Ingress NGINX
Important Notice: Ingress NGINX Retirement
As per the Official Kubernetes Blog, the ingress-nginx project is being retired and will no longer receive updates or support after March 2026. Natron is actively working on transitioning to alternative ingress solutions. We recommend that users start planning their migration to supported ingress controllers such as Traefik or Istio. For assistance with this transition, please contact Natron Support.
Ingress NGINX is a widely used Ingress controller for Kubernetes that manages external access to services within a cluster, typically HTTP and HTTPS traffic. It provides features such as load balancing, SSL termination, and name-based virtual hosting.
Key Features
- Load Balancing: Distributes incoming traffic across multiple backend services to ensure high availability and reliability.
- SSL/TLS Termination: Handles SSL/TLS encryption and decryption, allowing secure communication between clients and services.
- Path-based Routing: Routes traffic based on URL paths, enabling multiple services to be accessed through a single IP address.
- Custom Annotations: Supports custom annotations to configure various aspects of the Ingress controller behavior.
- Health Checks: Monitors the health of backend services and routes traffic only to healthy instances.
Security & WAF
Web Application Firewall (ModSecurity)
You can enable the ModSecurity WAF in Detection or Enforcement mode per Ingress.
Enable Detection Mode (Snippet):
metadata:
  annotations:
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine DetectionOnly
      SecAuditEngine RelevantOnly
      SecStatusEngine Off
Note: This requires annotations-risk-level: "Critical" to be set on the controller, which is configured by default in Natron clusters.
Enforcement Mode:
metadata:
  annotations:
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
Requests detected as malicious (e.g., XSS) will be denied with a 403 Forbidden.
TLS Configuration
For a detailed guide on setting up Cert-Manager, including Let's Encrypt, DNS challenges, and Wildcard certificates, please refer to the Cert-Manager Documentation.
Use the following annotations to secure your Ingress with Cert-Manager:
metadata:
  annotations:
    # Force SSL Redirect
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # Cert-Manager Issuer
    cert-manager.io/cluster-issuer: <issuer-name>
    # Security Best Practices
    cert-manager.io/private-key-rotation-policy: Always
    cert-manager.io/private-key-algorithm: ECDSA
Common Use Cases
TCP Passthrough
To expose non-HTTP services (e.g., SSH, Database), use TCP Passthrough.
Note: This requires adding the port map to the Ingress Controller's Helm values first (tcp: { "22222": "namespace/service:port" }).
Basic Authentication
Secure an endpoint with Basic Auth:
- Create a "htpasswd" secret:
  kubectl create secret generic basic-auth --from-file=auth
- Annotate the Ingress:
  nginx.ingress.kubernetes.io/auth-type: basic
  nginx.ingress.kubernetes.io/auth-secret: basic-auth
  nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
GeoIP2 Restrictions
Natron automates the distribution of MaxMind GeoLite2 databases.
To use GeoIP data in your Ingress (e.g., for logging or restriction), verify the maxmind-edition-ids and use the following variables in your custom log format: $geoip2_country_code, $geoip2_country_name.
Proxy to External Website
To proxy traffic to an external site (e.g., example.com), use an ExternalName Service and an Ingress with backend-protocol: "HTTPS".
apiVersion: v1
kind: Service
metadata: { name: external }
spec:
  type: ExternalName
  externalName: example.com
  ports: [{ port: 443 }]
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
Session Affinity (Sticky Sessions)
Enable cookie-based session affinity for stateful applications.
Note: Do not use Service-level sessionAffinity: ClientIP when using Ingress, as it breaks load balancing behind the controller.
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "route"
nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
Advanced Configuration
Proxy Customization
- Proxy Body Size: Increase max file upload size.
  nginx.ingress.kubernetes.io/proxy-body-size: 50m
- Proxy Buffers: Fix "502 upstream sent too big header".
  nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
Snippet Annotations
The following annotations are available but require "Critical" risk level acceptance:
- server-snippet
- configuration-snippet
- modsecurity-snippet
Blocked Keywords
The following keywords are strictly prohibited in snippets for security reasons and will cause strict validation failures:
load_module, lua_package, _by_lua, location, root, proxy_pass, serviceaccount, {, }, ', "
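The following is an added example, not code from the Natron docs or from ingress-nginx itself: a small pre-deployment lint that applies the blocklist above to the three "Critical"-risk snippet annotations of an Ingress manifest, so a rejected snippet is caught in CI rather than at admission. It assumes the manifest has already been parsed from YAML into a dict and treats the blocklist as a plain substring match, the conservative reading of "strictly prohibited".

```python
"""Lint ingress-nginx snippet annotations against the keyword blocklist.
Added example (not Natron's or ingress-nginx's own code); substring match."""
from typing import List

# The three annotations that require "Critical" risk-level acceptance.
SNIPPET_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/modsecurity-snippet",
)
# Blocked keywords exactly as listed on this page.
BLOCKED_KEYWORDS = ("load_module", "lua_package", "_by_lua", "location", "root",
                    "proxy_pass", "serviceaccount", "{", "}", "'", '"')


def lint_ingress(manifest: dict) -> List[str]:
    """Return one finding per (annotation, keyword) hit; an empty list means
    no snippet annotation contains a blocked keyword."""
    meta = manifest.get("metadata") or {}
    name = meta.get("name", "<unnamed>")
    annotations = meta.get("annotations") or {}
    findings: List[str] = []
    for key in SNIPPET_ANNOTATIONS:
        value = annotations.get(key)
        if not isinstance(value, str):
            continue  # annotation absent, nothing to validate
        for keyword in BLOCKED_KEYWORDS:
            if keyword in value:
                findings.append(f"{name}: {key} contains blocked keyword {keyword!r}")
    return findings


# Constructed sample manifests (as dicts, i.e. after YAML parsing).
# The Detection-mode snippet from this page: passes.
DETECTION_MODE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "app", "annotations": {
        "nginx.ingress.kubernetes.io/modsecurity-snippet":
            "SecRuleEngine DetectionOnly\nSecAuditEngine RelevantOnly\nSecStatusEngine Off\n"}},
}
# A server-snippet declaring its own location block: hits "location", "{", "}".
REJECTED_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "app-bad", "annotations": {
        "nginx.ingress.kubernetes.io/server-snippet": "location /admin { deny all; }\n"}},
}

if __name__ == "__main__":
    for manifest in (DETECTION_MODE_INGRESS, REJECTED_INGRESS):
        problems = lint_ingress(manifest)
        print(manifest["metadata"]["name"], "OK" if not problems else problems)
```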