "nsx_ingress_controller": false,        
           "ingress_ip": "192.168.160.212",
           "ingress_persistence_settings": {
             "persistence_type": "cookie",
             "persistence_timeout": 1 
             }
           }
        }
    }
}

NSX Ingress Controller

NCP depends on the NSX-T Load Balancer to fulfill its role as an Ingress Controller. To use a third-party ingress controller, such as the NGINX Ingress Controller, set the nsx_ingress_controller to false.

For example:

{
  "name": "example_network_profile",
  "description": "Use the nsx_lb with a 3rd party ingress controller",
  "parameters": {
    "cni_configurations": {
      "type": "nsxt",
      "parameters": {
         "nsx_lb": true,
         "nsx_ingress_controller": false
      }
    }
  }
}

The following network profile uses a third-party load balancer and a third-party ingress controller.

{
  "name": "example_network_profile",
  "description": "Use the nsx_lb with a 3rd party ingress controller",
  "parameters": {
    "cni_configurations": {
      "type": "nsxt",
      "parameters": {
         "nsx_lb": false,
         "nsx_ingress_controller": false
      }
    }
  }
}

The following network profile is invalid; you cannot disable the nsx_lb and use the NCP Ingress Controller.

{
  "name": "example_network_profile",
  "description": "Use the nsx_lb with a 3rd party ingress controller",
  "parameters": {
    "cni_configurations": {
      "type": "nsxt",
      "parameters": {
         "nsx_lb": false,
         "nsx_ingress_controller": true
      }
    }
  }
}

Ingress IP

The ingress_ip parameter instructs NCP to create an ingress virtual server with the given IP address.

The ingress_ip parameter type is a string that accepts any valid IP address. A missing entry is accepted.

Example network profile for ingress_ip:

{
  "name": "example-network-profile",
  "description": "ingress_ip",
  "parameters" : {
     "cni_configurations": {
         "type": "nsxt",
         "parameters": {
           "ingress_ip": "192.168.160.212"
         }
     }
  }
}

An invalid IP address is rejected with an invalid parameter value error. For example, the following network profile parameters cannot be parsed because the "ingress_ip": "192.168.460.212" address is an invalid IP address.

{
  "name": "example-network-profile",
  "description": "ingress_ip-ERROR",
  "parameters" : {
     "cni_configurations": {
         "type": "nsxt",
         "parameters": {
           "ingress_ip": "192.168.460.212"
         }
     }
  }
}

The following network profile cannot be parsed because the JSON input is invalid (the ingress_ip value is not a string).

{
  "name": "example-network-profile",
  "description": "ingress_ip-ERROR",
  "parameters" : {
     "cni_configurations": {
         "type": "nsxt",
         "parameters": {
           "ingress_ip": 192.168.160.212
         }
     }
  }
}

Ingress Persistence Settings

The ingress_persistence_settings parameter lets you customize layer 7 persistence for Kubernetes services.

The ingress_persistence_settings parameter is a map that supports two keys: persistence_type and persistence_timeout. These two keys are correlated and must be set/unset at the same time. If persistence_type and persistence_timeout are not both specified, the network profile fails validation.

| Parameter | Data type | Description |
| --- | --- | --- |
| persistence_type | String | Valid values are cookie or source_ip. An empty value is not accepted. |
| persistence_timeout | Integer | Value that is equal to 1 or larger. Empty value is not accepted. |

Example 1: network profile for ingress_persistence_settings:

{
  "name": "example_network_profile",
  "description": "ingress_persistence_settings",
  "parameters" : {
     "cni_configurations": {
         "type": "nsxt",
         "parameters": {
           "ingress_ip": "192.168.160.212",
           "ingress_persistence_settings": {
             "persistence_type": "cookie",
             "persistence_timeout": 1
            }
         }
     }
  }
}

Example 2: network profile for ingress_persistence_settings:

{
  "name": "example_network_profile",
  "description": "ingress_persistence_settings",
  "parameters" : {
     "cni_configurations": {
         "type": "nsxt",
         "parameters": {
           "ingress_ip": "192.168.160.212",
           "ingress_persistence_settings": {
             "persistence_type": "source_ip",
             "persistence_timeout": 100
            }
         }
     }
  }
}
