Bare-metal considerations ¶
In traditional cloud environments, where network load balancers are available on-demand, a single Kubernetes manifest suffices to provide a single point of contact to the Ingress-Nginx Controller to external clients and, indirectly, to any application running inside the cluster. Bare-metal environments lack this commodity, requiring a slightly different setup to offer the same kind of access to external consumers.
The rest of this document describes a few recommended approaches to deploying the Ingress-Nginx Controller inside a Kubernetes cluster running on bare-metal.
A pure software solution: MetalLB ¶
MetalLB provides a network load-balancer implementation for Kubernetes clusters that do not run on a supported cloud provider, effectively allowing the usage of LoadBalancer Services within any cluster.
This section demonstrates how to use the Layer 2 configuration mode of MetalLB together with the NGINX Ingress controller in a Kubernetes cluster that has publicly accessible nodes. In this mode, one node attracts all the traffic for the ingress-nginx Service IP. See Traffic policies for more details.
Note
The description of other supported configuration modes is off-scope for this document.
Warning
MetalLB is currently in beta. Read about the Project maturity and make sure you inform yourself by reading the official documentation thoroughly.
MetalLB can be deployed either with a simple Kubernetes manifest or with Helm. The rest of this example assumes MetalLB was deployed following the Installation instructions, and that the Ingress-Nginx Controller was installed using the steps described in the quickstart section of the installation guide.
MetalLB requires a pool of IP addresses in order to be able to take ownership of the ingress-nginx Service. This pool can be defined through IPAddressPool objects in the same namespace as the MetalLB controller. This pool of IPs must be dedicated to MetalLB's use, you can't reuse the Kubernetes node IPs or IPs handed out by a DHCP server.
Example
Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal environments this value is <None>)
$ kubectl get node
+ Bare-metal considerations - Ingress-Nginx Controller Bare-metal considerations ¶
In traditional cloud environments, where network load balancers are available on-demand, a single Kubernetes manifest suffices to provide a single point of contact to the Ingress-Nginx Controller to external clients and, indirectly, to any application running inside the cluster. Bare-metal environments lack this commodity, requiring a slightly different setup to offer the same kind of access to external consumers.
The rest of this document describes a few recommended approaches to deploying the Ingress-Nginx Controller inside a Kubernetes cluster running on bare-metal.
A pure software solution: MetalLB ¶
MetalLB provides a network load-balancer implementation for Kubernetes clusters that do not run on a supported cloud provider, effectively allowing the usage of LoadBalancer Services within any cluster.
This section demonstrates how to use the Layer 2 configuration mode of MetalLB together with the NGINX Ingress controller in a Kubernetes cluster that has publicly accessible nodes. In this mode, one node attracts all the traffic for the ingress-nginx Service IP. See Traffic policies for more details.
Note
The description of other supported configuration modes is off-scope for this document.
Warning
MetalLB is currently in beta. Read about the Project maturity and make sure you inform yourself by reading the official documentation thoroughly.
MetalLB can be deployed either with a simple Kubernetes manifest or with Helm. The rest of this example assumes MetalLB was deployed following the Installation instructions, and that the Ingress-Nginx Controller was installed using the steps described in the quickstart section of the installation guide.
MetalLB requires a pool of IP addresses in order to be able to take ownership of the ingress-nginx Service. This pool can be defined through IPAddressPool objects in the same namespace as the MetalLB controller. This pool of IPs must be dedicated to MetalLB's use, you can't reuse the Kubernetes node IPs or IPs handed out by a DHCP server.
Example
Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal environments this value is <None>)
$ kubectl get node
NAME STATUS ROLES EXTERNAL-IP
host-1 Ready master 203.0.113.1
host-2 Ready node 203.0.113.2
@@ -29,7 +29,7 @@
As soon as MetalLB sets the external IP address of the ingress-nginx LoadBalancer Service, the corresponding entries are created in the iptables NAT table and the node with the selected IP address starts responding to HTTP requests on the ports configured in the LoadBalancer Service:
$ curl -D- http://203.0.113.10 -H 'Host: myapp.example.com'
HTTP/1.1 200 OK
Server: nginx/1.15.2
-
Tip
In order to preserve the source IP address in HTTP requests sent to NGINX, it is necessary to use the Local traffic policy. Traffic policies are described in more details in Traffic policies as well as in the next section.
Over a NodePort Service ¶
Due to its simplicity, this is the setup a user will deploy by default when following the steps described in the installation guide.
Info
A Service of type NodePort exposes, via the kube-proxy component, the same unprivileged port (default: 30000-32767) on every Kubernetes node, masters included. For more information, see Services.
In this configuration, the NGINX container remains isolated from the host network. As a result, it can safely bind to any port, including the standard HTTP ports 80 and 443. However, due to the container namespace isolation, a client located outside the cluster network (e.g. on the public internet) is not able to access Ingress hosts directly on ports 80 and 443. Instead, the external client must append the NodePort allocated to the ingress-nginx Service to HTTP requests.
You can customize the exposed node port numbers by setting the controller.service.nodePorts.* Helm values, but they still have to be in the 30000-32767 range.
Example
Given the NodePort 30100 allocated to the ingress-nginx Service
$ kubectl -n ingress-nginx get svc
+
Tip
In order to preserve the source IP address in HTTP requests sent to NGINX, it is necessary to use the Local traffic policy. Traffic policies are described in more details in Traffic policies as well as in the next section.
Over a NodePort Service ¶
Due to its simplicity, this is the setup a user will deploy by default when following the steps described in the installation guide.
Info
A Service of type NodePort exposes, via the kube-proxy component, the same unprivileged port (default: 30000-32767) on every Kubernetes node, masters included. For more information, see Services.
In this configuration, the NGINX container remains isolated from the host network. As a result, it can safely bind to any port, including the standard HTTP ports 80 and 443. However, due to the container namespace isolation, a client located outside the cluster network (e.g. on the public internet) is not able to access Ingress hosts directly on ports 80 and 443. Instead, the external client must append the NodePort allocated to the ingress-nginx Service to HTTP requests.
Example
Given the NodePort 30100 allocated to the ingress-nginx Service
$ kubectl -n ingress-nginx get svc
NAME TYPE CLUSTER-IP PORT(S)
default-http-backend ClusterIP 10.0.64.249 80/TCP
ingress-nginx NodePort 10.0.220.217 80:30100/TCP,443:30101/TCP
@@ -38,7 +38,7 @@
host-1 Ready master 203.0.113.1
host-2 Ready node 203.0.113.2
host-3 Ready node 203.0.113.3
-
a client would reach an Ingress with host: myapp.example.com at http://myapp.example.com:30100, where the myapp.example.com subdomain resolves to the 203.0.113.2 IP address.
Impact on the host system
While it may sound tempting to reconfigure the NodePort range using the --service-node-port-range API server flag to include unprivileged ports and be able to expose ports 80 and 443, doing so may result in unexpected issues including (but not limited to) the use of ports otherwise reserved to system daemons and the necessity to grant kube-proxy privileges it may otherwise not require.
This practice is therefore discouraged. See the other approaches proposed in this page for alternatives.
This approach has a few other limitations one ought to be aware of:
Source IP address ¶
Services of type NodePort perform source address translation by default. This means the source IP of a HTTP request is always the IP address of the Kubernetes node that received the request from the perspective of NGINX.
The recommended way to preserve the source IP in a NodePort setup is to set the value of the externalTrafficPolicy field of the ingress-nginx Service spec to Local (example).
Warning
This setting effectively drops packets sent to Kubernetes nodes which are not running any instance of the NGINX Ingress controller. Consider assigning NGINX Pods to specific nodes in order to control on what nodes the Ingress-Nginx Controller should be scheduled or not scheduled.
Example
In a Kubernetes cluster composed of 3 nodes (the external IP is added as an example, in most bare-metal environments this value is <None>)
$ kubectl get node
+
a client would reach an Ingress with host: myapp.example.com at http://myapp.example.com:30100, where the myapp.example.com subdomain resolves to the 203.0.113.2 IP address.
Impact on the host system
While it may sound tempting to reconfigure the NodePort range using the --service-node-port-range API server flag to include unprivileged ports and be able to expose ports 80 and 443, doing so may result in unexpected issues including (but not limited to) the use of ports otherwise reserved to system daemons and the necessity to grant kube-proxy privileges it may otherwise not require.
This practice is therefore discouraged. See the other approaches proposed in this page for alternatives.
This approach has a few other limitations one ought to be aware of:
- Source IP address
Services of type NodePort perform source address translation by default. This means the source IP of a HTTP request is always the IP address of the Kubernetes node that received the request from the perspective of NGINX.
