By default, RKE deploys the NGINX ingress controller on all schedulable nodes.
Note: As of v0.1.8, only workers are considered schedulable nodes, but prior to v0.1.8, worker and controlplane nodes were considered schedulable nodes.
RKE will deploy the ingress controller as a DaemonSet with hostnetwork: true, so ports 443 will be opened on each node where the controller is deployed.
The images used for the ingress controller are under the system_images directive. For each Kubernetes version, there are default images associated with the ingress controller, but these can be overridden by changing the image tag in
Scheduling Ingress Controllers
If you only want ingress controllers to be deployed on specific nodes, you can set a node_selector for the ingress. The label in the node_selector must match the label on the nodes for the ingress controller to be deployed.
nodes:
- address: 18.104.22.168
  role: [controlplane,worker,etcd]
  user: root
  labels:
    app: ingress

ingress:
  provider: nginx
  node_selector:
    app: ingress
Disabling the Default Ingress Controller
You can disable the default controller by specifying none to the ingress provider directive in the cluster configuration.
ingress:
  provider: none
Configuring NGINX Ingress Controller
ingress:
  provider: nginx
  options:
    map-hash-bucket-size: "128"
    # SSLv2 here only illustrates the syntax; it is an obsolete, insecure protocol
    ssl-protocols: SSLv2
  extra_args:
    enable-ssl-passthrough: ""
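A hardened counterpart to the options block above, added here as an example and not taken from the RKE documentation. The keys are ingress-nginx ConfigMap options and controller arguments; the chosen values (protocol list, cipher list, HSTS lifetime) are assumptions to adjust to the clients you must support.

```yaml
ingress:
  provider: nginx
  options:
    map-hash-bucket-size: "128"
    # Weak setting shown in the sample above:
    #   ssl-protocols: SSLv2
    # Corrected: offer only TLS 1.2 and TLS 1.3 (assumed client baseline).
    ssl-protocols: "TLSv1.2 TLSv1.3"
    # Cipher list for TLS 1.2: forward-secret key exchange with AEAD ciphers only.
    ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
    # Redirect plain HTTP to HTTPS for ingresses that have TLS configured.
    ssl-redirect: "true"
    # Send Strict-Transport-Security so browsers stay on HTTPS.
    hsts: "true"
    hsts-max-age: "31536000"
    hsts-include-subdomains: "true"
    # Do not advertise the NGINX version in responses.
    server-tokens: "false"
  extra_args:
    # With passthrough, NGINX forwards the TLS session to the backend, so the
    # ssl-protocols and ssl-ciphers values above do not protect those hosts.
    # Keep this argument only if a backend has to terminate TLS itself.
    enable-ssl-passthrough: ""
```

RKE passes option values as strings, so booleans and numbers are quoted.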
Configuring an NGINX Default Certificate
When configuring an ingress object with TLS termination, you must provide it with a certificate used for encryption/decryption. Instead of explicitly defining a certificate each time you configure an ingress, you can set up a custom certificate that’s used by default.
Setting up a default certificate is especially helpful in environments where a wildcard certificate is used, as the certificate can be applied in multiple subdomains.
- Access to the cluster.yml used to create the cluster.
- The PEM encoded certificate you will use as the default certificate.
Obtain or generate your certificate key pair in a PEM encoded form.
Generate a Kubernetes secret from your PEM encoded certificate with the following command, substituting your certificate for
kubectl -n ingress-nginx create secret tls ingress-default-cert --cert=mycert.cert --key=mycert.key -o yaml --dry-run=true > ingress-default-cert.yaml
Include the contents of ingress-default-cert.yaml inline with your RKE cluster.yml file. For example:
addons: |-
  ---
  apiVersion: v1
  data:
    tls.crt: [ENCODED CERT]
    tls.key: [ENCODED KEY]
  kind: Secret
  metadata:
    creationTimestamp: null
    name: ingress-default-cert
    namespace: ingress-nginx
  type: kubernetes.io/tls
Define your ingress resource with the following default-ssl-certificate argument, which references the secret we created earlier under
ingress:
  provider: "nginx"
  extra_args:
    default-ssl-certificate: "ingress-nginx/ingress-default-cert"
Optional: If you want to apply the default certificate to ingresses in a cluster that already exists, you must delete the NGINX ingress controller pods to have Kubernetes schedule new pods with the newly configured
kubectl delete pod -l app=ingress-nginx -n ingress-nginx