APIG Ingress gateways support 51 core NGINX Ingress annotations for seamless migration and provide 40 additional annotations for extended traffic governance and security controls.
Annotation support summary
| Category | Count | Description |
|---|---|---|
| NGINX Ingress compatible annotations | 51 | Cover 90% of use cases |
| Annotations with no functional effect | 15 | No configuration required |
| Annotations to be supported | 48 | Planned; used in limited scenarios |
| Unsupported annotations | 5 | Specific to NGINX Ingress internal code snippets |
| APIG extended annotations | 40 | Additional traffic governance and security controls beyond NGINX Ingress |
Quick reference
Click an annotation name to jump to its full description.
| Annotation | Scope | Status | Default | Category |
|---|---|---|---|---|
nginx.ingress.kubernetes.io/canary |
Ingress | Compatible | — | Canary release |
nginx.ingress.kubernetes.io/canary-by-header |
Ingress | Compatible | — | Canary release |
nginx.ingress.kubernetes.io/canary-by-header-value |
Ingress | Compatible | — | Canary release |
nginx.ingress.kubernetes.io/canary-by-header-pattern |
Ingress | Compatible | — | Canary release |
higress.ingress.kubernetes.io/canary-by-query |
Ingress | Higress extension | — | Canary release |
higress.ingress.kubernetes.io/canary-by-query-value |
Ingress | Higress extension | — | Canary release |
higress.ingress.kubernetes.io/canary-by-query-pattern |
Ingress | Higress extension | — | Canary release |
nginx.ingress.kubernetes.io/canary-by-cookie |
Ingress | Compatible | — | Canary release |
higress.ingress.kubernetes.io/canary-by-cookie-value |
Ingress | Higress extension (V1.2.30+) | — | Canary release |
nginx.ingress.kubernetes.io/canary-weight |
Ingress | Compatible | — | Canary release |
nginx.ingress.kubernetes.io/canary-weight-total |
Ingress | Compatible | — | Canary release |
higress.ingress.kubernetes.io/destination |
Ingress | Higress extension | — | Multi-service routing |
higress.ingress.kubernetes.io/service-subset |
Ingress | Higress extension (V1.2.25+) | — | Service subsets |
higress.ingress.kubernetes.io/subset-labels |
Ingress | Higress extension (V1.2.25+) | — | Service subsets |
nginx.ingress.kubernetes.io/default-backend |
Ingress | Compatible | — | Fallback |
nginx.ingress.kubernetes.io/custom-http-errors |
Ingress | Compatible | — | Fallback |
nginx.ingress.kubernetes.io/use-regex |
Ingress | Compatible | — | Regex match |
nginx.ingress.kubernetes.io/rewrite-target |
Ingress | Compatible | — | Rewrite |
nginx.ingress.kubernetes.io/upstream-vhost |
Ingress | Compatible | — | Rewrite |
nginx.ingress.kubernetes.io/ssl-redirect |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/force-ssl-redirect |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/permanent-redirect |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/permanent-redirect-code |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/temporal-redirect |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/app-root |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/enable-cors |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-allow-origin |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-allow-methods |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-allow-headers |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-expose-headers |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-allow-credentials |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-max-age |
Ingress | Compatible | — | CORS |
higress.ingress.kubernetes.io/request-header-control-add |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/request-header-control-update |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/request-header-control-remove |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/response-header-control-add |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/response-header-control-update |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/response-header-control-remove |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/timeout |
Ingress | Higress extension | None | Timeout |
nginx.ingress.kubernetes.io/proxy-next-upstream-tries |
Ingress | Compatible | 3 |
Retry |
nginx.ingress.kubernetes.io/proxy-next-upstream-timeout |
Ingress | Compatible | None | Retry |
nginx.ingress.kubernetes.io/proxy-next-upstream |
Ingress | Compatible | — | Retry |
higress.ingress.kubernetes.io/mirror-target-service |
Ingress | Higress extension | — | Traffic mirroring |
higress.ingress.kubernetes.io/mirror-percentage |
Ingress | Higress extension (V1.2.32+) | 100 |
Traffic mirroring |
nginx.ingress.kubernetes.io/server-alias |
Domain name | Partially compatible (V1.2.30+) | — | Domain alias |
higress.ingress.kubernetes.io/route-limit-rpm |
Ingress | Higress extension | — | Rate limiting (deprecated) |
higress.ingress.kubernetes.io/route-limit-rps |
Ingress | Higress extension | — | Rate limiting (deprecated) |
higress.ingress.kubernetes.io/route-limit-burst-multiplier |
Ingress | Higress extension | 5 |
Rate limiting (deprecated) |
higress.ingress.kubernetes.io/rate-limit |
Ingress | Higress extension (V1.2.25+) | — | Global throttling |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-code |
Ingress | Higress extension (V1.2.25+) | 429 |
Global throttling |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body-type |
Ingress | Higress extension (V1.2.25+) | text |
Global throttling |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body |
Ingress | Higress extension (V1.2.25+) | sentinel rate limited |
Global throttling |
higress.ingress.kubernetes.io/rate-limit-fallback-redirect-url |
Ingress | Higress extension (V1.2.25+) | — | Global throttling |
higress.ingress.kubernetes.io/concurrency-limit |
Ingress | Higress extension (V1.2.25+) | — | Global concurrency |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-code |
Ingress | Higress extension (V1.2.25+) | 429 |
Global concurrency |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-body-type |
Ingress | Higress extension (V1.2.25+) | text |
Global concurrency |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-body |
Ingress | Higress extension (V1.2.25+) | sentinel rate limited |
Global concurrency |
higress.ingress.kubernetes.io/concurrency-limit-fallback-redirect-url |
Ingress | Higress extension (V1.2.25+) | — | Global concurrency |
nginx.ingress.kubernetes.io/backend-protocol |
Service | Partially compatible | HTTP |
Backend protocol |
nginx.ingress.kubernetes.io/load-balance |
Service | Partially compatible | round_robin |
Load balancing |
nginx.ingress.kubernetes.io/upstream-hash-by |
Service | Partially compatible | — | Load balancing |
higress.ingress.kubernetes.io/warmup |
Service | Higress extension | Disabled | Warmup |
nginx.ingress.kubernetes.io/affinity |
Service | Compatible | cookie |
Cookie affinity |
nginx.ingress.kubernetes.io/affinity-mode |
Service | Partially compatible | balanced |
Cookie affinity |
nginx.ingress.kubernetes.io/session-cookie-name |
Service | Compatible | — | Cookie affinity |
nginx.ingress.kubernetes.io/session-cookie-path |
Service | Compatible | / |
Cookie affinity |
nginx.ingress.kubernetes.io/session-cookie-max-age |
Service | Compatible | Session level | Cookie affinity |
nginx.ingress.kubernetes.io/session-cookie-expires |
Service | Compatible | Session level | Cookie affinity |
nginx.ingress.kubernetes.io/whitelist-source-range |
Ingress | Compatible | — | IP access control |
nginx.ingress.kubernetes.io/denylist-source-range |
Ingress | Compatible (V1.2.31+) | — | IP access control |
higress.ingress.kubernetes.io/blacklist-source-range |
Ingress | Higress extension | — | IP access control |
higress.ingress.kubernetes.io/domain-whitelist-source-range |
Ingress | Higress extension | — | IP access control |
higress.ingress.kubernetes.io/domain-blacklist-source-range |
Ingress | Higress extension | — | IP access control |
higress.ingress.kubernetes.io/connection-policy-tcp-max-connection |
Service | Higress extension | — | Connection pool |
higress.ingress.kubernetes.io/connection-policy-tcp-max-connection-per-endpoint |
Service | Higress extension | — | Connection pool |
higress.ingress.kubernetes.io/connection-policy-http-max-request-per-connection |
Service | Higress extension | — | Connection pool |
higress.ingress.kubernetes.io/tls-min-protocol-version |
Domain name | Higress extension | TLSv1.0 |
Client-to-gateway TLS |
higress.ingress.kubernetes.io/tls-max-protocol-version |
Domain name | Higress extension | TLSv1.3 |
Client-to-gateway TLS |
nginx.ingress.kubernetes.io/ssl-cipher |
Domain name | Compatible | See description | Client-to-gateway TLS |
higress.ingress.kubernetes.io/auth-tls-secret |
Domain name | Partially compatible | — | Client-to-gateway TLS |
nginx.ingress.kubernetes.io/proxy-ssl-secret |
Service | Compatible | — | Gateway-to-backend TLS |
nginx.ingress.kubernetes.io/proxy-ssl-name |
Service | Compatible | — | Gateway-to-backend TLS |
nginx.ingress.kubernetes.io/proxy-ssl-server-name |
Service | Compatible | — | Gateway-to-backend TLS |
nginx.ingress.kubernetes.io/auth-type |
Ingress | Partially compatible | — | Basic authentication |
nginx.ingress.kubernetes.io/auth-secret |
Ingress | Compatible | — | Basic authentication |
nginx.ingress.kubernetes.io/auth-secret-type |
Ingress | Compatible | — | Basic authentication |
nginx.ingress.kubernetes.io/auth-realm |
Ingress | Compatible | — | Basic authentication |
Scope
Annotations apply to one of these scopes:
-
Ingress — Applies to routing rules on the Ingress resource where the annotation is set.
-
Domain name — Applies to all Ingress resources that share the same hosts.
-
Service — Applies to all Ingress resources that share the same services.
