IngressNginxController
Scope: Cluster
- array of strings
IP or CIDR that is allowed to access the Ingress controller.
Regardless of the inlet type, the source IP address gets always verified (the
original_address
field in logs) (the address that the connection was established from) and not the “address of the client” that can be passed in some inlets via headers or using the proxy protocol.This parameter is implemented using the map module. If the source address is not in the list of allowed addresses, nginx closes the connection immediately using HTTP code 444.
By default, the connection to the controller can be made from any address.
- object
The section with the Ingress controller parameters.
You can specify any supported parameter in it in the
key: value (string)
format.Caution. An erroneous option may lead to the failure of the ingress controller;
Caution. The usage of this parameter is not recommended; the backward compatibility or operability of the ingress controller that uses this option is not guaranteed
- string
One of the supported NGINX Ingress controller versions.
By default: the version in the module settings is used.
Allowed values:
1.9
,1.10
,1.12
- object
The section with parameters of custom HTTP errors.
All parameters in this section are mandatory if it is defined. Changing any parameter leads to the restart of all NGINX Ingress controllers.
- array of strings
Required value
Error codes which should be redirected to custom errors backend.
- object
This certificate is used:
- for
catch-all
server requests (here, “catch-all server” refers to the nginx server directive. Requests for which there is no corresponding Ingress resource end up on thecatch-all
server. - for Ingress resources that do not have a
secretName
specified in thetls
section.
By default, a self-signed certificate is used.
Caution. This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. You can specify the certificate to be used in the Ingress resources of the Deckhouse modules with the modules.https.customCertificate global parameter.
- for
- boolean
Attach annotations to the controller pods to automatically inject Istio sidecar containers.
After setting this parameter, the
sidecar.istio.io/inject: "true"
andtraffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>"
annotations will be attached to the ingress-controller pods. During pod creation, the Istio’s mutating webhook will add the sidecar to it. After that, the sidecar will catch the network traffic to Service CIDR.To use this feature in your application, you must add these annotations to your Ingress resources:
nginx.ingress.kubernetes.io/service-upstream: "true"
— using this annotation, the ingress-controller sends requests to a single ClusterIP (from Service CIDR) while envoy load balances them. Istio sidecar containers only catching traffic directed to Service CIDR.nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc
— using this annotation, the sidecar can identify the application service that serves requests.
Caution. This parameter cannot be enabled if the Ingress controller inlet is set to
HostWithFailover
. - array of strings
A list of database editions to download at startup.
Default:
["GeoLite2-City","GeoLite2-ASN"]
- string
A license key to download the GeoIP2 database.
If the key is set, the module downloads the GeoIP2 database every time the controller is started. Click here to learn more about obtaining a license key.
- object
A section of parameters of the
HostPortWithSSLPassthrough
inlet. - string
The name of the Ingress class to use with the NGINX Ingress controller.
Using this option, you can create several controllers to use with a single ingress
Caution. If you set it to “nginx”, then Ingress resources lacking the
kubernetes.io/ingress.class
annotation orspec.ingressClassName
field will also be handled.Default:
"nginx"
Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
Example:
ingressClass: nginx
- string
Required value
The way traffic from the external network is routed to the cluster. Once you have set the method, you cannot change it later.
LoadBalancer
— The Ingress controller is deployed, and aLoadBalancer
-type service is provisioned.LoadBalancerWithProxyProtocol
— The Ingress controller is deployed, and aLoadBalancer
-type service is provisioned. The Ingress controller uses the proxy-protocol to get a real IP address of the client.-
LoadBalancerWithSSLPassthrough
— The Ingress controller is deployed, and aLoadBalancer
-type service is provisioned. This option enables the SSL Passthrough feature, allowing backends to be configured to accept SSL traffic directly without termination at the Ingress controller.Caution. The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses NGINX completely and introduces a significant performance penalty.
The SSL Passthrough protocol leverages SNI and reads the virtual domain data from the TLS handshake protocol, which requires a compatible client.
If the host name doesn’t match the requested host name, the request is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which proxies the request to the default backend.
Caution. Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.
Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not layer 7 (HTTP), using SSLPassthrough makes it impossible to use other annotations configured on an Ingress object.
HostPort
— The Ingress controller is deployed and made available on node ports viahostPort
.-
HostPortWithProxyProtocol
— The Ingress controller is deployed and made available on node ports viahostPort
. The Ingress controller uses the proxy-protocol to get a real IP address of the client.Caution. When using this inlet, ensure that requests to the Ingress come from trusted sources only. One way to enforce this is by using the
acceptRequestsFrom
parameter. -
HostPortWithSSLPassthrough
- The Ingress controller is deployed and made available on node ports viahostPort
. This option enables the SSL Passthrough feature, allowing backends to be configured to accept SSL traffic directly without termination at the Ingress controller.Add settings to the
spec.HostPortWithSSLPassthrough
parameter section.The SSL Passthrough protocol leverages SNI and reads the virtual domain data from the TLS handshake protocol, which requires a compatible client.
If the host name doesn’t match the requested host name, the request is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which proxies the request to the default backend.
Caution. The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses NGINX completely and introduces a significant performance penalty.
Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.
Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not layer 7 (HTTP), using SSLPassthrough makes it impossible to use other annotations configured on an Ingress object.
-
HostWithFailover
— Two Ingress controllers are deployed: a primary and a backup. The primary controller runs in a hostNetwork. If the primary controller pods are unavailable, traffic is routed to the backup controller.Caution. There can be only one controller with this inlet type on a single host.
Caution. The following ports must be available on the node: 80, 81, 443, 444, 4207, 4208.
Caution. To change inlet, remove the iptables rules and restart the
kube-proxy
pods or reboot the nodes hosting Ingress controllers.Caution. This inlet cannot be used if the
enableIstioSidecar
parameter is enabled.
Allowed values:
LoadBalancer
,LoadBalancerWithSSLPassthrough
,LoadBalancerWithProxyProtocol
,HostPort
,HostPortWithSSLPassthrough
,HostPortWithProxyProtocol
,HostWithFailover
- boolean
Enable outdated versions of the TLS protocol and cipher suites.
Enables the following TLS protocol versions:
TLSv1
,TLSv1.1
,TLSv1.2
,TLSv1.3
.Enables the following combinations of cipher suites in order from the strongest to the weakest:
ECDHE-ECDSA-AES256-GCM-SHA384
,ECDHE-RSA-AES256-GCM-SHA384
,ECDHE-ECDSA-CHACHA20-POLY1305
,ECDHE-RSA-CHACHA20-POLY1305
,ECDHE-ECDSA-AES128-GCM-SHA256
,ECDHE-RSA-AES128-GCM-SHA256
,ECDHE-ECDSA-AES256-SHA384
,ECDHE-RSA-AES256-SHA384
,ECDHE-ECDSA-AES128-SHA256
,ECDHE-RSA-AES128-SHA256
,ECDHE-ECDSA-AES256-SHA
,ECDHE-RSA-AES256-SHA
,ECDHE-ECDSA-AES128-SHA
,ECDHE-RSA-AES128-SHA
,AES256-GCM-SHA384
,AES128-GCM-SHA256
,AES256-SHA256
,AES128-SHA256
,AES256-SHA
,AES128-SHA
.By default, only
TLSv1.2
andTLSv1.3
with the newest cipher suites are enabled. - object
Annotations to assign to the service for flexible configuration of the load balancer.
Caution. The module does not take into account the specifics of setting annotations in different clouds. Note that you will need to recreate
IngressNginxController
(or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service. - array of strings
IP ranges (CIDR) that are allowed to access the load balancer.
Caution. The cloud provider may not support this option or ignore it. Providers supporting the option: AWS, GCP, Azure. Providers ignoring the option: YandexCloud. For other cloud providers, the behavior may depend on the specifics of the cloud implementation. Testing is recommended before use of the option in production.
- object
Not required value.
A section of parameters of the
LoadBalancerWithProxyProtocol
inlet.- object
Annotations that will be passed to service with type load balancer to configure it.
Caution. The module does not take into account the specifics of setting annotations in different clouds. Note that you will need to recreate
IngressNginxController
(or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service. - array of strings
IP ranges (CIDR) that are allowed to access the load balancer.
Caution. The cloud provider may not support this option or ignore it. Providers supporting the option: AWS, GCP, Azure. Providers ignoring the option: YandexCloud. For other cloud providers, the behavior may depend on the specifics of the cloud implementation. Testing is recommended before use of the option in production.
- object
Not required value.
A section of parameters of the
LoadBalancerWithSSLPassthrough
inlet.- object
Annotations that will be passed to service with type load balancer to configure it.
Caution. The module does not take into account the specifics of setting annotations in different clouds. Note that you will need to recreate
IngressNginxController
(or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service. - array of strings
IP ranges (CIDR) that are allowed to access the load balancer.
Caution. The cloud provider may not support this option or ignore it. Providers supporting the option: AWS, GCP, Azure. Providers ignoring the option: Yandex Cloud. For other cloud providers, the behavior may depend on the specifics of the cloud implementation. Testing is recommended before use of the option in production.
