CNCFKubernetesContainer OrchestrationIntermediate23 min read

What Is Ingress Resources in Networking?

Also known as: Ingress Resources, Kubernetes, CKA exam, Ingress Controller, Services and Networking

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Ingress Resources are like a smart traffic director for a Kubernetes cluster. They let you control how people from the internet reach your applications running inside the cluster. Instead of opening many doors, you create one main door that looks at the request and decides which room (service) it should go to based on the web address or path.

Must Know for Exams

Ingress Resources are explicitly covered in the CNCF Certified Kubernetes Administrator (CKA) exam, under the ‘Services and Networking’ domain (which is about 20% of the exam). The exam objectives state: ‘Understand how to expose applications using Ingress.’ You may also encounter Ingress in the CKAD (Certified Kubernetes Application Developer) exam, though with less emphasis. In CKA, the tasks are hands-on: you must be able to create and modify Ingress YAML manifests to expose a Service correctly.

The exam might ask you to configure an Ingress that routes traffic to a specific Service based on a hostname, or to add TLS termination. You will need to know the correct API version (networking.k8s.io/v1), the required fields (apiVersion, kind, metadata.name, spec.rules), and the structure of rules including host, http.paths, pathType, and backend.service.name with service.port.number. You should also understand how Ingress interacts with Services and Pods.

Importantly, the exam does not require deep knowledge of a specific Ingress controller implementation (like NGINX-specific annotations). The focus is on the standard Ingress API. However, you must know that an Ingress Resource alone does not work; an Ingress Controller must be running in the cluster. The exam environment usually has a working Ingress Controller, so your YAML will take effect. You may also be asked to troubleshoot why a Service is not reachable via Ingress, which involves checking that the Service exists, the Ingress YAML is correct, and the hostname resolves properly.

Exam questions can be in the form of a scenario: you are given a deployment and a Service, and you must create an Ingress to expose it at a given hostname. You might also have to update an existing Ingress to add a new path. Time management matters: knowing the YAML structure cold saves precious minutes. Practicing with kubectl create ingress or writing YAML from scratch is essential.

Simple Meaning

Imagine you live in a large apartment building with many different offices. Each office offers a different service, like a bakery, a post office, and a bank. People from outside the building need to visit these offices, but the building only has one main entrance. Without a system, visitors would have to know exactly which office is where and knock on every door.

Ingress Resources are like a smart reception desk placed just inside the main entrance. When a visitor arrives, they tell the receptionist which office they want (for example, by saying ‘I want the bakery’ or by saying ‘I need to mail a letter’). The receptionist looks at a list of rules and directs the visitor to the correct office. This way, the visitor only needs to know the building’s main address, not each office’s specific location. The reception desk also handles security, ensuring only certain visitors are allowed in.

In Kubernetes, the Ingress Resource is that set of rules. It tells the cluster how to handle incoming web traffic. Instead of creating a separate public internet address for each service, you create one or a few Ingress rules. When a request arrives, the Ingress controller (the software that implements the rules) reads the request. It looks at the hostname (like ‘store.myapp.com’) and the path (like ‘/images’ or ‘/api’). It then forwards the request to the correct backend service inside the cluster. This avoids complicated manual port management and makes it easier to scale, secure, and update your applications. In short, Ingress Resources are the official rulebook for directing internet traffic inside your Kubernetes cluster.

Full Technical Definition

Ingress Resources are a standard Kubernetes API object defined in the networking.k8s.io/v1 API group. They provide HTTP and HTTPS routing rules for external traffic entering a cluster. An Ingress Resource is not a working component by itself; it requires an Ingress Controller, which is a separate pod or set of pods that watches the Kubernetes API for Ingress Resource definitions and configures a load balancer or proxy accordingly.

An Ingress Resource definition includes several key fields: spec.rules, spec.tls, and spec.defaultBackend. Each rule can specify a host (domain name) and a list of paths. Each path has a pathType, which can be Prefix, Exact, or ImplementationSpecific. The path points to a backend, which is a reference to a Kubernetes Service by name and port. When a request arrives, the Ingress Controller matches the request’s host and path against the rules. If matched, the request is forwarded to the corresponding Service, which then distributes it to running Pods.

