The best ingress controller for Kubernetes is not an Ingress controller, as the Gateway API now supersedes the Ingress API. Hence, “the best ingress controller” is a Kubernetes Gateway API implementation. However, that doesn’t narrow the choice down much, since there are many Gateway API implementations to pick from. In this article we’ll look at the Big Three open source solutions available to you.
If you are here because you are looking for a single solution to solve all your problems, let me tell you a trick: you can have multiple Gateway Classes in your Kubernetes cluster. Pick the right one for the job, but don’t go wild in the pick-n-mix aisle. Weigh what is good enough for 80% of your use cases against what the specialized 20% needs. I’m going to guess that your 80-20 is about 80% API traffic to services, and 20% is serving static content.
I must be honest: no solution is the most suitable in every category for handling ingress traffic in Kubernetes. It all depends on what you are serving and which problems you are willing to take on.
Pick the problems you want to have, not the solution.
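As an added illustration of running two Gateway Classes side by side (not part of the original article): the manifest below registers one class for API traffic and one for static content, then uses `allowedRoutes` so that only labelled namespaces can attach routes to the shared API listener. The `controllerName` values are assumed to be the defaults of Envoy Gateway and NGINX Gateway Fabric and must match what is installed in your cluster; all resource names, namespaces, the hostname, the TLS secret and the label are placeholders.

```yaml
# Added example: names, namespaces, hostname, secret and label are placeholders.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy              # class for API traffic to services
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: nginx              # class for static content
spec:
  controllerName: gateway.nginx.org/nginx-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata: {name: api-gateway, namespace: infra-gateways}
spec:
  gatewayClassName: envoy  # selects which implementation serves this Gateway
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: api.example.com
      tls:
        mode: Terminate
        certificateRefs:
          - name: api-example-com-tls
      allowedRoutes:       # only namespaces with this label may attach routes
        namespaces:
          from: Selector
          selector:
            matchLabels:
              gateway-access: api
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata: {name: orders, namespace: orders}   # namespace must carry the label above
spec:
  parentRefs:
    - name: api-gateway
      namespace: infra-gateways
  rules:
    - backendRefs:
        - name: orders-svc
          port: 8080
```

A Gateway for static content would reference `gatewayClassName: nginx` in the same way, so each kind of traffic is handled by the implementation chosen for it.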
The Big Three: Envoy, NGINX and HAProxy
When looking for a Kubernetes ingress solution, there are three main open-source choices: Envoy (via Envoy Gateway), NGINX, and HAProxy. Below is a high-level summary of each solution and its strengths and weaknesses to help you navigate this space.
Envoy, a CNCF Graduated Project
Envoy has the most advanced and modern traffic management and observability features, which are particularly suited for microservices and service mesh architectures.
What problems do you pick? Higher latency in exchange for more advanced traffic routing features, extensibility, and observability.
How do you minimize the problems? Optimize your Envoy configuration for your use case. Use Envoy where traffic management flexibility and observability are vital requirements.
NGINX by F5
NGINX offers versatile web serving, proxying, and load-balancing features. It is especially well-suited for serving static content, like websites and apps.
What problems do you pick? Limited advanced traffic management features, fewer observability metrics, and risk of complex configurations for large-scale deployments.
How do you minimize the problems? Leverage third-party tools for advanced traffic management, observability, and configuration management.
HAProxy by HAProxy Technologies
HAProxy is specialized and highly efficient for load balancing and proxying with a focus on performance and reliability. If saving milliseconds is crucial for your system, HAProxy is a good option.
What problems do you pick? Limited advanced traffic management features, challenging service mesh integrations, and a weaker fit for microservices architectures.
How do you minimize the problems? Use HAProxy only in situations where its performance and low latency are critical. Keep on top of optimizing load-balancing algorithms and parameters for your needs.
Get Enterprise Ready
If you operate in an enterprise environment and implement a solution at a critical failure point in your architecture, the question of enterprise support will eventually arise. When deciding whether to go down the Envoy, NGINX, or HAProxy route, you will eventually want to consider your options.
Note that Envoy is the only CNCF open source solution within “the Big Three” and the only open source solution that is a multi-company project not owned by a single commercial entity.
Tetrate offers enterprise support and enablement for a 100% upstream distribution of Envoy Gateway, allowing you to benefit from a high-velocity open source project to which Tetrate is the biggest contributor.
For NGINX and HAProxy, the best place to get enterprise support will be from the respective commercial entities, F5 and HAProxy Technologies, which own them.
Conclusion
Remember, there is no one-size-fits-all solution for handling ingress traffic in Kubernetes. The ideal choice depends on your specific needs and the trade-offs you are willing to accept. Envoy, NGINX, and HAProxy each have their strengths and weaknesses. The key is to select the right tool for your primary use cases while considering potential challenges.
Considering support options is crucial in an enterprise setting. Envoy benefits from multi-company contributions and support from Tetrate, while NGINX and HAProxy have enterprise support offerings from F5 and HAProxy Technologies, respectively.
Choose the problems you are willing to solve, not just the solutions, and ensure your Kubernetes ingress strategy aligns with your overall architectural goals.