[Yandex Cloud documentation](../../index.md) > [Yandex Application Load Balancer](../index.md) > Tools for Managed Service for Kubernetes > Ingress controller > Installing an ingress controller

# Installing an Application Load Balancer Ingress controller for Managed Service for Kubernetes

# Installing an Application Load Balancer ingress controller

{% note tip %}

We recommend using the new [Yandex Cloud Gwin](../tools/gwin/index.md) controller instead of an ALB Ingress controller and Gateway API.

{% endnote %}

To balance the load and distribute traffic between Kubernetes applications, you can use an [Yandex Application Load Balancer](../tools/k8s-ingress-controller/index.md) ingress controller. It will launch the L7 load balancer and its auxiliary resources when you create an `Ingress` resource in a Managed Service for Kubernetes cluster.

{% note warning %}

Do not modify or delete the network load balancer and its child resources created using Managed Service for Kubernetes via the Yandex Cloud interfaces (the management console, Terraform, CLI, or API). This may cause incorrect operation of the cluster.

{% endnote %}

## Getting started {#before-you-begin}

1. If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

   The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

1. [Make sure](../../managed-kubernetes/operations/connect/security-groups.md) the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If a rule is missing, [add it](../../vpc/operations/security-group-add-rule.md).

    [Make sure](../tools/k8s-ingress-controller/security-groups.md) you have configured security groups for Application Load Balancer as well.

    {% note warning %}
    
    The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.
    
    {% endnote %}

1. Create an ingress controller [service account](../../iam/operations/sa/create.md) and [assign it the following roles for the folder](../../iam/operations/sa/assign-role-for-sa.md):
   * [alb.editor](../security/index.md#alb-editor): To create Application Load Balancer resources.
   * [vpc.publicAdmin](../../vpc/security/index.md#vpc-public-admin): To manage external network connectivity.
   * [certificate-manager.certificates.downloader](../../certificate-manager/security/index.md#certificate-manager-certificates-downloader): To use certificates registered in [Yandex Certificate Manager](../../certificate-manager/index.md).
   * [compute.viewer](../../compute/security/index.md#compute-viewer): To use Managed Service for Kubernetes cluster nodes in the L7 load balancer [target groups](../concepts/target-group.md).
   * [smart-web-security.editor](../../smartwebsecurity/security/index.md#smart-web-security-editor): To connect your Yandex Smart Web Security [security profile](../../smartwebsecurity/concepts/profiles.md) to the L7 load balancer virtual host. This is an optional setting.
1. [Create an authorized access key](../../iam/operations/authentication/manage-authorized-keys.md#create-authorized-key) for the service account in JSON format and save it to the `sa-key.json` file:

   ```bash
   yc iam key create \
     --service-account-name <name_of_service_account_for_ingress_controller> \
     --output sa-key.json
   ```

## Installation from Yandex Cloud Marketplace {#marketplace-install}

{% list tabs group=instructions %}

- Management console {#console}

  1. Go to the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) page.
  1. Navigate to **Managed Service for&nbsp;Kubernetes**.
  1. Click the name of your cluster and select the ![Marketplace](../../_assets/console-icons/shopping-cart.svg) **Marketplace** tab.
  1. Under **Application available for installation**, select [ALB ingress controller](https://yandex.cloud/en/marketplace/products/yc/alb-ingress-controller) and click **Go to install**.
  1. Configure the application:

     * **Namespace**: Create a new [namespace](../../managed-kubernetes/concepts/index.md#namespace), e.g., `alb-ingress-controller-space`. If you leave the default namespace, the ALB ingress controller may work incorrectly.
     * **Application name**: Specify the application name.
     * **Folder ID**: Specify the [folder ID](../../resource-manager/operations/folder/get-id.md).
     * **Cluster ID**: Specify the [cluster ID](../../managed-kubernetes/operations/kubernetes-cluster/kubernetes-cluster-list.md).
     * **Service account key**: Paste the contents of the `sa-key.json` file.
     * **Enable default health checks**: Select this option to install [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) in the node group network for application health checks.

        DaemonSet adds pods with traffic monitoring agents to each node. As a result, node and namespace isolation does not affect monitoring process, which means you get accurate traffic monitoring data. If the number of cluster nodes scales up or down, DaemonSet adds or removes monitoring agents, respectively.

        You can skip this option if you do not need to run cluster health checks or if you are using your own health check solution. For more information on configuring health checks manually, see [Health checking applications in a Yandex Managed Service for Kubernetes cluster via a Yandex Application Load Balancer](../tutorials/custom-health-checks.md).

  1. Click **Install**.
  1. Wait for the application to change its status to `Deployed`.

{% endlist %}

## Installation using a Helm chart {#install-alb-helm}

1. [Install Helm](https://helm.sh/docs/intro/install/) v3.8.0 or higher.

1. [Install kubect](https://kubernetes.io/docs/tasks/tools/install-kubectl) and [configure it to work with the new cluster](../../managed-kubernetes/operations/connect/index.md#kubectl-connect).

1. Install [`jq`](https://stedolan.github.io/jq/) for stream processing of JSON files:

   ```bash
   sudo apt update && sudo apt install jq
   ```

1. To install a [Helm chart](https://helm.sh/docs/topics/charts/) with an ingress controller, run this command:

   ```bash
   cat sa-key.json | helm registry login cr.yandex --username 'json_key' --password-stdin && \
   helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/yc-alb-ingress/yc-alb-ingress-controller-chart \
     --version v0.2.26 \
     --untar && \
   helm install \
     --namespace <namespace> \
     --create-namespace \
     --set folderId=<folder_ID> \
     --set clusterId=<cluster_ID> \
     --set enableDefaultHealthChecks=<true_or_false> \
     --set-file saKeySecretKey=sa-key.json \
     yc-alb-ingress-controller ./yc-alb-ingress-controller-chart/
   ```

   {% note info %}
   
   If you are using a Helm version below 3.8.0, add the `export HELM_EXPERIMENTAL_OCI=1 && \` string at the beginning of the command to enable [Open Container Initiative](https://opencontainers.org/) (OCI) support in the Helm client.
   
   {% endnote %}

   If you set `namespace` to the default namespace, the ALB ingress controller may work incorrectly. We recommend specifying a value different from all the existing namespaces, e.g., `alb-ingress-controller-space`.

   The `enableDefaultHealthChecks` option enables application health checks in a cluster. With this option selected, the ALB ingress controller installs [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) in the node group network.

   DaemonSet adds pods with traffic monitoring agents to each node. As a result, node and namespace isolation does not affect monitoring process, which means you get accurate traffic monitoring data. If the number of cluster nodes scales up or down, DaemonSet adds or removes monitoring agents, respectively.

   You can skip this option if you do not need to run cluster health checks or if you are using your own health check solution. For more information on configuring health checks manually, see [Health checking applications in a Yandex Managed Service for Kubernetes cluster via a Yandex Application Load Balancer](../../managed-kubernetes/tutorials/custom-health-checks.md).

## Use cases {#examples}

* [Setting up an Application Load Balancer ingress controller](../../managed-kubernetes/tutorials/alb-ingress-controller.md).
* [Logging settings for Application Load Balancer ingress controllers](../../managed-kubernetes/tutorials/alb-ingress-controller-log-options.md).

## See also {#see-also}

* [Description of Ingress controllers in the Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).
* [Restrictions when updating the ALB Ingress Controller](k8s-ingress-controller-upgrade.md)