Ingress Resources support TLS termination, meaning you can attach TLS certificates to secure traffic. The spec.tls field lists hosts and a secret name that contains the certificate and key. The controller terminates the TLS connection at the ingress layer, then forwards plain HTTP to the backend Services. This offloads encryption overhead from application pods.

In real IT environments, Ingress Resources are often used with controllers like NGINX Ingress Controller, Traefik, HAProxy, or cloud-provider-specific ones like AWS Load Balancer Controller or GKE Ingress. The controller can automatically provision cloud load balancers (like ALB on AWS) and update them when Ingress rules change. Ingress Resources can also support advanced features like rewrite rules, headers manipulation, websocket support, and rate limiting, although these are often controller-specific annotations rather than core API fields.

From an exam perspective, the CNCF CKA exam tests understanding of Ingress Resources at the object definition level. You may be asked to create an Ingress YAML manifest, expose a Service via Ingress, or troubleshoot why traffic is not reaching a Service. You must know the structure of spec.rules, path matching types, and how TLS configuration works. The exam does not require deep knowledge of a specific controller’s advanced features, but you must understand the core API and how it integrates with Services.

Real-Life Example

Think of a large office building with multiple companies on different floors. The building has one main lobby and one main address: 100 Business Avenue. Each company inside offers different services: Company A handles accounting, Company B handles legal advice, and Company C handles IT support. Visitors come to the building wanting to reach a specific company.

Instead of giving each company its own separate entrance with a different street address (which would be expensive and confusing), the building has a single reception desk in the lobby. The receptionist has a directory. When a visitor arrives and says ‘I need to see the accountant at Company A,’ the receptionist checks the directory and tells the visitor to go to the third floor, room 301. If another visitor says ‘I need legal help from Company B,’ the receptionist directs them to the fifth floor, room 502.

Additionally, some visitors may need security checks. For example, only employees of Company A can enter their floor after hours. The receptionist checks badges before granting access. This is like TLS termination: the Ingress controller checks the visitor’s security credentials (TLS certificate) before allowing them through.

This maps directly to Ingress Resources. The building’s main address is the cluster’s external IP or DNS name. The companies are backend Services. The directory of rules (which company is on which floor) is the Ingress Resource. The receptionist is the Ingress Controller, which reads the rules and routes traffic. Without Ingress, each company would need its own separate entrance (a separate LoadBalancer Service), which is costly and messy. The Ingress Resource keeps everything organized under a single entry point.

Why This Term Matters

In real IT work, managing external access to a Kubernetes cluster efficiently is critical. Without Ingress Resources, every Service that needs to be accessed from outside the cluster would require its own LoadBalancer type Service, which provisions a cloud load balancer. In cloud environments, each load balancer costs money and adds complexity in DNS management, certificate handling, and security. Using Ingress Resources, you consolidate all HTTP and HTTPS traffic through one or a small number of entry points, drastically reducing costs and simplifying operations.

Ingress Resources also enable advanced traffic management. You can route traffic based on URL paths, which is essential for microservices architectures where different services handle different parts of a single application (for example, /api requests go to a backend service, while /static requests go to a file server). You can also route based on hostnames, allowing multiple applications (like app1.example.com and app2.example.org) to share the same cluster and same IP address, reducing the number of public IPs needed.

Security is another major reason Ingress matters. By terminating TLS at the ingress point, you centralize certificate management. You can use a single wildcard certificate or multiple certificates for different domains, all stored in Kubernetes Secrets. The Ingress controller can also integrate with authentication systems (like OAuth or basic auth) to protect backend services. This is far simpler than managing certificates on every pod.

