🚀 Introduction
When interviewing for Kubernetes or DevOps roles, one question almost always comes up:
“How does a Kubernetes Ingress Controller work?”
And yet, most candidates get it wrong.
Why?
Because they don’t differentiate between Ingress Resource and Ingress Controller, or understand how reverse proxy routing and service discovery actually tie together.
In this article, we’ll fix that — permanently.
Let’s break down exactly what happens from the moment a request hits your Kubernetes cluster until it reaches your application pod.
🧩 1. What is Kubernetes Ingress?
Kubernetes Ingress is a native API object that defines rules for external HTTP(S) traffic to reach services inside your cluster.
In simpler terms —
➡️ You don’t expose every service directly.
➡️ Instead, you define an Ingress that maps hostnames and paths to services.
Example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-app-ingress
spec:
rules:
- host: app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-app-service
port:
number: 80
This tells Kubernetes:
“For requests to
app.example.com, send traffic tomy-app-service.”
But remember — Ingress by itself does nothing.
It only defines the routing rules.
You still need something to enforce them.
That’s where the Ingress Controller comes in.
⚙️ 2. What is a Kubernetes Ingress Controller?
The Ingress Controller is the brain that reads those Ingress rules and actually configures the network routing.
It’s a reverse proxy + load balancer that runs inside your cluster, watching for changes to Ingress Resources.
Popular Ingress Controllers:
- 🌐 Nginx Ingress Controller
- ⚡ HAProxy Ingress
- 🐙 Traefik
- 🌀 Istio Ingress Gateway (for service meshes)
- ☁️ AWS/GCP/Azure native Ingress Controllers
Each uses a different proxy engine (Nginx, Envoy, HAProxy), but the concept remains identical.
🧠 3. How Does a Kubernetes Ingress Controller Work (Step-by-Step)?
Let’s visualize the traffic flow.
🧭 Step 1: External Request Hits Cluster
- A user visits
app.example.com - DNS resolves to the external IP of the Ingress Controller’s Service (usually a LoadBalancer type).
🧭 Step 2: Load Balancer → Ingress Controller Pod
- The request is forwarded to one of the Ingress Controller pods inside the cluster.
- Typically deployed in the
ingress-nginxorkube-systemnamespace.
🧭 Step 3: Controller Reads Ingress Rules
- The controller continuously watches the Kubernetes API for new or updated Ingress Resources.
- It dynamically reconfigures its underlying reverse proxy (e.g., Nginx, Envoy) with those rules.
🧭 Step 4: Reverse Proxy Routing
- Based on the Ingress rule (hostname, path), the proxy forwards traffic to the correct Kubernetes Service.
- Example:
/→my-app-service:80/api→api-service:8080
🧭 Step 5: Service → Pod Communication
- The target Service uses kube-proxy or iptables rules to send traffic to the right pod endpoints.
🧭 Step 6: Response Back to Client
- The pod processes the request and sends a response through the reverse proxy → load balancer → user browser.
✅ Result: External traffic seamlessly reaches the correct pod, following your Ingress rules.
🏗️ 4. Ingress & Ingress Controller Architecture
Here’s a simplified architecture view 👇
Client → LoadBalancer → Ingress Controller Pod → Kubernetes Service → Application Pod
Visually:
The Ingress Resource defines the rules,
The Ingress Controller enforces those rules via a reverse proxy.
🔍 5. Key Difference: Ingress Resource vs Ingress Controller
| Concept | Description | Example |
|---|---|---|
| Ingress Resource | Defines routing rules (host/path → service) | YAML manifest in cluster |
| Ingress Controller | Reads Ingress rules and implements routing | Nginx, HAProxy, Traefik |
Think of it like this 👇
Ingress Resource = “Traffic Map”
Ingress Controller = “The Driver Following the Map”
Without a controller, your Ingress rules are just instructions with no executor.
🧩 6. List of Popular Kubernetes Ingress Controllers
| Ingress Controller | Proxy Engine | Notable Feature |
|---|---|---|
| Nginx Ingress Controller | Nginx | Stable, widely used |
| HAProxy Ingress | HAProxy | High performance, robust TLS |
| Traefik | Built-in | Auto-discovery, dashboard |
| Kong Ingress | Nginx + Lua | API gateway capabilities |
| Istio Ingress Gateway | Envoy | Integrated with service mesh |
| AWS ALB Ingress Controller | AWS ALB | Native cloud integration |
🧭 7. Real-World Debugging Tips
✅ Check Ingress rules:
kubectl get ingress -A
✅ Describe a specific Ingress:
kubectl describe ingress my-app-ingress
✅ Verify Ingress Controller pods:
kubectl get pods -n ingress-nginx
kubectl logs -n ingress-nginx <controller-pod-name>
✅ Test routing locally:
curl -H "Host: app.example.com" http://<load-balancer-ip>
🧠 8. Summary
| Component | Purpose |
|---|---|
| Ingress Resource | Defines DNS and routing rules |
| Ingress Controller | Reads and applies those rules via reverse proxy |
| Service | Routes traffic to pods |
| Pod | Hosts the actual application |
👉 Without the Ingress Controller, your Ingress resource is just metadata.
👉 Without the Ingress Resource, the controller has no rules to follow.
Together, they form the gateway between the outside world and your Kubernetes applications.
🧰 Conclusion
Understanding Kubernetes Ingress isn’t just about memorizing YAML — it’s about knowing how traffic flows and how controllers interpret routing rules behind the scenes.
Next time someone asks “What does an Ingress Controller do?”,
you’ll not only explain it — you can draw the architecture and trace every packet like a pro.