Bare-metal considerations ¶
In traditional cloud environments, where network load balancers are available on-demand, a single Kubernetes manifest suffices to provide a single point of contact to the NGINX Ingress controller to external clients and, indirectly, to any application running inside the cluster. Bare-metal environments lack this commodity, requiring a slightly different setup to offer the same kind of access to external consumers.
The rest of this document describes a few recommended approaches to deploying the NGINX Ingress controller inside a Kubernetes cluster running on bare-metal.
A pure software solution: MetalLB ¶
MetalLB provides a network load-balancer implementation for Kubernetes clusters that do not run on a supported cloud provider, effectively allowing the usage of LoadBalancer Services within any cluster.
This section demonstrates how to use the Layer 2 configuration mode of MetalLB together with the NGINX Ingress controller in a Kubernetes cluster that has publicly accessible nodes. In this mode, one node attracts all the traffic for the ingress-nginx Service IP. See Traffic policies for more details.
Note
The description of other supported configuration modes is off-scope for this document.
Warning
MetalLB is currently in beta. Read about the Project maturity and make sure you inform yourself by reading the official documentation thoroughly.
MetalLB can be deployed either with a simple Kubernetes manifest or with Helm. The rest of this example assumes MetalLB was deployed following the Installation instructions.
MetalLB requires a pool of IP addresses in order to be able to take ownership of the ingress-nginx Service. This pool can be defined in a ConfigMap named config located in the same namespace as the MetalLB controller. This pool of IPs must be dedicated to MetalLB's use, you can't reuse the Kubernetes node IPs or IPs handed out by a DHCP server.
Example
Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal environments this value is <None>)
$ kubectl get node
+ Bare-metal considerations - NGINX Ingress Controller Bare-metal considerations ¶
In traditional cloud environments, where network load balancers are available on-demand, a single Kubernetes manifest suffices to provide a single point of contact to the NGINX Ingress controller to external clients and, indirectly, to any application running inside the cluster. Bare-metal environments lack this commodity, requiring a slightly different setup to offer the same kind of access to external consumers.
The rest of this document describes a few recommended approaches to deploying the NGINX Ingress controller inside a Kubernetes cluster running on bare-metal.
A pure software solution: MetalLB ¶
MetalLB provides a network load-balancer implementation for Kubernetes clusters that do not run on a supported cloud provider, effectively allowing the usage of LoadBalancer Services within any cluster.
This section demonstrates how to use the Layer 2 configuration mode of MetalLB together with the NGINX Ingress controller in a Kubernetes cluster that has publicly accessible nodes. In this mode, one node attracts all the traffic for the ingress-nginx Service IP. See Traffic policies for more details.
Note
The description of other supported configuration modes is off-scope for this document.
Warning
MetalLB is currently in beta. Read about the Project maturity and make sure you inform yourself by reading the official documentation thoroughly.
MetalLB can be deployed either with a simple Kubernetes manifest or with Helm. The rest of this example assumes MetalLB was deployed following the Installation instructions.
MetalLB requires a pool of IP addresses in order to be able to take ownership of the ingress-nginx Service. This pool can be defined in a ConfigMap named config located in the same namespace as the MetalLB controller. This pool of IPs must be dedicated to MetalLB's use, you can't reuse the Kubernetes node IPs or IPs handed out by a DHCP server.
Example
Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal environments this value is <None>)
$ kubectl get node
NAME STATUS ROLES EXTERNAL-IP
host-1 Ready master 203.0.113.1
host-2 Ready node 203.0.113.2
diff --git a/deploy/hardening-guide/index.html b/deploy/hardening-guide/index.html
index 9747a1ac4..4acfca382 100644
--- a/deploy/hardening-guide/index.html
+++ b/deploy/hardening-guide/index.html
@@ -1,4 +1,4 @@
- Hardening guide - NGINX Ingress Controller Hardening Guide ¶
Overview ¶
There are several ways to do hardening and securing of nginx. In this documentation two guides are used, the guides are overlapping in some points:
- nginx CIS Benchmark
- cipherlist.eu (one of many forks of the now dead project cipherli.st)
This guide describes, what of the different configurations described in those guides is already implemented as default in the nginx implementation of kubernetes ingress, what needs to be configured, what is obsolete due to the fact that the nginx is running as container (the CIS benchmark relates to a non-containerized installation) and what is difficult or not possible.
Be aware that this is only a guide and you are responsible for your own implementation. Some of the configurations may lead to have specific clients unable to reach your site or similar consequences.
This guide refers to chapters in the CIS Benchmark. For full explanation you should refer to the benchmark document itself
Configuration Guide ¶
Chapter in CIS benchmark Status Default Action to do if not default 1 Initial Setup 1.1 Installation 1.1.1 Ensure NGINX is installed (Scored) OK done through helm charts / following documentation to deploy nginx ingress 1.1.2 Ensure NGINX is installed from source (Not Scored) OK done through helm charts / following documentation to deploy nginx ingress 1.2 Configure Software Updates 1.2.1 Ensure package manager repositories are properly configured (Not Scored) OK done via helm, nginx version could be overwritten, however compatibility is not ensured then 1.2.2 Ensure the latest software package is installed (Not Scored) ACTION NEEDED done via helm, nginx version could be overwritten, however compatibility is not ensured then Plan for periodic updates 2 Basic Configuration 2.1 Minimize NGINX Modules 2.1.1 Ensure only required modules are installed (Not Scored) OK Already only needed modules are installed, however proposals for further reduction are welcome 2.1.2 Ensure HTTP WebDAV module is not installed (Scored) OK 2.1.3 Ensure modules with gzip functionality are disabled (Scored) OK 2.1.4 Ensure the autoindex module is disabled (Scored) OK No autoindex configs so far in ingress defaults 2.2 Account Security 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account (Not Scored) OK Pod configured as user www-data: See this line in helm chart values. Compiled with user www-data: See this line in build script 2.2.2 Ensure the NGINX service account is locked (Scored) OK Docker design ensures this 2.2.3 Ensure the NGINX service account has an invalid shell (Scored) OK Shell is nologin: see this line in build script 2.3 Permissions and Ownership 2.3.1 Ensure NGINX directories and files are owned by root (Scored) OK Obsolete through docker-design and ingress controller needs to update the configs dynamically 2.3.2 Ensure access to NGINX directories and files is restricted (Scored) OK See previous answer 2.3.3 Ensure the NGINX process ID (PID) file is secured (Scored) OK No PID-File due to docker design 2.3.4 Ensure the core dump directory is secured (Not Scored) OK No working_directory configured by default 2.4 Network Configuration 2.4.1 Ensure NGINX only listens for network connections on authorized ports (Not Scored) OK Ensured by automatic nginx.conf configuration 2.4.2 Ensure requests for unknown host names are rejected (Not Scored) OK They are not rejected but send to the "default backend" delivering appropriate errors (mostly 404) 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Scored) ACTION NEEDED Default is 75s configure keep-alive to 10 seconds according to this documentation 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored) RISK TO BE ACCEPTED Not configured, however the nginx default is 60s Not configurable 2.5 Information Disclosure 2.5.1 Ensure server_tokens directive is set to off (Scored) OK server_tokens is configured to off by default 2.5.2 Ensure default error and index.html pages do not reference NGINX (Scored) ACTION NEEDED 404 shows no version at all, 503 and 403 show "nginx", which is hardcoded see this line in nginx source code configure custom error pages at least for 403, 404 and 503 and 500 2.5.3 Ensure hidden file serving is disabled (Not Scored) ACTION NEEDED config not set configure a config.server-snippet Snippet, but beware of .well-known challenges or similar. Refer to the benchmark here please 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored) ACTION NEEDED hide not configured configure hide-headers with array of "X-Powered-By" and "Server": according to this documentation 3 Logging 3.1 Ensure detailed logging is enabled (Not Scored) OK nginx ingress has a very detailed log format by default 3.2 Ensure access logging is enabled (Scored) OK Access log is enabled by default 3.3 Ensure error logging is enabled and set to the info logging level (Scored) OK Error log is configured by default. The log level does not matter, because it is all sent to STDOUT anyway 3.4 Ensure log files are rotated (Scored) OBSOLETE Log file handling is not part of the nginx ingress and should be handled separately 3.5 Ensure error logs are sent to a remote syslog server (Not Scored) OBSOLETE See previous answer 3.6 Ensure access logs are sent to a remote syslog server (Not Scored) OBSOLETE See previous answer 3.7 Ensure proxies pass source IP information (Scored) OK Headers are set by default 4 Encryption 4.1 TLS / SSL Configuration 4.1.1 Ensure HTTP is redirected to HTTPS (Scored) OK Redirect to TLS is default 4.1.2 Ensure a trusted certificate and trust chain is installed (Not Scored) ACTION NEEDED For installing certs there are enough manuals in the web. A good way is to use lets encrypt through cert-manager Install proper certificates or use lets encrypt with cert-manager 4.1.3 Ensure private key permissions are restricted (Scored) ACTION NEEDED See previous answer 4.1.4 Ensure only modern TLS protocols are used (Scored) OK/ACTION NEEDED Default is TLS 1.2 + 1.3, while this is okay for CIS Benchmark, cipherlist.eu only recommends 1.3. This may cut off old OS's Set controller.config.ssl-protocols to "TLSv1.3" 4.1.5 Disable weak ciphers (Scored) ACTION NEEDED Default ciphers are already good, but cipherlist.eu recommends even stronger ciphers Set controller.config.ssl-ciphers to "EECDH+AESGCM:EDH+AESGCM" 4.1.6 Ensure custom Diffie-Hellman parameters are used (Scored) ACTION NEEDED No custom DH parameters are generated Generate dh parameters for each ingress deployment you use - see here for a how to 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled (Scored) ACTION NEEDED Not enabled set via this configuration parameter 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Scored) OK HSTS is enabled by default 4.1.9 Ensure HTTP Public Key Pinning is enabled (Not Scored) ACTION NEEDED / RISK TO BE ACCEPTED HKPK not enabled by default If lets encrypt is not used, set correct HPKP header. There are several ways to implement this - with the helm charts it works via controller.add-headers. If lets encrypt is used, this is complicated, a solution here is yet unknown 4.1.10 Ensure upstream server traffic is authenticated with a client certificate (Scored) DEPENDS ON BACKEND Highly dependent on backends, not every backend allows configuring this, can also be mitigated via a service mesh If backend allows it, manual is here 4.1.11 Ensure the upstream traffic server certificate is trusted (Not Scored) DEPENDS ON BACKEND Highly dependent on backends, not every backend allows configuring this, can also be mitigated via a service mesh If backend allows it, see configuration here 4.1.12 Ensure your domain is preloaded (Not Scored) ACTION NEEDED Preload is not active by default Set controller.config.hsts-preload to true 4.1.13 Ensure session resumption is disabled to enable perfect forward security (Scored) OK Session tickets are disabled by default 4.1.14 Ensure HTTP/2.0 is used (Not Scored) OK http2 is set by default 5 Request Filtering and Restrictions 5.1 Access Control 5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored) OK/ACTION NEEDED Depends on use case, geo ip module is compiled into nginx ingress controller, there are several ways to use it If needed set IP restrictions via annotations or work with config snippets (be careful with lets-encrypt-http-challenge!) 5.1.2 Ensure only whitelisted HTTP methods are allowed (Not Scored) OK/ACTION NEEDED Depends on use case If required it can be set via config snippet 5.2 Request Limits 5.2.1 Ensure timeout values for reading the client header and body are set correctly (Scored) ACTION NEEDED Default timeout is 60s Set via this configuration parameter and respective body equivalent 5.2.2 Ensure the maximum request body size is set correctly (Scored) ACTION NEEDED Default is 1m set via this configuration parameter 5.2.3 Ensure the maximum buffer size for URIs is defined (Scored) ACTION NEEDED Default is 4 8k Set via this configuration parameter 5.2.4 Ensure the number of connections per IP address is limited (Not Scored) OK/ACTION NEEDED No limit set Depends on use case, limit can be set via these annotations 5.2.5 Ensure rate limits by IP address are set (Not Scored) OK/ACTION NEEDED No limit set Depends on use case, limit can be set via these annotations 5.3 Browser Security 5.3.1 Ensure X-Frame-Options header is configured and enabled (Scored) ACTION NEEDED Header not set by default Several ways to implement this - with the helm charts it works via controller.add-headers 5.3.2 Ensure X-Content-Type-Options header is configured and enabled (Scored) ACTION NEEDED See previous answer See previous answer 5.3.3 Ensure the X-XSS-Protection Header is enabled and configured properly (Scored) ACTION NEEDED See previous answer See previous answer 5.3.4 Ensure that Content Security Policy (CSP) is enabled and configured properly (Not Scored) ACTION NEEDED See previous answer See previous answer 5.3.5 Ensure the Referrer Policy is enabled and configured properly (Not Scored) ACTION NEEDED Depends on application. It should be handled in the applications webserver itself, not in the load balancing ingress check backend webserver 6 Mandatory Access Control n/a too high level, depends on backends
Hardening Guide ¶
Overview ¶
There are several ways to do hardening and securing of nginx. In this documentation two guides are used, the guides are overlapping in some points:
- nginx CIS Benchmark
- cipherlist.eu (one of many forks of the now dead project cipherli.st)
This guide describes, what of the different configurations described in those guides is already implemented as default in the nginx implementation of kubernetes ingress, what needs to be configured, what is obsolete due to the fact that the nginx is running as container (the CIS benchmark relates to a non-containerized installation) and what is difficult or not possible.
Be aware that this is only a guide and you are responsible for your own implementation. Some of the configurations may lead to have specific clients unable to reach your site or similar consequences.