The recommended way to preserve the source IP in a NodePort setup is to set the value of the externalTrafficPolicy field of the ingress-nginx Service spec to Local (example).
Warning
This setting effectively drops packets sent to Kubernetes nodes which are not running any instance of the NGINX Ingress controller. Consider assigning NGINX Pods to specific nodes in order to control on what nodes the Ingress-Nginx Controller should be scheduled or not scheduled.
Example
In a Kubernetes cluster composed of 3 nodes (the external IP is added as an example, in most bare-metal environments this value is <None>)
$ kubectl get node
NAME STATUS ROLES EXTERNAL-IP
host-1 Ready master 203.0.113.1
host-2 Ready node 203.0.113.2
@@ -48,7 +48,7 @@
default-http-backend-7c5bc89cc9-p86md 1/1 Running 172.17.1.1 host-2
ingress-nginx-controller-cf9ff8c96-8vvf8 1/1 Running 172.17.0.3 host-3
ingress-nginx-controller-cf9ff8c96-pxsds 1/1 Running 172.17.1.4 host-2
-
Requests sent to host-2 and host-3 would be forwarded to NGINX and original client's IP would be preserved, while requests to host-1 would get dropped because there is no NGINX replica running on that node.
Other ways to preserve the source IP in a NodePort setup are described here: Source IP address.
Ingress status ¶
Because NodePort Services do not get a LoadBalancerIP assigned by definition, the Ingress-Nginx Controller does not update the status of Ingress objects it manages.
$ kubectl get ingress
+
Requests sent to host-2 and host-3 would be forwarded to NGINX and original client's IP would be preserved, while requests to host-1 would get dropped because there is no NGINX replica running on that node.
- Ingress status
Because NodePort Services do not get a LoadBalancerIP assigned by definition, the Ingress-Nginx Controller does not update the status of Ingress objects it manages.
$ kubectl get ingress
NAME HOSTS ADDRESS PORTS
test-ingress myapp.example.com 80
Despite the fact there is no load balancer providing a public IP address to the Ingress-Nginx Controller, it is possible to force the status update of all managed Ingress objects by setting the externalIPs field of the ingress-nginx Service.
Warning
There is more to setting externalIPs than just enabling the Ingress-Nginx Controller to update the status of Ingress objects. Please read about this option in the Services page of official Kubernetes documentation as well as the section about External IPs in this document for more information.
Example
Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal environments this value is <None>)
$ kubectl get node
@@ -64,7 +64,7 @@
which would in turn be reflected on Ingress objects as follows:
$ kubectl get ingress -o wide
NAME HOSTS ADDRESS PORTS
test-ingress myapp.example.com 203.0.113.1,203.0.113.2,203.0.113.3 80
-
Redirects ¶
As NGINX is not aware of the port translation operated by the NodePort Service, backend applications are responsible for generating redirect URLs that take into account the URL used by external clients, including the NodePort.
Example
Redirects generated by NGINX, for instance HTTP to HTTPS or domain to www.domain, are generated without NodePort:
$ curl -D- http://myapp.example.com:30100`
+
- Redirects
As NGINX is not aware of the port translation operated by the NodePort Service, backend applications are responsible for generating redirect URLs that take into account the URL used by external clients, including the NodePort.
Example
Redirects generated by NGINX, for instance HTTP to HTTPS or domain to www.domain, are generated without NodePort:
$ curl -D- http://myapp.example.com:30100`
HTTP/1.1 308 Permanent Redirect
Server: nginx/1.15.2
Location: https://myapp.example.com/ #-> missing NodePort in HTTPS redirect
@@ -82,7 +82,7 @@
Type Reason From Message
---- ------ ---- -------
Warning FailedScheduling default-scheduler 0/3 nodes are available: 3 node(s) didn't have free ports for the requested pod ports.
-
One way to ensure only schedulable Pods are created is to deploy the Ingress-Nginx Controller as a DaemonSet instead of a traditional Deployment.
Info
A DaemonSet schedules exactly one type of Pod per cluster node, masters included, unless a node is configured to repel those Pods. For more information, see DaemonSet.
Because most properties of DaemonSet objects are identical to Deployment objects, this documentation page leaves the configuration of the corresponding manifest at the user's discretion.
Like with NodePorts, this approach has a few quirks it is important to be aware of.
DNS resolution ¶
Pods configured with hostNetwork: true do not use the internal DNS resolver (i.e. kube-dns or CoreDNS), unless their dnsPolicy spec field is set to ClusterFirstWithHostNet. Consider using this setting if NGINX is expected to resolve internal names for any reason.
Ingress status ¶
Because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply and the status of all Ingress objects remains blank.
$ kubectl get ingress
+
One way to ensure only schedulable Pods are created is to deploy the Ingress-Nginx Controller as a DaemonSet instead of a traditional Deployment.
Info
A DaemonSet schedules exactly one type of Pod per cluster node, masters included, unless a node is configured to repel those Pods. For more information, see DaemonSet.
Because most properties of DaemonSet objects are identical to Deployment objects, this documentation page leaves the configuration of the corresponding manifest at the user's discretion.
Like with NodePorts, this approach has a few quirks it is important to be aware of.
- DNS resolution
Pods configured with hostNetwork: true do not use the internal DNS resolver (i.e. kube-dns or CoreDNS), unless their dnsPolicy spec field is set to ClusterFirstWithHostNet. Consider using this setting if NGINX is expected to resolve internal names for any reason.
- Ingress status
Because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply and the status of all Ingress objects remains blank.
$ kubectl get ingress
NAME HOSTS ADDRESS PORTS
test-ingress myapp.example.com 80
Instead, and because bare-metal nodes usually don't have an ExternalIP, one has to enable the --report-node-internal-ip-address flag, which sets the status of all Ingress objects to the internal IP address of all nodes running the Ingress-Nginx Controller.
Example
Given a ingress-nginx-controller DaemonSet composed of 2 replicas
$ kubectl -n ingress-nginx get pod -o wide
diff --git a/deploy/index.html b/deploy/index.html
index db9da3472..87441deec 100644
--- a/deploy/index.html
+++ b/deploy/index.html
@@ -24,7 +24,7 @@ free to use those subdirectories and get the manifest(s) related to their K8S ve
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "somebucket"
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: "ingress-nginx"
service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: "5"
-
If you don't have Helm or if you prefer to use a YAML manifest, you can run the following command instead:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
+
If you don't have Helm or if you prefer to use a YAML manifest, you can run the following command instead:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0-beta.0/deploy/static/provider/cloud/deploy.yaml
Info
The YAML manifest in the command above was generated with helm template, so you will end up with almost the same resources as if you had used Helm to install the controller.
Attention
If you are running an old version of Kubernetes (1.18 or earlier), please read this paragraph for specific instructions. Because of api deprecations, the default manifest may not work on your cluster. Specific manifests for supported Kubernetes versions are available within a sub-folder of each provider.
Firewall configuration ¶
To check which ports are used by your installation of ingress-nginx, look at the output of kubectl -n ingress-nginx get pod -o yaml. In general, you need:
- Port 8443 open between all hosts on which the kubernetes nodes are running. This is used for the ingress-nginx admission controller.
- Port 80 (for HTTP) and/or 443 (for HTTPS) open to the public on the kubernetes nodes to which the DNS of your apps are pointing.
Pre-flight check ¶
A few pods should start in the ingress-nginx namespace:
kubectl get pods --namespace=ingress-nginx
After a while, they should all be running. The following command will wait for the ingress controller pod to be up, running, and ready:
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
@@ -43,24 +43,24 @@ free to use those subdirectories and get the manifest(s) related to their K8S ve
--rule www.demo.io/=demo:80
You should then be able to see the "It works!" page when you connect to http://www.demo.io/. Congratulations, you are serving a public website hosted on a Kubernetes cluster! 🎉
Environment-specific instructions ¶
Local development clusters ¶
minikube ¶
The ingress controller can be installed through minikube's addons system:
minikube addons enable ingress
MicroK8s ¶
The ingress controller can be installed through MicroK8s's addons system:
microk8s enable ingress
-
Please check the MicroK8s documentation page for details.
Docker Desktop ¶
Kubernetes is available in Docker Desktop:
- Mac, from version 18.06.0-ce
- Windows, from version 18.06.0-ce
First, make sure that Kubernetes is enabled in the Docker settings. The command kubectl get nodes should show a single node called docker-desktop.
The ingress controller can be installed on Docker Desktop using the default quick start instructions.
On most systems, if you don't have any other service of type LoadBalancer bound to port 80, the ingress controller will be assigned the EXTERNAL-IP of localhost, which means that it will be reachable on localhost:80. If that doesn't work, you might have to fall back to the kubectl port-forward method described in the local testing section.