In DevOps and continuous delivery workflows, Ingress Resources are part of the infrastructure as code. You can version control your routing rules, audit them, and roll back changes if something breaks. This aligns with the Kubernetes philosophy of declarative management. In short, Ingress Resources are central to making Kubernetes clusters production-ready for web traffic. Skipping this concept means your cluster will be much harder to manage, more expensive, and less secure.

How It Appears in Exam Questions

On the CKA exam, questions around Ingress Resources typically fall into a few categories. The most common is a configuration task: the exam provides a YAML file for a Deployment and a Service, and you must create an Ingress Resource to route traffic from a specific hostname to that Service. For example, the question might say: ‘Create an Ingress named ‘api-ingress’ in namespace ‘default’ that exposes the Service ‘api-service’ on port 80 at host ‘api.example.com’ with path ‘/’. Use the correct pathType.’ You would need to write the YAML or use kubectl create ingress with the appropriate flags.

Another common pattern is troubleshooting. You might be given a cluster where an application is not accessible externally. You must inspect existing Ingress Resources, Services, and Endpoints. The issue could be that the Ingress Resource has no host field, or the pathType is wrong, or the Service doesn’t have a matching port, or the Ingress controller is not deployed. You might also need to check TLS configuration if the question involves HTTPS.

Some questions combine Ingress with NetworkPolicies or Services. For instance: ‘The application is reachable only from within the cluster. Create an Ingress that exposes it to external traffic, then verify connectivity.’ Here you must create the Ingress and potentially test it with curl from a temporary pod.

You will not see multiple-choice questions on the CKA; it is entirely performance-based. However, in other certification exams (like the new KCNA or some vendor-specific ones), concepts about Ingress may appear in multiple-choice format. Those might ask: ‘Which Kubernetes object defines HTTP routing rules?’ or ‘What is the purpose of an Ingress Controller?’ The key is to differentiate between Ingress Resource (the rule definition) and Ingress Controller (the implementation).

Finally, some exam scenarios test your understanding of the multiple path matching types. For example, a question might ask you to route all traffic under /app/ to a backend, and you must choose Prefix as the pathType instead of Exact. Wrong choices lead to routing failures, so you must know the difference.

Study cncf-cka

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a Kubernetes administrator for an e-commerce company. The company has three microservices running in the cluster: a product catalog service, a checkout service, and a customer support service. All of them need to be accessible to customers on the internet. The domain name is shop.example.com.

Instead of creating three separate load balancers, you decide to use an Ingress Resource. You create an Ingress named shop-ingress in the namespace ecommerce. You define two rules based on paths: requests to /products are routed to the products-service on port 8080, requests to /checkout are routed to checkout-service on port 8080, and requests to /support are routed to support-service on port 8080. The default backend handles all other requests by returning a 404 page.

After applying the Ingress YAML, the Ingress Controller (which is already running) picks up the configuration. Now customers can reach all services via https://shop.example.com/products, https://shop.example.com/checkout, and https://shop.example.com/support. The company saves money by using only one cloud load balancer, and the developers can update the routing rules simply by editing the Ingress YAML and re-applying it. This scenario illustrates how Ingress simplifies external access in a real microservices environment.

Common Mistakes

Thinking an Ingress Resource works without an Ingress Controller.

An Ingress Resource is just a set of rules stored in etcd. Without a running Ingress Controller pod that watches for those rules and implements them (by configuring a load balancer or proxy), no traffic will be routed. The cluster does not have a built-in controller by default.

Always ensure an Ingress Controller (like NGINX Ingress, Traefik, or the cloud provider’s controller) is deployed in the cluster *before* relying on Ingress Resources. If traffic doesn’t reach your service, check if the controller pods are running.

Omitting the 'pathType' field in Ingress rules or using the wrong path type.

In Kubernetes v1.18+, the pathType field is mandatory. Using a wrong type (e.g., Exact when you want Prefix) will cause routing to fail for many requests. For example, using Exact for /api will only match the exact path /api, not /api/v1/products.