This guide refers to chapters in the CIS Benchmark. For full explanation you should refer to the benchmark document itself
Configuration Guide ¶
Chapter in CIS benchmark Status Default Action to do if not default 1 Initial Setup 1.1 Installation 1.1.1 Ensure NGINX is installed (Scored) OK done through helm charts / following documentation to deploy nginx ingress 1.1.2 Ensure NGINX is installed from source (Not Scored) OK done through helm charts / following documentation to deploy nginx ingress 1.2 Configure Software Updates 1.2.1 Ensure package manager repositories are properly configured (Not Scored) OK done via helm, nginx version could be overwritten, however compatibility is not ensured then 1.2.2 Ensure the latest software package is installed (Not Scored) ACTION NEEDED done via helm, nginx version could be overwritten, however compatibility is not ensured then Plan for periodic updates 2 Basic Configuration 2.1 Minimize NGINX Modules 2.1.1 Ensure only required modules are installed (Not Scored) OK Already only needed modules are installed, however proposals for further reduction are welcome 2.1.2 Ensure HTTP WebDAV module is not installed (Scored) OK 2.1.3 Ensure modules with gzip functionality are disabled (Scored) OK 2.1.4 Ensure the autoindex module is disabled (Scored) OK No autoindex configs so far in ingress defaults 2.2 Account Security 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account (Not Scored) OK Pod configured as user www-data: See this line in helm chart values. Compiled with user www-data: See this line in build script 2.2.2 Ensure the NGINX service account is locked (Scored) OK Docker design ensures this 2.2.3 Ensure the NGINX service account has an invalid shell (Scored) OK Shell is nologin: see this line in build script 2.3 Permissions and Ownership 2.3.1 Ensure NGINX directories and files are owned by root (Scored) OK Obsolete through docker-design and ingress controller needs to update the configs dynamically 2.3.2 Ensure access to NGINX directories and files is restricted (Scored) OK See previous answer 2.3.3 Ensure the NGINX process ID (PID) file is secured (Scored) OK No PID-File due to docker design 2.3.4 Ensure the core dump directory is secured (Not Scored) OK No working_directory configured by default 2.4 Network Configuration 2.4.1 Ensure NGINX only listens for network connections on authorized ports (Not Scored) OK Ensured by automatic nginx.conf configuration 2.4.2 Ensure requests for unknown host names are rejected (Not Scored) OK They are not rejected but send to the "default backend" delivering appropriate errors (mostly 404) 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Scored) ACTION NEEDED Default is 75s configure keep-alive to 10 seconds according to this documentation 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored) RISK TO BE ACCEPTED Not configured, however the nginx default is 60s Not configurable 2.5 Information Disclosure 2.5.1 Ensure server_tokens directive is set to off (Scored) OK server_tokens is configured to off by default 2.5.2 Ensure default error and index.html pages do not reference NGINX (Scored) ACTION NEEDED 404 shows no version at all, 503 and 403 show "nginx", which is hardcoded see this line in nginx source code configure custom error pages at least for 403, 404 and 503 and 500 2.5.3 Ensure hidden file serving is disabled (Not Scored) ACTION NEEDED config not set configure a config.server-snippet Snippet, but beware of .well-known challenges or similar. Refer to the benchmark here please 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored) ACTION NEEDED hide not configured configure hide-headers with array of "X-Powered-By" and "Server": according to this documentation 3 Logging 3.1 Ensure detailed logging is enabled (Not Scored) OK nginx ingress has a very detailed log format by default 3.2 Ensure access logging is enabled (Scored) OK Access log is enabled by default 3.3 Ensure error logging is enabled and set to the info logging level (Scored) OK Error log is configured by default. The log level does not matter, because it is all sent to STDOUT anyway 3.4 Ensure log files are rotated (Scored) OBSOLETE Log file handling is not part of the nginx ingress and should be handled separately 3.5 Ensure error logs are sent to a remote syslog server (Not Scored) OBSOLETE See previous answer 3.6 Ensure access logs are sent to a remote syslog server (Not Scored) OBSOLETE See previous answer 3.7 Ensure proxies pass source IP information (Scored) OK Headers are set by default 4 Encryption 4.1 TLS / SSL Configuration 4.1.1 Ensure HTTP is redirected to HTTPS (Scored) OK Redirect to TLS is default 4.1.2 Ensure a trusted certificate and trust chain is installed (Not Scored) ACTION NEEDED For installing certs there are enough manuals in the web. A good way is to use lets encrypt through cert-manager Install proper certificates or use lets encrypt with cert-manager 4.1.3 Ensure private key permissions are restricted (Scored) ACTION NEEDED See previous answer 4.1.4 Ensure only modern TLS protocols are used (Scored) OK/ACTION NEEDED Default is TLS 1.2 + 1.3, while this is okay for CIS Benchmark, cipherlist.eu only recommends 1.3. This may cut off old OS's Set controller.config.ssl-protocols to "TLSv1.3" 4.1.5 Disable weak ciphers (Scored) ACTION NEEDED Default ciphers are already good, but cipherlist.eu recommends even stronger ciphers Set controller.config.ssl-ciphers to "EECDH+AESGCM:EDH+AESGCM" 4.1.6 Ensure custom Diffie-Hellman parameters are used (Scored) ACTION NEEDED No custom DH parameters are generated Generate dh parameters for each ingress deployment you use - see here for a how to 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled (Scored) ACTION NEEDED Not enabled set via this configuration parameter 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Scored) OK HSTS is enabled by default 4.1.9 Ensure HTTP Public Key Pinning is enabled (Not Scored) ACTION NEEDED / RISK TO BE ACCEPTED HKPK not enabled by default If lets encrypt is not used, set correct HPKP header. There are several ways to implement this - with the helm charts it works via controller.add-headers. If lets encrypt is used, this is complicated, a solution here is yet unknown 4.1.10 Ensure upstream server traffic is authenticated with a client certificate (Scored) DEPENDS ON BACKEND Highly dependent on backends, not every backend allows configuring this, can also be mitigated via a service mesh If backend allows it, manual is here 4.1.11 Ensure the upstream traffic server certificate is trusted (Not Scored) DEPENDS ON BACKEND Highly dependent on backends, not every backend allows configuring this, can also be mitigated via a service mesh If backend allows it, see configuration here 4.1.12 Ensure your domain is preloaded (Not Scored) ACTION NEEDED Preload is not active by default Set controller.config.hsts-preload to true 4.1.13 Ensure session resumption is disabled to enable perfect forward security (Scored) OK Session tickets are disabled by default 4.1.14 Ensure HTTP/2.0 is used (Not Scored) OK http2 is set by default 5 Request Filtering and Restrictions 5.1 Access Control 5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored) OK/ACTION NEEDED Depends on use case, geo ip module is compiled into nginx ingress controller, there are several ways to use it If needed set IP restrictions via annotations or work with config snippets (be careful with lets-encrypt-http-challenge!) 5.1.2 Ensure only whitelisted HTTP methods are allowed (Not Scored) OK/ACTION NEEDED Depends on use case If required it can be set via config snippet 5.2 Request Limits 5.2.1 Ensure timeout values for reading the client header and body are set correctly (Scored) ACTION NEEDED Default timeout is 60s Set via this configuration parameter and respective body equivalent 5.2.2 Ensure the maximum request body size is set correctly (Scored) ACTION NEEDED Default is 1m set via this configuration parameter 5.2.3 Ensure the maximum buffer size for URIs is defined (Scored) ACTION NEEDED Default is 4 8k Set via this configuration parameter 5.2.4 Ensure the number of connections per IP address is limited (Not Scored) OK/ACTION NEEDED No limit set Depends on use case, limit can be set via these annotations 5.2.5 Ensure rate limits by IP address are set (Not Scored) OK/ACTION NEEDED No limit set Depends on use case, limit can be set via these annotations 5.3 Browser Security 5.3.1 Ensure X-Frame-Options header is configured and enabled (Scored) ACTION NEEDED Header not set by default Several ways to implement this - with the helm charts it works via controller.add-headers 5.3.2 Ensure X-Content-Type-Options header is configured and enabled (Scored) ACTION NEEDED See previous answer See previous answer 5.3.3 Ensure the X-XSS-Protection Header is enabled and configured properly (Scored) ACTION NEEDED See previous answer See previous answer 5.3.4 Ensure that Content Security Policy (CSP) is enabled and configured properly (Not Scored) ACTION NEEDED See previous answer See previous answer 5.3.5 Ensure the Referrer Policy is enabled and configured properly (Not Scored) ACTION NEEDED Depends on application. It should be handled in the applications webserver itself, not in the load balancing ingress check backend webserver 6 Mandatory Access Control n/a too high level, depends on backends
Installation Guide ¶
There are multiple ways to install the NGINX ingress controller:
- with Helm, using the project repository chart;
- with
kubectl apply, using YAML manifests; - with specific addons (e.g. for minikube or MicroK8s).
On most Kubernetes clusters, the ingress controller will work without requiring any extra configuration. If you want to get started as fast as possible, you can check the quick start instructions. However, in many environments, you can improve the performance or get better logs by enabling extra features. we recommend that you check the environment-specific instructions for details about optimizing the ingress controller for your particular environment or cloud provider.
Contents ¶
-
-
- ... Docker Desktop
- ... minikube
- ... MicroK8s
- ... AWS
- ... GCE - GKE
- ... Azure
- ... Digital Ocean
- ... Scaleway
- ... Exoscale
- ... Oracle Cloud Infrastructure
- ... Bare-metal
- Miscellaneous
Quick start ¶
If you have Helm, you can deploy the ingress controller with the following command:
helm upgrade --install ingress-nginx ingress-nginx \
+ Installation Guide - NGINX Ingress Controller Installation Guide ¶
There are multiple ways to install the NGINX ingress controller:
- with Helm, using the project repository chart;
- with
kubectl apply, using YAML manifests; - with specific addons (e.g. for minikube or MicroK8s).
On most Kubernetes clusters, the ingress controller will work without requiring any extra configuration. If you want to get started as fast as possible, you can check the quick start instructions. However, in many environments, you can improve the performance or get better logs by enabling extra features. we recommend that you check the environment-specific instructions for details about optimizing the ingress controller for your particular environment or cloud provider.
Contents ¶
-
-
- ... Docker Desktop
- ... minikube
- ... MicroK8s
- ... AWS
- ... GCE - GKE
- ... Azure
- ... Digital Ocean
- ... Scaleway
- ... Exoscale
- ... Oracle Cloud Infrastructure
- ... Bare-metal
- Miscellaneous
Quick start ¶
If you have Helm, you can deploy the ingress controller with the following command:
helm upgrade --install ingress-nginx ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--namespace ingress-nginx --create-namespace
-
It will install the controller in the ingress-nginx namespace, creating that namespace if it doesn't already exist.
Info
This command is idempotent:
- if the ingress controller is not installed, it will install it,
- if the ingress controller is already installed, it will upgrade it.
If you don't have Helm or if you prefer to use a YAML manifest, you can run the following command instead:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
+
It will install the controller in the ingress-nginx namespace, creating that namespace if it doesn't already exist.
Info
This command is idempotent:
- if the ingress controller is not installed, it will install it,
- if the ingress controller is already installed, it will upgrade it.
If you don't have Helm or if you prefer to use a YAML manifest, you can run the following command instead:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
Info
The YAML manifest in the command above was generated with helm template, so you will end up with almost the same resources as if you had used Helm to install the controller.
If you are running an old version of Kubernetes (1.18 or earlier), please read this paragraph for specific instructions.
Pre-flight check ¶
A few pods should start in the ingress-nginx namespace:
kubectl get pods --namespace=ingress-nginx
After a while, they should all be running. The following command will wait for the ingress controller pod to be up, running, and ready:
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
@@ -19,22 +19,22 @@
--rule www.demo.io/=demo:80
You should then be able to see the "It works!" page when you connect to http://www.demo.io/. Congratulations, you are serving a public web site hosted on a Kubernetes cluster! 🎉
Environment-specific instructions ¶
Local development clusters ¶
minikube ¶
The ingress controller can be installed through minikube's addons system:
minikube addons enable ingress
MicroK8s ¶
The ingress controller can be installed through MicroK8s's addons system:
microk8s enable ingress
-
Please check the MicroK8s documentation page for details.
Docker Desktop ¶
Kubernetes is available in Docker Desktop:
- Mac, from version 18.06.0-ce
- Windows, from version 18.06.0-ce
First, make sure that Kubernetes is enabled in the Docker settings. The command kubectl get nodes should show a single node called docker-destkop.
The ingress controller can be installed on Docker Desktop using the default quick start instructions.
On most systems, if you don't have any other service of type LoadBalancer bound to port 80, the ingress controller will be assigned the EXTERNAL-IP of localhost, which means that it will be reachable on localhost:80. If that doesn't work, you might have to fall back to the kubectl port-forward method described in the local testing section.
Cloud deployments ¶
If the load balancers of your cloud provider do active healthchecks on their backends (most do), you can change the externalTrafficPolicy of the ingress controller Service to Local (instead of the default Cluster) to save an extra hop in some cases. If you're installing with Helm, this can be done by adding --set controller.service.externalTrafficPolicy=Local to the helm install or helm upgrade command.
Furthermore, if the load balancers of your cloud provider support the PROXY protocol, you can enable it, and it will let the ingress controller see the real IP address of the clients. Otherwise, it will generally see the IP address of the upstream load balancer. This must be done both in the ingress controller (with e.g. --set controller.config.use-proxy-protocol=true) and in the cloud provider's load balancer configuration to function correctly.
In the following sections, we provide YAML manifests that enable these options when possible, using the specific options of various cloud providers.
AWS ¶
In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controller behind a Service of Type=LoadBalancer.
Info
The provided templates illustrate the setup for legacy in-tree service load balancer for AWS NLB. AWS provides the documentation on how to use Network load balancing on Amazon EKS with AWS Load Balancer Controller.
Network Load Balancer (NLB) ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy.yaml
-
TLS termination in AWS Load Balancer (NLB) ¶
By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS with using an NLB.
-
Download the the deploy-tls-termination.yaml template:
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy-tls-termination.yaml
+
Please check the MicroK8s documentation page for details.
Docker Desktop ¶
Kubernetes is available in Docker Desktop:
- Mac, from version 18.06.0-ce
- Windows, from version 18.06.0-ce
First, make sure that Kubernetes is enabled in the Docker settings. The command kubectl get nodes should show a single node called docker-destkop.
The ingress controller can be installed on Docker Desktop using the default quick start instructions.
On most systems, if you don't have any other service of type LoadBalancer bound to port 80, the ingress controller will be assigned the EXTERNAL-IP of localhost, which means that it will be reachable on localhost:80. If that doesn't work, you might have to fall back to the kubectl port-forward method described in the local testing section.