Annotation prefixes
For annotations with equivalent functionality in both NGINX Ingress and APIG Ingress, these prefixes are interchangeable:
-
nginx.ingress.kubernetes.io/xxx -
higress.ingress.kubernetes.io/xxx
Annotations marked Higress extension require the higress prefix and cannot use the nginx prefix.
Compatibility notes
Key behavioral differences when migrating from NGINX Ingress:
-
NGINX variables: Variables in NGINX Ingress annotations and code snippets are not compatible with APIG Ingress. Review annotations that rely on NGINX variables before migrating.
-
Request body size: NGINX Ingress uses
nginx.ingress.kubernetes.io/proxy-body-sizeto enforce a hard limit and returns an error when exceeded. APIG Ingress uses block-based streaming and does not require a preset body size limit. For ultra-large file transfers, adjustDownstreamConnectionBufferLimitsin the gateway instance configuration.
Traffic governance annotations
Canary release
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/canary |
Ingress | Compatible | Enables or disables canary release for a route. |
nginx.ingress.kubernetes.io/canary-by-header |
Ingress | Compatible | Request header key used for traffic splitting. |
nginx.ingress.kubernetes.io/canary-by-header-value |
Ingress | Compatible | Request header value for traffic splitting. Supports exact match. |
nginx.ingress.kubernetes.io/canary-by-header-pattern |
Ingress | Compatible | Request header value for traffic splitting. Supports regex match. |
higress.ingress.kubernetes.io/canary-by-query |
Ingress | Higress extension | URL query parameter key used for traffic splitting. |
higress.ingress.kubernetes.io/canary-by-query-value |
Ingress | Higress extension | URL query parameter value for traffic splitting. Supports exact match. |
higress.ingress.kubernetes.io/canary-by-query-pattern |
Ingress | Higress extension | URL query parameter value for traffic splitting. Supports regex match. |
nginx.ingress.kubernetes.io/canary-by-cookie |
Ingress | Compatible | Cookie key used for traffic splitting. |
higress.ingress.kubernetes.io/canary-by-cookie-value |
Ingress | Higress extension (V1.2.30+) | Cookie value for traffic splitting. Supports exact match. |
nginx.ingress.kubernetes.io/canary-weight |
Ingress | Compatible | Service weight used for traffic splitting. |
nginx.ingress.kubernetes.io/canary-weight-total |
Ingress | Compatible | Total weight for traffic splitting. |
Multi-service routing
| Annotation | Scope | Status | Description |
|---|---|---|---|
higress.ingress.kubernetes.io/destination |
Ingress | Higress extension | Distributes traffic across multiple services by weight. Syntax: {weight}% {serviceName}.{serviceNamespace}.svc.cluster.local:{port} |
Setting this annotation changes the destination for all routing rules on the Ingress. If the syntax is invalid, the annotation is ignored and routing is unchanged.
Example:
annotations:
# 60% of traffic goes to foo, 40% to bar
higress.ingress.kubernetes.io/destination: |
60% foo.default.svc.cluster.local:8080
40% bar.default.svc.cluster.local:9090Service subsets
Use service subsets to route requests to a specific subset of Pods when a single service manages multiple Deployments.
| Annotation | Scope | Status | Description |
|---|---|---|---|
higress.ingress.kubernetes.io/service-subset |
Ingress | Higress extension (V1.2.25+) | Identifies the Pod subset to route requests to. |
higress.ingress.kubernetes.io/subset-labels |
Ingress | Higress extension (V1.2.25+) | (Optional) Label selector used with service-subset to classify Pods into subsets. |
Routing behavior for `service-subset`:
-
If
subset-labelsis not set:-
Set to
""orbase— routes to Pods labeledopensergo.io/canary: ""or Pods without anyopensergo.io/canarylabel key. -
Set to any other value (for example,
gray) — routes to Pods labeledopensergo.io/canary-gray: gray.
-
-
If
subset-labelsis set — routes only to Pods whose labels match the key-value pairs defined insubset-labels.
If no Pods match the specified label, requests are automatically forwarded to all Pods in the service.
Example:
annotations:
# Route to the "gray" subset of Pods
higress.ingress.kubernetes.io/service-subset: "gray"Fallback
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/default-backend |
Ingress | Compatible | Fallback service to use when no healthy nodes are available for the primary service. |
nginx.ingress.kubernetes.io/custom-http-errors |
Ingress | Compatible | When the backend returns one of the specified HTTP status codes, the request is forwarded to the fallback service. |
Important
When a request is forwarded to the fallback service, the request path is rewritten to /. This matches the behavior of NGINX Ingress.
Regular expression match
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/use-regex |
Ingress | Compatible | Enables regex path matching on the Ingress using RE2 syntax. |
Rewrite
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/rewrite-target |
Ingress | Compatible | Destination path for URL rewrite. Capture groups are supported. |
nginx.ingress.kubernetes.io/upstream-vhost |
Ingress | Compatible | Rewrites the Host header in requests forwarded to a backend service. |
Redirection
Using NGINX variables for redirection is not documented in NGINX Ingress and may pose compatibility risks. We recommend that you do not use NGINX variables for redirection.