Use Prefix pathType if you want to match a path and all its subpaths (e.g., /api matches /api and /api/v1). Use Exact only if you need an exact string match. Use ImplementationSpecific only if your controller supports it and you know exactly how it behaves.

Using the wrong Service port or not referencing the correct Service name.

The Ingress rule must specify a backend service name and port that actually exist in the namespace. If you misspell the service name or use a port number that is not defined in the Service object, the Ingress controller will not forward traffic correctly, leading to errors like 503 Service Unavailable.

Verify the Service exists with `kubectl get svc -n <namespace>` and check the correct port name or number. Use service.port.number (integer) or service.port.name (string) consistently. Double-check spelling in the Ingress YAML.

Confusing Ingress with NodePort or LoadBalancer Services as the only way to expose apps.

Many beginners think every external exposure requires a NodePort or LoadBalancer Service type. While those work, Ingress provides more flexibility and cost efficiency for HTTP(S) traffic. Ingress should be your default choice for web applications, not an afterthought.

Use NodePort only for testing or non-HTTP protocols. Use LoadBalancer for direct exposure when Ingress is not needed (e.g., for UDP traffic). For most web apps, use Ingress. Remember that Ingress still requires a Service of type ClusterIP (or NodePort) to route traffic to pods, but you don’t need a LoadBalancer for each service.

Exam Trap — Don't Get Fooled

The exam gives you a scenario where an Ingress Resource exists, but traffic still fails. You are asked to fix it. The trap is that the Ingress Resource has a host field but the hostname in the request does not match the host field in the Ingress rule.

Learners often focus on the path or service name, ignoring the host mismatch. Read the exam question carefully: if a host is specified in the Ingress, you must ensure the curl or test command uses that exact hostname (e.g.

, curl -H 'Host: api.example.com' http://<IP>). Or, if the question does not specify a host, you should either omit the host field entirely (so the rule matches all hostnames) or use a wildcard.

When troubleshooting, always check `kubectl describe ingress <name>` and look at the Rules section. If the host is set and you are testing with a different host, the traffic will not reach the intended service.

Commonly Confused With

Ingress ResourcesvsService (ClusterIP / NodePort / LoadBalancer)

A Service is an abstraction that exposes a set of Pods as a network service. It works at layer 4 (TCP/UDP) and provides stable IP and DNS. Ingress works at layer 7 (HTTP/HTTPS) and provides intelligent routing based on URLs and hostnames. Ingress relies on a Service to forward traffic to the backend Pods, but Ingress itself is not a Service type.

If you have a web application, you might create a ClusterIP Service to let other pods inside the cluster talk to it. To expose it to the internet, you create an Ingress that points to that Service. The Service alone (ClusterIP) is not accessible externally. You would not use Ingress to expose a database that uses a custom TCP port; you would use a LoadBalancer or NodePort Service instead.

Ingress ResourcesvsNetworkPolicy

NetworkPolicy controls traffic flow at the pod level within the cluster, acting as a firewall for pods. It regulates which pods can communicate with each other. Ingress, by contrast, controls traffic entering the cluster from outside. NetworkPolicy does not deal with hostnames or URL paths; it works on IP addresses and ports. Ingress does not enforce pod-to-pod traffic rules.

If you have a frontend pod and a backend pod, a NetworkPolicy might block the frontend from talking to the backend except on port 8080. An Ingress would route external requests (like from a browser) to the frontend pod. They serve different security layers: NetworkPolicy for east-west traffic, Ingress for north-south traffic.

Ingress ResourcesvsIngress Controller

The Ingress Resource is the declarative YAML definition of routing rules. The Ingress Controller is the software component that reads those rules and implements them, typically by configuring a reverse proxy (like NGINX or HAProxy) or a cloud load balancer. Without the Controller, the Ingress Resource is just a configuration file that does nothing.

Writing an Ingress YAML is like writing a recipe (the rule). The Ingress Controller is the chef who actually cooks the dish (configures the proxy). If you only have the recipe but no chef, no meal is prepared. Similarly, if you only apply an Ingress YAML but no Controller is running, no traffic routing happens.

