Notes from the field: Nginx Ingress Controller for Production on AKS Hybrid
Published Mar 31 2023 09:06 AM 5,442 Views
Microsoft

Install the Nginx Ingress Controller

A Deployment in Kubernetes is a resource object that defines how many replicas of a Pod should be running at any given time. A Pod is the smallest deployable unit in Kubernetes and represents a single instance of a running process. By creating a deployment object, you can ensure that a certain number of Pods are always running, even if some of them fail.

 

Deployments are useful for managing containerized applications that need to be scaled up or down based on demand. For example, a web application might have more traffic during peak hours, and deployment can automatically add more replicas to handle the increased load. Conversely, when traffic subsides, the deployment can scale down the number of replicas to save resources.

 

In Kubernetes, a DaemonSet is a resource object that ensures that a specific pod runs on every node in a cluster. It is designed to run a copy of a pod on each node in a cluster, which makes it useful for running system daemons or other processes that need to be present on every node.

 

A DaemonSet is similar to a Deployment in that it manages the lifecycle of a set of pods. However, unlike Deployments, DaemonSets are typically used to run system-level services or daemons that need to be running on every node in a cluster.

leslielin_0-1680024185621.png

 

Installing the Nginx ingress controller as a DaemonSet is considered more performance efficient compared to a deployment in Kubernetes for several reasons.

 

A DaemonSet ensures that the Nginx ingress controller pod is running on every node in a cluster, whereas a deployment only guarantees that the desired number of replicas are running. This means that with a DaemonSet, the Nginx ingress controller is distributed evenly across all nodes in the cluster, allowing for faster and more efficient load balancing.

 

 

Enable Monitoring for Nginx Ingress Controller

 

Monitoring the Nginx ingress controller is important for several reasons:

 

Ensuring availability

The Nginx ingress controller is responsible for routing traffic to your backend services. If the Nginx ingress controller is not available, traffic will not be able to reach your services, resulting in downtime and potentially lost revenue or other negative impacts. By monitoring the Nginx ingress controller, you can quickly identify any issues and take action to ensure that it remains available.

 

Performance optimization

Monitoring the Nginx ingress controller can help you identify performance issues and optimize your configuration to improve response times and reduce latency. By monitoring key metrics such as request rates, response times, and error rates, you can gain insight into how the Nginx ingress controller is performing and make informed decisions about how to optimize your configuration.

 

Capacity planning

Monitoring the Nginx ingress controller can help you plan for future capacity requirements by providing insight into traffic patterns and usage trends. By monitoring key metrics such as request rates and resource utilization, you can identify when you may need to scale up or down your infrastructure to ensure that you can handle increasing traffic volumes.

 

 

Overall, monitoring the Nginx ingress controller is critical for ensuring availability, optimizing performance, and planning for future capacity requirements. By using monitoring tools and techniques to gain insight into the health and performance of your Nginx ingress controller, you can ensure that your infrastructure remains reliable and performant.

 

The ServiceMonitor object in the Prometheus Operator is a Kubernetes resource that is used to configure Prometheus to scrape metrics from a specific set of services in your Kubernetes cluster.

 

When you create a ServiceMonitor object, you specify a set of labels that define which services should be monitored, as well as a set of endpoints that Prometheus should scrape to collect metrics. The ServiceMonitor object also includes a set of rules that define how the metrics should be collected, including the scrape interval and timeout.

 

The ServiceMonitor object is used in conjunction with the Prometheus Operator, which is a tool that simplifies the process of deploying and managing Prometheus instances in Kubernetes. When you create a ServiceMonitor object, the Prometheus Operator automatically creates a corresponding set of Prometheus configuration files that specify how to scrape metrics from the specified services.

 

The ServiceMonitor object is particularly useful for monitoring microservices and other distributed applications that are deployed in Kubernetes. By using labels to define which services to monitor, you can easily configure Prometheus to collect metrics from all instances of a particular service, regardless of how many replicas are running or which nodes they are running on. This can help ensure that you have comprehensive visibility into the performance of your application, even as it scales and evolves over time.

 

In summary, the ServiceMonitor object is a key component of the Prometheus Operator that enables you to configure Prometheus to monitor specific services in your Kubernetes cluster. By using labels and rules to define which services and endpoints to monitor, you can ensure that you have comprehensive visibility into the performance of your application, regardless of how it is deployed or scaled.

leslielin_1-1680024185639.png

 

Grafana, a popular open-source visualization tool, by default. When you install the Prometheus Operator from the official Helm chart repository, Grafana is automatically deployed along with Prometheus, and you can use it to create custom dashboards and visualizations based on the metrics collected by Prometheus.

 

After the configuration of the ServiceMonitor object, the Service Discovery for Nginx should be visible in the Prometheus UI, as shown in the snapshot below. 

leslielin_2-1680024185646.png

 

However, if you are using the AKS hybrid Monitoring solution from AKS hybrid Monitoring to deploy the Prometheus Operator, you will need to install Grafana separately. This is because AKS hybrid Monitoring is a custom implementation of the Prometheus Operator that is optimized for use with AKS Hybrid, and it does not include Grafana by default.

 

To install Grafana in this scenario, you can use the Grafana Helm chart and configure it to connect to the Prometheus instance deployed by the Prometheus Operator. This will enable you to visualize and analyze the Kubernetes metrics collected by Prometheus, and gain valuable insights into the performance and health of your cluster.

