Kong Ingress Controller with Internet-Facing NLB / AWS EKS


Kubernetes Version: 1.27
Cloud Provider / Platform: AWS EKS

I have followed the installation instructions provided by Kong Konnect to create a new runtime group using the Kong Ingress Controller method. I am using the default Helm values provided, and successfully installed Kong Ingress Controller in EKS.

You can see the pods are up and healthy (using Istio as well, so 2/2 containers are shown):

kubectl get pods -n kong
NAME                                                 READY   STATUS    RESTARTS      AGE
kong-ingress-controller-controller-c4d8d9576-rm5dr   2/2     Running   1 (15h ago)   15h
kong-ingress-controller-gateway-74fc5c5965-tdmc8     2/2     Running   0             15h
kong-ingress-controller-postgresql-0                 2/2     Running   0             17h

Similarly, you can see that AWS allocated a load balancer to the Kong gateway proxy:

kubectl get svc -n kong
NAME                                                    TYPE           CLUSTER-IP       EXTERNAL-IP                              PORT(S)                      AGE
kong-ingress-controller-controller-validation-webhook   ClusterIP     <none>                                   443/TCP                      4d1h
kong-ingress-controller-gateway-admin                   ClusterIP      None             <none>                                   8444/TCP                     4d1h
kong-ingress-controller-gateway-proxy                   LoadBalancer     <REDACTED>.elb.us-east-2.amazonaws.com   80:31323/TCP,443:30937/TCP   4d1h
kong-ingress-controller-postgresql                      ClusterIP    <none>                                   5432/TCP                     4d1h
kong-ingress-controller-postgresql-hl                   ClusterIP      None             <none>                                   5432/TCP                     4d1h

The Problem: Kong seems to be requesting a load balancer with scheme: internal as opposed to scheme: internet-facing.

I am coming from Istio, where you annotate the Istio IngressGateway in the Helm values to make it internet-facing:

# Istio IngressGateway values.yaml
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-type: nlb

How can I make Kong request a scheme: internet-facing load balancer instead of scheme: internal so I can bring internet traffic into my cluster?

Thanks in advance.
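
For comparison with the Istio values quoted in the post, an added example that is not part of the original post: the same two annotations applied to the Kong proxy Service through Helm values. The `gateway.proxy` path assumes the `kong/ingress` chart layout suggested by the `-gateway` and `-controller` resource names, and the CIDR is a constructed placeholder.

```yaml
# values.yaml override for the Kong release (added example; not from the original post)
# Assumption: kong/ingress umbrella chart, where gateway settings are nested under `gateway:`.
# With the standalone kong/kong chart the same keys sit at the top level under `proxy:`.
gateway:
  proxy:
    type: LoadBalancer
    annotations:
      # Same annotations the post uses for the Istio IngressGateway
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
    # Optional: limit which client CIDRs may reach the public listener.
    # 203.0.113.0/24 is a constructed documentation range; replace or remove.
    loadBalancerSourceRanges:
      - 203.0.113.0/24
  admin:
    # Keep the Admin API off the load balancer, as in the service listing in the post
    type: ClusterIP
```

After a Helm upgrade, `kubectl get svc -n kong kong-ingress-controller-gateway-proxy -o yaml` shows whether the annotations reached the Service that AWS provisions the load balancer from.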