- object
The same as in the pods’
spec.nodeSelector
parameter in Kubernetes.If the parameter is omitted or
false
, it will be determined automatically.Format: the standard
nodeSelector
list. Instance pods inherit this field as is. - object
Max amounts of CPU and memory resources that the pod can request when selecting a node (if the VPA is disabled, then these values become the default ones).
- array of objects
The same as in the pods’
spec.tolerations
parameter in Kubernetes;If the parameter is omitted or
false
, it will be determined automatically.Format: the standard toleration list. Instance pods inherit this field as is.
- boolean
Determines whether underscores are allowed in headers. Learn more….
This tutorial sheds light on why you should not enable it without careful consideration.
Default:
false
- integer
The number of seconds before the /healthz location will start to return a 500 code when the pod enters the Terminating state. This parameter has default values:
- 0s - for HostWithFailover
- 60s - for HostPort, HostPortWithProxyProtocol and HostPortWithSSLPassthrough
- 120s - for LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough
Deprecated resource. Support for the resource might be removed in a later release.
- array of strings
IP or CIDR that is allowed to access the Ingress controller.
Regardless of the inlet type, the source IP address gets always verified (the
original_address
field in logs) (the address that the connection was established from) and not the “address of the client” that can be passed in some inlets via headers or using the proxy protocol.This parameter is implemented using the map module. If the source address is not in the list of allowed addresses, nginx closes the connection immediately using HTTP code 444.
By default, the connection to the controller can be made from any address.
- object
The section with the Ingress controller parameters.
You can specify any supported parameter in it in the
key: value (string)
format.Caution. An erroneous option may lead to the failure of the ingress controller;
Caution. The usage of this parameter is not recommended; the backward compatibility or operability of the ingress controller that uses this option is not guaranteed
- string
One of the supported NGINX Ingress controller versions.
By default: the version in the module settings is used.
Allowed values:
1.9
,1.10
,1.12
- object
The section with parameters of custom HTTP errors.
All parameters in this section are mandatory if it is defined. Changing any parameter leads to the restart of all NGINX Ingress controllers.
- array of strings
Required value
Error codes which should be redirected to custom errors backend.
- object
This certificate is used:
- for
catch-all
server requests (here, “catch-all server” refers to the nginx server directive. Requests for which there is no corresponding Ingress resource end up on thecatch-all
server. - for Ingress resources that do not have a
secretName
specified in thetls
section.
By default, a self-signed certificate is used.
Caution. This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. You can specify the certificate to be used in the Ingress resources of the Deckhouse modules with the modules.https.customCertificate global parameter.
- for
- boolean
Attach annotations to the controller pods to automatically inject Istio sidecar containers.
After setting this parameter, the
sidecar.istio.io/inject: "true"
andtraffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>"
annotations will be attached to the ingress-controller pods. During pod creation, the Istio’s mutating webhook will add the sidecar to it. After that, the sidecar will catch the network traffic to Service CIDR.To use this feature in your application, you must add these annotations to your Ingress resources:
nginx.ingress.kubernetes.io/service-upstream: "true"
— using this annotation, the ingress-controller sends requests to a single ClusterIP (from Service CIDR) while envoy load balances them. Istio sidecar containers only catching traffic directed to Service CIDR.nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc
— using this annotation, the sidecar can identify the application service that serves requests.
Caution. This parameter cannot be enabled if the Ingress controller inlet is set to
HostWithFailover
. - array of strings
A list of database editions to download at startup.
Default:
["GeoLite2-City","GeoLite2-ASN"]
- string
A license key to download the GeoIP2 database.
If the key is set, the module downloads the GeoIP2 database every time the controller is started. Click here to learn more about obtaining a license key.
- string
The name of the Ingress class to use with the NGINX Ingress controller.
Using this option, you can create several controllers to use with a single ingress
Caution. If you set it to “nginx”, then Ingress resources lacking the
kubernetes.io/ingress.class
annotation orspec.ingressClassName
field will also be handled.Default:
"nginx"
Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
Example:
ingressClass: nginx
- string
Required value
The way traffic from the external network is routed to the cluster. Once you have set the method, you cannot change it later.
LoadBalancer
— Ingress controller is deployed and the service ofLoadBalancer
type is provisioned.LoadBalancerWithProxyProtocol
— Ingress controller is deployed and the service ofLoadBalancer
type is provisioned. Ingress controller uses proxy-protocol to get a real IP of the client.-
HostPort
— Ingress controller is deployed and available through nodes’ ports viahostPort
;Settings are required in spec.HostPort.