Cloud deployments ¶
If the load balancers of your cloud provider do active healthchecks on their backends (most do), you can change the externalTrafficPolicy of the ingress controller Service to Local (instead of the default Cluster) to save an extra hop in some cases. If you're installing with Helm, this can be done by adding --set controller.service.externalTrafficPolicy=Local to the helm install or helm upgrade command.
Furthermore, if the load balancers of your cloud provider support the PROXY protocol, you can enable it, and it will let the ingress controller see the real IP address of the clients. Otherwise, it will generally see the IP address of the upstream load balancer. This must be done both in the ingress controller (with e.g. --set controller.config.use-proxy-protocol=true) and in the cloud provider's load balancer configuration to function correctly.
In the following sections, we provide YAML manifests that enable these options when possible, using the specific options of various cloud providers.
AWS ¶
In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controller behind a Service of Type=LoadBalancer.
Info
The provided templates illustrate the setup for legacy in-tree service load balancer for AWS NLB. AWS provides the documentation on how to use Network load balancing on Amazon EKS with AWS Load Balancer Controller.
Network Load Balancer (NLB) ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy.yaml
+
TLS termination in AWS Load Balancer (NLB) ¶
By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS with using an NLB.
-
Download the the deploy-tls-termination.yaml template:
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy-tls-termination.yaml
-
Edit the file and change the VPC CIDR in use for the Kubernetes cluster:
proxy-real-ip-cidr: XXX.XXX.XXX/XX
-
Change the AWS Certificate Manager (ACM) ID as well:
arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
-
Deploy the manifest:
kubectl apply -f deploy-tls-termination.yaml
NLB Idle Timeouts ¶
Idle timeout value for TCP flows is 350 seconds and cannot be modified.
For this reason, you need to ensure the keepalive_timeout value is configured less than 350 seconds to work as expected.
By default NGINX keepalive_timeout is set to 75s.
More information with regards to timeouts can be found in the official AWS documentation
GCE-GKE ¶
First, your user needs to have cluster-admin permissions on the cluster. This can be done with the following command:
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin \
--user $(gcloud config get-value account)
-
Then, the ingress controller can be installed like this:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
-
Warning
For private clusters, you will need to either add an additional firewall rule that allows master nodes access to port 8443/tcp on worker nodes, or change the existing rule that allows access to ports 80/tcp, 443/tcp and 10254/tcp to also allow access to port 8443/tcp.
See the GKE documentation on adding rules and the Kubernetes issue for more detail.
Warning
Proxy protocol is not supported in GCE/GKE.
Azure ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
-
More information with regards to Azure annotations for ingress controller can be found in the official AKS documentation.
Digital Ocean ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/do/deploy.yaml
-
Scaleway ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/scw/deploy.yaml
+
Then, the ingress controller can be installed like this:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
+
Warning
For private clusters, you will need to either add an additional firewall rule that allows master nodes access to port 8443/tcp on worker nodes, or change the existing rule that allows access to ports 80/tcp, 443/tcp and 10254/tcp to also allow access to port 8443/tcp.
See the GKE documentation on adding rules and the Kubernetes issue for more detail.
Warning
Proxy protocol is not supported in GCE/GKE.
Azure ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
+
More information with regards to Azure annotations for ingress controller can be found in the official AKS documentation.
Digital Ocean ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/do/deploy.yaml
+
Scaleway ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/scw/deploy.yaml
Exoscale ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/exoscale/deploy.yaml
-
The full list of annotations supported by Exoscale is available in the Exoscale Cloud Controller Manager documentation.
Oracle Cloud Infrastructure ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
-
A complete list of available annotations for Oracle Cloud Infrastructure can be found in the OCI Cloud Controller Manager documentation.
Bare metal clusters ¶
This section is applicable to Kubernetes clusters deployed on bare metal servers, as well as "raw" VMs where Kubernetes was installed manually, using generic Linux distros (like CentOS, Ubuntu...)
For quick testing, you can use a NodePort. This should work on almost every cluster, but it will typically use a port in the range 30000-32767.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/baremetal/deploy.yaml
-
For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), see bare-metal considerations.
Miscellaneous ¶
Checking ingress controller version ¶
Run ingress-nginx-controller --version within the pod, for instance with kubectl exec:
POD_NAMESPACE=ingress-nginx
+
The full list of annotations supported by Exoscale is available in the Exoscale Cloud Controller Manager documentation.
Oracle Cloud Infrastructure ¶
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
+
A complete list of available annotations for Oracle Cloud Infrastructure can be found in the OCI Cloud Controller Manager documentation.
Bare metal clusters ¶
This section is applicable to Kubernetes clusters deployed on bare metal servers, as well as "raw" VMs where Kubernetes was installed manually, using generic Linux distros (like CentOS, Ubuntu...)
For quick testing, you can use a NodePort. This should work on almost every cluster, but it will typically use a port in the range 30000-32767.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/baremetal/deploy.yaml
+
For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), see bare-metal considerations.
Miscellaneous ¶
Checking ingress controller version ¶
Run /nginx-ingress-controller --version within the pod, for instance with kubectl exec:
POD_NAMESPACE=ingress-nginx
POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o name)
kubectl exec $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
Scope ¶
By default, the controller watches Ingress objects from all namespaces. If you want to change this behavior, use the flag --watch-namespace or check the Helm chart value controller.scope to limit the controller to a single namespace.
See also “How to easily install multiple instances of the Ingress NGINX controller in the same cluster” for more details.
Webhook network access ¶
Warning
The controller uses an admission webhook to validate Ingress definitions. Make sure that you don't have Network policies or additional firewalls preventing connections from the API server to the ingress-nginx-controller-admission service.
Certificate generation ¶
Attention
The first time the ingress controller starts, two Jobs create the SSL Certificate used by the admission webhook.
THis can cause an initial delay of up to two minutes until it is possible to create and validate Ingress definitions.
You can wait until it is ready to run the next command:
kubectl wait --namespace ingress-nginx \
diff --git a/deploy/rbac/index.html b/deploy/rbac/index.html
index e27046aed..f0e2eef28 100644
--- a/deploy/rbac/index.html
+++ b/deploy/rbac/index.html
@@ -1,4 +1,4 @@
- Role Based Access Control (RBAC) - NGINX Ingress Controller Role Based Access Control (RBAC) ¶
Overview ¶
This example applies to ingress-nginx-controllers being deployed in an environment with RBAC enabled.
Role Based Access Control is comprised of four layers:
ClusterRole - permissions assigned to a role that apply to an entire clusterClusterRoleBinding - binding a ClusterRole to a specific accountRole - permissions assigned to a role that apply to a specific namespaceRoleBinding - binding a Role to a specific account
In order for RBAC to be applied to an ingress-nginx-controller, that controller should be assigned to a ServiceAccount. That ServiceAccount should be bound to the Roles and ClusterRoles defined for the ingress-nginx-controller.
Service Accounts created in this example ¶
One ServiceAccount is created in this example, ingress-nginx.
Permissions Granted in this example ¶
There are two sets of permissions defined in this example. Cluster-wide permissions defined by the ClusterRole named ingress-nginx, and namespace specific permissions defined by the Role named ingress-nginx.
Cluster Permissions ¶
These permissions are granted in order for the ingress-nginx-controller to be able to function as an ingress across the cluster. These permissions are granted to the ClusterRole named ingress-nginx
configmaps, endpoints, nodes, pods, secrets: list, watchnodes: getservices, ingresses: get, list, watchevents: create, patchingresses/status: update
Namespace Permissions ¶
These permissions are granted specific to the ingress-nginx namespace. These permissions are granted to the Role named ingress-nginx
configmaps, pods, secrets: getendpoints: get
Furthermore to support leader-election, the ingress-nginx-controller needs to have access to a configmap using the resourceName ingress-controller-leader-nginx
Note that resourceNames can NOT be used to limit requests using the “create” verb because authorizers only have access to information that can be obtained from the request URL, method, and headers (resource names in a “create” request are part of the request body).
configmaps: get, update (for resourceName ingress-controller-leader-nginx)configmaps: create
This resourceName is the concatenation of the election-id and the ingress-class as defined by the ingress-controller, which defaults to:
election-id: ingress-controller-leaderingress-class: nginxresourceName : <election-id>-<ingress-class>
Please adapt accordingly if you overwrite either parameter when launching the ingress-nginx-controller.
Bindings ¶
The ServiceAccount ingress-nginx is bound to the Role ingress-nginx and the ClusterRole ingress-nginx.
The serviceAccountName associated with the containers in the deployment must match the serviceAccount. The namespace references in the Deployment metadata, container arguments, and POD_NAMESPACE should be in the ingress-nginx namespace.
Role Based Access Control (RBAC) ¶
Overview ¶
This example applies to ingress-nginx-controllers being deployed in an environment with RBAC enabled.
Role Based Access Control is comprised of four layers:
ClusterRole - permissions assigned to a role that apply to an entire clusterClusterRoleBinding - binding a ClusterRole to a specific accountRole - permissions assigned to a role that apply to a specific namespaceRoleBinding - binding a Role to a specific account
In order for RBAC to be applied to an ingress-nginx-controller, that controller should be assigned to a ServiceAccount. That ServiceAccount should be bound to the Roles and ClusterRoles defined for the ingress-nginx-controller.
Service Accounts created in this example ¶
One ServiceAccount is created in this example, ingress-nginx.
Permissions Granted in this example ¶
There are two sets of permissions defined in this example. Cluster-wide permissions defined by the ClusterRole named ingress-nginx, and namespace specific permissions defined by the Role named ingress-nginx.
Cluster Permissions ¶
These permissions are granted in order for the ingress-nginx-controller to be able to function as an ingress across the cluster. These permissions are granted to the ClusterRole named ingress-nginx
configmaps, endpoints, nodes, pods, secrets: list, watchnodes: getservices, ingresses: get, list, watchevents: create, patchingresses/status: update
Namespace Permissions ¶
These permissions are granted specific to the ingress-nginx namespace. These permissions are granted to the Role named ingress-nginx
configmaps, pods, secrets: getendpoints: get
Furthermore to support leader-election, the ingress-nginx-controller needs to have access to a configmap using the resourceName ingress-controller-leader-nginx
Note that resourceNames can NOT be used to limit requests using the “create” verb because authorizers only have access to information that can be obtained from the request URL, method, and headers (resource names in a “create” request are part of the request body).
configmaps: get, update (for resourceName ingress-controller-leader-nginx)configmaps: create
This resourceName is the concatenation of the election-id and the ingress-class as defined by the ingress-controller, which defaults to:
election-id: ingress-controller-leaderingress-class: nginxresourceName : <election-id>-<ingress-class>
Please adapt accordingly if you overwrite either parameter when launching the ingress-nginx-controller.
Bindings ¶
The ServiceAccount ingress-nginx is bound to the Role ingress-nginx and the ClusterRole ingress-nginx.
The serviceAccountName associated with the containers in the deployment must match the serviceAccount. The namespace references in the Deployment metadata, container arguments, and POD_NAMESPACE should be in the ingress-nginx namespace.
Upgrading ¶
Important
No matter the method you use for upgrading, if you use template overrides, make sure your templates are compatible with the new version of ingress-nginx.
Without Helm ¶
To upgrade your ingress-nginx installation, it should be enough to change the version of the image in the controller Deployment.
I.e. if your deployment resource looks like (partial example):
kind: Deployment
+ Upgrade - NGINX Ingress Controller Upgrading ¶
Important
No matter the method you use for upgrading, if you use template overrides, make sure your templates are compatible with the new version of ingress-nginx.
Without Helm ¶
To upgrade your ingress-nginx installation, it should be enough to change the version of the image in the controller Deployment.
I.e. if your deployment resource looks like (partial example):
kind: Deployment
metadata:
name: ingress-nginx-controller
namespace: ingress-nginx
diff --git a/developer-guide/code-overview/index.html b/developer-guide/code-overview/index.html
index 42570df9c..a1e71960b 100644
--- a/developer-guide/code-overview/index.html
+++ b/developer-guide/code-overview/index.html
@@ -1,4 +1,4 @@
- Code Overview - NGINX Ingress Controller Ingress NGINX - Code Overview ¶
This document provides an overview of Ingress NGINX code.
Core Golang code ¶
This part of the code is responsible for the main logic of Ingress NGINX. It contains all the logics that parses Ingress Objects, annotations, watches Endpoints and turn them into usable nginx.conf configuration.
Core Sync Logics: ¶
Ingress-nginx has an internal model of the ingresses, secrets and endpoints in a given cluster. It maintains two copy of that (1) currently running configuration model and (2) the one generated in response to some changes in the cluster.
The sync logic diffs the two models and if there's a change it tries to converge the running configuration to the new one.
There are static and dynamic configuration changes.
All endpoints and certificate changes are handled dynamically by posting the payload to an internal NGINX endpoint that is handled by Lua.
The following parts of the code can be found:
Entrypoint ¶
Is the main package, responsible for starting ingress-nginx program.
It can be found in cmd/nginx directory.
Version ¶
Is the package of the code responsible for adding version subcommand, and can be found in version directory.
Internal code ¶
This part of the code contains the internal logics that compose Ingress NGINX Controller, and it's split in:
Admission Controller ¶
Contains the code of Kubernetes Admission Controller which validates the syntax of ingress objects before accepting it.
This code can be found in internal/admission/controller directory.
File functions ¶
Contains auxiliary codes that deal with files, such as generating the SHA1 checksum of a file, or creating required directories.
This code can be found in internal/file directory.
Ingress functions ¶
Contains all the logics from NGINX Ingress Controller, with some examples being:
- Expected Golang structures that will be used in templates and other parts of the codes - internal/ingress/types.go.
- supported annotations and its parsing logics - internal/ingress/annotations.
- reconciliation loops and logics - internal/ingress/controller
- Defaults - define the default struct.
- Error interface and types implementation - internal/ingress/errors
- Metrics collectors for Prometheus exporting - internal/ingress/metric.
- Resolver - Extracts information from a controller.
- Ingress Object status publisher - internal/ingress/status.
And other parts of the code that will be written in this document in a future.
K8s functions ¶
Contains helper functions for parsing Kubernetes objects.
This part of the code can be found in internal/k8s directory.
Networking functions ¶
Contains helper functions for networking, such as IPv4 and IPv6 parsing, SSL certificate parsing, etc.
This part of the code can be found in internal/net directory.
NGINX functions ¶
Contains helper function to deal with NGINX, such as verify if it's running and reading it's configuration file parts.
This part of the code can be found in internal/nginx directory.
Tasks / Queue ¶
Contains the functions responsible for the sync queue part of the controller.
This part of the code can be found in internal/task directory.
Other parts of internal ¶
Other parts of internal code might not be covered here, like runtime and watch but they can be added in a future.
E2E Test ¶
The e2e tests code is in test directory.
Other programs ¶
Describe here kubectl plugin, dbg, waitshutdown and cover the hack scripts.
Deploy files ¶
This directory contains the yaml deploy files used as examples or references in the docs to deploy Ingress NGINX and other components.
Those files are in deploy directory.
Helm Chart ¶
Used to generate the Helm chart published.
Code is in charts/ingress-nginx.
Documentation/Website ¶
The documentation used to generate the website https://kubernetes.github.io/ingress-nginx/
This code is available in docs and it's main "language" is Markdown, used by mkdocs file to generate static pages.
Container Images ¶
Container images used to run ingress-nginx, or to build the final image.
Base Images ¶
Contains the Dockerfiles and scripts used to build base images that are used in other parts of the repo. They are present in images repo. Some examples: * nginx - The base NGINX image ingress-nginx uses is not a vanilla NGINX. It bundles many libraries together and it is a job in itself to maintain that and keep things up-to-date. * custom-error-pages - Used on the custom error page examples.
There are other images inside this directory.
Ingress Controller Image ¶
The image used to build the final ingress controller, used in deploy scripts and Helm charts.
This is NGINX with some Lua enhancement. We do dynamic certificate, endpoints handling, canary traffic split, custom load balancing etc at this component. One can also add new functionalities using Lua plugin system.
The files are in rootfs directory and contains:
- The Dockerfile
- Auxiliary scripts
Ingress NGINX Lua Scripts ¶
Ingress NGINX uses Lua Scripts to enable features like hot reloading, rate limiting and monitoring. Some are written using the OpenResty helper.
The directory containing Lua scripts is rootfs/etc/nginx/lua.
Nginx Go template file ¶
One of the functions of Ingress NGINX is to turn Ingress objects into nginx.conf file.
To do so, the final step is to apply those configurations in nginx.tmpl turning it into a final nginx.conf file.
Ingress NGINX - Code Overview ¶
This document provides an overview of Ingress NGINX code.
Core Golang code ¶
This part of the code is responsible for the main logic of Ingress NGINX. It contains all the logics that parses Ingress Objects, annotations, watches Endpoints and turn them into usable nginx.conf configuration.
Core Sync Logics: ¶
Ingress-nginx has an internal model of the ingresses, secrets and endpoints in a given cluster. It maintains two copy of that (1) currently running configuration model and (2) the one generated in response to some changes in the cluster.
The sync logic diffs the two models and if there's a change it tries to converge the running configuration to the new one.
There are static and dynamic configuration changes.
All endpoints and certificate changes are handled dynamically by posting the payload to an internal NGINX endpoint that is handled by Lua.
The following parts of the code can be found:
Entrypoint ¶
Is the main package, responsible for starting ingress-nginx program.
It can be found in cmd/nginx directory.
Version ¶
Is the package of the code responsible for adding version subcommand, and can be found in version directory.
Internal code ¶
This part of the code contains the internal logics that compose Ingress NGINX Controller, and it's split in:
Admission Controller ¶
Contains the code of Kubernetes Admission Controller which validates the syntax of ingress objects before accepting it.
This code can be found in internal/admission/controller directory.
File functions ¶
Contains auxiliary codes that deal with files, such as generating the SHA1 checksum of a file, or creating required directories.
This code can be found in internal/file directory.
Ingress functions ¶
Contains all the logics from NGINX Ingress Controller, with some examples being:
- Expected Golang structures that will be used in templates and other parts of the codes - internal/ingress/types.go.
- supported annotations and its parsing logics - internal/ingress/annotations.
- reconciliation loops and logics - internal/ingress/controller
- Defaults - define the default struct.
- Error interface and types implementation - internal/ingress/errors
- Metrics collectors for Prometheus exporting - internal/ingress/metric.
- Resolver - Extracts information from a controller.
- Ingress Object status publisher - internal/ingress/status.
And other parts of the code that will be written in this document in a future.
K8s functions ¶
Contains helper functions for parsing Kubernetes objects.
This part of the code can be found in internal/k8s directory.
Networking functions ¶
Contains helper functions for networking, such as IPv4 and IPv6 parsing, SSL certificate parsing, etc.
This part of the code can be found in internal/net directory.
NGINX functions ¶
Contains helper function to deal with NGINX, such as verify if it's running and reading it's configuration file parts.
This part of the code can be found in internal/nginx directory.
Tasks / Queue ¶
Contains the functions responsible for the sync queue part of the controller.
This part of the code can be found in internal/task directory.
Other parts of internal ¶
Other parts of internal code might not be covered here, like runtime and watch but they can be added in a future.
E2E Test ¶
The e2e tests code is in test directory.
Other programs ¶
Describe here kubectl plugin, dbg, waitshutdown and cover the hack scripts.
Deploy files ¶
This directory contains the yaml deploy files used as examples or references in the docs to deploy Ingress NGINX and other components.
Those files are in deploy directory.
Helm Chart ¶
Used to generate the Helm chart published.
Code is in charts/ingress-nginx.
Documentation/Website ¶
The documentation used to generate the website https://kubernetes.github.io/ingress-nginx/
This code is available in docs and it's main "language" is Markdown, used by mkdocs file to generate static pages.
Container Images ¶
Container images used to run ingress-nginx, or to build the final image.
Base Images ¶
Contains the Dockerfiles and scripts used to build base images that are used in other parts of the repo. They are present in images repo. Some examples: * nginx - The base NGINX image ingress-nginx uses is not a vanilla NGINX. It bundles many libraries together and it is a job in itself to maintain that and keep things up-to-date. * custom-error-pages - Used on the custom error page examples.
There are other images inside this directory.
Ingress Controller Image ¶
The image used to build the final ingress controller, used in deploy scripts and Helm charts.
This is NGINX with some Lua enhancement. We do dynamic certificate, endpoints handling, canary traffic split, custom load balancing etc at this component. One can also add new functionalities using Lua plugin system.
The files are in rootfs directory and contains:
- The Dockerfile
- Auxiliary scripts
Ingress NGINX Lua Scripts ¶
Ingress NGINX uses Lua Scripts to enable features like hot reloading, rate limiting and monitoring. Some are written using the OpenResty helper.
The directory containing Lua scripts is rootfs/etc/nginx/lua.
Nginx Go template file ¶
One of the functions of Ingress NGINX is to turn Ingress objects into nginx.conf file.
To do so, the final step is to apply those configurations in nginx.tmpl turning it into a final nginx.conf file.
Developing for NGINX Ingress Controller ¶
This document explains how to get started with developing for NGINX Ingress controller.
Prerequisites ¶
Install Go 1.14 or later.
Note
The project uses Go Modules
Install Docker (v19.03.0 or later with experimental feature on)
Important
The majority of make tasks run as docker containers
Quick Start ¶
- Fork the repository
- Clone the repository to any location in your work station
- Add a
GO111MODULE environment variable with export GO111MODULE=on - Run
go mod download to install dependencies
Local build ¶
Start a local Kubernetes cluster using kind, build and deploy the ingress controller
make dev-env
+ Getting Started - NGINX Ingress Controller Developing for NGINX Ingress Controller ¶
This document explains how to get started with developing for NGINX Ingress controller.
Prerequisites ¶
Install Go 1.14 or later.
Note
The project uses Go Modules
Install Docker (v19.03.0 or later with experimental feature on)
Important
The majority of make tasks run as docker containers
Quick Start ¶
- Fork the repository
- Clone the repository to any location in your work station
- Add a
GO111MODULE environment variable with export GO111MODULE=on - Run
go mod download to install dependencies
Local build ¶
Start a local Kubernetes cluster using kind, build and deploy the ingress controller
make dev-env
- If you are working on the v1.x.x version of this controller, and you want to create a cluster with kubernetes version 1.22, then please visit the documentation for kind, and look for how to set a custom image for the kind node (image: kindest/node...), in the kind config file. Testing ¶
Run go unit tests
make test
Run unit-tests for lua code
make lua-test
Lua tests are located in the directory rootfs/etc/nginx/lua/test
Important
Test files must follow the naming convention <mytest>_test.lua or it will be ignored
Run e2e test suite
make kind-e2e-test
diff --git a/e2e-tests/index.html b/e2e-tests/index.html
index 625bff226..ab23fb974 100644
--- a/e2e-tests/index.html
+++ b/e2e-tests/index.html
@@ -1,4 +1,4 @@
- e2e test suite for [NGINX Ingress Controller](https://github.com/kubernetes/ingress-nginx/tree/main/) - NGINX Ingress Controller e2e test suite for NGINX Ingress Controller ¶
[Default Backend] change default settings ¶
[Default Backend] ¶
- should return 404 sending requests when only a default backend is running
- enables access logging for default backend
- disables access logging for default backend
[Default Backend] custom service ¶
[Default Backend] SSL ¶
[TCP] tcp-services ¶
auth-* ¶
- should return status code 200 when no authentication is configured
- should return status code 503 when authentication is configured with an invalid secret
- should return status code 401 when authentication is configured but Authorization header is not configured
- should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
- should return status code 200 when authentication is configured and Authorization header is sent
- should return status code 200 when authentication is configured with a map and Authorization header is sent
- should return status code 401 when authentication is configured with invalid content and Authorization header is sent
- proxy_set_header My-Custom-Header 42;
- proxy_set_header My-Custom-Header 42;
- proxy_set_header 'My-Custom-Header' '42';
- retains cookie set by external authentication server
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should return status code 200 when signed in after auth backend is deleted
- should deny login for different location on same server
- should deny login for different servers
- should redirect to signin url when not signed in
affinitymode ¶
proxy-* ¶
- should set proxy_redirect to off
- should set proxy_redirect to default
- should set proxy_redirect to hello.com goodbye.com
- should set proxy client-max-body-size to 8m
- should not set proxy client-max-body-size to incorrect value
- should set valid proxy timeouts
- should not set invalid proxy timeouts
- should turn on proxy-buffering
- should turn off proxy-request-buffering
- should build proxy next upstream
- should setup proxy cookies
- should change the default proxy HTTP version
affinity session-cookie-name ¶
- should set sticky cookie SERVERID
- should change cookie name on ingress definition change
- should set the path to /something on the generated cookie
- does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
- should set cookie with expires
- should work with use-regex annotation and session-cookie-path
- should warn user when use-regex is true and session-cookie-path is not set
- should not set affinity across all server locations when using separate ingresses
- should set sticky cookie without host
- should work with server-alias annotation
mirror-* ¶
- should set mirror-target to http://localhost/mirror
- should set mirror-target to https://test.env.com/$request_uri
- should disable mirror-request-body
canary-* ¶
- should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
- should return 404 status for requests to the canary if no matching ingress is found
- should return the correct status codes when endpoints are unavailable
- should route requests to the correct upstream if mainline ingress is created before the canary ingress
- should route requests to the correct upstream if mainline ingress is created after the canary ingress
- should route requests to the correct upstream if the mainline ingress is modified
- should route requests to the correct upstream if the canary ingress is modified
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should routes to mainline upstream when the given Regex causes error
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should not use canary as a catch-all server
- should not use canary with domain as a server
- does not crash when canary ingress has multiple paths to the same non-matching backend
limit-rate ¶
force-ssl-redirect ¶
http2-push-preload ¶
proxy-ssl-* ¶
- should set valid proxy-ssl-secret
- should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
- should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
- should set valid proxy-ssl-secret, proxy-ssl-protocols
- proxy-ssl-location-only flag should change the nginx config server part
modsecurity owasp ¶
- should enable modsecurity
- should enable modsecurity with transaction ID and OWASP rules
- should disable modsecurity
- should enable modsecurity with snippet
- should enable modsecurity without using 'modsecurity on;'
- should disable modsecurity using 'modsecurity off;'
- should enable modsecurity with snippet and block requests
- should enable modsecurity globally and with modsecurity-snippet block requests
backend-protocol - GRPC ¶
- should use grpc_pass in the configuration file
- should return OK for service with backend protocol GRPC
- should return OK for service with backend protocol GRPCS
cors-* ¶
- should enable cors
- should set cors methods to only allow POST, GET
- should set cors max-age
- should disable cors allow credentials
- should allow origin for cors
- should allow headers for cors
- should expose headers for cors
influxdb-* ¶
Annotation - limit-connections ¶
client-body-buffer-size ¶
- should set client_body_buffer_size to 1000
- should set client_body_buffer_size to 1K
- should set client_body_buffer_size to 1k
- should set client_body_buffer_size to 1m
- should set client_body_buffer_size to 1M
- should not set client_body_buffer_size to invalid 1b
default-backend ¶
connection-proxy-header ¶
upstream-vhost ¶
custom-http-errors ¶
disable-access-log disable-http-access-log disable-stream-access-log ¶
server-snippet ¶
rewrite-target use-regex enable-rewrite-log ¶
- should write rewrite logs
- should use correct longest path match
- should use ~* location modifier if regex annotation is present
- should fail to use longest match for documented warning
- should allow for custom rewrite parameters
app-root ¶
whitelist-source-range ¶
enable-access-log enable-rewrite-log ¶
x-forwarded-prefix ¶
- should set the X-Forwarded-Prefix to the annotation value
- should not add X-Forwarded-Prefix if the annotation value is empty
configuration-snippet ¶
backend-protocol - FastCGI ¶
- should use fastcgi_pass in the configuration file
- should add fastcgi_index in the configuration file
- should add fastcgi_param in the configuration file
- should return OK for service with backend protocol FastCGI
from-to-www-redirect ¶
permanent-redirect permanent-redirect-code ¶
upstream-hash-by-* ¶
annotation-global-rate-limit ¶
backend-protocol ¶
- should set backend protocol to https:// and use proxy_pass
- should set backend protocol to grpc:// and use grpc_pass
- should set backend protocol to grpcs:// and use grpc_pass
- should set backend protocol to '' and use fastcgi_pass
- should set backend protocol to '' and use ajp_pass
satisfy ¶
server-alias ¶
- should return status code 200 for host 'foo' and 404 for 'bar'
- should return status code 200 for host 'foo' and 'bar'
- should return status code 200 for hosts defined in two ingresses, different path with one alias
ssl-ciphers ¶
auth-tls-* ¶
- should set valid auth-tls-secret
- should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
- should set valid auth-tls-secret, pass certificate to upstream, and error page
- should validate auth-tls-verify-client
[Status] status update ¶
Debug CLI ¶
- should list the backend servers
- should get information for a specific backend server
- should produce valid JSON for /dbg general
[Memory Leak] Dynamic Certificates ¶
[Ingress] [PathType] mix Exact and Prefix paths ¶
[Ingress] definition without host ¶
- should set ingress details variables for ingresses without a host
- should set ingress details variables for ingresses with host without IngressRuleValue, only Backend
single ingress - multiple hosts ¶
[Ingress] [PathType] exact ¶
[Ingress] [PathType] prefix checks ¶
[Security] request smuggling ¶
[SSL] [Flag] default-ssl-certificate ¶
- uses default ssl certificate for catch-all ingress
- uses default ssl certificate for host based ingress when configured certificate does not match host
enable-real-ip ¶
- trusts X-Forwarded-For header only when setting is true
- should not trust X-Forwarded-For header when setting is false
access-log ¶
- use the default configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
[Lua] lua-shared-dicts ¶
server-tokens ¶
- should not exists Server header in the response
- should exists Server header in the response when is enabled
use-proxy-protocol ¶
- should respect port passed by the PROXY Protocol
- should respect proto passed by the PROXY Protocol server port
- should enable PROXY Protocol for HTTPS
- should enable PROXY Protocol for TCP
[Flag] custom HTTP and HTTPS ports ¶
- should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
- should set X-Forwarded-Port header to 443
- should set the X-Forwarded-Port header to 443
[Security] no-auth-locations ¶
- should return status code 401 when accessing '/' unauthentication
- should return status code 200 when accessing '/' authentication
- should return status code 200 when accessing '/noauth' unauthenticated
Dynamic $proxy_host ¶
proxy-connect-timeout ¶
- should set valid proxy timeouts using configmap values
- should not set invalid proxy timeouts using configmap values
[Security] Pod Security Policies ¶
Geoip2 ¶
[Security] Pod Security Policies with volumes ¶
enable-multi-accept ¶
- should be enabled by default
- should be enabled when set to true
- should be disabled when set to false
log-format-* ¶
- should disable the log-format-escape-json by default
- should enable the log-format-escape-json
- should disable the log-format-escape-json
- log-format-escape-json enabled
- log-format-escape-json disabled
[Flag] ingress-class ¶
- should ignore Ingress with class
- should ignore Ingress with no class
- should delete Ingress when class is removed
- check scenarios for IngressClass and ingress.class annotation
ssl-ciphers ¶
proxy-next-upstream ¶
[Security] global-auth-url ¶
- should return status code 401 when request any protected service
- should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
- should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
- should still return status code 200 after auth backend is deleted using cache
[Security] block-* ¶
- should block CIDRs defined in the ConfigMap
- should block User-Agents defined in the ConfigMap
- should block Referers defined in the ConfigMap
plugins ¶
Configmap - limit-rate ¶
Configure OpenTracing ¶
- should not exists opentracing directive
- should exists opentracing directive when is enabled
- should not exists opentracing_operation_name directive when is empty
- should exists opentracing_operation_name directive when is configured
- should not exists opentracing_location_operation_name directive when is empty
- should exists opentracing_location_operation_name directive when is configured
- should enable opentracing using zipkin
- should enable opentracing using jaeger
- should enable opentracing using jaeger with sampler host
- should propagate the w3c header when configured with jaeger
- should enable opentracing using datadog
use-forwarded-headers ¶
- should trust X-Forwarded headers when setting is true
- should not trust X-Forwarded headers when setting is false
proxy-send-timeout ¶
- should set valid proxy send timeouts using configmap values
- should not set invalid proxy send timeouts using configmap values
Add no tls redirect locations ¶
settings-global-rate-limit ¶
add-headers ¶
hash size ¶
- should set server_names_hash_bucket_size
- should set server_names_hash_max_size
- should set proxy-headers-hash-bucket-size
- should set proxy-headers-hash-max-size
- should set variables-hash-bucket-size
- should set variables-hash-max-size
- should set vmap-hash-bucket-size
keep-alive keep-alive-requests ¶
- should set keepalive_timeout
- should set keepalive_requests
- should set keepalive connection to upstream server
- should set keep alive connection timeout to upstream server
- should set the request count to upstream server through one keep alive connection
[Flag] disable-catch-all ¶
- should ignore catch all Ingress
- should delete Ingress updated to catch-all
- should allow Ingress with both a default backend and rules
main-snippet ¶
[SSL] TLS protocols, ciphers and headers) ¶
- setting cipher suite
- enforcing TLS v1.0
- setting max-age parameter
- setting includeSubDomains parameter
- setting preload parameter
- overriding what's set from the upstream
- should not use ports during the HTTP to HTTPS redirection
- should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection
Configmap change ¶
proxy-read-timeout ¶
- should set valid proxy read timeouts using configmap values
- should not set invalid proxy read timeouts using configmap values
[Security] modsecurity-snippet ¶
OCSP ¶
reuse-port ¶
[Shutdown] Graceful shutdown with pending request ¶
[Shutdown] ingress controller ¶
- should shutdown in less than 60 secons without pending connections
- should shutdown after waiting 60 seconds for pending connections to be closed
- should shutdown after waiting 150 seconds for pending connections to be closed
[Service] backend status code 503 ¶
- should return 503 when backend service does not exist
- should return 503 when all backend service endpoints are unavailable
[Service] Type ExternalName ¶
- works with external name set to incomplete fqdn
- should return 200 for service type=ExternalName without a port defined
- should return 200 for service type=ExternalName with a port defined
- should return status 502 for service type=ExternalName with an invalid host
- should return 200 for service type=ExternalName using a port name
- should return 200 for service type=ExternalName using FQDN with trailing dot
- should update the external name after a service update
e2e test suite for NGINX Ingress Controller ¶
[Default Backend] change default settings ¶
[Default Backend] ¶
- should return 404 sending requests when only a default backend is running
- enables access logging for default backend
- disables access logging for default backend
[Default Backend] custom service ¶
[Default Backend] SSL ¶
[TCP] tcp-services ¶
auth-* ¶
- should return status code 200 when no authentication is configured
- should return status code 503 when authentication is configured with an invalid secret
- should return status code 401 when authentication is configured but Authorization header is not configured
- should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
- should return status code 200 when authentication is configured and Authorization header is sent
- should return status code 200 when authentication is configured with a map and Authorization header is sent
- should return status code 401 when authentication is configured with invalid content and Authorization header is sent
- proxy_set_header My-Custom-Header 42;
- proxy_set_header My-Custom-Header 42;
- proxy_set_header 'My-Custom-Header' '42';
- retains cookie set by external authentication server
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should return status code 200 when signed in after auth backend is deleted
- should deny login for different location on same server
- should deny login for different servers
- should redirect to signin url when not signed in
affinitymode ¶
proxy-* ¶
- should set proxy_redirect to off
- should set proxy_redirect to default
- should set proxy_redirect to hello.com goodbye.com
- should set proxy client-max-body-size to 8m
- should not set proxy client-max-body-size to incorrect value
- should set valid proxy timeouts
- should not set invalid proxy timeouts
- should turn on proxy-buffering
- should turn off proxy-request-buffering
- should build proxy next upstream
- should setup proxy cookies
- should change the default proxy HTTP version
affinity session-cookie-name ¶
- should set sticky cookie SERVERID
- should change cookie name on ingress definition change
- should set the path to /something on the generated cookie
- does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
- should set cookie with expires
- should work with use-regex annotation and session-cookie-path
- should warn user when use-regex is true and session-cookie-path is not set
- should not set affinity across all server locations when using separate ingresses
- should set sticky cookie without host
- should work with server-alias annotation
mirror-* ¶
- should set mirror-target to http://localhost/mirror
- should set mirror-target to https://test.env.com/$request_uri
- should disable mirror-request-body
canary-* ¶
- should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
- should return 404 status for requests to the canary if no matching ingress is found
- should return the correct status codes when endpoints are unavailable
- should route requests to the correct upstream if mainline ingress is created before the canary ingress
- should route requests to the correct upstream if mainline ingress is created after the canary ingress
- should route requests to the correct upstream if the mainline ingress is modified
- should route requests to the correct upstream if the canary ingress is modified
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should routes to mainline upstream when the given Regex causes error
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should not use canary as a catch-all server
- should not use canary with domain as a server
- does not crash when canary ingress has multiple paths to the same non-matching backend
limit-rate ¶
force-ssl-redirect ¶
http2-push-preload ¶
proxy-ssl-* ¶
- should set valid proxy-ssl-secret
- should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
- should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
- should set valid proxy-ssl-secret, proxy-ssl-protocols
- proxy-ssl-location-only flag should change the nginx config server part
modsecurity owasp ¶
- should enable modsecurity
- should enable modsecurity with transaction ID and OWASP rules
- should disable modsecurity
- should enable modsecurity with snippet
- should enable modsecurity without using 'modsecurity on;'
- should disable modsecurity using 'modsecurity off;'
- should enable modsecurity with snippet and block requests
- should enable modsecurity globally and with modsecurity-snippet block requests
backend-protocol - GRPC ¶
- should use grpc_pass in the configuration file
- should return OK for service with backend protocol GRPC
- should return OK for service with backend protocol GRPCS
cors-* ¶
- should enable cors
- should set cors methods to only allow POST, GET
- should set cors max-age
- should disable cors allow credentials
- should allow origin for cors
- should allow headers for cors
- should expose headers for cors
influxdb-* ¶
Annotation - limit-connections ¶
client-body-buffer-size ¶
- should set client_body_buffer_size to 1000
- should set client_body_buffer_size to 1K
- should set client_body_buffer_size to 1k
- should set client_body_buffer_size to 1m
- should set client_body_buffer_size to 1M
- should not set client_body_buffer_size to invalid 1b
default-backend ¶
connection-proxy-header ¶
upstream-vhost ¶
custom-http-errors ¶
disable-access-log disable-http-access-log disable-stream-access-log ¶
server-snippet ¶
rewrite-target use-regex enable-rewrite-log ¶
- should write rewrite logs
- should use correct longest path match
- should use ~* location modifier if regex annotation is present
- should fail to use longest match for documented warning
- should allow for custom rewrite parameters
app-root ¶
whitelist-source-range ¶
enable-access-log enable-rewrite-log ¶
x-forwarded-prefix ¶
- should set the X-Forwarded-Prefix to the annotation value
- should not add X-Forwarded-Prefix if the annotation value is empty
configuration-snippet ¶
backend-protocol - FastCGI ¶
- should use fastcgi_pass in the configuration file
- should add fastcgi_index in the configuration file
- should add fastcgi_param in the configuration file
- should return OK for service with backend protocol FastCGI
from-to-www-redirect ¶
permanent-redirect permanent-redirect-code ¶
upstream-hash-by-* ¶
annotation-global-rate-limit ¶
backend-protocol ¶
- should set backend protocol to https:// and use proxy_pass
- should set backend protocol to grpc:// and use grpc_pass
- should set backend protocol to grpcs:// and use grpc_pass
- should set backend protocol to '' and use fastcgi_pass
- should set backend protocol to '' and use ajp_pass
satisfy ¶
server-alias ¶
- should return status code 200 for host 'foo' and 404 for 'bar'
- should return status code 200 for host 'foo' and 'bar'
- should return status code 200 for hosts defined in two ingresses, different path with one alias
ssl-ciphers ¶
auth-tls-* ¶
- should set valid auth-tls-secret
- should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
- should set valid auth-tls-secret, pass certificate to upstream, and error page
- should validate auth-tls-verify-client
[Status] status update ¶
Debug CLI ¶
- should list the backend servers
- should get information for a specific backend server
- should produce valid JSON for /dbg general
[Memory Leak] Dynamic Certificates ¶
[Ingress] [PathType] mix Exact and Prefix paths ¶
[Ingress] definition without host ¶
- should set ingress details variables for ingresses without a host
- should set ingress details variables for ingresses with host without IngressRuleValue, only Backend
single ingress - multiple hosts ¶
[Ingress] [PathType] exact ¶
[Ingress] [PathType] prefix checks ¶
[Security] request smuggling ¶
[SSL] [Flag] default-ssl-certificate ¶
- uses default ssl certificate for catch-all ingress
- uses default ssl certificate for host based ingress when configured certificate does not match host
enable-real-ip ¶
- trusts X-Forwarded-For header only when setting is true
- should not trust X-Forwarded-For header when setting is false
access-log ¶
- use the default configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
[Lua] lua-shared-dicts ¶
server-tokens ¶
- should not exists Server header in the response
- should exists Server header in the response when is enabled
use-proxy-protocol ¶
- should respect port passed by the PROXY Protocol
- should respect proto passed by the PROXY Protocol server port
- should enable PROXY Protocol for HTTPS
- should enable PROXY Protocol for TCP
[Flag] custom HTTP and HTTPS ports ¶
- should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
- should set X-Forwarded-Port header to 443
- should set the X-Forwarded-Port header to 443
[Security] no-auth-locations ¶
- should return status code 401 when accessing '/' unauthentication
- should return status code 200 when accessing '/' authentication
- should return status code 200 when accessing '/noauth' unauthenticated
Dynamic $proxy_host ¶
proxy-connect-timeout ¶
- should set valid proxy timeouts using configmap values
- should not set invalid proxy timeouts using configmap values
[Security] Pod Security Policies ¶
Geoip2 ¶
[Security] Pod Security Policies with volumes ¶
enable-multi-accept ¶
- should be enabled by default
- should be enabled when set to true
- should be disabled when set to false
log-format-* ¶
- should disable the log-format-escape-json by default
- should enable the log-format-escape-json
- should disable the log-format-escape-json
- log-format-escape-json enabled
- log-format-escape-json disabled
[Flag] ingress-class ¶
- should ignore Ingress with class
- should ignore Ingress with no class
- should delete Ingress when class is removed
- check scenarios for IngressClass and ingress.class annotation
ssl-ciphers ¶
proxy-next-upstream ¶
[Security] global-auth-url ¶
- should return status code 401 when request any protected service
- should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
- should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
- should still return status code 200 after auth backend is deleted using cache
[Security] block-* ¶
- should block CIDRs defined in the ConfigMap
- should block User-Agents defined in the ConfigMap
- should block Referers defined in the ConfigMap
plugins ¶
Configmap - limit-rate ¶
Configure OpenTracing ¶
- should not exists opentracing directive
- should exists opentracing directive when is enabled
- should not exists opentracing_operation_name directive when is empty
- should exists opentracing_operation_name directive when is configured
- should not exists opentracing_location_operation_name directive when is empty
- should exists opentracing_location_operation_name directive when is configured
- should enable opentracing using zipkin
- should enable opentracing using jaeger
- should enable opentracing using jaeger with sampler host
- should propagate the w3c header when configured with jaeger
- should enable opentracing using datadog
use-forwarded-headers ¶
- should trust X-Forwarded headers when setting is true
- should not trust X-Forwarded headers when setting is false
proxy-send-timeout ¶
- should set valid proxy send timeouts using configmap values
- should not set invalid proxy send timeouts using configmap values
Add no tls redirect locations ¶
settings-global-rate-limit ¶
add-headers ¶
hash size ¶
- should set server_names_hash_bucket_size
- should set server_names_hash_max_size
- should set proxy-headers-hash-bucket-size
- should set proxy-headers-hash-max-size
- should set variables-hash-bucket-size
- should set variables-hash-max-size
- should set vmap-hash-bucket-size
keep-alive keep-alive-requests ¶
- should set keepalive_timeout
- should set keepalive_requests
- should set keepalive connection to upstream server
- should set keep alive connection timeout to upstream server
- should set the request count to upstream server through one keep alive connection
[Flag] disable-catch-all ¶
- should ignore catch all Ingress
- should delete Ingress updated to catch-all
- should allow Ingress with both a default backend and rules
main-snippet ¶
[SSL] TLS protocols, ciphers and headers) ¶
- setting cipher suite
- enforcing TLS v1.0
- setting max-age parameter
- setting includeSubDomains parameter
- setting preload parameter
- overriding what's set from the upstream
- should not use ports during the HTTP to HTTPS redirection
- should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection
Configmap change ¶
proxy-read-timeout ¶
- should set valid proxy read timeouts using configmap values
- should not set invalid proxy read timeouts using configmap values
[Security] modsecurity-snippet ¶
OCSP ¶
reuse-port ¶
[Shutdown] Graceful shutdown with pending request ¶
[Shutdown] ingress controller ¶
- should shutdown in less than 60 secons without pending connections
- should shutdown after waiting 60 seconds for pending connections to be closed
- should shutdown after waiting 150 seconds for pending connections to be closed
[Service] backend status code 503 ¶
- should return 503 when backend service does not exist
- should return 503 when all backend service endpoints are unavailable
[Service] Type ExternalName ¶
- works with external name set to incomplete fqdn
- should return 200 for service type=ExternalName without a port defined
- should return 200 for service type=ExternalName with a port defined
- should return status 502 for service type=ExternalName with an invalid host
- should return 200 for service type=ExternalName using a port name
- should return 200 for service type=ExternalName using FQDN with trailing dot
- should update the external name after a service update
Remove static SSL configuration mode ¶
Table of Contents ¶
- Summary
- Motivation
- Goals
- Non-Goals
- Proposal
- Implementation Details/Notes/Constraints
- Drawbacks
- Alternatives
Summary ¶
Since release 0.19.0 is possible to configure SSL certificates without the need of NGINX reloads (thanks to lua) and after release 0.24.0 the default enabled mode is dynamic.
Motivation ¶
The static configuration implies reloads, something that affects the majority of the users.
Goals ¶
- Deprecation of the flag
--enable-dynamic-certificates. - Cleanup of the codebase.
Non-Goals ¶
- Features related to certificate authentication are not changed in any way.
Proposal ¶
- Remove static SSL configuration
Implementation Details/Notes/Constraints ¶
- Deprecate the flag Move the directives
ssl_certificate and ssl_certificate_key from each server block to the http section. These settings are required to avoid NGINX errors in the logs. - Remove any action of the flag
--enable-dynamic-certificates
Drawbacks ¶
Alternatives ¶
Keep both implementations
Remove static SSL configuration mode ¶
Table of Contents ¶
- Summary
- Motivation
- Goals
- Non-Goals
- Proposal
- Implementation Details/Notes/Constraints
- Drawbacks
- Alternatives
Summary ¶
Since release 0.19.0 is possible to configure SSL certificates without the need of NGINX reloads (thanks to lua) and after release 0.24.0 the default enabled mode is dynamic.
Motivation ¶
The static configuration implies reloads, something that affects the majority of the users.
Goals ¶
- Deprecation of the flag
--enable-dynamic-certificates. - Cleanup of the codebase.
Non-Goals ¶
- Features related to certificate authentication are not changed in any way.
Proposal ¶
- Remove static SSL configuration
Implementation Details/Notes/Constraints ¶
- Deprecate the flag Move the directives
ssl_certificate and ssl_certificate_key from each server block to the http section. These settings are required to avoid NGINX errors in the logs. - Remove any action of the flag
--enable-dynamic-certificates
Drawbacks ¶
Alternatives ¶
Keep both implementations
Availability zone aware routing ¶
Table of Contents ¶
Summary ¶
Teach ingress-nginx about availability zones where endpoints are running in. This way ingress-nginx pod will do its best to proxy to zone-local endpoint.
Motivation ¶
When users run their services across multiple availability zones they usually pay for egress traffic between zones. Providers such as GCP, and Amazon EC2 usually charge extra for this feature. ingress-nginx when picking an endpoint to route request to does not consider whether the endpoint is in a different zone or the same one. That means it's at least equally likely that it will pick an endpoint from another zone and proxy the request to it. In this situation response from the endpoint to the ingress-nginx pod is considered inter-zone traffic and usually costs extra money.
At the time of this writing, GCP charges $0.01 per GB of inter-zone egress traffic according to https://cloud.google.com/compute/network-pricing. According to https://datapath.io/resources/blog/what-are-aws-data-transfer-costs-and-how-to-minimize-them/ Amazon also charges the same amount of money as GCP for cross-zone, egress traffic.
This can be a lot of money depending on once's traffic. By teaching ingress-nginx about zones we can eliminate or at least decrease this cost.
Arguably inter-zone network latency should also be better than cross-zone.
Goals ¶
- Given a regional cluster running ingress-nginx, ingress-nginx should do best-effort to pick a zone-local endpoint when proxying
- This should not impact canary feature
- ingress-nginx should be able to operate successfully if there are no zonal endpoints
Non-Goals ¶
- This feature inherently assumes that endpoints are distributed across zones in a way that they can handle all the traffic from ingress-nginx pod(s) in that zone
- This feature will be relying on https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/#failure-domainbetakubernetesiozone, it is not this KEP's goal to support other cases
Proposal ¶
The idea here is to have the controller part of ingress-nginx (1) detect what zone its current pod is running in and (2) detect the zone for every endpoint it knows about. After that, it will post that data as part of endpoints to Lua land. When picking an endpoint, the Lua balancer will try to pick zone-local endpoint first and if there is no zone-local endpoint then it will fall back to current behavior.
Initially, this feature should be optional since it is going to make it harder to reason about the load balancing and not everyone might want that.
How does controller know what zone it runs in? We can have the pod spec pass the node name using downward API as an environment variable. Upon startup, the controller can get node details from the API based on the node name. Once the node details are obtained we can extract the zone from the failure-domain.beta.kubernetes.io/zone annotation. Then we can pass that value to Lua land through Nginx configuration when loading lua_ingress.lua module in init_by_lua phase.
How do we extract zones for endpoints? We can have the controller watch create and update events on nodes in the entire cluster and based on that keep the map of nodes to zones in the memory. And when we generate endpoints list, we can access node name using .subsets.addresses[i].nodeName and based on that fetch zone from the map in memory and store it as a field on the endpoint. This solution assumes failure-domain.beta.kubernetes.io/zone annotation does not change until the end of the node's life. Otherwise, we have to watch update events as well on the nodes and that'll add even more overhead.
Alternatively, we can get the list of nodes only when there's no node in the memory for the given node name. This is probably a better solution because then we would avoid watching for API changes on node resources. We can eagerly fetch all the nodes and build node name to zone mapping on start. From there on, it will sync during endpoint building in the main event loop if there's no existing entry for the node of an endpoint. This means an extra API call in case cluster has expanded.
How do we make sure we do our best to choose zone-local endpoint? This will be done on the Lua side. For every backend, we will initialize two balancer instances: (1) with all endpoints (2) with all endpoints corresponding to the current zone for the backend. Then given the request once we choose what backend needs to serve the request, we will first try to use a zonal balancer for that backend. If a zonal balancer does not exist (i.e. there's no zonal endpoint) then we will use a general balancer. In case of zonal outages, we assume that the readiness probe will fail and the controller will see no endpoints for the backend and therefore we will use a general balancer.
We can enable the feature using a configmap setting. Doing it this way makes it easier to rollback in case of a problem.
Implementation History ¶
- initial version of KEP is shipped
- proposal and implementation details are done
Drawbacks [optional] ¶
More load on the Kubernetes API server.
Availability zone aware routing ¶
Table of Contents ¶
Summary ¶
Teach ingress-nginx about availability zones where endpoints are running in. This way ingress-nginx pod will do its best to proxy to zone-local endpoint.
Motivation ¶
When users run their services across multiple availability zones they usually pay for egress traffic between zones. Providers such as GCP, and Amazon EC2 usually charge extra for this feature. ingress-nginx when picking an endpoint to route request to does not consider whether the endpoint is in a different zone or the same one. That means it's at least equally likely that it will pick an endpoint from another zone and proxy the request to it. In this situation response from the endpoint to the ingress-nginx pod is considered inter-zone traffic and usually costs extra money.
At the time of this writing, GCP charges $0.01 per GB of inter-zone egress traffic according to https://cloud.google.com/compute/network-pricing. According to https://datapath.io/resources/blog/what-are-aws-data-transfer-costs-and-how-to-minimize-them/ Amazon also charges the same amount of money as GCP for cross-zone, egress traffic.
This can be a lot of money depending on once's traffic. By teaching ingress-nginx about zones we can eliminate or at least decrease this cost.
Arguably inter-zone network latency should also be better than cross-zone.
Goals ¶
- Given a regional cluster running ingress-nginx, ingress-nginx should do best-effort to pick a zone-local endpoint when proxying
- This should not impact canary feature
- ingress-nginx should be able to operate successfully if there are no zonal endpoints
Non-Goals ¶
- This feature inherently assumes that endpoints are distributed across zones in a way that they can handle all the traffic from ingress-nginx pod(s) in that zone
- This feature will be relying on https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/#failure-domainbetakubernetesiozone, it is not this KEP's goal to support other cases
Proposal ¶
The idea here is to have the controller part of ingress-nginx (1) detect what zone its current pod is running in and (2) detect the zone for every endpoint it knows about. After that, it will post that data as part of endpoints to Lua land. When picking an endpoint, the Lua balancer will try to pick zone-local endpoint first and if there is no zone-local endpoint then it will fall back to current behavior.
Initially, this feature should be optional since it is going to make it harder to reason about the load balancing and not everyone might want that.
How does controller know what zone it runs in? We can have the pod spec pass the node name using downward API as an environment variable. Upon startup, the controller can get node details from the API based on the node name. Once the node details are obtained we can extract the zone from the failure-domain.beta.kubernetes.io/zone annotation. Then we can pass that value to Lua land through Nginx configuration when loading lua_ingress.lua module in init_by_lua phase.
How do we extract zones for endpoints? We can have the controller watch create and update events on nodes in the entire cluster and based on that keep the map of nodes to zones in the memory. And when we generate endpoints list, we can access node name using .subsets.addresses[i].nodeName and based on that fetch zone from the map in memory and store it as a field on the endpoint. This solution assumes failure-domain.beta.kubernetes.io/zone annotation does not change until the end of the node's life. Otherwise, we have to watch update events as well on the nodes and that'll add even more overhead.
Alternatively, we can get the list of nodes only when there's no node in the memory for the given node name. This is probably a better solution because then we would avoid watching for API changes on node resources. We can eagerly fetch all the nodes and build node name to zone mapping on start. From there on, it will sync during endpoint building in the main event loop if there's no existing entry for the node of an endpoint. This means an extra API call in case cluster has expanded.
How do we make sure we do our best to choose zone-local endpoint? This will be done on the Lua side. For every backend, we will initialize two balancer instances: (1) with all endpoints (2) with all endpoints corresponding to the current zone for the backend. Then given the request once we choose what backend needs to serve the request, we will first try to use a zonal balancer for that backend. If a zonal balancer does not exist (i.e. there's no zonal endpoint) then we will use a general balancer. In case of zonal outages, we assume that the readiness probe will fail and the controller will see no endpoints for the backend and therefore we will use a general balancer.
We can enable the feature using a configmap setting. Doing it this way makes it easier to rollback in case of a problem.
Implementation History ¶
- initial version of KEP is shipped
- proposal and implementation details are done
Drawbacks [optional] ¶
More load on the Kubernetes API server.
Title ¶
This is the title of the KEP. Keep it simple and descriptive. A good title can help communicate what the KEP is and should be considered as part of any review.
The title should be lowercased and spaces/punctuation should be replaced with -.
To get started with this template:
- Make a copy of this template. Create a copy of this template and name it
YYYYMMDD-my-title.md, where YYYYMMDD is the date the KEP was first drafted. - Fill out the "overview" sections. This includes the Summary and Motivation sections. These should be easy if you've preflighted the idea of the KEP in an issue.
- Create a PR. Assign it to folks that are sponsoring this process.
- Create an issue When filing an enhancement tracking issue, please ensure to complete all fields in the template.
- Merge early. Avoid getting hung up on specific details and instead aim to get the goal of the KEP merged quickly. The best way to do this is to just start with the "Overview" sections and fill out details incrementally in follow on PRs. View anything marked as a
provisional as a working document and subject to change. Aim for single topic PRs to keep discussions focused. If you disagree with what is already in a document, open a new PR with suggested changes.
