Kubernetes Ingress on OpenShift: A Practical Guide

Kubernetes Ingress on OpenShift is powerful, but it isn’t magic. It’s a gateway, a router, and a security checkpoint. It decides how traffic flows into your cluster. If it’s misconfigured, your apps stay invisible to the world. Even if you’ve been running OpenShift for years, fine-tuning Ingress can be the difference between smooth traffic routing and outages in production.

On OpenShift, the Ingress Controller runs inside the cluster. It manages routes, TLS termination, and load balancing. While Kubernetes Ingress is a general concept, OpenShift wraps it with its own Route API. This means you can work directly with standard Kubernetes Ingress resources, but it’s often more efficient to tap into OpenShift’s native routing layer. Still, the standard Ingress resource is essential when you want your configuration to stay portable and closer to upstream Kubernetes conventions.

Creating an Ingress resource in OpenShift starts with defining rules that map hostnames and paths to Services. You apply it with kubectl or oc. The Ingress Controller then consumes those rules and updates router configuration dynamically. You can run multiple Ingress Controllers for different workloads or environments, each with its own domain and certificate management. TLS in OpenShift can be configured per route or globally for the controller. Using Let’s Encrypt automation or internal PKI integration puts certificate rotation on autopilot.

Scaling Ingress in OpenShift is straightforward. The controller pods are stateless, so you just scale deployments to handle more concurrent requests. Horizontal Pod Autoscaling can adjust that capacity in real time. For heavy workloads, fine-tune the router pod’s tuning parameters, connection limits, and keepalive settings. Remember that back-end services also need the capacity to handle increased ingress load — bottlenecks here often appear in databases and APIs, not just the edge router.

Security hardening Ingress should be non-negotiable. Configure network policies, restrict exposed routes, enforce TLS 1.2 or higher, and ensure that you terminate traffic with modern cipher suites. OpenShift supports custom HAProxy templates for the router, giving you full control over timeouts, rate limits, and request filtering.

For workloads that need zero-downtime deployments, Ingress can route by path or subdomain to blue-green or canary versions of your app. You define these in your Ingress rules or OpenShift Routes, and the controller handles session persistence and failover automatically.

Observability is critical. Track request metrics, latency, and error rates from the router. OpenShift exposes these via Prometheus, so you can alert on spikes or anomalies before customers notice. Coupled with distributed tracing, you can follow a request from the edge to every microservice, identifying slow points in the chain.

If you want to see Kubernetes Ingress on OpenShift in action without setting up and tuning everything by hand, you can skip the manual deployment and test it live in minutes. Try it on hoop.dev and move straight from planning to working software without the wait.