-
HostPortWithProxyProtocol
— Ingress controller is deployed and available through nodes’ ports via `hostPort, it uses proxy-protocol to get a real IP of the client;Settings are required in spec.HostPortWithProxyProtocol.
Caution. Make sure that requests to the Ingress are sent from trusted sources when using this inlet. The acceptRequestsFrom parameter can help you with defining trusted sources.
-
HostWithFailover
— installs two ingress controllers, the primary and the backup one. The primary controller runs in a hostNetwork. If the pods of the primary controller are not available, the traffic is routed to the backup one;Caution. There can be only one controller with this inlet type on a host.
Caution. The following ports must be available on the node: 80, 81, 443, 444, 4207, 4208.
Caution. To change inlet, remove the iptables rules and restart the
kube-proxy
pods or reboot the nodes hosting Ingress controllers.Caution. This inlet cannot be used if the
enableIstioSidecar
parameter is enabled.
Allowed values:
LoadBalancer
,LoadBalancerWithProxyProtocol
,HostPort
,HostPortWithProxyProtocol
,HostWithFailover
- boolean
Enable outdated versions of the TLS protocol and cipher suites.
Enables the following TLS protocol versions:
TLSv1
,TLSv1.1
,TLSv1.2
,TLSv1.3
.Enables the following combinations of cipher suites in order from the strongest to the weakest:
ECDHE-ECDSA-AES256-GCM-SHA384
,ECDHE-RSA-AES256-GCM-SHA384
,ECDHE-ECDSA-CHACHA20-POLY1305
,ECDHE-RSA-CHACHA20-POLY1305
,ECDHE-ECDSA-AES128-GCM-SHA256
,ECDHE-RSA-AES128-GCM-SHA256
,ECDHE-ECDSA-AES256-SHA384
,ECDHE-RSA-AES256-SHA384
,ECDHE-ECDSA-AES128-SHA256
,ECDHE-RSA-AES128-SHA256
,ECDHE-ECDSA-AES256-SHA
,ECDHE-RSA-AES256-SHA
,ECDHE-ECDSA-AES128-SHA
,ECDHE-RSA-AES128-SHA
,AES256-GCM-SHA384
,AES128-GCM-SHA256
,AES256-SHA256
,AES128-SHA256
,AES256-SHA
,AES128-SHA
.By default, only
TLSv1.2
andTLSv1.3
with the newest cipher suites are enabled. - object
Annotations to assign to the service for flexible configuration of the load balancer.
Caution. The module does not take into account the specifics of setting annotations in different clouds. Note that you will need to recreate
IngressNginxController
(or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service. - array of strings
IP ranges (CIDR) that are allowed to access the load balancer.
Caution. The cloud provider may not support this option or ignore it. Providers supporting the option: AWS, GCP, Azure. Providers ignoring the option: YandexCloud. For other cloud providers, the behavior may depend on the specifics of the cloud implementation. Testing is recommended before use of the option in production.
- object
Not required value.
A section of parameters of the
LoadBalancerWithProxyProtocol
inlet.- object
Annotations that will be passed to service with type load balancer to configure it.
Caution. The module does not take into account the specifics of setting annotations in different clouds. Note that you will need to recreate
IngressNginxController
(or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service. - array of strings
IP ranges (CIDR) that are allowed to access the load balancer.
Caution. The cloud provider may not support this option or ignore it. Providers supporting the option: AWS, GCP, Azure. Providers ignoring the option: YandexCloud. For other cloud providers, the behavior may depend on the specifics of the cloud implementation. Testing is recommended before use of the option in production.
- object
The same as in the pods’
spec.nodeSelector
parameter in Kubernetes.If the parameter is omitted or
false
, it will be determined automatically.Format: the standard
nodeSelector
list. Instance pods inherit this field as is. - object
Max amounts of CPU and memory resources that the pod can request when selecting a node (if the VPA is disabled, then these values become the default ones).
- array of objects
The same as in the pods’
spec.tolerations
parameter in Kubernetes;If the parameter is omitted or
false
, it will be determined automatically.Format: the standard toleration list. Instance pods inherit this field as is.
- boolean
Determines whether underscores are allowed in headers. Learn more….
This tutorial sheds light on why you should not enable it without careful consideration.
Default:
false
- integer
The number of seconds before the /healthz location will start to return a 500 code when the pod enters the Terminating state. This parameter has default values:
- 0s - for HostWithFailover
- 60s - for HostPort and HostPortWithProxyProtocol
- 120s - for LoadBalancer and LoadBalancerWithProxyProtocol