 

To visualize Nginx ingress controller metrics, we need to deploy as a configmap in order to make Grafana load as a dashboard.

 

After the configuration of Grafana configmap, the dashboard for Nginx should be visible in Grafana, as shown in the snapshot below.

leslielin_3-1680024185656.png

 

Prometheus AlertManager is a component of Prometheus, an open-source monitoring and alerting system that is widely used in Kubernetes environments. It enables the system to monitor and alert administrators to potential issues with the Nginx Ingress Controller and other workloads running in the Kubernetes cluster.

 

Prometheus AlertManager is necessary for the Nginx Ingress Controller because it enables the system to detect and respond to issues that may affect the performance and availability of the Nginx Ingress Controller. It can detect issues such as high CPU usage, memory pressure, or network connectivity problems, which could cause the Nginx Ingress Controller to become unresponsive or perform poorly.

 

PrometheusRule CRD provides a way to manage the alerting rules within a Prometheus instance, enabling administrators to define specific conditions for generating alerts. For example, PrometheusRule can be used to define rules for alerting when the number of errors encountered by a service exceeds a certain threshold or when the response time of a service exceeds a certain value. These rules are based on metrics collected by Prometheus, such as CPU usage, memory usage, or network latency. When these metrics exceed predefined thresholds, PrometheusRule generates an alert that can be sent to various channels, such as email, Slack, or PagerDuty.

 

For example, you can use PrometheusRule to define alerting rules for the Nginx Ingress Controller, such as alerting when the number of 5xx HTTP status codes exceeds a certain threshold, or when the average response time exceeds a certain value. You can then use these rules to generate alerts when specific conditions are met, ensuring that any potential issues are quickly identified and addressed.

leslielin_4-1680024185678.png

 

After the configuration of the PrometheusRule object, the rules for Nginx should be visible in the Prometheus UI, as shown in the snapshot below. 

leslielin_5-1680024185687.png

 

 

Best Practice for Memory/ CPU Request/ limit for Nginx Ingress Controller

Kubernetes provides memory requests and limit settings to control the amount of memory allocated to a container. Memory requests indicate the amount of memory a container requests from the system, while memory limits specify the maximum amount of memory a container can use.

 

It is best practice to set memory requests and limits to the same value. Doing so guarantees that the container has the required amount of memory available and can operate effectively, avoiding performance issues or crashes that result from insufficient memory.

 

Moreover, it is crucial to use QoS classes to prioritize workload scheduling and eviction decisions based on container resource requirements. Kubernetes offers three QoS classes: Guaranteed, Burstable, and BestEffort.

 

Guaranteed pods ensure that all containers have CPU and memory requests and limits set to the same value. This guarantees that the container has the requested resources available, and Kubernetes will prioritize scheduling and evicting Guaranteed pods based on their QoS class.

 

Burstable pods have CPU and/or memory requests and limits that are not of the same value. In contrast, BestEffort pods have no CPU or memory requests or limits defined. Kubernetes uses QoS classes to determine which pods to schedule or evict first based on the QoS class and available resources on the node.

 

In summary, Kubernetes memory request and limit settings are essential to manage the amount of memory allocated to containers. It is best practice to set memory requests and limits to the same value to ensure effective container operation. Additionally, QoS classes ensure that workloads are scheduled and evicted based on container resource requirements, with Guaranteed pods having the highest priority due to their strict resource requirements.

 

After analyzing the memory and CPU usage of your Nginx Ingress Controller, it is essential to tune the memory request/limit and CPU request/limit values. Setting these values correctly can improve your cluster's performance and prevent potential issues in the future.

leslielin_6-1680024185691.png

 

 

Decision process of creating a separate nodepool

Creating a separate node pool for the Nginx Ingress Controller depends on your specific use case. It may be a useful strategy in certain situations, but it is not always necessary or recommended.

 

One reason to create a separate node pool for the Nginx Ingress Controller is to ensure that it runs on dedicated nodes that are not shared with other workloads. This approach can improve the reliability and performance of the Nginx Ingress Controller since it has exclusive access to the resources of the node.

 

Another reason to create a separate node pool is to isolate the Nginx Ingress Controller from other workloads that may compete for resources. This approach can prevent the Nginx Ingress Controller from being impacted by other workloads' resource-intensive operations, improving its stability and performance.

 

However, creating a separate node pool for the Nginx Ingress Controller may not always be necessary or recommended. If your cluster has sufficient resources and the Nginx Ingress Controller workload is not resource-intensive, running it on the same node pool as other workloads may not cause any issues.

 

Additionally, creating a separate node pool for the Nginx Ingress Controller may result in underutilized resources, leading to unnecessary costs. You may be better off optimizing your current node pool and ensuring that the Nginx Ingress Controller has sufficient resources to run optimally.

 

In summary, creating a separate node pool for the Nginx Ingress Controller can be beneficial in some cases, but it is not always necessary or recommended. It is essential to consider your specific use case, cluster resources, and workload requirements before deciding to create a separate node pool.

 

 

Leave us a note or engage with us at our GitHub repository https://github.com/azure/aks-hybrid

1 Comment
Version history
Last update:
‎Mar 28 2023 02:22 PM
Updated by: