Skip to content

Update USP doc for routing to clusterIPs #2006

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
bjee19 wants to merge 1 commit into
base: ngf-release-2.7
Choose a base branch
from
Draft

Update USP doc for routing to clusterIPs #2006

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
110 changes: 107 additions & 3 deletions content/ngf/traffic-management/upstream-settings.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -299,7 +299,7 @@ spec:
kind: Service
name: tea
loadBalancingMethod: "hash consistent"
hashMethodKey: "$upstream_addr"
Copy link
Copy Markdown
Contributor Author

@bjee19 bjee19 May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wouldn't apply correctly without this change

Copy link
Copy Markdown
Contributor

@salonichf5 salonichf5 May 28, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is the error message? Most definitely worked for me

Copy link
Copy Markdown
Contributor

@salonichf5 salonichf5 May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should update the examples folder in NGF too then

Copy link
Copy Markdown
Contributor Author

@bjee19 bjee19 May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

The UpstreamSettingsPolicy "lb-method-hash" is invalid: spec.hashMethodKey: Invalid value: "": spec.hashMethodKey in body should match '^\$[a-z_]+$'

I think for some reason in my terminal atleast, since its not escaped, the $ like causes it to evaluate the variable

hashMethodKey: "\$upstream_addr"
EOF
```

Expand Down Expand Up @@ -357,6 +357,7 @@ upstream default_tea_80 {

{{< call-out "note" >}}
NGINX Open Source supports the following load-balancing methods: `round_robin`, `least_conn`, `ip_hash`, `hash`, `hash consistent`, `random`, `random two`, and `random two least_conn`.

NGINX Plus supports all of the methods available in NGINX Open Source, and adds the following methods: `random two least_time=header`, `random two least_time=last_byte`, `least_time header`, `least_time last_byte`, `least_time header inflight`, and `least_time last_byte inflight`.
{{< /call-out >}}

Expand Down Expand Up @@ -513,7 +514,7 @@ kubectl apply -f - <<EOF
apiVersion: gateway.nginx.org/v1alpha1
kind: UpstreamSettingsPolicy
metadata:
name: upstream-unset-keepAlive
name: upstream-unset-keepalive
spec:
targetRefs:
- group: core
Expand All @@ -527,7 +528,7 @@ EOF
Verify that the `UpstreamSettingsPolicy` is Accepted:

```shell
kubectl describe upstreamsettingspolicies.gateway.nginx.org upstream-unset-keepAlive
kubectl describe upstreamsettingspolicies.gateway.nginx.org upstream-unset-keepalive
```

You should see the following status:
Expand Down Expand Up @@ -565,6 +566,109 @@ upstream default_tea_80 {
}
```

## Enable routing to Service ClusterIPs

The ability to configure NGINX to route to the Service ClusterIP and port instead of individual Pod IPs can be useful in service mesh scenarios or when working with other Kubernetes controllers/operators that require traffic to flow to the Service IP address.

View the IP address of the `coffee` backend pod and verify it matches the IP address in the `coffee` upstream:

```shell
kubectl get endpoints coffee
```

```text
NAME ENDPOINTS AGE
coffee 10.244.0.8:8080 13m
```

```shell
kubectl exec -it deployments/gateway-nginx -- nginx -T
```

```text
upstream default_coffee_80 {
random two least_conn;
zone default_coffee_80 1m;


server 10.244.0.8:8080;
keepalive 32;
}
```

The following example creates an `UpstreamSettingsPolicy` that configures NGINX to route to the coffee Service ClusterIP instead of the individual backend Pod IPs by using the `useClusterIP` field:

```yaml
kubectl apply -f - <<EOF
apiVersion: gateway.nginx.org/v1alpha1
kind: UpstreamSettingsPolicy
metadata:
name: upstream-clusterip
spec:
targetRefs:
- group: core
kind: Service
name: coffee
useClusterIP: true
EOF
```

Verify that the `UpstreamSettingsPolicy` is Accepted:

```shell
kubectl describe upstreamsettingspolicies.gateway.nginx.org upstream-keepalives
```

You should see the following status:

```text
Status:
Ancestors:
Ancestor Ref:
Group: gateway.networking.k8s.io
Kind: Gateway
Name: gateway
Namespace: default
Conditions:
Last Transition Time: 2026-05-28T21:49:20Z
Message: The Policy is accepted
Observed Generation: 1
Reason: Accepted
Status: True
Type: Accepted
Controller Name: gateway.nginx.org/nginx-gateway-controller
Events: <none>
```

{{< call-out "note" >}}This setting applies only when the target Service has a ClusterIP. For headless Services (ClusterIP: None) and ExternalName Services, normal endpoint resolution is used instead. Additionally, this setting is also not applied to L4/stream upstreams.{{< /call-out >}}

View the IP address of the `coffee` Service and verify it matches the IP address in the `coffee` upstream:

```shell
kubectl get service coffee
```

```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
coffee ClusterIP 10.96.23.26 <none> 80/TCP 16m
```


```shell
kubectl exec -it deployments/gateway-nginx -- nginx -T
```

```text
upstream default_coffee_80 {
random two least_conn;
zone default_coffee_80 1m;


server 10.96.23.26:80;
keepalive 32;
}
```

---

## Further reading
Expand Down
Loading