Rancher Desktop ¶
Rancher Desktop provides Kubernetes and Container Management on the desktop. Kubernetes is enabled by default in Rancher Desktop.
Rancher Desktop uses K3s under the hood, which in turn uses Traefik as the default ingress controller for the Kubernetes cluster. To use Ingress-Nginx Controller in place of the default Traefik, disable Traefik from Preference > Kubernetes menu.
Once traefik is disabled, the Ingress-Nginx Controller can be installed on Rancher Desktop using the default quick start instructions. Follow the instructions described in the local testing section to try a sample.
Cloud deployments ¶
If the load balancers of your cloud provider do active healthchecks on their backends (most do), you can change the externalTrafficPolicy of the ingress controller Service to Local (instead of the default Cluster) to save an extra hop in some cases. If you're installing with Helm, this can be done by adding --set controller.service.externalTrafficPolicy=Local to the helm install or helm upgrade command.
Furthermore, if the load balancers of your cloud provider support the PROXY protocol, you can enable it, and it will let the ingress controller see the real IP address of the clients. Otherwise, it will generally see the IP address of the upstream load balancer. This must be done both in the ingress controller (with e.g. --set controller.config.use-proxy-protocol=true) and in the cloud provider's load balancer configuration to function correctly.
In the following sections, we provide YAML manifests that enable these options when possible, using the specific options of various cloud providers.
AWS ¶
In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Controller behind a Service of Type=LoadBalancer.
Info
The provided templates illustrate the setup for legacy in-tree service load balancer for AWS NLB. AWS provides the documentation on how to use Network load balancing on Amazon EKS with AWS Load Balancer Controller.
Network Load Balancer (NLB) ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/aws/deploy.yaml
-
TLS termination in AWS Load Balancer (NLB) ¶
By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB.
- Download the deploy.yaml template
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
+
Please check the MicroK8s documentation page for details.
Docker Desktop ¶
Kubernetes is available in Docker Desktop:
- Mac, from version 18.06.0-ce
- Windows, from version 18.06.0-ce
First, make sure that Kubernetes is enabled in the Docker settings. The command kubectl get nodes should show a single node called docker-desktop.
The ingress controller can be installed on Docker Desktop using the default quick start instructions.
On most systems, if you don't have any other service of type LoadBalancer bound to port 80, the ingress controller will be assigned the EXTERNAL-IP of localhost, which means that it will be reachable on localhost:80. If that doesn't work, you might have to fall back to the kubectl port-forward method described in the local testing section.
Rancher Desktop ¶
Rancher Desktop provides Kubernetes and Container Management on the desktop. Kubernetes is enabled by default in Rancher Desktop.
Rancher Desktop uses K3s under the hood, which in turn uses Traefik as the default ingress controller for the Kubernetes cluster. To use Ingress-Nginx Controller in place of the default Traefik, disable Traefik from Preference > Kubernetes menu.
Once traefik is disabled, the Ingress-Nginx Controller can be installed on Rancher Desktop using the default quick start instructions. Follow the instructions described in the local testing section to try a sample.
Cloud deployments ¶
If the load balancers of your cloud provider do active healthchecks on their backends (most do), you can change the externalTrafficPolicy of the ingress controller Service to Local (instead of the default Cluster) to save an extra hop in some cases. If you're installing with Helm, this can be done by adding --set controller.service.externalTrafficPolicy=Local to the helm install or helm upgrade command.
Furthermore, if the load balancers of your cloud provider support the PROXY protocol, you can enable it, and it will let the ingress controller see the real IP address of the clients. Otherwise, it will generally see the IP address of the upstream load balancer. This must be done both in the ingress controller (with e.g. --set controller.config.use-proxy-protocol=true) and in the cloud provider's load balancer configuration to function correctly.
In the following sections, we provide YAML manifests that enable these options when possible, using the specific options of various cloud providers.
AWS ¶
In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Controller behind a Service of Type=LoadBalancer.
Info
The provided templates illustrate the setup for legacy in-tree service load balancer for AWS NLB. AWS provides the documentation on how to use Network load balancing on Amazon EKS with AWS Load Balancer Controller.
Network Load Balancer (NLB) ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0-beta.0/deploy/static/provider/aws/deploy.yaml
+
TLS termination in AWS Load Balancer (NLB) ¶
By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB.
- Download the deploy.yaml template
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0-beta.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
- Edit the file and change the VPC CIDR in use for the Kubernetes cluster:
proxy-real-ip-cidr: XXX.XXX.XXX/XX
- Change the AWS Certificate Manager (ACM) ID as well:
arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
- Deploy the manifest:
kubectl apply -f deploy.yaml
NLB Idle Timeouts ¶
Idle timeout value for TCP flows is 350 seconds and cannot be modified.
For this reason, you need to ensure the keepalive_timeout value is configured less than 350 seconds to work as expected.
By default, NGINX keepalive_timeout is set to 75s.
More information with regard to timeouts can be found in the official AWS documentation
GCE-GKE ¶
First, your user needs to have cluster-admin permissions on the cluster. This can be done with the following command:
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin \
--user $(gcloud config get-value account)
-
Then, the ingress controller can be installed like this:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
-
Warning
For private clusters, you will need to either add a firewall rule that allows master nodes access to port 8443/tcp on worker nodes, or change the existing rule that allows access to port 80/tcp, 443/tcp and 10254/tcp to also allow access to port 8443/tcp. More information can be found in the Official GCP Documentation.
See the GKE documentation on adding rules and the Kubernetes issue for more detail.
Proxy-protocol is supported in GCE check the Official Documentations on how to enable.
Azure ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
-
More information with regard to Azure annotations for ingress controller can be found in the official AKS documentation.
Digital Ocean ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/do/deploy.yaml
-
- By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true". While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows no data, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in this issue. Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data.
Scaleway ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/scw/deploy.yaml
+
Then, the ingress controller can be installed like this:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0-beta.0/deploy/static/provider/cloud/deploy.yaml
+
Warning
For private clusters, you will need to either add a firewall rule that allows master nodes access to port 8443/tcp on worker nodes, or change the existing rule that allows access to port 80/tcp, 443/tcp and 10254/tcp to also allow access to port 8443/tcp. More information can be found in the Official GCP Documentation.
See the GKE documentation on adding rules and the Kubernetes issue for more detail.
Proxy-protocol is supported in GCE check the Official Documentations on how to enable.
Azure ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0-beta.0/deploy/static/provider/cloud/deploy.yaml
+
More information with regard to Azure annotations for ingress controller can be found in the official AKS documentation.
Digital Ocean ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0-beta.0/deploy/static/provider/do/deploy.yaml
+
- By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true". While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows no data, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in this issue. Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data.
Scaleway ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0-beta.0/deploy/static/provider/scw/deploy.yaml
Refer to the dedicated tutorial in the Scaleway documentation for configuring the proxy protocol for ingress-nginx with the Scaleway load balancer.
Exoscale ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/exoscale/deploy.yaml
-
The full list of annotations supported by Exoscale is available in the Exoscale Cloud Controller Manager documentation.
Oracle Cloud Infrastructure ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
+
The full list of annotations supported by Exoscale is available in the Exoscale Cloud Controller Manager documentation.
Oracle Cloud Infrastructure ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0-beta.0/deploy/static/provider/cloud/deploy.yaml
A complete list of available annotations for Oracle Cloud Infrastructure can be found in the OCI Cloud Controller Manager documentation.
OVHcloud ¶
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm -n ingress-nginx install ingress-nginx ingress-nginx/ingress-nginx --create-namespace
-
You can find the complete tutorial.
Bare metal clusters ¶
This section is applicable to Kubernetes clusters deployed on bare metal servers, as well as "raw" VMs where Kubernetes was installed manually, using generic Linux distros (like CentOS, Ubuntu...)
For quick testing, you can use a NodePort. This should work on almost every cluster, but it will typically use a port in the range 30000-32767.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/baremetal/deploy.yaml
+
You can find the complete tutorial.
Bare metal clusters ¶
This section is applicable to Kubernetes clusters deployed on bare metal servers, as well as "raw" VMs where Kubernetes was installed manually, using generic Linux distros (like CentOS, Ubuntu...)
For quick testing, you can use a NodePort. This should work on almost every cluster, but it will typically use a port in the range 30000-32767.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0-beta.0/deploy/static/provider/baremetal/deploy.yaml
For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), see bare-metal considerations.
