IBM Cloud Kubernetes Service Ingress/ALB Cheat Sheet #1 Basics

Are you looking for an easy to use and managed Kubernetes service? Sign up and start your Kubernetes Cluster right now. Once up and running you will see your Clusters here, you have been guided through the steps of installing the ibmcloud CLI and kubectl CLI.

Let’s dive into the IKS Ingress Controller or ALB details. (I am sorry, the maximum snippet width of medium is very narrow) :(

Get the ingress hostname

Let’s assume my cluster-name is arpad-ipvs-test-aug14.

$ ibmcloud ks cluster-get arpad-ipvs-test-aug14 |grep Ingress

Query the ALBs

I have a multizone setup, I have multiple ALBs in multiple zones, this comes really handy to see which ALB is listening on what IP address:

$ ibmcloud ks albs --cluster arpad-ipvs-test-aug14

Note: You can have a third zone as well, all commands apply, you will just have a third ALB and third IP.

Check the IKS ALB logs

Get the IDs of the ALB pods in your cluster:

$ kubectl get pods -n kube-system |grep alb

Pick the ALB you want to check the logs for of and:

$ kubectl logs <ingress_pod_ID> nginx-ingress -n kube-system

What is in DNS?

In case I have a multizone setup, I have multiple ALBs in multiple zones registered under the same host name:

$ host

I also can check how my Kubernetes Ingress resource is configured to see if anything is off there:

$ kubectl get ingress -o wide

Note the IP addresses there as well. See IKS help docs for further detail.

Get pods sorted by which node they are running on (in kube-system namespace)

$ kubectl get pods --namespace kube-system \
--sort-by=.spec.nodeName \
-o jsonpath='{range .items[*]}{.spec.nodeName}{"\t"}{}{"\n"}{end}'

Get only ALB pods:

$ kubectl get pods --namespace kube-system \
--sort-by=.spec.nodeName \
-o jsonpath='{range .items[*]}{.spec.nodeName}{"\t"}{}{"\n"}{end}' |grep alb

Dealing with edge nodes

You can find documentation how to create edge nodes and why here.

Get edge nodes:

$ kubectl get nodes -L publicVLAN,privateVLAN,dedicated

With ibmcloud ks (requires you have an edge worker-pool):

$ ibmcloud ks workers <YOUR CLUSTER NAME> --worker-pool=edge \
--json | jq '.[] | {edgenode: .privateIP}'

Find the node selectors for ALB:

$ kubectl get pods --namespace kube-system \
--sort-by=.spec.nodeName \
-o jsonpath='{range .items[*]}{.spec.nodeSelector}{"\t"}{}{"\n"}{end}' | grep alb

How can I test if the health check is successful?

Note: This healthcheck support is only available for clusters that have ingress subdomain with the latest domain:

If your cluster is still using you can either order a new cluster to get the latest subdomain or convert your existing single AZ cluster to a MZR (Multizone Region) cluster in which case you will get the subdomain with domain in addition to the existing Official docs here.

$ curl -X GET -H \

Note: I am using HTTP and the “albhealth….” host to do the check. This host is configured in the IKS ALB to respond “healthy”.

I can run the same command for the subsequent IP(s):

$ curl -X GET -H \

How to check if ingress resource has been successfully applied to ALB?

Let’s say I want to apply the following ingress yaml to my cluster.

Apply the yaml (kubectl apply -f <yaml name>) to the cluster to create the ingress resource. After applying the yaml and creating the ingress resource there is an easy way to verify if the resource was successfully processed by the albs, if there were any errors in the annotation format. This can be done by checking the events on the ingress resource.

$ kubectl describe ing test-ingress

Checking for errors

Any error while processing the resource and annotations will show up in the events too. For example if I apply this ingress resource yaml with the wrong annotation format:

Descrbing the ingress will now show the error:

$ kubectl describe ing test-ingress

Testing Customer workload (My application I want to expose)

If I want to run test against an HTTPS host, like my application workload on selected ALBs individually, I have to specify to curl what hostname to resolve to, so it posts the right host as SNI header during TLS handshake (to get the right certificate):

curl -X GET --resolve \

This is for today, will follow up with a few additional commands and cheats. :)

Cheers! :)

Further useful articles:
- IKS ALB/Ingress Controller Timeouts, Dropped Websocket Connections
- How Can I Isolate, do Maintenance and Debug an ALB/Ingress Controller