[Yandex Cloud documentation](../../../index.md) > [Yandex Application Load Balancer](../../index.md) > [Tools for Managed Service for Kubernetes](../index.md) > Ingress controller > Overview

# Ingress controller for Managed Service for Kubernetes

{% note tip %}

We recommend using the new [Yandex Cloud Gwin](../gwin/index.md) controller instead of an ALB Ingress controller and Gateway API.

{% endnote %}

The ingress controller is an Application Load Balancer tool for creating and managing load balancers in [Yandex Managed Service for Kubernetes clusters](../../../managed-kubernetes/concepts/index.md#kubernetes-cluster).

Once you install an ingress controller in your cluster, it will automatically deploy [L7 load balancers](../../concepts/application-load-balancer.md) with all required Application Load Balancer components configured according to your [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) resource specifications.

For full configuration of the resources for the Application Load Balancer ingress controller, see the following sections:

* [Ingress](../../k8s-ref/ingress.md): Traffic routing and controller configuration.
* [HttpBackendGroup](../../k8s-ref/http-backend-group.md) and [GrpcBackendGroup](../../k8s-ref/grpc-backend-group.md): Combining backends into groups.
* [IngressClass](../../k8s-ref/ingress-class.md): Managing multiple ingress controllers in a Kubernetes cluster.
* [Service](../../k8s-ref/service-for-ingress.md): Description of Kubernetes services used as backends.

## Configuration example {#example}

Below you can see an abbreviated `Ingress` resource configuration example describing a load balancer that receives HTTPS requests and routes them to one of two service backends based on their URI paths.

{% cut "Example" %}

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-demo-tls
spec:
  tls:
    - hosts:
        - <domain_name>
      secretName: yc-certmgr-cert-id-<certificate_ID>
  rules:
    - host: <domain_name>
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: alb-demo-1
                port:
                  number: 80
          - path: /app2
            pathType: Prefix
            backend:
              service:
                name: alb-demo-2
                port:
                  number: 80
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: alb-demo-2
                port:
                  name: http
```

Where `secretName` is the Yandex Certificate Manager certificate ID.

{% endcut %}

In [ALB ingress controllers](https://yandex.cloud/en/marketplace/products/yc/alb-ingress-controller) v0.2.0+, this `Ingress` configuration maps [backend groups](../../concepts/backend-group.md) to the `backend.service` specification, while in versions 0.1.x, backend groups are defined through field combinations: `host`, `http.paths.path`, and `http.paths.pathType`. It may result in collisions during the ALB ingress controller upgrade. To avoid them, check the [upgrade restrictions](../../operations/k8s-ingress-controller-upgrade.md) for your infrastructure.

## Installation and requirements {#install}

To install the Application Load Balancer ingress controller, you need:

* Managed Service for Kubernetes cluster.
* Cluster node group.
* Cluster namespace to store your [service account](service-account.md) key.

To learn how to install the ingress controller, see [this guide](../../operations/k8s-ingress-controller-install.md).

## Logging settings {#log-options}

To set up logging for an L7 load balancer created via the Application Load Balancer ingress controller in a Managed Service for Kubernetes cluster, configure its ingress group settings in the `IngressGroupSettings` resource, specifying their name in the new `ingress.alb.yc.io/group-settings-name` annotation. For more information, see [Ingress resource annotations](../../k8s-ref/ingress.md#annotations).

## Yandex Smart Web Security integration {#smart-web-security}

In the ingress controller, you can enable [Yandex Smart Web Security](../../../smartwebsecurity/concepts/index.md), including DDoS protection, [WAF](../../../smartwebsecurity/concepts/waf.md), and [resource overload protection](../../../smartwebsecurity/concepts/arl.md).

This service checks HTTP requests to a protected resource through an L7 load balancer [virtual host](../../concepts/http-router.md#virtual-host). Depending on check results, it forwards the requests to the protected resource, blocks them, or sends them to [Yandex SmartCaptcha](../../../smartcaptcha/index.md) for additional verification.

To enable this service, specify the Smart Web Security [security profile](../../../smartwebsecurity/concepts/profiles.md) ID in the Ingress annotation:

```yaml
ingress.alb.yc.io/security-profile-id: <security_profile_ID>
```

This profile contains verification conditions and actions applied to incoming HTTP requests following the check results.

If you do not have a security profile, [create one](../../../smartwebsecurity/operations/profile-create.md).

## Traffic routing using multiple ingress controllers {#ingress-class}

You can deploy multiple ingress controllers, e.g., Application Load Balancer and NGINX, for a single application. For proper traffic routing isolation, define a dedicated [IngressClass](../../k8s-ref/ingress-class.md) resource for each ingress controller. Specify the `Ingress` resource’s `IngressClass` in its `spec.ingressClassName` field. Check out a GitHub [example](https://github.com/yandex-cloud-examples/yc-mk8s-with-ingress-class) for configuring `Ingress` resources and routing traffic with multiple ingress controllers.

#### See also {#see-also}

* [Controller operating principles](principles.md)
* [Security group configuration](security-groups.md) for a Kubernetes cluster and a load balancer
* [Service account](service-account.md) to support controller operation
* [ALB ingress Controller in Yandex Cloud Marketplace](https://yandex.cloud/en/marketplace/products/yc/alb-ingress-controller)