Miscellaneous ¶
Checking ingress controller version ¶
Run /nginx-ingress-controller --version within the pod, for instance with kubectl exec:
POD_NAMESPACE=ingress-nginx
POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o name)
kubectl exec $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
diff --git a/e2e-tests/index.html b/e2e-tests/index.html
index 0f71deb34..df936be0d 100644
--- a/e2e-tests/index.html
+++ b/e2e-tests/index.html
@@ -1,4 +1,4 @@
- E2e tests - Ingress-Nginx Controller kubernetes/ingress-nginx e2e test suite for Ingress NGINX Controller ¶
[Admission] admission controller ¶
- should not allow overlaps of host and paths without canary annotations
- should allow overlaps of host and paths with canary annotation
- should block ingress with invalid path
- should return an error if there is an error validating the ingress definition
- should return an error if there is an invalid value in some annotation
- should return an error if there is a forbidden value in some annotation
- should return an error if there is an invalid path and wrong pathType is set
- should not return an error if the Ingress V1 definition is valid with Ingress Class
- should not return an error if the Ingress V1 definition is valid with IngressClass annotation
- should return an error if the Ingress V1 definition contains invalid annotations
- should not return an error for an invalid Ingress when it has unknown class
affinity session-cookie-name ¶
- should set sticky cookie SERVERID
- should change cookie name on ingress definition change
- should set the path to /something on the generated cookie
- does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
- should set cookie with expires
- should set cookie with domain
- should not set cookie without domain annotation
- should work with use-regex annotation and session-cookie-path
- should warn user when use-regex is true and session-cookie-path is not set
- should not set affinity across all server locations when using separate ingresses
- should set sticky cookie without host
- should work with server-alias annotation
- should set secure in cookie with provided true annotation on http
- should not set secure in cookie with provided false annotation on http
- should set secure in cookie with provided false annotation on https
affinitymode ¶
server-alias ¶
- should return status code 200 for host 'foo' and 404 for 'bar'
- should return status code 200 for host 'foo' and 'bar'
- should return status code 200 for hosts defined in two ingresses, different path with one alias
app-root ¶
auth-* ¶
- should return status code 200 when no authentication is configured
- should return status code 503 when authentication is configured with an invalid secret
- should return status code 401 when authentication is configured but Authorization header is not configured
- should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
- should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured
- should return status code 200 when authentication is configured and Authorization header is sent
- should return status code 200 when authentication is configured with a map and Authorization header is sent
- should return status code 401 when authentication is configured with invalid content and Authorization header is sent
- proxy_set_header My-Custom-Header 42;
- proxy_set_header My-Custom-Header 42;
- proxy_set_header 'My-Custom-Header' '42';
- user retains cookie by default
- user does not retain cookie if upstream returns error status code
- user with annotated ingress retains cookie if upstream returns error status code
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should overwrite Foo header with auth response
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should return status code 200 when signed in after auth backend is deleted
- should deny login for different location on same server
- should deny login for different servers
- should redirect to signin url when not signed in
- should return 503 (location was denied)
- should add error to the config
auth-tls-* ¶
- should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret
- should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
- should 302 redirect to error page instead of 400 when auth-tls-error-page is set
- should pass URL-encoded certificate to upstream
- should validate auth-tls-verify-client
- should return 403 using auth-tls-match-cn with no matching CN from client
- should return 200 using auth-tls-match-cn with matching CN from client
- should reload the nginx config when auth-tls-match-cn is updated
- should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client
backend-protocol ¶
- should set backend protocol to https:// and use proxy_pass
- should set backend protocol to https:// and use proxy_pass with lowercase annotation
- should set backend protocol to $scheme:// and use proxy_pass
- should set backend protocol to grpc:// and use grpc_pass
- should set backend protocol to grpcs:// and use grpc_pass
- should set backend protocol to '' and use fastcgi_pass
canary-* ¶
- should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
- should return 404 status for requests to the canary if no matching ingress is found
- should return the correct status codes when endpoints are unavailable
- should route requests to the correct upstream if mainline ingress is created before the canary ingress
- should route requests to the correct upstream if mainline ingress is created after the canary ingress
- should route requests to the correct upstream if the mainline ingress is modified
- should route requests to the correct upstream if the canary ingress is modified
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should routes to mainline upstream when the given Regex causes error
- should route requests to the correct upstream
- respects always and never values
- should route requests only to mainline if canary weight is 0
- should route requests only to canary if canary weight is 100
- should route requests only to canary if canary weight is equal to canary weight total
- should route requests split between mainline and canary if canary weight is 50
- should route requests split between mainline and canary if canary weight is 100 and weight total is 200
- should not use canary as a catch-all server
- should not use canary with domain as a server
- does not crash when canary ingress has multiple paths to the same non-matching backend
- always routes traffic to canary if first request was affinitized to canary (default behavior)
- always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)
- routes traffic to either mainline or canary backend (legacy behavior)
client-body-buffer-size ¶
- should set client_body_buffer_size to 1000
- should set client_body_buffer_size to 1K
- should set client_body_buffer_size to 1k
- should set client_body_buffer_size to 1m
- should set client_body_buffer_size to 1M
- should not set client_body_buffer_size to invalid 1b
connection-proxy-header ¶
cors-* ¶
- should enable cors
- should set cors methods to only allow POST, GET
- should set cors max-age
- should disable cors allow credentials
- should allow origin for cors
- should allow headers for cors
- should expose headers for cors
- should allow - single origin for multiple cors values
- should not allow - single origin for multiple cors values
- should allow correct origins - single origin for multiple cors values
- should not break functionality
- should not break functionality - without
* - should not break functionality with extra domain
- should not match
- should allow - single origin with required port
- should not allow - single origin with port and origin without port
- should not allow - single origin without port and origin with required port
- should allow - matching origin with wildcard origin (2 subdomains)
- should not allow - unmatching origin with wildcard origin (2 subdomains)
- should allow - matching origin+port with wildcard origin
- should not allow - portless origin with wildcard origin
- should allow correct origins - missing subdomain + origin with wildcard origin and correct origin
- should allow - missing origins (should allow all origins)
- should allow correct origin but not others - cors allow origin annotations contain trailing comma
- should allow - origins with non-http[s] protocols
custom-headers-* ¶
- should return status code 200 when no custom-headers is configured
- should return status code 503 when custom-headers is configured with an invalid secret
- more_set_headers 'My-Custom-Header' '42';
custom-http-errors ¶
default-backend ¶
disable-access-log disable-http-access-log disable-stream-access-log ¶
- disable-access-log set access_log off
- disable-http-access-log set access_log off
- disable-stream-access-log set access_log off
disable-proxy-intercept-errors ¶
backend-protocol - FastCGI ¶
- should use fastcgi_pass in the configuration file
- should add fastcgi_index in the configuration file
- should add fastcgi_param in the configuration file
- should return OK for service with backend protocol FastCGI
force-ssl-redirect ¶
from-to-www-redirect ¶
backend-protocol - GRPC ¶
- should use grpc_pass in the configuration file
- should return OK for service with backend protocol GRPC
- authorization metadata should be overwritten by external auth response headers
- should return OK for service with backend protocol GRPCS
- should return OK when request not exceed timeout
- should return Error when request exceed timeout
http2-push-preload ¶
allowlist-source-range ¶
denylist-source-range ¶
- only deny explicitly denied IPs, allow all others
- only allow explicitly allowed IPs, deny all others
Annotation - limit-connections ¶
limit-rate ¶
enable-access-log enable-rewrite-log ¶
mirror-* ¶
- should set mirror-target to http://localhost/mirror
- should set mirror-target to https://test.env.com/$request_uri
- should disable mirror-request-body
modsecurity owasp ¶
- should enable modsecurity
- should enable modsecurity with transaction ID and OWASP rules
- should disable modsecurity
- should enable modsecurity with snippet
- should enable modsecurity without using 'modsecurity on;'
- should disable modsecurity using 'modsecurity off;'
- should enable modsecurity with snippet and block requests
- should enable modsecurity globally and with modsecurity-snippet block requests
- should enable modsecurity when enable-owasp-modsecurity-crs is set to true
- should enable modsecurity through the config map
- should enable modsecurity through the config map but ignore snippet as disabled by admin
- should disable default modsecurity conf setting when modsecurity-snippet is specified
preserve-trailing-slash ¶
proxy-* ¶
- should set proxy_redirect to off
- should set proxy_redirect to default
- should set proxy_redirect to hello.com goodbye.com
- should set proxy client-max-body-size to 8m
- should not set proxy client-max-body-size to incorrect value
- should set valid proxy timeouts
- should not set invalid proxy timeouts
- should turn on proxy-buffering
- should turn off proxy-request-buffering
- should build proxy next upstream
- should setup proxy cookies
- should change the default proxy HTTP version
proxy-ssl-* ¶
- should set valid proxy-ssl-secret
- should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
- should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
- should set valid proxy-ssl-secret, proxy-ssl-protocols
- proxy-ssl-location-only flag should change the nginx config server part
permanent-redirect permanent-redirect-code ¶
relative-redirects ¶
- configures Nginx correctly
- should respond with absolute URL in Location
- should respond with relative URL in Location
rewrite-target use-regex enable-rewrite-log ¶
- should write rewrite logs
- should use correct longest path match
- should use ~* location modifier if regex annotation is present
- should fail to use longest match for documented warning
- should allow for custom rewrite parameters
satisfy ¶
server-snippet ¶
service-upstream ¶
- should use the Service Cluster IP and Port
- should use the Service Cluster IP and Port
- should not use the Service Cluster IP and Port
configuration-snippet ¶
- set snippet more_set_headers in all locations
- drops snippet more_set_header in all locations if disabled by admin
ssl-ciphers ¶
stream-snippet ¶
- should add value of stream-snippet to nginx config
- should add stream-snippet and drop annotations per admin config
upstream-hash-by-* ¶
upstream-vhost ¶
x-forwarded-prefix ¶
- should set the X-Forwarded-Prefix to the annotation value
- should not add X-Forwarded-Prefix if the annotation value is empty
[CGroups] cgroups ¶
Debug CLI ¶
- should list the backend servers
- should get information for a specific backend server
- should produce valid JSON for /dbg general
[Default Backend] custom service ¶
[Default Backend] ¶
- should return 404 sending requests when only a default backend is running
- enables access logging for default backend
- disables access logging for default backend
[Default Backend] SSL ¶
[Default Backend] change default settings ¶
[Disable Leader] Routing works when leader election was disabled ¶
[Endpointslices] long service name ¶
[TopologyHints] topology aware routing ¶
[Shutdown] Grace period shutdown ¶
[Shutdown] ingress controller ¶
[Shutdown] Graceful shutdown with pending request ¶
[Ingress] DeepInspection ¶
single ingress - multiple hosts ¶
[Ingress] [PathType] exact ¶
[Ingress] [PathType] mix Exact and Prefix paths ¶
[Ingress] [PathType] prefix checks ¶
- should return 404 when prefix /aaa does not match request /aaaccc
- should test prefix path using simple regex pattern for /id/{int}
- should test prefix path using regex pattern for /id/{int} ignoring non-digits characters at end of string
- should test prefix path using fixed path size regex pattern /id/{int}{3}
- should correctly route multi-segment path patterns
[Ingress] definition without host ¶
- should set ingress details variables for ingresses without a host
- should set ingress details variables for ingresses with host without IngressRuleValue, only Backend
[Memory Leak] Dynamic Certificates ¶
[Load Balancer] load-balance ¶
[Load Balancer] EWMA ¶
[Load Balancer] round-robin ¶
[Lua] dynamic certificates ¶
- picks up the certificate when we add TLS spec to existing ingress
- picks up the previously missing secret for a given ingress without reloading
- supports requests with domain with trailing dot
- picks up the updated certificate without reloading
- falls back to using default certificate when secret gets deleted without reloading
- picks up a non-certificate only change
- removes HTTPS configuration when we delete TLS spec
[Lua] dynamic configuration ¶
- configures balancer Lua middleware correctly
- handles endpoints only changes
- handles endpoints only changes (down scaling of replicas)
- handles endpoints only changes consistently (down scaling of replicas vs. empty service)
- handles an annotation change
[metrics] exported prometheus metrics ¶
- exclude socket request metrics are absent
- exclude socket request metrics are present
- request metrics per undefined host are present when flag is set
- request metrics per undefined host are not present when flag is not set
nginx-configuration ¶
- start nginx with default configuration
- fails when using alias directive
- fails when using root directive
[Security] request smuggling ¶
[Service] backend status code 503 ¶
- should return 503 when backend service does not exist
- should return 503 when all backend service endpoints are unavailable
[Service] Type ExternalName ¶
- works with external name set to incomplete fqdn
- should return 200 for service type=ExternalName without a port defined
- should return 200 for service type=ExternalName with a port defined
- should return status 502 for service type=ExternalName with an invalid host
- should return 200 for service type=ExternalName using a port name
- should return 200 for service type=ExternalName using FQDN with trailing dot
- should update the external name after a service update
- should sync ingress on external name service addition/deletion
[Service] Nil Service Backend ¶
access-log ¶
- use the default configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
aio-write ¶
- should be enabled by default
- should be enabled when setting is true
- should be disabled when setting is false
Bad annotation values ¶
- [BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation
- [BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation
- [BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place
- [BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass
brotli ¶
Configmap change ¶
add-headers ¶
[SSL] [Flag] default-ssl-certificate ¶
- uses default ssl certificate for catch-all ingress
- uses default ssl certificate for host based ingress when configured certificate does not match host
[Flag] disable-catch-all ¶
- should ignore catch all Ingress with backend
- should ignore catch all Ingress with backend and rules
- should delete Ingress updated to catch-all
- should allow Ingress with rules
[Flag] disable-service-external-name ¶
[Flag] disable-sync-events ¶
enable-real-ip ¶
- trusts X-Forwarded-For header only when setting is true
- should not trust X-Forwarded-For header when setting is false
use-forwarded-headers ¶
- should trust X-Forwarded headers when setting is true
- should not trust X-Forwarded headers when setting is false
Geoip2 ¶
- should include geoip2 line in config when enabled and db file exists
- should only allow requests from specific countries
- should up and running nginx controller using autoreload flag
[Security] block-* ¶
- should block CIDRs defined in the ConfigMap
- should block User-Agents defined in the ConfigMap
- should block Referers defined in the ConfigMap
[Security] global-auth-url ¶
- should return status code 401 when request any protected service
- should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
- should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
- should still return status code 200 after auth backend is deleted using cache
- user retains cookie by default
- user does not retain cookie if upstream returns error status code
- user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code
global-options ¶
- should have worker_rlimit_nofile option
- should have worker_rlimit_nofile option and be independent on amount of worker processes
GRPC ¶
gzip ¶
- should be disabled by default
- should be enabled with default settings
- should set gzip_comp_level to 4
- should set gzip_disable to msie6
- should set gzip_min_length to 100
- should set gzip_types to text/html
hash size ¶
- should set server_names_hash_bucket_size
- should set server_names_hash_max_size
- should set proxy-headers-hash-bucket-size
- should set proxy-headers-hash-max-size
- should set variables-hash-bucket-size
- should set variables-hash-max-size
- should set vmap-hash-bucket-size
[Flag] ingress-class ¶
- should ignore Ingress with a different class annotation
- should ignore Ingress with different controller class
- should accept both Ingresses with default IngressClassName and IngressClass annotation
- should ignore Ingress without IngressClass configuration
- should delete Ingress when class is removed
- should serve Ingress when class is added
- should serve Ingress when class is updated between annotation and ingressClassName
- should ignore Ingress with no class and accept the correctly configured Ingresses
- should watch Ingress with no class and ignore ingress with a different class
- should watch Ingress that uses the class name even if spec is different
- should watch Ingress with correct annotation
- should ignore Ingress with only IngressClassName
keep-alive keep-alive-requests ¶
- should set keepalive_timeout
- should set keepalive_requests
- should set keepalive connection to upstream server
- should set keep alive connection timeout to upstream server
- should set keepalive time to upstream server
- should set the request count to upstream server through one keep alive connection
Configmap - limit-rate ¶
[Flag] custom HTTP and HTTPS ports ¶
- should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
- should set X-Forwarded-Port header to 443
- should set the X-Forwarded-Port header to 443
log-format-* ¶
- should not configure log-format escape by default
- should enable the log-format-escape-json
- should disable the log-format-escape-json
- should enable the log-format-escape-none
- should disable the log-format-escape-none
- log-format-escape-json enabled
- log-format default escape
- log-format-escape-none enabled
[Lua] lua-shared-dicts ¶
main-snippet ¶
[Security] modsecurity-snippet ¶
enable-multi-accept ¶
- should be enabled by default
- should be enabled when set to true
- should be disabled when set to false
[Flag] watch namespace selector ¶
[Security] no-auth-locations ¶
- should return status code 401 when accessing '/' unauthentication
- should return status code 200 when accessing '/' authentication
- should return status code 200 when accessing '/noauth' unauthenticated
Add no tls redirect locations ¶
OCSP ¶
Configure Opentelemetry ¶
- should not exists opentelemetry directive
- should exists opentelemetry directive when is enabled
- should include opentelemetry_trust_incoming_spans on directive when enabled
- should not exists opentelemetry_operation_name directive when is empty
- should exists opentelemetry_operation_name directive when is configured
proxy-connect-timeout ¶
- should set valid proxy timeouts using configmap values
- should not set invalid proxy timeouts using configmap values
Dynamic $proxy_host ¶
proxy-next-upstream ¶
use-proxy-protocol ¶
- should respect port passed by the PROXY Protocol
- should respect proto passed by the PROXY Protocol server port
- should enable PROXY Protocol for HTTPS
- should enable PROXY Protocol for TCP
proxy-read-timeout ¶
- should set valid proxy read timeouts using configmap values
- should not set invalid proxy read timeouts using configmap values
proxy-send-timeout ¶
- should set valid proxy send timeouts using configmap values
- should not set invalid proxy send timeouts using configmap values
reuse-port ¶
configmap server-snippet ¶
- should add value of server-snippet setting to all ingress config
- should add global server-snippet and drop annotations per admin config
server-tokens ¶
- should not exists Server header in the response
- should exists Server header in the response when is enabled
ssl-ciphers ¶
[Flag] enable-ssl-passthrough ¶
With enable-ssl-passthrough enabled ¶
- should enable ssl-passthrough-proxy-port on a different port
- should pass unknown traffic to default backend and handle known traffic
configmap stream-snippet ¶
[SSL] TLS protocols, ciphers and headers ¶
- setting cipher suite
- setting max-age parameter
- setting includeSubDomains parameter
- setting preload parameter
- overriding what's set from the upstream
- should not use ports during the HTTP to HTTPS redirection
- should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection
annotation validations ¶
- should allow ingress based on their risk on webhooks
- should allow ingress based on their risk on webhooks
[SSL] redirect to HTTPS ¶
[SSL] secret update ¶
- should not appear references to secret updates not used in ingress rules
- should return the fake SSL certificate if the secret is invalid
[Status] status update ¶
[TCP] tcp-services ¶
\ No newline at end of file
+--> e2e test suite for Ingress NGINX Controller ¶
[Admission] admission controller ¶
- should not allow overlaps of host and paths without canary annotations
- should allow overlaps of host and paths with canary annotation
- should block ingress with invalid path
- should return an error if there is an error validating the ingress definition
- should return an error if there is an invalid value in some annotation
- should return an error if there is a forbidden value in some annotation
- should return an error if there is an invalid path and wrong pathType is set
- should not return an error if the Ingress V1 definition is valid with Ingress Class
- should not return an error if the Ingress V1 definition is valid with IngressClass annotation
- should return an error if the Ingress V1 definition contains invalid annotations
- should not return an error for an invalid Ingress when it has unknown class
affinity session-cookie-name ¶
- should set sticky cookie SERVERID
- should change cookie name on ingress definition change
- should set the path to /something on the generated cookie
- does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
- should set cookie with expires
- should set cookie with domain
- should not set cookie without domain annotation
- should work with use-regex annotation and session-cookie-path
- should warn user when use-regex is true and session-cookie-path is not set
- should not set affinity across all server locations when using separate ingresses
- should set sticky cookie without host
- should work with server-alias annotation
- should set secure in cookie with provided true annotation on http
- should not set secure in cookie with provided false annotation on http
- should set secure in cookie with provided false annotation on https
affinitymode ¶
server-alias ¶
- should return status code 200 for host 'foo' and 404 for 'bar'
- should return status code 200 for host 'foo' and 'bar'
- should return status code 200 for hosts defined in two ingresses, different path with one alias
app-root ¶
auth-* ¶
- should return status code 200 when no authentication is configured
- should return status code 503 when authentication is configured with an invalid secret
- should return status code 401 when authentication is configured but Authorization header is not configured
- should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
- should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured
- should return status code 200 when authentication is configured and Authorization header is sent
- should return status code 200 when authentication is configured with a map and Authorization header is sent
- should return status code 401 when authentication is configured with invalid content and Authorization header is sent
- proxy_set_header My-Custom-Header 42;
- proxy_set_header My-Custom-Header 42;
- proxy_set_header 'My-Custom-Header' '42';
- user retains cookie by default
- user does not retain cookie if upstream returns error status code
- user with annotated ingress retains cookie if upstream returns error status code
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should overwrite Foo header with auth response
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should return status code 200 when signed in after auth backend is deleted
- should deny login for different location on same server
- should deny login for different servers
- should redirect to signin url when not signed in
- should return 503 (location was denied)
- should add error to the config
auth-tls-* ¶
- should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret
- should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
- should 302 redirect to error page instead of 400 when auth-tls-error-page is set
- should pass URL-encoded certificate to upstream
- should validate auth-tls-verify-client
- should return 403 using auth-tls-match-cn with no matching CN from client
- should return 200 using auth-tls-match-cn with matching CN from client
- should reload the nginx config when auth-tls-match-cn is updated
- should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client
backend-protocol ¶
- should set backend protocol to https:// and use proxy_pass
- should set backend protocol to https:// and use proxy_pass with lowercase annotation
- should set backend protocol to $scheme:// and use proxy_pass
- should set backend protocol to grpc:// and use grpc_pass
- should set backend protocol to grpcs:// and use grpc_pass
- should set backend protocol to '' and use fastcgi_pass
canary-* ¶
- should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
- should return 404 status for requests to the canary if no matching ingress is found
- should return the correct status codes when endpoints are unavailable
- should route requests to the correct upstream if mainline ingress is created before the canary ingress
- should route requests to the correct upstream if mainline ingress is created after the canary ingress
- should route requests to the correct upstream if the mainline ingress is modified
- should route requests to the correct upstream if the canary ingress is modified
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should routes to mainline upstream when the given Regex causes error
- should route requests to the correct upstream
- respects always and never values
- should route requests only to mainline if canary weight is 0
- should route requests only to canary if canary weight is 100
- should route requests only to canary if canary weight is equal to canary weight total
- should route requests split between mainline and canary if canary weight is 50
- should route requests split between mainline and canary if canary weight is 100 and weight total is 200
- should not use canary as a catch-all server
- should not use canary with domain as a server
- does not crash when canary ingress has multiple paths to the same non-matching backend
- always routes traffic to canary if first request was affinitized to canary (default behavior)
- always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)
- routes traffic to either mainline or canary backend (legacy behavior)
client-body-buffer-size ¶
- should set client_body_buffer_size to 1000
- should set client_body_buffer_size to 1K
- should set client_body_buffer_size to 1k
- should set client_body_buffer_size to 1m
- should set client_body_buffer_size to 1M
- should not set client_body_buffer_size to invalid 1b
connection-proxy-header ¶
cors-* ¶
- should enable cors
- should set cors methods to only allow POST, GET
- should set cors max-age
- should disable cors allow credentials
- should allow origin for cors
- should allow headers for cors
- should expose headers for cors
- should allow - single origin for multiple cors values
- should not allow - single origin for multiple cors values
- should allow correct origins - single origin for multiple cors values
- should not break functionality
- should not break functionality - without
* - should not break functionality with extra domain
- should not match
- should allow - single origin with required port
- should not allow - single origin with port and origin without port
- should not allow - single origin without port and origin with required port
- should allow - matching origin with wildcard origin (2 subdomains)
- should not allow - unmatching origin with wildcard origin (2 subdomains)
- should allow - matching origin+port with wildcard origin
- should not allow - portless origin with wildcard origin
