Kubernetes Networking (critical)

Ingress & Ingress Controllers

Ingress is a Kubernetes resource that defines HTTP/HTTPS routing rules. An Ingress Controller (nginx, traefik, AWS ALB) implements those rules.

Memory anchor

Ingress = the hotel front desk that routes guests to rooms. 'api.example.com/v1' goes to Room 101 (service A), '/v2' goes to Room 202 (service B). Without an Ingress Controller, the front desk is just an empty counter with no receptionist.

Expected depth

Ingress routes external HTTP traffic to Services based on hostname and path. TLS termination is configured via secretName in the tls block. Path types: Prefix (/api matches /api and /api/v1) vs Exact (/api matches only /api). ingressClassName specifies which controller handles this Ingress; multiple controllers can run in the same cluster with different classes. Ingress aggregates multiple Services behind one load balancer, instead of one LoadBalancer Service per app.

Deep — senior internals

The Ingress resource is just a spec; it does nothing without an Ingress Controller. nginx-ingress watches Ingress objects and dynamically updates nginx.conf. The AWS ALB Ingress Controller provisions an Application Load Balancer per Ingress. cert-manager automates TLS certificate issuance (Let's Encrypt) via annotations on Ingress resources. Rate limiting, auth and CORS are all configurable via controller-specific annotations. Gateway API (new) is more expressive than Ingress and splits responsibilities into GatewayClass, Gateway and HTTPRoute; it is designed to replace Ingress long-term.

🎤 Interview-ready answer

Ingress decouples routing rules from infrastructure: you define host/path routing in YAML, and the Ingress Controller implements it in nginx/envoy/ALB. This lets you have hundreds of services behind one cloud load balancer instead of one LB per service. TLS is terminated at the Ingress Controller, so your backend services speak plain HTTP. cert-manager + Ingress is the standard for automated Let's Encrypt certificates. For production, use nginx-ingress or the cloud-native controller (ALB, GCE).

Common trap

Creating an Ingress resource without an Ingress Controller installed does nothing — the resource exists but no routing is configured. This is a common source of confusion when setting up a new cluster.
