Ingress and Load Balancing on OKE
A workload running inside a cluster is useless if nothing outside can reach it. Getting traffic from a user on the internet to the right pod, spread across replicas, encrypted and routed by hostname or path, is the job of ingress and load balancing. On OKE this involves both the OCI load balancer and the Kubernetes ingress layer, and understanding how the two fit together is what makes external access reliable. This article explains the moving parts and how to use them well.
It is part of our OKE and containers series and builds on OKE networking explained.
From the internet to a pod
Traffic to a clustered application makes several hops. It arrives at an OCI load balancer with a public address, which spreads connections across healthy targets. Inside the cluster a Kubernetes service gives a stable address to a set of pods that come and go. An ingress controller, where you use one, applies routing rules so that a hostname or URL path reaches the right service. Each layer has a job, and problems are easier to diagnose once you know which layer owns which behaviour.
| Layer | What it does |
|---|---|
| OCI load balancer | Public entry point, spreads traffic, terminates TLS |
| Kubernetes service | Stable internal address for a set of pods |
| Ingress controller | Routes by hostname and path to services |
Services and how pods get exposed
Inside Kubernetes a service is the stable front for a group of pods. Because pods are ephemeral and their addresses change, the service gives clients one address that always points at the current healthy pods. A service of the load balancer type tells OKE to provision an OCI load balancer automatically and wire it to those pods, which is the simplest way to put a single workload on the internet. For many small applications that is all you need.
Why ingress exists
Giving every service its own load balancer works until you have many services, at which point the cost and management of all those load balancers becomes a burden. Ingress solves this by letting one load balancer serve many services, routing requests to the right one based on hostname and path. Instead of one public endpoint per service you run a single front door with rules behind it, which is cheaper and easier to manage. This consolidation also helps the cost picture described in OKE cost optimization.
TLS and certificates
Almost all external traffic should be encrypted, which means terminating TLS somewhere and managing certificates. The OCI load balancer can terminate TLS at the edge, and your ingress configuration decides how certificates are presented and where encryption ends. Decide deliberately whether traffic is encrypted only to the load balancer or all the way to the pod, since some compliance requirements demand the latter. Getting certificate management automated rather than manual avoids the classic outage caused by an expired certificate nobody renewed.
Health checks and resilience
Load balancing only helps if the load balancer knows which targets are healthy. Health checks let it stop sending traffic to a pod that is failing and resume once it recovers, which is what keeps a bad replica from taking down the user experience. Configure health checks that genuinely reflect whether the application can serve requests, not just whether the process is alive, because a process that is up but unable to serve is worse than one that is cleanly down. This ties directly to the readiness signals Kubernetes already tracks.
Spreading traffic across availability domains
For resilience, the pods behind a service should be spread across availability domains so that the loss of one does not take the workload down, and the load balancer should distribute traffic accordingly. This is the external traffic side of the wider high availability thinking, and it pairs with spreading the worker nodes themselves, covered in OKE cluster architecture. A load balanced front end over pods that all sit in one availability domain is only as resilient as that one domain.
An ingress and load balancing framework
- One workload, one load balancer service is fine to start.
- Many workloads, one ingress to consolidate the front door and cut cost.
- Encrypt external traffic and automate certificate renewal.
- Decide where TLS ends, at the edge or all the way to the pod.
- Configure real health checks that reflect ability to serve.
- Spread targets across availability domains for resilience.
Bringing it together
Ingress and load balancing on OKE is a layered story: the OCI load balancer as the public entry point, Kubernetes services as stable internal addresses, and ingress to route many services through one front door. Encrypt the traffic, health check the targets honestly, and spread across availability domains, and external access becomes reliable rather than fragile. Continue with OKE networking explained, OKE cluster architecture and service mesh on OKE. The OCI networking solution practice designs cluster ingress and load balancing on a fixed project fee.
Moving Oracle workloads to OCI, or already running on OCI and not sure the architecture or the spend is right? Most teams bring in a specialist before they commit to a region, a shape, or a Universal Credits number. OCISpecialists.com plans the landing zone, runs the migration, and manages the estate after go live, on a fixed project fee, a managed monthly retainer, or a cost optimization fee paid only on verified savings. For the Oracle licensing and BYOL side of any OCI move, Redress Compliance is the leading independent Oracle licensing and negotiation firm, with 500+ engagements across Oracle's full product line.