- should allow correct origins - missing subdomain + origin with wildcard origin and correct origin
- should allow - missing origins (should allow all origins)
- should allow correct origin but not others - cors allow origin annotations contain trailing comma
- should allow - origins with non-http[s] protocols
custom-headers-* ¶
- should return status code 200 when no custom-headers is configured
- should return status code 503 when custom-headers is configured with an invalid secret
- more_set_headers 'My-Custom-Header' '42';
custom-http-errors ¶
default-backend ¶
disable-access-log disable-http-access-log disable-stream-access-log ¶
- disable-access-log set access_log off
- disable-http-access-log set access_log off
- disable-stream-access-log set access_log off
disable-proxy-intercept-errors ¶
backend-protocol - FastCGI ¶
- should use fastcgi_pass in the configuration file
- should add fastcgi_index in the configuration file
- should add fastcgi_param in the configuration file
- should return OK for service with backend protocol FastCGI
force-ssl-redirect ¶
from-to-www-redirect ¶
backend-protocol - GRPC ¶
- should use grpc_pass in the configuration file
- should return OK for service with backend protocol GRPC
- authorization metadata should be overwritten by external auth response headers
- should return OK for service with backend protocol GRPCS
- should return OK when request not exceed timeout
- should return Error when request exceed timeout
http2-push-preload ¶
allowlist-source-range ¶
denylist-source-range ¶
- only deny explicitly denied IPs, allow all others
- only allow explicitly allowed IPs, deny all others
Annotation - limit-connections ¶
limit-rate ¶
enable-access-log enable-rewrite-log ¶
mirror-* ¶
- should set mirror-target to http://localhost/mirror
- should set mirror-target to https://test.env.com/$request_uri
- should disable mirror-request-body
modsecurity owasp ¶
- should enable modsecurity
- should enable modsecurity with transaction ID and OWASP rules
- should disable modsecurity
- should enable modsecurity with snippet
- should enable modsecurity without using 'modsecurity on;'
- should disable modsecurity using 'modsecurity off;'
- should enable modsecurity with snippet and block requests
- should enable modsecurity globally and with modsecurity-snippet block requests
- should enable modsecurity when enable-owasp-modsecurity-crs is set to true
- should enable modsecurity through the config map
- should enable modsecurity through the config map but ignore snippet as disabled by admin
- should disable default modsecurity conf setting when modsecurity-snippet is specified
preserve-trailing-slash ¶
proxy-* ¶
- should set proxy_redirect to off
- should set proxy_redirect to default
- should set proxy_redirect to hello.com goodbye.com
- should set proxy client-max-body-size to 8m
- should not set proxy client-max-body-size to incorrect value
- should set valid proxy timeouts
- should not set invalid proxy timeouts
- should turn on proxy-buffering
- should turn off proxy-request-buffering
- should build proxy next upstream
- should setup proxy cookies
- should change the default proxy HTTP version
proxy-ssl-* ¶
- should set valid proxy-ssl-secret
- should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
- should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
- should set valid proxy-ssl-secret, proxy-ssl-protocols
- proxy-ssl-location-only flag should change the nginx config server part
permanent-redirect permanent-redirect-code ¶
rewrite-target use-regex enable-rewrite-log ¶
- should write rewrite logs
- should use correct longest path match
- should use ~* location modifier if regex annotation is present
- should fail to use longest match for documented warning
- should allow for custom rewrite parameters
satisfy ¶
server-snippet ¶
service-upstream ¶
- should use the Service Cluster IP and Port
- should use the Service Cluster IP and Port
- should not use the Service Cluster IP and Port
configuration-snippet ¶
- set snippet more_set_headers in all locations
- drops snippet more_set_header in all locations if disabled by admin
ssl-ciphers ¶
stream-snippet ¶
- should add value of stream-snippet to nginx config
- should add stream-snippet and drop annotations per admin config
upstream-hash-by-* ¶
upstream-vhost ¶
x-forwarded-prefix ¶
- should set the X-Forwarded-Prefix to the annotation value
- should not add X-Forwarded-Prefix if the annotation value is empty
[CGroups] cgroups ¶
Debug CLI ¶
- should list the backend servers
- should get information for a specific backend server
- should produce valid JSON for /dbg general
[Default Backend] custom service ¶
[Default Backend] ¶
- should return 404 sending requests when only a default backend is running
- enables access logging for default backend
- disables access logging for default backend
[Default Backend] SSL ¶
[Default Backend] change default settings ¶
[Disable Leader] Routing works when leader election was disabled ¶
[Endpointslices] long service name ¶
[TopologyHints] topology aware routing ¶
[Shutdown] Grace period shutdown ¶
[Shutdown] ingress controller ¶
[Shutdown] Graceful shutdown with pending request ¶
[Ingress] DeepInspection ¶
single ingress - multiple hosts ¶
[Ingress] [PathType] exact ¶
[Ingress] [PathType] mix Exact and Prefix paths ¶
[Ingress] [PathType] prefix checks ¶
- should return 404 when prefix /aaa does not match request /aaaccc
- should test prefix path using simple regex pattern for /id/{int}
- should test prefix path using regex pattern for /id/{int} ignoring non-digits characters at end of string
- should test prefix path using fixed path size regex pattern /id/{int}{3}
- should correctly route multi-segment path patterns
[Ingress] definition without host ¶
- should set ingress details variables for ingresses without a host
- should set ingress details variables for ingresses with host without IngressRuleValue, only Backend
[Memory Leak] Dynamic Certificates ¶
[Load Balancer] load-balance ¶
[Load Balancer] EWMA ¶
[Load Balancer] round-robin ¶
[Lua] dynamic certificates ¶
- picks up the certificate when we add TLS spec to existing ingress
- picks up the previously missing secret for a given ingress without reloading
- supports requests with domain with trailing dot
- picks up the updated certificate without reloading
- falls back to using default certificate when secret gets deleted without reloading
- picks up a non-certificate only change
- removes HTTPS configuration when we delete TLS spec
[Lua] dynamic configuration ¶
- configures balancer Lua middleware correctly
- handles endpoints only changes
- handles endpoints only changes (down scaling of replicas)
- handles endpoints only changes consistently (down scaling of replicas vs. empty service)
- handles an annotation change
[metrics] exported prometheus metrics ¶
- exclude socket request metrics are absent
- exclude socket request metrics are present
- request metrics per undefined host are present when flag is set
- request metrics per undefined host are not present when flag is not set
nginx-configuration ¶
- start nginx with default configuration
- fails when using alias directive
- fails when using root directive
[Security] request smuggling ¶
[Service] backend status code 503 ¶
- should return 503 when backend service does not exist
- should return 503 when all backend service endpoints are unavailable
[Service] Type ExternalName ¶
- works with external name set to incomplete fqdn
- should return 200 for service type=ExternalName without a port defined
- should return 200 for service type=ExternalName with a port defined
- should return status 502 for service type=ExternalName with an invalid host
- should return 200 for service type=ExternalName using a port name
- should return 200 for service type=ExternalName using FQDN with trailing dot
- should update the external name after a service update
- should sync ingress on external name service addition/deletion
[Service] Nil Service Backend ¶
access-log ¶
- use the default configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
aio-write ¶
- should be enabled by default
- should be enabled when setting is true
- should be disabled when setting is false
Bad annotation values ¶
- [BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation
- [BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation
- [BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place
- [BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass
brotli ¶
Configmap change ¶
add-headers ¶
[SSL] [Flag] default-ssl-certificate ¶
- uses default ssl certificate for catch-all ingress
- uses default ssl certificate for host based ingress when configured certificate does not match host
[Flag] disable-catch-all ¶
- should ignore catch all Ingress with backend
- should ignore catch all Ingress with backend and rules
- should delete Ingress updated to catch-all
- should allow Ingress with rules
[Flag] disable-service-external-name ¶
[Flag] disable-sync-events ¶
enable-real-ip ¶
- trusts X-Forwarded-For header only when setting is true
- should not trust X-Forwarded-For header when setting is false
use-forwarded-headers ¶
- should trust X-Forwarded headers when setting is true
- should not trust X-Forwarded headers when setting is false
Geoip2 ¶
- should include geoip2 line in config when enabled and db file exists
- should only allow requests from specific countries
- should up and running nginx controller using autoreload flag
[Security] block-* ¶
- should block CIDRs defined in the ConfigMap
- should block User-Agents defined in the ConfigMap
- should block Referers defined in the ConfigMap
[Security] global-auth-url ¶
- should return status code 401 when request any protected service
- should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
- should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
- should still return status code 200 after auth backend is deleted using cache
- user retains cookie by default
- user does not retain cookie if upstream returns error status code
- user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code
global-options ¶
- should have worker_rlimit_nofile option
- should have worker_rlimit_nofile option and be independent on amount of worker processes
GRPC ¶
gzip ¶
- should be disabled by default
- should be enabled with default settings
