Skip to main content
Ingresses expose HTTP and HTTPS routes from outside the cluster to services within the cluster. They provide load balancing, SSL/TLS termination, and name-based virtual hosting.

Key Concepts

Ingress

A resource that defines rules for routing external HTTP/HTTPS traffic to services.

Ingress Controller

A controller (like NGINX, Traefik) that implements the Ingress rules.

Ingress Class

Specifies which controller should handle the Ingress.

TLS/SSL

Configuration for HTTPS termination using certificates stored in Secrets.

Required Permissions

ActionPermission
View ingressesiam:project:infrastructure:kubernetes:read
Create ingressiam:project:infrastructure:kubernetes:write
Edit ingressiam:project:infrastructure:kubernetes:write
Delete ingressiam:project:infrastructure:kubernetes:delete

Ingress Status Values

StatusDescription
ActiveLoad balancer IP or hostname has been assigned
PendingWaiting for load balancer address assignment
Status is determined by the presence of a load balancer address. An Ingress with no assigned address shows as Pending until the Ingress controller provisions it.

How to View Ingresses

1

Select Cluster

Choose a cluster from the cluster dropdown.
2

Select Namespace

Choose a namespace or select “all” to view ingresses across all namespaces.
3

Filter and Search

Use the search box to find ingresses by name, namespace, host, or class. Filter by status (Active, Pending).

How to View Ingress Details

1

Find the Ingress

Locate the ingress in the list.
2

Click Ingress Name

Click on the ingress name to open the detail drawer.
3

Review Details

View comprehensive ingress information including:
  • Overview: Name, namespace, status, ingress class, age
  • Address: Load balancer IP or hostname
  • Rules: Host-based routing with paths and backend services
  • TLS: SSL/TLS configuration with secret references
  • Default Backend: Fallback service for unmatched requests
  • Labels & Annotations: Metadata and controller-specific settings
  • Events: Recent events from the ingress controller

How to Create an Ingress

1

Click Create Ingress

Click the Create Ingress button in the page header.
2

Write YAML

Enter the Ingress manifest in YAML format. Key fields:
  • spec.ingressClassName - Which ingress controller to use
  • spec.rules - Host and path routing rules
  • spec.tls - TLS/SSL configuration
3

Select Namespace

Choose the target namespace for the ingress.
4

Create

Click Create to apply the manifest.
Ensure an Ingress Controller is installed in your cluster before creating Ingresses. Common controllers include NGINX Ingress Controller, Traefik, and HAProxy.

How to Edit an Ingress

1

Open Actions Menu

Click the actions menu (three dots) on the ingress row.
2

Click Edit Ingress

Select Edit Ingress to open the YAML editor.
3

Modify Spec

Edit the ingress specification. Common changes:
  • Add or modify routing rules
  • Update TLS configuration
  • Change backend services
  • Add controller-specific annotations
4

Save

Click Update to apply changes.

How to Delete an Ingress

1

Open Actions Menu

Click the actions menu on the ingress row.
2

Click Delete

Select Delete from the menu.
3

Confirm

Confirm the deletion. External traffic using this ingress will no longer be routed.
Deleting an Ingress removes the routing rules. External traffic to the configured hosts will no longer reach your services until a new Ingress is created.

Routing Rules

Ingress rules define how traffic is routed based on host and path:
FieldDescription
hostDomain name for the rule (e.g., api.example.com)
pathURL path to match (e.g., /api, /v1)
pathTypeHow path matching works: Prefix, Exact, or ImplementationSpecific
backendTarget service and port for matched requests

Path Types

TypeDescription
PrefixMatches URL paths that begin with the specified path
ExactMatches the exact URL path only
ImplementationSpecificMatching behavior depends on the ingress controller

TLS Configuration

TLS enables HTTPS for your ingress: 
spec:
  tls:
    - hosts:
        - example.com
        - www.example.com
      secretName: example-tls-secret
FieldDescription
hostsDomains that use this TLS certificate
secretNameKubernetes Secret containing the TLS certificate and key
The Secret must contain tls.crt (certificate) and tls.key (private key) fields. Use kubectl create secret tls to create it from certificate files.

Common Annotations

Annotations configure controller-specific behavior. Examples for NGINX Ingress Controller:
AnnotationDescription
nginx.ingress.kubernetes.io/rewrite-targetRewrite the URL path
nginx.ingress.kubernetes.io/ssl-redirectForce HTTPS redirect
nginx.ingress.kubernetes.io/proxy-body-sizeMaximum request body size
nginx.ingress.kubernetes.io/proxy-connect-timeoutBackend connection timeout
nginx.ingress.kubernetes.io/affinityEnable session affinity
Annotations vary by ingress controller. Check your controller’s documentation for available options.

Troubleshooting

  • Verify an Ingress Controller is installed and running
  • Check the ingress controller pods for errors
  • Verify the ingressClassName matches your controller
  • Review ingress events for provisioning errors
  • Verify the backend service exists and has endpoints
  • Check service port matches the ingress backend port
  • Ensure pods are running and ready
  • Verify network policies allow traffic
  • Check host header matches the ingress rule
  • Verify path matches the configured pathType
  • Test without host to check default backend
  • Review ingress controller logs
  • Verify the TLS secret exists in the same namespace
  • Check secret has tls.crt and tls.key fields
  • Ensure hosts in TLS config match the rules
  • Verify certificate is valid and not expired
  • Check ingress controller has external IP or LoadBalancer
  • Verify cloud provider integration for LoadBalancer services
  • For bare metal, check MetalLB or similar is configured
  • Review ingress controller service status
  • Ingress controllers may cache configurations
  • Check ingress controller logs for reload events
  • Verify the ingress resource was actually updated
  • Some changes may require controller restart
  • Check path specificity - more specific paths should be listed first
  • Verify pathType matches your routing needs
  • Check for conflicting ingress rules
  • Review controller-specific path matching behavior

FAQ

Yes. Ingress resources alone don’t do anything. You need an Ingress Controller (NGINX, Traefik, etc.) to implement the routing rules. The controller watches for Ingress resources and configures the underlying load balancer.
LoadBalancer exposes a single service on a dedicated IP. Ingress can route to multiple services based on host/path, use a single IP for multiple domains, and provides features like SSL termination and path-based routing.
Yes. Use ingressClassName to specify which controller handles each Ingress. This allows different controllers for different use cases (e.g., internal vs external traffic).
Add a tls section with your hosts and a Secret containing the certificate. The controller handles SSL termination. For automatic certificates, consider cert-manager with Let’s Encrypt.
The default backend handles requests that don’t match any rule. It’s optional but useful for returning custom 404 pages or catching misrouted traffic.
Define multiple paths in your rules. Use pathType: Prefix for prefix matching (e.g., /api matches /api/users) or pathType: Exact for exact path matching.
Yes, but behavior depends on the controller. Most controllers merge rules from multiple Ingresses for the same host. Be careful to avoid conflicting paths.
Use controller-specific annotations. For NGINX: nginx.ingress.kubernetes.io/ssl-redirect: "true". Most controllers support automatic HTTP to HTTPS redirection.
The ingress controller typically returns a 503 Service Unavailable error. Configure health checks and proper readiness probes on your pods for better availability.