Manage the Kubernetes Ingress configuration in Citrix ADM

Kubernetes (K8s) is an open source container orchestration engine where you can automate the deployment, scaling, and management of containerized applications.

Kubernetes uses the Ingress feature through which the client traffic accesses the microservices of an application. The Citrix ADC instances can act as Ingress to the applications running inside a Kubernetes cluster. The Citrix ADC instances become load balancer and proxy to the (North-South) traffic from the clients to the microservices inside the Kubernetes cluster. And the instances, update the endpoints for the microservices as and when they change in the Kubernetes environment.


  • Citrix ADM supports the Ingress feature on the clusters with Kubernetes version 1.14.
  • Citrix ADM supports Citrix ADC VPX and MPX appliances as Ingress devices.
  • In Kubernetes environment, the Citrix ADC instance load balances only the “NodePort” service type.

You can configure multiple ADC instances to act as an Ingress, and assign each ADC to different applications based on the Ingress policy. Specify the following to deploy an Ingress configuration:

  • Cluster – A Kubernetes cluster to which you want to deploy an Ingress configuration. While adding a cluster in Citrix ADM, specify the Kubernetes API server information. And, select an agent from which you want to manage the Ingress configurations.

  • Policies – The policies decide the ADC instance, cluster, and namespace to deploy an Ingress configuration. Specify the cluster, site, and instance information to add a policy.

  • Ingress Configuration – This configuration includes the content switching rules and the corresponding URL paths of the microservices and their ports. You can also specify the SSL/TLS certificates using a Kubernetes secret to offload HTTPS traffic on the ADC instance.

The Citrix ADM automatically maps the Ingress configurations and ADC instances. The Citrix ADM selects the ADC instance and hosts an Ingress configuration depending on the specified Ingress policies.

For each successful Ingress configuration, the Citrix ADM generates a StyleBooks ConfigPack. The ConfigPack represents the ADC configuration applied to the ADC instance that corresponds to the Ingress configuration. To view the configpack, navigate to Applications > StyleBooks > Configurations.

Before you begin

To orchestrate Citrix ADC instances on Kubernetes cluster, ensure you have:

  • Kubernetes cluster.

  • Citrix ADM agent installed and configured to enable communication between Citrix ADM and Kubernetes cluster or managed instances in your data center or cloud.

  • Kubernetes cluster added on Citrix ADM.

Configure Citrix ADM agent to register with Kubernetes cluster

To enable communication between Kubernetes cluster and Citrix ADM, you must install and configure a Citrix ADM agent. You can configure an agent using the following:

  • Hypervisor

  • Public cloud services (such as Microsoft Azure, AWS)

  • Built-in agent available on Citrix ADC instances (ideal for HA deployments).

Follow the procedure to configure an agent.


You can also use an existing agent.

Configure the Citrix ADM with a secret token to manage a Kubernetes cluster

The Kubernetes adapter is built to manage the Ingress configuration for a Kubernetes cluster. This adapter requires a cluster wide access to the Kubernetes API’s. To do so, add a service account for Citrix ADM and configure the service account with necessary RBAC permissions.

  1. Create a service account for Citrix ADM. For example, the service account name can be citrixadm-sa. To create a service account, see Use Multiple Service Accounts.

  2. Use the cluster-admin role to bind the Citrix ADM account. This binding grants a ClusterRole across the cluster to a service account. The following is an example command to bind a cluster-admin role to the service account.

    kubectl create clusterrolebinding citrixadm-sa-admin --clusterrole=cluster-admin --serviceaccount=default:citrixadm-sa

    After binding the Citrix ADM account to the cluster-admin role, the service account has the cluster-wide access. For more information, see kubectl create clusterrolebinding.

  3. Obtain the token from the created service account.

    For example, run the following command to view the token for the citrixadm-sa service account:

    kubectl describe sa citrixadm-sa
  4. Run the following command to obtain the secret string of the token:

    kubectl describe secret <token-name>

Add the Kubernetes cluster in Citrix ADM

After you configure a Citrix ADM agent and configure static routes, you must add the Kubernetes cluster in Citrix ADM.

To add the Kubernetes cluster:

  1. Log on to Citrix ADM with administrator credentials.

  2. Navigate to Orchestration > Kubernetes > Cluster. The Clusters page is displayed.

  3. Click Add.

  4. In the Add Cluster page, specify the following parameters:

    1. Name - Specify a name of your choice.

    2. API Server URL - You can get the API Server URL details from the Kubernetes Master node.

      1. On the Kubernetes master node, run the command kubectl cluster-info.

        API Server URL

      2. Enter the URL that displays for “Kubernetes master is running at.”

    3. Authentication Token - Specify the authentication token. The authentication token is required to validate access for communication between Kubernetes cluster and Citrix ADM. To generate an authentication token:

      1. On the Kubernetes master node, run the following commands:

        kubectl get secrets | grep ^default

        kubectl describe secret <SECRET_NAME>


        You can also create RBAC role and service account YAMLs for your Kubernetes cluster, and create an authentication token for the admin user.

      2. Copy the token that is generated.

        For more information, see Kubernetes documentation.

    4. Select the agent from the list.

    5. Click Create.

      add cluster

      You can deploy Ingress configuration, after enabling the auto-select virtual servers for licensing.

Define an Ingress policy

The Ingress policy decides the Kubernetes cluster and VPX instances to deploy the Ingress configuration. Define the conditions in the Ingress policy and specify the infrastructure details to execute the policy.

  1. Navigate to Orchestration > Kubernetes > Policy.

  2. Click Add to create a policy.

    1. Specify the policy name.

    2. Define Conditions to deploy the Ingress configuration on a Kubernetes cluster.

    3. In the Infrastructure panel,

      • Site - Select a site from the list.

      • Instance - Select an instance from the list.

      The Site and Instance lists populate the options based on the cluster selection in the Conditions panel.

      These lists display the sites or instances that are associated with the Citrix ADM agent configured with the Kubernetes cluster.

    4. Click Create.

Deploy the Ingress configuration

Specify the details that are required to deploy an Ingress configuration.

  1. Navigate to Orchestration > Kubernetes > Ingress.

  2. Click Add.

  3. In the Create Ingress field, specify the following details:

    1. Specify the name of the Ingress.

    2. In Cluster, select the Kubernetes cluster on which you want to deploy an Ingress.

    3. Select the Cluster Namespace from the list. This field lists the namespaces that are present in the specified Kubernetes cluster.

    4. In the Frontend IP address field, specify the virtual IP address of the Ingress device.

    5. If you want to manage the HTTPS traffic on Kubernetes cluster:

      1. Select Yes in the Enable TLS field.

      2. In the TLS secret field, select the secret information from the list.

      A HTTPS Ingress requires a TLS based secret configured on the Kubernetes cluster. Specify the tls.crt and tls.key fields to include the server certificate and the certificate key respectively.

    6. Specify the URL paths and its Kubernetes service and ports. Click Add to add more URL paths and ports to the Ingress configuration.

      After deployment, the Ingress configuration redirects the client traffic to the specific services when the defined URL paths are requested.

    7. Optional, specify an Ingress Description and click Deploy.

      if you want to review the configuration before you deploy, click Generate Ingress Spec. The specified Ingress configuration appears in the YAML format. After reviewing the configuration, click Deploy.