The canonical place for the latest set of instructions (and the likely source of this file) is here.
The Metadata section above is intended to support the creation of tooling around the KEP process. This will be a YAML section that is fenced as a code block. See the KEP process for details on each of these items.
Table of Contents ¶
A table of contents is helpful for quickly jumping to sections of a KEP and for highlighting any additional information provided beyond the standard KEP template.
Ensure the TOC is wrapped with <!-- toc --&rt;<!-- /toc --&rt; tags, and then generate with hack/update-toc.sh.
- Summary
- Motivation
- Goals
- Non-Goals
- Proposal
- User Stories [optional]
- Implementation Details/Notes/Constraints [optional]
- Risks and Mitigations
- Design Details
- Test Plan
- Implementation History
- Drawbacks [optional]
- Alternatives [optional]
Summary ¶
The Summary section is incredibly important for producing high quality user-focused documentation such as release notes or a development roadmap. It should be possible to collect this information before implementation begins in order to avoid requiring implementers to split their attention between writing release notes and implementing the feature itself.
A good summary is probably at least a paragraph in length.
Motivation ¶
This section is for explicitly listing the motivation, goals and non-goals of this KEP. Describe why the change is important and the benefits to users. The motivation section can optionally provide links to experience reports to demonstrate the interest in a KEP within the wider Kubernetes community.
Goals ¶
List the specific goals of the KEP. How will we know that this has succeeded?
Non-Goals ¶
What is out of scope for this KEP? Listing non-goals helps to focus discussion and make progress.
Proposal ¶
This is where we get down to the nitty gritty of what the proposal actually is.
User Stories [optional] ¶
Detail the things that people will be able to do if this KEP is implemented. Include as much detail as possible so that people can understand the "how" of the system. The goal here is to make this feel real for users without getting bogged down.
Story 1 ¶
Story 2 ¶
Implementation Details/Notes/Constraints [optional] ¶
What are the caveats to the implementation? What are some important details that didn't come across above. Go in to as much detail as necessary here. This might be a good place to talk about core concepts and how they relate.
Risks and Mitigations ¶
What are the risks of this proposal and how do we mitigate. Think broadly. For example, consider both security and how this will impact the larger kubernetes ecosystem.
How will security be reviewed and by whom? How will UX be reviewed and by whom?
Consider including folks that also work outside project.
Design Details ¶
Test Plan ¶
Note: Section not required until targeted at a release.
Consider the following in developing a test plan for this enhancement:
- Will there be e2e and integration tests, in addition to unit tests?
- How will it be tested in isolation vs with other components?
No need to outline all of the test cases, just the general strategy. Anything that would count as tricky in the implementation and anything particularly challenging to test should be called out.
All code is expected to have adequate tests (eventually with coverage expectations). Please adhere to the Kubernetes testing guidelines when drafting this test plan.
Removing a deprecated flag ¶
- Announce deprecation and support policy of the existing flag
- Two versions passed since introducing the functionality which deprecates the flag (to address version skew)
- Address feedback on usage/changed behavior, provided on GitHub issues
- Deprecate the flag
Implementation History ¶
Major milestones in the life cycle of a KEP should be tracked in Implementation History. Major milestones might include
- the
Summary and Motivation sections being merged signaling acceptance - the
Proposal section being merged signaling agreement on a proposed design - the date implementation started
- the first Kubernetes release where an initial version of the KEP was available
- the version of Kubernetes where the KEP graduated to general availability
- when the KEP was retired or superseded
Drawbacks [optional] ¶
Why should this KEP not be implemented.
Alternatives [optional] ¶
Similar to the Drawbacks section the Alternatives section is used to highlight and record other possible approaches to delivering the value proposed by a KEP.
Title ¶
This is the title of the KEP. Keep it simple and descriptive. A good title can help communicate what the KEP is and should be considered as part of any review.
The title should be lowercased and spaces/punctuation should be replaced with -.
To get started with this template:
- Make a copy of this template. Create a copy of this template and name it
YYYYMMDD-my-title.md, where YYYYMMDD is the date the KEP was first drafted. - Fill out the "overview" sections. This includes the Summary and Motivation sections. These should be easy if you've preflighted the idea of the KEP in an issue.
- Create a PR. Assign it to folks that are sponsoring this process.
- Create an issue When filing an enhancement tracking issue, please ensure to complete all fields in the template.
- Merge early. Avoid getting hung up on specific details and instead aim to get the goal of the KEP merged quickly. The best way to do this is to just start with the "Overview" sections and fill out details incrementally in follow on PRs. View anything marked as a
provisional as a working document and subject to change. Aim for single topic PRs to keep discussions focused. If you disagree with what is already in a document, open a new PR with suggested changes.
The canonical place for the latest set of instructions (and the likely source of this file) is here.
The Metadata section above is intended to support the creation of tooling around the KEP process. This will be a YAML section that is fenced as a code block. See the KEP process for details on each of these items.
Table of Contents ¶
A table of contents is helpful for quickly jumping to sections of a KEP and for highlighting any additional information provided beyond the standard KEP template.
Ensure the TOC is wrapped with <!-- toc --&rt;<!-- /toc --&rt; tags, and then generate with hack/update-toc.sh.
- Summary
- Motivation
- Goals
- Non-Goals
- Proposal
- User Stories [optional]
- Implementation Details/Notes/Constraints [optional]
- Risks and Mitigations
- Design Details
- Test Plan
- Implementation History
- Drawbacks [optional]
- Alternatives [optional]
Summary ¶
The Summary section is incredibly important for producing high quality user-focused documentation such as release notes or a development roadmap. It should be possible to collect this information before implementation begins in order to avoid requiring implementers to split their attention between writing release notes and implementing the feature itself.
A good summary is probably at least a paragraph in length.
Motivation ¶
This section is for explicitly listing the motivation, goals and non-goals of this KEP. Describe why the change is important and the benefits to users. The motivation section can optionally provide links to experience reports to demonstrate the interest in a KEP within the wider Kubernetes community.
Goals ¶
List the specific goals of the KEP. How will we know that this has succeeded?
Non-Goals ¶
What is out of scope for this KEP? Listing non-goals helps to focus discussion and make progress.
Proposal ¶
This is where we get down to the nitty gritty of what the proposal actually is.
User Stories [optional] ¶
Detail the things that people will be able to do if this KEP is implemented. Include as much detail as possible so that people can understand the "how" of the system. The goal here is to make this feel real for users without getting bogged down.
Story 1 ¶
Story 2 ¶
Implementation Details/Notes/Constraints [optional] ¶
What are the caveats to the implementation? What are some important details that didn't come across above. Go in to as much detail as necessary here. This might be a good place to talk about core concepts and how they relate.
Risks and Mitigations ¶
What are the risks of this proposal and how do we mitigate. Think broadly. For example, consider both security and how this will impact the larger kubernetes ecosystem.
How will security be reviewed and by whom? How will UX be reviewed and by whom?
Consider including folks that also work outside project.
Design Details ¶
Test Plan ¶
Note: Section not required until targeted at a release.
Consider the following in developing a test plan for this enhancement:
- Will there be e2e and integration tests, in addition to unit tests?
- How will it be tested in isolation vs with other components?
No need to outline all of the test cases, just the general strategy. Anything that would count as tricky in the implementation and anything particularly challenging to test should be called out.
All code is expected to have adequate tests (eventually with coverage expectations). Please adhere to the Kubernetes testing guidelines when drafting this test plan.
Removing a deprecated flag ¶
- Announce deprecation and support policy of the existing flag
- Two versions passed since introducing the functionality which deprecates the flag (to address version skew)
- Address feedback on usage/changed behavior, provided on GitHub issues
- Deprecate the flag
Implementation History ¶
Major milestones in the life cycle of a KEP should be tracked in Implementation History. Major milestones might include
- the
Summary and Motivation sections being merged signaling acceptance - the
Proposal section being merged signaling agreement on a proposed design - the date implementation started
- the first Kubernetes release where an initial version of the KEP was available
- the version of Kubernetes where the KEP graduated to general availability
- when the KEP was retired or superseded
Drawbacks [optional] ¶
Why should this KEP not be implemented.
Alternatives [optional] ¶
Similar to the Drawbacks section the Alternatives section is used to highlight and record other possible approaches to delivering the value proposed by a KEP.
Kubernetes Enhancement Proposals (KEPs) ¶
A Kubernetes Enhancement Proposal (KEP) is a way to propose, communicate and coordinate on new efforts for the Kubernetes project. For this reason, the ingress-nginx project is adopting it.
Quick start for the KEP process ¶
Follow the process outlined in the KEP template
Do I have to use the KEP process? ¶
No... but we hope that you will. Over time having a rich set of KEPs in one place will make it easier for people to track what is going on in the community and find a structured historic record.
KEPs are only required when the changes are wide ranging and impact most of the project.
Why would I want to use the KEP process? ¶
Our aim with KEPs is to clearly communicate new efforts to the Kubernetes contributor community. As such, we want to build a well curated set of clear proposals in a common format with useful metadata.
Benefits to KEP users (in the limit):
- Exposure on a kubernetes blessed web site that is findable via web search engines.
- Cross indexing of KEPs so that users can find connections and the current status of any KEP.
- A clear process with approvers and reviewers for making decisions. This will lead to more structured decisions that stick as there is a discoverable record around the decisions.
We are inspired by IETF RFCs, Python PEPs, and Rust RFCs.
Kubernetes Enhancement Proposals (KEPs) ¶
A Kubernetes Enhancement Proposal (KEP) is a way to propose, communicate and coordinate on new efforts for the Kubernetes project. For this reason, the ingress-nginx project is adopting it.
Quick start for the KEP process ¶
Follow the process outlined in the KEP template
Do I have to use the KEP process? ¶
No... but we hope that you will. Over time having a rich set of KEPs in one place will make it easier for people to track what is going on in the community and find a structured historic record.
KEPs are only required when the changes are wide ranging and impact most of the project.
Why would I want to use the KEP process? ¶
Our aim with KEPs is to clearly communicate new efforts to the Kubernetes contributor community. As such, we want to build a well curated set of clear proposals in a common format with useful metadata.
Benefits to KEP users (in the limit):
- Exposure on a kubernetes blessed web site that is findable via web search engines.
- Cross indexing of KEPs so that users can find connections and the current status of any KEP.
- A clear process with approvers and reviewers for making decisions. This will lead to more structured decisions that stick as there is a discoverable record around the decisions.
We are inspired by IETF RFCs, Python PEPs, and Rust RFCs.
Prerequisites ¶
Many of the examples in this directory have common prerequisites.
TLS certificates ¶
Unless otherwise mentioned, the TLS secret used in examples is a 2048 bit RSA key/cert pair with an arbitrarily chosen hostname, created as follows
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
+ Prerequisites - NGINX Ingress Controller Prerequisites ¶
Many of the examples in this directory have common prerequisites.
TLS certificates ¶
Unless otherwise mentioned, the TLS secret used in examples is a 2048 bit RSA key/cert pair with an arbitrarily chosen hostname, created as follows
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
Generating a 2048 bit RSA private key
................+++
................+++
diff --git a/examples/affinity/cookie/index.html b/examples/affinity/cookie/index.html
index 80347a18b..d64627ec3 100644
--- a/examples/affinity/cookie/index.html
+++ b/examples/affinity/cookie/index.html
@@ -1,4 +1,4 @@
- Sticky Sessions - NGINX Ingress Controller Sticky sessions ¶
This example demonstrates how to achieve session affinity using cookies.
Deployment ¶
Session affinity can be configured using the following annotations:
Name Description Value nginx.ingress.kubernetes.io/affinity Type of the affinity, set this to cookie to enable session affinity string (NGINX only supports cookie) nginx.ingress.kubernetes.io/affinity-mode The affinity mode defines how sticky a session is. Use balanced to redistribute some sessions when scaling pods or persistent for maximum stickiness. balanced (default) or persistent nginx.ingress.kubernetes.io/affinity-canary-behavior Defines session affinity behavior of canaries. By default the behavior is sticky, and canaries respect session affinity configuration. Set this to legacy to restore original canary behavior, when session affinity parameters were not respected. sticky (default) or legacy nginx.ingress.kubernetes.io/session-cookie-name Name of the cookie that will be created string (defaults to INGRESSCOOKIE) nginx.ingress.kubernetes.io/session-cookie-secure Set the cookie as secure regardless the protocol of the incoming request "true" or "false" nginx.ingress.kubernetes.io/session-cookie-path Path that will be set on the cookie (required if your Ingress paths use regular expressions) string (defaults to the currently matched path) nginx.ingress.kubernetes.io/session-cookie-samesite SameSite attribute to apply to the cookie Browser accepted values are None, Lax, and Strict nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none Will omit SameSite=None attribute for older browsers which reject the more-recently defined SameSite=None value "true" or "false" nginx.ingress.kubernetes.io/session-cookie-max-age Time until the cookie expires, corresponds to the Max-Age cookie directive number of seconds nginx.ingress.kubernetes.io/session-cookie-expires Legacy version of the previous annotation for compatibility with older browsers, generates an Expires cookie directive by adding the seconds to the current date number of seconds nginx.ingress.kubernetes.io/session-cookie-change-on-failure When set to false nginx ingress will send request to upstream pointed by sticky cookie even if previous attempt failed. When set to true and previous attempt failed, sticky cookie will be changed to point to another upstream. true or false (defaults to false)
You can create the example Ingress to test this:
kubectl create -f ingress.yaml
+ Sticky Sessions - NGINX Ingress Controller Sticky sessions ¶
This example demonstrates how to achieve session affinity using cookies.