Ingress ResourcesvsGateway API (Kubernetes Gateway)

Gateway API is a newer, more expressive API for managing service networking. It aims to supersede Ingress by offering more flexible routing, support for multiple protocols (not just HTTP), and better role separation. Ingress is simpler and older, while Gateway API is more powerful but still maturing. The CKA exam covers Ingress, not Gateway API.

If you need to route HTTP traffic based on headers or split traffic by percentage (canary releases), Gateway API offers dedicated resources like HTTPRoute and can handle those scenarios natively. Ingress would require controller-specific annotations for such features. For basic host/path routing, Ingress is sufficient.

Step-by-Step Breakdown

1

Create a Deployment for your application

The application must run as Pods managed by a Deployment. This ensures replicas, rolling updates, and self-healing. Without a Deployment, the application may not have the desired number of replicas or recovery mechanisms.

2

Expose the Deployment as a Service (typically ClusterIP)

You need a Service to provide a stable network endpoint (IP and DNS) for the Pods. The Service defines a port that the Ingress will forward traffic to. Even though the Service is ClusterIP (internal only), it works because the Ingress Controller can reach it within the cluster.

3

Create an Ingress Resource YAML manifest

Write a YAML file with apiVersion networking.k8s.io/v1, kind Ingress, and metadata.name. In spec.rules, define the host (optional) and http.paths. Each path has pathType (Prefix or Exact) and a backend referencing your Service by name and port.

4

Apply the Ingress YAML to the cluster

Use kubectl apply -f ingress.yaml. The Ingress Resource is stored in etcd. The Ingress Controller watches for new or updated Ingress objects and will read this YAML to configure its reverse proxy or load balancer.

5

The Ingress Controller configures the proxy

The Controller (e.g., NGINX Ingress) generates a configuration file (e.g., nginx.conf) that includes the routing rules. It reloads the proxy to apply the new rules. If a cloud controller is used, it may create or update a cloud load balancer.

6

Verify external access to the application

After the Ingress Controller picks up the configuration, you can access the application via the Ingress’s external address (often the load balancer’s IP or a DNS name). Use curl or a browser to test the hostname and path. If the application does not respond, check Service, Pod, and Ingress controller logs.

7

Maintain and update the Ingress rules

Over time, you may need to add new paths, change hostnames, or update TLS certificates. You edit the Ingress YAML and re-apply it. The Controller will respond dynamically. This declarative approach makes routing changes auditable and version-controllable.

Practical Mini-Lesson

Ingress Resources form the backbone of external HTTP(S) traffic management in Kubernetes. To work with them effectively, you must understand the full chain: from DNS resolution to the Ingress Controller to the Service to the Pod. Let’s break this down practically.

First, ensure an Ingress Controller is running in your cluster. Many beginners skip this step. You can deploy the NGINX Ingress Controller using a Helm chart or a simple manifest from the Kubernetes documentation. Without this, your Ingress Resource is just a decoration. Once the Controller’s pods are running, they will watch for Ingress Resources and configure an NGINX or HAProxy instance accordingly.

When writing an Ingress YAML, always specify apiVersion: networking.k8s.io/v1. Use the correct annotation for the Ingress class if needed (e.g., spec.ingressClassName: nginx). For the host field, if you want the rule to apply to all hostnames, simply omit the host field. This is useful for development environments. For production, using a specific hostname is safer.

Path matching requires attention. Prefix pathType matches a URL path and all its subpaths. For example, path /api with Prefix matches /api, /api/v1, /api/v2/items. Exact matches only the exact string; /api does not match /api/. ImplementationSpecific gives ultimate control to the controller, but it can be confusing. For the CKA exam, stick with Prefix for most cases.

Now, about the Service: the backend in the Ingress must be a Service of type ClusterIP, NodePort, or LoadBalancer. But using ClusterIP is standard. The Service must have a port that matches the port defined in the Ingress. The Ingress Controller will send traffic to that port on the Service, which then loadbalances to the Pods. Ensure your Pods are listening on the same port as the Service’s targetPort.

