Author: Rufeng

Introduction to K8s Ingress

The network inside a K8s cluster is isolated from the outside: clients outside the cluster cannot reach the cluster's Services directly. How, then, are the services inside a K8s cluster exposed to external users? The K8s community offers three mechanisms: NodePort, LoadBalancer, and Ingress. The following is a comparison of the three:

The comparison shows that Ingress is the more suitable method for business traffic: it operates at layer 7 and can perform more complex routing onto the Services behind it (by host and by path), and it is currently the mainstream choice.
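To make the routing step concrete, the following is an added example (written for this article, not code from Kubernetes or any Ingress controller) that implements the host/path matching rules an Ingress controller applies to each request: exact and wildcard hosts, the spec's Exact and Prefix path types, and the precedence order among overlapping rules. The rule set, hostnames and backend names are constructed for the example. The point a practitioner should take away is the element-wise Prefix semantics: a Prefix rule for `/api` does not match `/apiv2`, and an Exact rule for `/api/health` does not match `/api/health/`.

```go
package main

import (
	"fmt"
	"strings"
)

// Route is one host/path rule of a Kubernetes Ingress, flattened for matching.
// PathType uses the Ingress spec's values "Exact" and "Prefix".
type Route struct {
	Host     string // "" = any host; "*.example.com" = one-label wildcard
	Path     string
	PathType string
	Backend  string // the Service the rule forwards to, as name:port
}

// DemoRoutes is a constructed rule set, not taken from the original article:
// a web front end, an API under /api, an exact health path, a wildcard
// tenant host and a host-less catch-all.
func DemoRoutes() []Route {
	return []Route{
		{"shop.example.com", "/", "Prefix", "web:80"},
		{"shop.example.com", "/api", "Prefix", "api:8080"},
		{"shop.example.com", "/api/health", "Exact", "health:9000"},
		{"*.example.com", "/", "Prefix", "tenant:80"},
		{"", "/", "Prefix", "default:80"},
	}
}

// hostRank scores how specifically a rule's host matches the request host:
// 3 for an exact host, 2 for a wildcard ("*.example.com" matches exactly one
// extra label, so "a.example.com" but not "example.com" or "a.b.example.com"),
// 1 for a host-less rule, 0 for no match.
func hostRank(pattern, host string) int {
	switch {
	case pattern == "":
		return 1
	case pattern == host:
		return 3
	case strings.HasPrefix(pattern, "*."):
		suffix := pattern[1:] // ".example.com"
		label := strings.TrimSuffix(host, suffix)
		if label != host && label != "" && !strings.Contains(label, ".") {
			return 2
		}
	}
	return 0
}

// pathMatches implements the spec's Prefix semantics: the comparison is made
// element-wise on "/"-separated segments, so prefix "/api" matches "/api" and
// "/api/v1" but not "/apiv2". A trailing "/" on the rule path is ignored.
// The request path is assumed to be already normalized by the proxy
// (no "..", no duplicate slashes); this example does not normalize it.
func pathMatches(r Route, path string) bool {
	switch r.PathType {
	case "Exact":
		return r.Path == path
	case "Prefix":
		p := strings.TrimSuffix(r.Path, "/")
		return p == "" || path == p || strings.HasPrefix(path, p+"/")
	}
	return false
}

// Match selects the backend for a request the way an Ingress controller does:
// the most specific host wins first, then Exact beats Prefix, then the longest
// Prefix wins. It returns "" when nothing matches (the controller then serves
// its default backend, typically a 404).
func Match(routes []Route, host, path string) string {
	best, bestScore := "", -1
	for _, r := range routes {
		hr := hostRank(r.Host, host)
		if hr == 0 || !pathMatches(r, path) {
			continue
		}
		score := hr<<20 | len(strings.TrimSuffix(r.Path, "/"))
		if r.PathType == "Exact" {
			score |= 1 << 16
		}
		if score > bestScore {
			best, bestScore = r.Backend, score
		}
	}
	return best
}

func main() {
	routes := DemoRoutes()
	for _, req := range [][2]string{
		{"shop.example.com", "/api/v1/orders"}, // api:8080
		{"shop.example.com", "/apiv2/orders"},  // web:80, not the API
		{"shop.example.com", "/api/health"},    // health:9000 (Exact wins)
		{"shop.example.com", "/api/health/"},   // api:8080 (Exact needs an exact match)
		{"other.example.com", "/api/x"},        // tenant:80 via the wildcard host
		{"a.b.example.com", "/"},               // default:80, wildcard is one label only
	} {
		fmt.Printf("%-20s %-16s -> %s\n", req[0], req[1], Match(routes, req[0], req[1]))
	}
}
```

When reviewing Ingress rules for an exposed application, check the PathType on every rule: ImplementationSpecific leaves the matching semantics to the controller, and a controller that treats the path as a plain string prefix would route `/adminlogin` to whatever backend was meant to sit behind `/admin`.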

The current state of K8s Ingress

To paraphrase a popular saying: the same is true of K8s Ingress. K8s hoped to standardize the definition of rules for traffic entering a cluster through Ingress, but real workloads need far more than the function points Ingress provides. To meet those demands, each Ingress Provider has gone its own way. Broadly, the solutions fall into two types: extending Ingress through Annotations, and defining new CRDs. The following illustration shows both:

Trends among K8s Ingress Providers

From the user's perspective, the many Ingress Providers have both an advantage and a disadvantage: the advantage is that users have many options, and the disadvantage is that there are too many to choose from. How do we pick an Ingress Provider suited to our own business? Take a look at the authoritative CNCF statistics:

It is no surprise that Nginx occupies first place among Ingress Providers. Although Nginx Ingress still holds the top spot, its growth has weakened and even shows a downward trend. In contrast, Envoy climbed from third place in 2019 to second in 2020, and its usage nearly doubled, from less than 20 percent in 2019 to 37 percent in 2020.

So why has Envoy grown so fast? The following points sum it up:

1. In the context of distributed microservices, features such as hot configuration updates, HTTP/3, and Wasm fit the current usage landscape well, and community governance is very healthy, with many of the Internet's largest players participating deeply.

2. Envoy can be used as an Ingress Provider and is also the de facto leader among sidecars in Service Mesh. Using one technology to schedule both north-south and east-west traffic is another reason users choose Envoy.

3. Envoy meets production-grade requirements and has been extensively proven at Lyft.

A new K8s Ingress Provider option: the cloud native gateway

Under the microservice architecture of the virtualization era, a business usually adopts a two-layer architecture of traffic gateway plus microservice gateway: the traffic gateway is responsible for north-south traffic scheduling and security protection, and the microservice gateway for east-west traffic scheduling and service governance. In the cloud native era led by containers and K8s, Ingress has become the gateway standard of the K8s ecosystem, and the gateway has been given a new mission, which makes it possible to merge the traffic gateway and the microservice gateway.

The cloud native gateway released by MSE collapses the two-layer gateway into one layer without compromising capability, which not only saves 50% of the resource cost but also reduces operation, maintenance, and usage costs.

Advantages of the cloud native gateway

Stronger performance

Before we begin, a quick question: is the performance of Nginx Ingress equivalent to that of Nginx itself? With this question in mind, let us go straight to the load-test data:

Surprised? To be honest, the results of the load test surprised us as well. The results are as follows:

We also looked into the Nginx Ingress implementation and community feedback. The K8s Nginx Ingress community has a dedicated issue on this: github.com/kubernetes/…

The following screenshot shows the impact of Lua on Nginx Ingress performance:

More features

The cloud native gateway, as a combination of traffic gateway and microservice gateway, provides rich security authentication and service governance capabilities at the same time. It also performs kernel tuning and hardware acceleration for performance, and, building on Alibaba's two years of experience with large-scale internal deployment, further extends high availability. The overall functionality is as follows:

More reliable stability

Over years of intensive verification, Alibaba has accumulated a set of high availability assurance schemes that control risk and improve stability across research and development, operation, and change management. Each stage has its own means of verifying its high availability goals, as illustrated in the following figure:

Upcoming major features of the cloud native gateway

TLS hardware acceleration

At present, HTTPS is the main way public network requests are served. With HTTPS, a TLS handshake is required, and its asymmetric cryptography (key exchange and signing) makes it far more expensive in CPU terms than plain HTTP. With the significant improvement of CPU performance, the SIMD mechanisms of the CPU can be used to accelerate TLS. We therefore launched a TLS hardware acceleration function based on Intel Ice Lake processors. Load tests show that QPS improves greatly once TLS acceleration is enabled, as shown in the figure below:

Built-in WAF

For a north-south, public-facing gateway, using a WAF to block abnormal traffic is a very common requirement, and as the Internet environment becomes ever more complex, users' protection requirements keep increasing. The conventional practice is to route traffic first to a WAF security gateway, then forward the filtered traffic to the traffic gateway, and finally to the microservice gateway. The cloud native gateway's built-in WAF module connects directly to Alibaba Cloud's WAF product, so that users can complete WAF protection, traffic distribution, and microservice governance through the cloud native gateway alone, which shortens the request path (lower link RT) and reduces the operational complexity of the gateway, as shown below:

Wasm plugin marketplace

Wasm is one of the most popular technologies today. It is popular because Wasm programs can be written in multiple languages, and Wasm provides a good sandbox for controlling the execution environment of those programs. The Istio and Envoy communities already provide basic support for Wasm plugins. Building on the community's work, the cloud native gateway plans to launch its own plugin marketplace to improve the gateway's extensibility and make it easier for users to customize gateway plugins. We also compared and tested the performance of the existing Wasm runtimes, which will serve as a basis for our development, as shown below:

Final words

The MSE cloud native gateway provides users with a more reliable, lower-cost, more efficient enterprise gateway product that conforms to the K8s Ingress standard. For more details on the release, watch the launch livestream: yqh.aliyun.com/live/detail…

The MSE cloud native gateway offers two payment modes, pay-as-you-go and monthly subscription, and supports the Hangzhou, Shanghai, Beijing, Shenzhen, Zhangjiakou, Hong Kong, Singapore, US (Virginia), US (Silicon Valley), and Germany (Frankfurt) regions, with other regions to follow. Click here to purchase the cloud native gateway.

You can also search for group number 34754806 to join the user group for discussion and Q&A. The group publishes the latest cloud native technology news, collects the most complete cloud native content, holds regular cloud native events and livestreams, and publishes Alibaba product and user best practices, exploring cloud native technology with you and sharing the cloud native content you need.

Follow the [Alibaba Cloud native] public account for more real-time cloud native information!