Deployment ¶
Session affinity can be configured using the following annotations:
Name Description Value nginx.ingress.kubernetes.io/affinity Type of the affinity, set this to cookie to enable session affinity string (NGINX only supports cookie) nginx.ingress.kubernetes.io/affinity-mode The affinity mode defines how sticky a session is. Use balanced to redistribute some sessions when scaling pods or persistent for maximum stickiness. balanced (default) or persistent nginx.ingress.kubernetes.io/affinity-canary-behavior Defines session affinity behavior of canaries. By default the behavior is sticky, and canaries respect session affinity configuration. Set this to legacy to restore original canary behavior, when session affinity parameters were not respected. sticky (default) or legacy nginx.ingress.kubernetes.io/session-cookie-name Name of the cookie that will be created string (defaults to INGRESSCOOKIE) nginx.ingress.kubernetes.io/session-cookie-secure Set the cookie as secure regardless the protocol of the incoming request "true" or "false" nginx.ingress.kubernetes.io/session-cookie-path Path that will be set on the cookie (required if your Ingress paths use regular expressions) string (defaults to the currently matched path) nginx.ingress.kubernetes.io/session-cookie-samesite SameSite attribute to apply to the cookie Browser accepted values are None, Lax, and Strict nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none Will omit SameSite=None attribute for older browsers which reject the more-recently defined SameSite=None value "true" or "false" nginx.ingress.kubernetes.io/session-cookie-max-age Time until the cookie expires, corresponds to the Max-Age cookie directive number of seconds nginx.ingress.kubernetes.io/session-cookie-expires Legacy version of the previous annotation for compatibility with older browsers, generates an Expires cookie directive by adding the seconds to the current date number of seconds nginx.ingress.kubernetes.io/session-cookie-change-on-failure When set to false nginx ingress will send request to upstream pointed by sticky cookie even if previous attempt failed. When set to true and previous attempt failed, sticky cookie will be changed to point to another upstream. true or false (defaults to false)
You can create the example Ingress to test this:
kubectl create -f ingress.yaml
Validation ¶
You can confirm that the Ingress works:
$ kubectl describe ing nginx-test
Name: nginx-test
Namespace: default
diff --git a/examples/auth/basic/index.html b/examples/auth/basic/index.html
index c1a24f46e..ca925f137 100644
--- a/examples/auth/basic/index.html
+++ b/examples/auth/basic/index.html
@@ -1,4 +1,4 @@
- Basic Authentication - NGINX Ingress Controller Basic Authentication ¶
This example shows how to add authentication in a Ingress rule using a secret that contains a file generated with htpasswd. It's important the file generated is named auth (actually - that the secret has a key data.auth), otherwise the ingress-controller returns a 503.
$ htpasswd -c auth foo
+ Basic Authentication - NGINX Ingress Controller Basic Authentication ¶
This example shows how to add authentication in a Ingress rule using a secret that contains a file generated with htpasswd. It's important the file generated is named auth (actually - that the secret has a key data.auth), otherwise the ingress-controller returns a 503.
$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
diff --git a/examples/auth/client-certs/index.html b/examples/auth/client-certs/index.html
index 6e012723d..9104063ad 100644
--- a/examples/auth/client-certs/index.html
+++ b/examples/auth/client-certs/index.html
@@ -1,4 +1,4 @@
- Client Certificate Authentication - NGINX Ingress Controller Client Certificate Authentication ¶
It is possible to enable Client-Certificate Authentication by adding additional annotations to your Ingress Resource. Before getting started you must have the following Certificates Setup:
- CA certificate and Key(Intermediate Certs need to be in CA)
- Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use)
- Client Certificate(Signed by CA) and Key
For more details on the generation process, checkout the Prerequisite docs.
You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following:
openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
+ Client Certificate Authentication - NGINX Ingress Controller Client Certificate Authentication ¶
It is possible to enable Client-Certificate Authentication by adding additional annotations to your Ingress Resource. Before getting started you must have the following Certificates Setup:
- CA certificate and Key(Intermediate Certs need to be in CA)
- Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use)
- Client Certificate(Signed by CA) and Key
For more details on the generation process, checkout the Prerequisite docs.
You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following:
openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
Then, you can concatenate them all in only one file, named 'ca.crt' as the following:
cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt
Note: Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5 for each certificate generated. Otherwise you will receive an error.
Creating Certificate Secrets ¶
There are many different ways of configuring your secrets to enable Client-Certificate Authentication to work properly.
-
You can create a secret containing just the CA certificate and another Secret containing the Server Certificate which is Signed by the CA.
kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt
kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key
diff --git a/examples/auth/external-auth/index.html b/examples/auth/external-auth/index.html
index 2a5a08363..fac44e73f 100644
--- a/examples/auth/external-auth/index.html
+++ b/examples/auth/external-auth/index.html
@@ -1,4 +1,4 @@
- External Basic Authentication - NGINX Ingress Controller External Basic Authentication ¶
Example 1: ¶
Use an external service (Basic Auth) located in https://httpbin.org
$ kubectl create -f ingress.yaml
+ External Basic Authentication - NGINX Ingress Controller External Basic Authentication ¶
Example 1: ¶
Use an external service (Basic Auth) located in https://httpbin.org
$ kubectl create -f ingress.yaml
ingress "external-auth" created
$ kubectl get ing external-auth
diff --git a/examples/auth/oauth-external-auth/index.html b/examples/auth/oauth-external-auth/index.html
index 5ce407ef1..899a92609 100644
--- a/examples/auth/oauth-external-auth/index.html
+++ b/examples/auth/oauth-external-auth/index.html
@@ -1,4 +1,4 @@
- External OAUTH Authentication - NGINX Ingress Controller External OAUTH Authentication ¶
Overview ¶
The auth-url and auth-signin annotations allow you to use an external authentication provider to protect your Ingress resources.
Important
This annotation requires ingress-nginx-controller v0.9.0 or greater.)
Key Detail ¶
This functionality is enabled by deploying multiple Ingress objects for a single host. One Ingress object has no special annotations and handles authentication.
Other Ingress objects can then be annotated in such a way that require the user to authenticate against the first Ingress's endpoint, and can redirect 401s to the same endpoint.
Sample:
...
+ External OAUTH Authentication - NGINX Ingress Controller External OAUTH Authentication ¶
Overview ¶
The auth-url and auth-signin annotations allow you to use an external authentication provider to protect your Ingress resources.
Important
This annotation requires ingress-nginx-controller v0.9.0 or greater.)
Key Detail ¶
This functionality is enabled by deploying multiple Ingress objects for a single host. One Ingress object has no special annotations and handles authentication.
Other Ingress objects can then be annotated in such a way that require the user to authenticate against the first Ingress's endpoint, and can redirect 401s to the same endpoint.
Sample:
...
metadata:
name: application
annotations:
diff --git a/examples/customization/configuration-snippets/index.html b/examples/customization/configuration-snippets/index.html
index e059d0ef9..56ab03ee8 100644
--- a/examples/customization/configuration-snippets/index.html
+++ b/examples/customization/configuration-snippets/index.html
@@ -1,4 +1,4 @@
- Configuration Snippets - NGINX Ingress Controller Configuration Snippets ¶
Ingress ¶
The Ingress in this example adds a custom header to Nginx configuration that only applies to that specific Ingress. If you want to add headers that apply globally to all Ingresses, please have a look at this example.
$ kubectl apply -f ingress.yaml
+ Configuration Snippets - NGINX Ingress Controller Configuration Snippets ¶
Ingress ¶
The Ingress in this example adds a custom header to Nginx configuration that only applies to that specific Ingress. If you want to add headers that apply globally to all Ingresses, please have a look at this example.
$ kubectl apply -f ingress.yaml
Test ¶
Check if the contents of the annotation are present in the nginx.conf file using: kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf
Custom Configuration ¶
Using a ConfigMap is possible to customize the NGINX configuration
For example, if we want to change the timeouts we need to create a ConfigMap:
$ cat configmap.yaml
+ Custom Configuration - NGINX Ingress Controller Custom Configuration ¶
Using a ConfigMap is possible to customize the NGINX configuration
For example, if we want to change the timeouts we need to create a ConfigMap:
$ cat configmap.yaml
apiVersion: v1
data:
proxy-connect-timeout: "10"
diff --git a/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml b/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml
new file mode 100644
index 000000000..86b1c44e8
--- /dev/null
+++ b/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml
@@ -0,0 +1,19 @@
+# Custom error page configMap
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: custom_error_pages
+data:
+ 404: |
+
+
+ PAGE NOT FOUND
+ PAGE NOT FOUND
+
+ 503: |
+
+
+ CUSTOM SERVICE UNAVAILABLE
+ CUSTOM SERVICE UNAVAILABLE
+
diff --git a/examples/customization/custom-errors/custom-default-backend.helm.values.yaml b/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
new file mode 100644
index 000000000..ce42bb9b5
--- /dev/null
+++ b/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
@@ -0,0 +1,20 @@
+controller:
+ custom-http-errors: "404,503"
+defaultBackend:
+ enabled: true
+ image:
+ registry: k8s.gcr.io
+ image: ingress-nginx/nginx-errors
+ tag: "0.48.1"
+ extraVolumes:
+ - name: custom_error_pages
+ configMap:
+ name: custom_error_pages
+ items:
+ - key: "404"
+ path: "404.html"
+ - key: "503"
+ path: "503.html"
+ extraVolumeMounts:
+ - name: custom_error_pages
+ mountPath: /www
diff --git a/examples/customization/custom-errors/custom-default-backend.yaml b/examples/customization/custom-errors/custom-default-backend.yaml
index 579e48544..4b40d36e7 100644
--- a/examples/customization/custom-errors/custom-default-backend.yaml
+++ b/examples/customization/custom-errors/custom-default-backend.yaml
@@ -44,3 +44,19 @@ spec:
# env:
# - name: DEBUG
# value: "true"
+
+ # Mounting custom error page from configMap
+ # volumeMounts:
+ # - name: custom_error_pages
+ # mountPath: /www
+
+ # Mounting custom error page from configMap
+ # volumes:
+ # - name: custom_error_pages
+ # configMap:
+ # name: custom_error_pages
+ # items:
+ # - key: "404"
+ # path: "404.html"
+ # - key: "503"
+ # path: "503.html"
diff --git a/examples/customization/custom-errors/index.html b/examples/customization/custom-errors/index.html
index 25cad0682..36c8e4fd1 100644
--- a/examples/customization/custom-errors/index.html
+++ b/examples/customization/custom-errors/index.html
@@ -1,4 +1,4 @@
- Custom Errors - NGINX Ingress Controller Custom Errors ¶
This example demonstrates how to use a custom backend to render custom error pages.
Customized default backend ¶
First, create the custom default-backend. It will be used by the Ingress controller later on.
To do that, you can take a look at the example manifest in this project's GitHub repository.
$ kubectl create -f custom-default-backend.yaml
+ Custom Errors - NGINX Ingress Controller Custom Errors ¶
This example demonstrates how to use a custom backend to render custom error pages.
If you are using Helm Chart, look at example values and don't forget to add configMap to your deployment, otherwise continue with Customized default backend manual deployment.
Customized default backend ¶
First, create the custom default-backend. It will be used by the Ingress controller later on.
To do that, you can take a look at the example manifest in this project's GitHub repository.
$ kubectl create -f custom-default-backend.yaml
service "nginx-errors" created
deployment.apps "nginx-errors" created
This should have created a Deployment and a Service with the name nginx-errors.
$ kubectl get deploy,svc
diff --git a/examples/customization/custom-headers/index.html b/examples/customization/custom-headers/index.html
index d7a77cdee..5070c6897 100644
--- a/examples/customization/custom-headers/index.html
+++ b/examples/customization/custom-headers/index.html
@@ -1,4 +1,4 @@
- Custom Headers - NGINX Ingress Controller Custom Headers ¶
This example demonstrates configuration of the nginx ingress controller via a ConfigMap to pass a custom list of headers to the upstream server.
custom-headers.yaml defines a ConfigMap in the ingress-nginx namespace named custom-headers, holding several custom X-prefixed HTTP headers.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/custom-headers/custom-headers.yaml
+ Custom Headers - NGINX Ingress Controller Custom Headers ¶
This example demonstrates configuration of the nginx ingress controller via a ConfigMap to pass a custom list of headers to the upstream server.
custom-headers.yaml defines a ConfigMap in the ingress-nginx namespace named custom-headers, holding several custom X-prefixed HTTP headers.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/custom-headers/custom-headers.yaml
configmap.yaml defines a ConfigMap in the ingress-nginx namespace named ingress-nginx-controller. This controls the global configuration of the ingress controller, and already exists in a standard installation. The key proxy-set-headers is set to cite the previously-created ingress-nginx/custom-headers ConfigMap.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/custom-headers/configmap.yaml
The nginx ingress controller will read the ingress-nginx/ingress-nginx-controller ConfigMap, find the proxy-set-headers key, read HTTP headers from the ingress-nginx/custom-headers ConfigMap, and include those HTTP headers in all requests flowing from nginx to the backends.
The above example was for passing a custom list of headers to the upstream server. To pass the custom headers before sending response traffic to the client, use the add-headers key:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/custom-headers/configmap-client-response.yaml
Test ¶
Check the contents of the ConfigMaps are present in the nginx.conf file using: kubectl exec ingress-nginx-controller-873061567-4n3k2 -n ingress-nginx -- cat /etc/nginx/nginx.conf
External authentication, authentication service response headers propagation ¶
This example demonstrates propagation of selected authentication service response headers to backend service.
Sample configuration includes:
- Sample authentication service producing several response headers
- Authentication logic is based on HTTP header: requests with header
User containing string internal are considered authenticated - After successful authentication service generates response headers
UserID and UserRole - Sample echo service displaying header information
- Two ingress objects pointing to echo service
- Public, which allows access from unauthenticated users
- Private, which allows access from authenticated users only
You can deploy the controller as follows:
$ kubectl create -f deploy/
+ External authentication - NGINX Ingress Controller External authentication, authentication service response headers propagation ¶
This example demonstrates propagation of selected authentication service response headers to backend service.
Sample configuration includes:
- Sample authentication service producing several response headers
- Authentication logic is based on HTTP header: requests with header
User containing string internal are considered authenticated - After successful authentication service generates response headers
UserID and UserRole - Sample echo service displaying header information
- Two ingress objects pointing to echo service
- Public, which allows access from unauthenticated users
- Private, which allows access from authenticated users only
You can deploy the controller as follows:
$ kubectl create -f deploy/
deployment "demo-auth-service" created
service "demo-auth-service" created
ingress "demo-auth-service" created
diff --git a/examples/customization/jwt/index.html b/examples/customization/jwt/index.html
new file mode 100644
index 000000000..fd12273c4
--- /dev/null
+++ b/examples/customization/jwt/index.html
@@ -0,0 +1,21 @@
+ Accommodation for JWT - NGINX Ingress Controller