What can go wrong? The most common issues are: the Ingress Controller is not running, the Service is in a different namespace than the Ingress (Ingress can only reference Services in the same namespace by default), the pathType is missing or wrong, the Service port is wrong, or the hostname in the request does not match the host field. Always check `kubectl describe ingress` to see the events and status. Also check the Controller’s logs (e.g., kubectl logs -n ingress-nginx deployment/ingress-nginx-controller).

Finally, consider TLS. To add HTTPS, create a Kubernetes Secret with a TLS certificate and private key, then reference it in the Ingress’s spec.tls section. The Ingress Controller will terminate TLS and forward plain HTTP to the backend. This centralizes certificate management. Remember that the Secret must be in the same namespace as the Ingress.

In professional environments, Ingress Resources are also used with services like cert-manager to automatically provision Let’s Encrypt certificates. But for exam purposes, stick to manual TLS configuration. Mastering Ingress Resources is a key skill for any Kubernetes administrator, as it directly impacts application availability and security.

Memory Tip

Think of ‘IN’ in Ingress as ‘INternet’ and ‘RESS’ as ‘RESSources’ — Ingress Rules for External Service Selection. When in doubt, remember: Host filters, Path matches, Service forwards.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

Do I need a separate Ingress for each Service?

No, you can define multiple rules in a single Ingress Resource. Each rule can point to a different Service based on hostname or path. This keeps your configuration organized and reduces the number of YAML objects.

Can I use Ingress for non-HTTP traffic like TCP or UDP?

The standard Ingress API only supports HTTP and HTTPS. For TCP or UDP traffic, you need to use a Service of type LoadBalancer or NodePort, or use a controller-specific solution like the NGINX Ingress Controller’s TCP/UDP configuration via ConfigMaps.

What is the difference between an Ingress Resource and an Ingress Controller?

The Ingress Resource is a YAML object that defines routing rules. The Ingress Controller is a software component that implements those rules by configuring a proxy or load balancer. You need both for traffic to flow.

Can an Ingress route traffic to Services in different namespaces?

Standard Ingress Resources only support backends in the same namespace. If you need cross-namespace routing, you would need a controller that supports it (e.g., NGINX Ingress with the ForwardAuth feature) or use the newer Gateway API.

How do I troubleshoot an Ingress that is not working?

Check that the Ingress Controller is running. Then inspect the Ingress with kubectl describe ingress. Look for Events that indicate errors. Verify the backend Service exists and has endpoints. Check DNS resolution for the hostname. Finally, check the Controller’s logs for configuration errors.

Is TLS configuration required for an Ingress?

No, TLS is optional. Without spec.tls, the Ingress only accepts HTTP traffic. If you want HTTPS, you must provide a TLS secret with a certificate and key, and add a tls section to the Ingress.

What is the default backend in an Ingress?

The default backend is a fallback Service that handles any requests that do not match any rule. If not specified, the Ingress controller typically returns a 404 or a default page. You can define spec.defaultBackend to send unmatched traffic to a custom Service.

Summary

Ingress Resources are essential Kubernetes API objects that define how external HTTP and HTTPS traffic should be routed to Services inside a cluster. They act as a centralized rule book for directing visitors to the correct application based on hostnames and URL paths. Unlike individual LoadBalancer Services, Ingress consolidates external access, saving costs and simplifying management.

The key components are the Ingress Resource (the YAML) and the Ingress Controller (the software that enforces the rules). For the CKA exam, you must be able to create, modify, and troubleshoot Ingress YAML manifests, including correct use of pathType, host, and TLS configuration. Common pitfalls include forgetting the Ingress Controller, using wrong pathType, and mismatching hostnames.

Mastery of Ingress is crucial for any Kubernetes administrator, as it directly affects how users reach applications. Remember that Ingress works at layer 7, not layer 4, and that it is the standard way to expose web services in production Kubernetes clusters.