Enhanced Ingress Domain Functionality for Kubernetes Service, OpenShift and Satellite Clusters
5 min read
On 6 April 2023, the IBM Cloud Kubernetes Service enhanced the Ingress domain management functionality for IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud clusters.
The enhanced Ingress Domain functionality now supports the ability to expose your application with a custom domain, integrate with IBM Cloud Internet Services or leverage third-party DNS providers Akamai and Cloudflare to utilize existing domains.
Where can I find the new Ingress domain functionality?
You can use the new
ibmcloud ks ingress domain commands to manage the domains and associated resources for your cluster. The command is grouped under the ingress namespace to enable better discoverability and to co-locate it alongside sibling commands in the Ingress feature family:
We have standardized the command operations on a CRUD model and created a cluster-infrastructure-agnostic command structure in order to provide a more consistent and understandable user experience.
The CLI command
ibmcloud ks ingress domain create now supports custom domains, IBM Cloud Internet Services domains and third-party provider domains from Akamai and Cloudflare. If you do not specify a provider on the create domain command, the domain will be managed by IBM using the default domain provider:
ibmcloud ks ingress domain get and
ibmcloud ks ingress domain ls CLI commands have been updated to display more relevant data in the table output and condense the content to improve domain detail visibility:
The CLI Command
ibmcloud ks ingress domain update follows a PUT model to align more closely with the backend operations and reduce ambiguity in record updates:
The CLI command
ibmcloud ks ingress domain rm supports deleting a domain and all associated resources from your cluster:
How do I use the Ingress domain management functionality?
You can use the
ibmcloud ks ingress domain create functionality to create and register a custom domain, IBM Cloud Internet Services domain or a third-party DNS provider domain with any load balancer service in your cluster. We will fully manage the DNS registration and certificate lifecycle of this new domain on your behalf in the same way the existing domains are currently managed.
Creating a custom domain managed by IBM Cloud Kubernetes Service
Previously, all domains managed by IBM Cloud Kubernetes Service were created with the format
long-classic-k8s-1-23-1-1e7743ca80a399c9cff4eaf617434c72-0000.us-east.containers.appdomain.cloud), including the default domain for the cluster. The new Ingress domain functionality supports creating a managed domain with a custom subdomain.
To create a custom domain, specify the desired subdomain using the
--domain flag on the create command. Note that the DNS zone for the custom domains are still managed by IBM, so a provided custom subdomain of
test-custom-domain will result in a full domain
test-custom-domain.us-south.containers.appdomain.cloud. The custom domains are validated for uniqueness to ensure there are no noisy neighbor conflicts:
Protecting your applications with IBM Cloud Internet Services
The enhanced Ingress domain functionality supports the ability to create a domain for your cluster from an IBM Cloud Internet Services domain. This allows you to enable Web Application Firewalls, DDOS protection and global load balancing for your applications.
To create a domain from an existing IBM Cloud Internet Services domain, ensure that you have the appropriate service-to-service authorization policy in place. More details on creating this policy can be found here.
Once the service-to-service authorization is in place, you can use the
ibmcloud ks ingress domain create command with the
--crn flags to create a domain from an IBM Cloud Internet Services domain. More details on the benefits of using IBM Cloud Internet Services and how to create an instance can be found here:
Integrating with an existing third-party DNS providers
You can now integrate an existing third-party Akamai or Cloudflare domain with your cluster for global load balancing support. To create a domain from a third-party provider, set the appropriate credentials for your cluster and use the domain create command with the
--domain-provider flag. Note that you can only choose one active third-party provider for a cluster.
Adding the credentials to your cluster
To begin, ensure that you have created credentials with the required permissions:
- Akamai: Read-write permissions for the
To set the credentials for your cluster, use the
ibmcloud ks domain credential set command for the appropriate third-party provider:
You can use the additional
ibmcloud ks ingress domain credential commands to manage the lifecycle of your credential. You can remove the credential from your cluster at any point by using the
ibmcloud ks ingress domain credential rm command. If there are active domains for the provider still associated with your cluster, those domains will no longer receive record updates and will be marked with an error code in the Ingress status report. You can rotate the credential by re-running the
ibmcloud ks ingress domain credential set command and specifying a new credential.
ibmcloud ks ingress domain credential get command will supply credential metadata to help you keep track of which credential is in use for your cluster. Please note that once the credential is set, there is no way to view the actual credential:
Adding a domain to your cluster
Once you have set the third-party provider credential for your cluster you can use the
--domain-provider flag on the
ibmcloud ks ingress domain create command to create a domain for that provider. You can choose to create a brand-new domain based on the existing DNS zone or use a pre-existing domain for global load balancing (GLB).
To create a new custom domain based on an existing DNS zone in your third-party domain provider, supply the fully qualified domain with the
--domain flag on the create command. For example, if you have a DNS zone in your provider
testing-custom.com and you want to create a new domain for your cluster
new-custom.testing-custom.com, you would include
--domain new-custom.testing-custom.com on the create command.
To use an existing third-party domain with your cluster, create a cluster-associated domain with the
ibmcloud ks ingress domain create command and provide the existing domain. The IPs will be appended to the existing registration, which allows multiple clusters to use the same domain:
How to change the default domain for your cluster (and what it means)
A cluster’s default domain is the domain reserved for registering the ALBs or OpenShift Ingress Controllers that come by default with your cluster. In Red Hat OpenShift on IBM Cloud clusters, this domain is the domain that exposes the OpenShift console (as well as the other default routes in the cluster).
The current default domain can be found in the
Ingress Subdomain section of your cluster details or by listing the domains for your cluster using the
ibmcloud ks ingress domain ls command:
You can update the default domain for you cluster by using the
ibmcloud ks ingress domain default replace command or by specifying the
--is-default flag on the
ibmcloud ks ingress domain create command. To set a custom domain as the default domain for your cluster during cluster creation, use the
ibmcloud ks ingress domain create command immediately following the cluster create command with the new cluster ID.
For more information, check out our official documentation.
Learn more about IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud.
If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.
Follow IBM Cloud
Be the first to hear about news, product updates, and innovation from IBM Cloud.Email subscribeRSS