Ingress Options

These options can be set in an Ingress object’s metadata.annotations section to change how requests are routed for a particular service.

blacklist

Blocks given IP addresses and/or IP address ranges.

Values

  • Comma-separated list of IP addresses and/or CIDR ranges

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/blacklist: "192.168.1.0/24, 192.168.2.100"

check

Enables TCP level health checks on pods and attempts a TCP connection periodically.

Values

  • true
  • false

Default

  • true

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/check: "true"

check-http

Enables HTTP level health checks on pods and sends an HTTP request periodically. The check setting must be true.

Values

  • URI to make HTTP requests to, e.g. /health
  • URI with method, e.g. HEAD /health
  • URI, method and HTTP version, e.g. HEAD /health HTTP/1.1

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/check: "true"
    haproxy.org/check-http: "/health"

check-interval

Sets the interval between health checks when check is enabled.

Values

  • Integer with time unit suffix (1m = 1 minute, 10s = 10 seconds)

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/check: "true"
    haproxy.org/check-interval: "1m"

Enables persistent connections between a client and a pod by inserting a cookie into the client’s browser that is used to remember which backend pod they connected to before.

Values

  • A name for the cookie

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/cookie-persistence: "mycookie"

forwarded-for

Adds the X-Forwarded-For HTTP header to requests to capture and relay the client’s source IP address to backend pods.

Values

  • true
  • false

Default

  • true

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/forwarded-for: "true"

ingress.class

Targets an ingress controller by class name for this ingress to use.

Values

  • The ingress class name

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/ingress.class: "haproxy"

load-balance

Sets the load-balancing algorithm to use.

Values

  • roundrobin
  • static-rr
  • leastconn
  • first
  • source
  • uri
  • url_param
  • hdr([name])
  • random
  • random([draws])
  • rdp-cookie
  • rdp-cookie([name])

Default

  • roundrobin

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/load-balance: "leastconn"

path-rewrite

Replaces the entire URL path with the given value.

Values

  • A single path, such as “/”, to turn any path into “/”
  • Two parameters. A regular expression to match and a path to replace it with.

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/path-rewrite: "/"                        # replace all paths with /
    haproxy.org/path-rewrite: (.*) /foo\1                # add the prefix /foo... "/bar?q=1" into "/foo/bar?q=1"
    haproxy.org/path-rewrite: ([^?]*)(\?(.*))? \1/foo\2  # add the suffix /foo ... "/bar?q=1" into "/bar/foo?q=1"
    haproxy.org/path-rewrite: /foo/(.*) /\1              # strip /foo ... "/foo/bar?q=1" into "/bar?q=1"

rate-limit-period

Sets the period of time over which requests are tracked for a given source IP address.

Values

  • Integer with unit of time (1s = 1 second, 1m = 1 minute); Defaults to 1 second

Default

  • 1s

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/rate-limit-period: "1m"

rate-limit-requests

Sets the maximum number of requests that will be accepted from a source IP address during the rate-limit-period. To track the http requests rate, a stick-table named “Ratelimit-" will be created. Example, If the rate-limit-period is set to 2s the name of the table will be "Ratelimit-2000".

Values

  • An integer representing the maximum number of requests to accept

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/rate-limit-requests: 15

rate-limit-size

Sets how many source IP addresses to track, after which older entries are replaced by new entries.

Values

  • An integer defining how many IP addresses to track for rate limiting; Defaults to 100,000

Default

  • 100k

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/rate-limit-size: 1000000

request-capture

When you include %hr in the log-format string, which is included in the default log format, it captures custom information in the logs, which you define with this field. For example, you can capture specific cookie values or HTTP header values.

Values

  • A header value, e.g. hdr(header-name)
  • A cookie value, e.g. cookie(cookie-name)
  • Multiple expressions by using a multiline YAML string

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    # capture a single value
    haproxy.org/request-capture: cookie(my-cookie)
    
    # capture multiple values
    haproxy.org/request-capture: |
      cookie(my-cookie)
      hdr(Host)
      hdr(User-Agent)

request-capture-len

Sets how many characters to allocate for fields captured by request-capture.

Values

  • An integer representing the number of characters for captured fields; Defaults to 128

Default

  • 128

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/request-capture: cookie(my-cookie)
    haproxy.org/request-capture-len: 350

request-set-header

Sets an HTTP header in the request before it is passed to the backend service.

Values

  • The name of the field, following by its value, e.g. Ingress-ID abcd123
  • Multiple headers can be set using a multiline YAML string

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    # single header
    haproxy.org/request-set-header: Ingress-ID abcd123
    
    # multiple headers
    haproxy.org/request-set-header: |
      Ingress-ID abcd123
      Another-Header 12345

response-set-header

Sets an HTTP header in the response before it is passed to the client.

Values

  • The name of the field, following by its value, e.g. Cache-Control “no-store,no-cache,private”
  • Multiple headers can be set using a multiline YAML string

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    # single header
    haproxy.org/response-set-header: Cache-Control "no-store,no-cache,private"
    
    # multiple headers
    haproxy.org/response-set-header: |
      Cache-Control "no-store,no-cache,private"
      Strict-Transport-Security "max-age=31536000"

server-ssl

Enables SSL to pods.

Values

  • true
  • false

Default

  • false

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/server-ssl: "true"

set-host

Sets the Host header to send to backend services.

Values

  • The value of the Host header

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/set-host: "example.local"

ssl-passthrough

Passes SSL/TLS traffic through at Layer 4 directly to the backend service without Layer 7 inspection.

Values

  • true
  • false

Default

  • false

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/ssl-passthrough: "true"

ssl-redirect

Sets whether to redirect traffic from HTTP to HTTPS.

Values

  • true
  • false

Default

  • false

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/ssl-redirect: "false"
    haproxy.org/ssl-certificate: "default/tls-secret"

ssl-redirect-code

Sets the HTTP status code to use when ssl-redirect is true.

Values

  • 301
  • 302
  • 303

Default

  • 302

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-certificate: "default/tls-secret"
    haproxy.org/ssl-redirect-code: "301"

timeout-check

Sets an additional check timeout, but only after a connection has been already established.

Values

  • An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour)

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/timeout-check: 5s

whitelist

Blocks all IP addresses except the whitelisted ones (annotation value).

Values

  • Comma-separated list of IP addresses and/or CIDR ranges

Default

  • no default value

Example

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/whitelist: "192.168.1.0/24, 192.168.2.100"

Next up

Service