- should set gzip_comp_level to 4
- should set gzip_disable to msie6
- should set gzip_min_length to 100
- should set gzip_types to text/html
hash size ¶
- should set server_names_hash_bucket_size
- should set server_names_hash_max_size
- should set proxy-headers-hash-bucket-size
- should set proxy-headers-hash-max-size
- should set variables-hash-bucket-size
- should set variables-hash-max-size
- should set vmap-hash-bucket-size
[Flag] ingress-class ¶
- should ignore Ingress with a different class annotation
- should ignore Ingress with different controller class
- should accept both Ingresses with default IngressClassName and IngressClass annotation
- should ignore Ingress without IngressClass configuration
- should delete Ingress when class is removed
- should serve Ingress when class is added
- should serve Ingress when class is updated between annotation and ingressClassName
- should ignore Ingress with no class and accept the correctly configured Ingresses
- should watch Ingress with no class and ignore ingress with a different class
- should watch Ingress that uses the class name even if spec is different
- should watch Ingress with correct annotation
- should ignore Ingress with only IngressClassName
keep-alive keep-alive-requests ¶
- should set keepalive_timeout
- should set keepalive_requests
- should set keepalive connection to upstream server
- should set keep alive connection timeout to upstream server
- should set keepalive time to upstream server
- should set the request count to upstream server through one keep alive connection
Configmap - limit-rate ¶
[Flag] custom HTTP and HTTPS ports ¶
- should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
- should set X-Forwarded-Port header to 443
- should set the X-Forwarded-Port header to 443
log-format-* ¶
- should not configure log-format escape by default
- should enable the log-format-escape-json
- should disable the log-format-escape-json
- should enable the log-format-escape-none
- should disable the log-format-escape-none
- log-format-escape-json enabled
- log-format default escape
- log-format-escape-none enabled
[Lua] lua-shared-dicts ¶
main-snippet ¶
[Security] modsecurity-snippet ¶
enable-multi-accept ¶
- should be enabled by default
- should be enabled when set to true
- should be disabled when set to false
[Flag] watch namespace selector ¶
[Security] no-auth-locations ¶
- should return status code 401 when accessing '/' unauthentication
- should return status code 200 when accessing '/' authentication
- should return status code 200 when accessing '/noauth' unauthenticated
Add no tls redirect locations ¶
OCSP ¶
Configure Opentelemetry ¶
- should not exists opentelemetry directive
- should exists opentelemetry directive when is enabled
- should include opentelemetry_trust_incoming_spans on directive when enabled
- should not exists opentelemetry_operation_name directive when is empty
- should exists opentelemetry_operation_name directive when is configured
proxy-connect-timeout ¶
- should set valid proxy timeouts using configmap values
- should not set invalid proxy timeouts using configmap values
Dynamic $proxy_host ¶
proxy-next-upstream ¶
use-proxy-protocol ¶
- should respect port passed by the PROXY Protocol
- should respect proto passed by the PROXY Protocol server port
- should enable PROXY Protocol for HTTPS
- should enable PROXY Protocol for TCP
proxy-read-timeout ¶
- should set valid proxy read timeouts using configmap values
- should not set invalid proxy read timeouts using configmap values
proxy-send-timeout ¶
- should set valid proxy send timeouts using configmap values
- should not set invalid proxy send timeouts using configmap values
reuse-port ¶
configmap server-snippet ¶
- should add value of server-snippet setting to all ingress config
- should add global server-snippet and drop annotations per admin config
server-tokens ¶
- should not exists Server header in the response
- should exists Server header in the response when is enabled
ssl-ciphers ¶
[Flag] enable-ssl-passthrough ¶
With enable-ssl-passthrough enabled ¶
- should enable ssl-passthrough-proxy-port on a different port
- should pass unknown traffic to default backend and handle known traffic
configmap stream-snippet ¶
[SSL] TLS protocols, ciphers and headers ¶
- setting cipher suite
- setting max-age parameter
- setting includeSubDomains parameter
- setting preload parameter
- overriding what's set from the upstream
- should not use ports during the HTTP to HTTPS redirection
- should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection
annotation validations ¶
- should allow ingress based on their risk on webhooks
- should allow ingress based on their risk on webhooks
[SSL] redirect to HTTPS ¶
[SSL] secret update ¶
- should not appear references to secret updates not used in ingress rules
- should return the fake SSL certificate if the secret is invalid
[Status] status update ¶
[TCP] tcp-services ¶
\ No newline at end of file
diff --git a/examples/canary/index.html b/examples/canary/index.html
index 93ff0a1b6..43676cb19 100644
--- a/examples/canary/index.html
+++ b/examples/canary/index.html
@@ -19,7 +19,7 @@
spec:
containers:
- name: production
- image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef
+ image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.0.1@sha256:1cec65aa768720290d05d65ab1c297ca46b39930e56bc9488259f9114fcd30e2
ports:
- containerPort: 80
env:
@@ -77,7 +77,7 @@
spec:
containers:
- name: canary
- image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef
+ image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.0.1@sha256:1cec65aa768720290d05d65ab1c297ca46b39930e56bc9488259f9114fcd30e2
ports:
- containerPort: 80
env:
diff --git a/examples/customization/custom-errors/custom-default-backend.helm.values.yaml b/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
index d72001d58..fb07ac9fe 100644
--- a/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
+++ b/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
@@ -6,7 +6,7 @@ defaultBackend:
image:
registry: registry.k8s.io
image: ingress-nginx/custom-error-pages
- tag: v1.1.1@sha256:8c10776191ae44b5c387b8c7696d8bc17ceec90d7184a3a38b89ac8434b6c56b
+ tag: v1.0.2@sha256:b2259cf6bfda813548a64bded551b1854cb600c4f095738b49b4c5cdf8ab9d21
extraVolumes:
- name: custom-error-pages
configMap:
diff --git a/examples/customization/custom-errors/custom-default-backend.yaml b/examples/customization/custom-errors/custom-default-backend.yaml
index 088ca1374..805cf90ab 100644
--- a/examples/customization/custom-errors/custom-default-backend.yaml
+++ b/examples/customization/custom-errors/custom-default-backend.yaml
@@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: nginx-error-server
- image: registry.k8s.io/ingress-nginx/custom-error-pages:v1.1.1@sha256:8c10776191ae44b5c387b8c7696d8bc17ceec90d7184a3a38b89ac8434b6c56b
+ image: registry.k8s.io/ingress-nginx/custom-error-pages:v1.0.2@sha256:b2259cf6bfda813548a64bded551b1854cb600c4f095738b49b4c5cdf8ab9d21
ports:
- containerPort: 8080
# Setting the environment variable DEBUG we can see the headers sent
diff --git a/examples/customization/external-auth-headers/echo-service.yaml b/examples/customization/external-auth-headers/echo-service.yaml
index 10244458d..9f597a7f5 100644
--- a/examples/customization/external-auth-headers/echo-service.yaml
+++ b/examples/customization/external-auth-headers/echo-service.yaml
@@ -18,7 +18,7 @@ spec:
terminationGracePeriodSeconds: 60
containers:
- name: echo-service
- image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef
+ image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.0.1@sha256:1cec65aa768720290d05d65ab1c297ca46b39930e56bc9488259f9114fcd30e2
ports:
- containerPort: 8080
resources:
diff --git a/faq/index.html b/faq/index.html
index c3ff14321..619db5431 100644
--- a/faq/index.html
+++ b/faq/index.html
@@ -52,4 +52,4 @@ log_format main '$remote_addr - $remote_user [$time_local] "$request&qu
'host=$host x-forwarded-for=$http_x_forwarded_for';
access_log /var/log/nginx/access.log main;
- Kubernetes v1.22 Migration ¶
If you are using Ingress objects in your cluster (running Kubernetes older than version 1.22), and you plan to upgrade your Kubernetes version to K8S 1.22 or above, then please read the migration guide here.
Validation Of path ¶
-
For improving security and also following desired standards on Kubernetes API spec, the next release, scheduled for v1.8.0, will include a new & optional feature of validating the value for the key ingress.spec.rules.http.paths.path.
-
This behavior will be disabled by default on the 1.8.0 release and enabled by default on the next breaking change release, set for 2.0.0.
-
When "ingress.spec.rules.http.pathType=Exact" or "pathType=Prefix", this validation will limit the characters accepted on the field "ingress.spec.rules.http.paths.path", to "alphanumeric characters", and "/", "_", "-". Also, in this case, the path should start with "/".
-
When the ingress resource path contains other characters (like on rewrite configurations), the pathType value should be "ImplementationSpecific".
-
API Spec on pathType is documented here
-
When this option is enabled, the validation will happen on the Admission Webhook. So if any new ingress object contains characters other than alphanumeric characters, and, "/", "_", "-", in the path field, but is not using pathType value as ImplementationSpecific, then the ingress object will be denied admission.
-
The cluster admin should establish validation rules using mechanisms like "Open Policy Agent", to validate that only authorized users can use ImplementationSpecific pathType and that only the authorized characters can be used. The configmap value is here
-
A complete example of an Openpolicyagent gatekeeper rule is available here
-
If you have any issues or concerns, please do one of the following:
- Open a GitHub issue
- Comment in our Dev Slack Channel
- Open a thread in our Google Group ingress-nginx-dev@kubernetes.io
Why is chunking not working since controller v1.10 ? ¶
-
If your code is setting the HTTP header "Transfer-Encoding: chunked" and the controller log messages show an error about duplicate header, it is because of this change http://hg.nginx.org/nginx/rev/2bf7792c262e
-
More details are available in this issue https://github.com/kubernetes/ingress-nginx/issues/11162