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/ssl-redirect |
Ingress | Compatible | Redirects HTTP to HTTPS. |
nginx.ingress.kubernetes.io/force-ssl-redirect |
Ingress | Compatible | Forcefully redirects HTTP to HTTPS. |
nginx.ingress.kubernetes.io/permanent-redirect |
Ingress | Compatible | Sends a permanent redirect to the specified URL. |
nginx.ingress.kubernetes.io/permanent-redirect-code |
Ingress | Compatible | HTTP status code used for permanent redirects. |
nginx.ingress.kubernetes.io/temporal-redirect |
Ingress | Compatible | Sends a temporary redirect to the specified URL. |
nginx.ingress.kubernetes.io/app-root |
Ingress | Compatible | Redirects requests from / to the specified application root path. |
CORS
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/enable-cors |
Ingress | Compatible | Enables cross-origin resource sharing (CORS). |
nginx.ingress.kubernetes.io/cors-allow-origin |
Ingress | Compatible | Allowed origins for CORS requests. |
nginx.ingress.kubernetes.io/cors-allow-methods |
Ingress | Compatible | Allowed HTTP methods for CORS. Includes GET, POST, and PUT. |
nginx.ingress.kubernetes.io/cors-allow-headers |
Ingress | Compatible | Allowed request headers for CORS. |
nginx.ingress.kubernetes.io/cors-expose-headers |
Ingress | Compatible | Response headers exposed to browsers. |
nginx.ingress.kubernetes.io/cors-allow-credentials |
Ingress | Compatible | Whether credentials can be included in CORS requests. |
nginx.ingress.kubernetes.io/cors-max-age |
Ingress | Compatible | How long (in seconds) preflight results are cached. |
Header control
Header control annotations on base routes and canary routes are independent and validated separately. Configure different header policies for base and canary traffic using these annotations.
| Annotation | Scope | Status | Description |
|---|---|---|---|
higress.ingress.kubernetes.io/request-header-control-add |
Ingress | Higress extension | Adds a header to forwarded requests. If the header already exists, the new value is appended to the original. |
higress.ingress.kubernetes.io/request-header-control-update |
Ingress | Higress extension | Modifies a header in forwarded requests. If the header already exists, the new value overwrites the original. |
higress.ingress.kubernetes.io/request-header-control-remove |
Ingress | Higress extension | Removes a header from forwarded requests. |
higress.ingress.kubernetes.io/response-header-control-add |
Ingress | Higress extension | Adds a header to responses before they are returned to the client. If the header already exists, the new value is appended. |
higress.ingress.kubernetes.io/response-header-control-update |
Ingress | Higress extension | Modifies a header in responses before they are returned to the client. Overwrites the existing value. |
higress.ingress.kubernetes.io/response-header-control-remove |
Ingress | Higress extension | Removes a header from responses before they are returned to the client. |
Syntax:
-
Single header (add/update): Use a key-value pair. Example:
X-Custom-Header: value -
Multiple headers (add/update): Use a YAML block scalar (
|). Each key-value pair on a separate line. -
Single header (remove): Use the header key only.
-
Multiple headers (remove): Comma-separated header keys.
Example — add a request header:
annotations:
higress.ingress.kubernetes.io/request-header-control-add: "X-Request-Id: abc123"Example — add multiple response headers:
annotations:
higress.ingress.kubernetes.io/response-header-control-add: |
X-Custom-Header: value1
X-Another-Header: value2Example — remove multiple request headers:
annotations:
higress.ingress.kubernetes.io/request-header-control-remove: "X-Forwarded-For,X-Real-IP"Timeout
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/timeout |
Ingress | Higress extension | None | Request timeout in seconds. |
This timeout applies at the application layer (HTTP), not at the TCP transport layer.
Retry
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
nginx.ingress.kubernetes.io/proxy-next-upstream-tries |
Ingress | Compatible | 3 |
Maximum number of retry attempts. |
nginx.ingress.kubernetes.io/proxy-next-upstream-timeout |
Ingress | Compatible | None | Timeout for retry attempts, in seconds. |
nginx.ingress.kubernetes.io/proxy-next-upstream |
Ingress | Compatible | — | Retry conditions. See the NGINX retry mechanism for valid values. |
Traffic mirroring
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/mirror-target-service |
Ingress | Higress extension | — | Service to which mirrored traffic is forwarded. Format: namespace/name:port. namespace defaults to the Ingress gateway namespace; port defaults to the first port. name is required. |
higress.ingress.kubernetes.io/mirror-percentage |
Ingress | Higress extension (V1.2.32+) | 100 |
Percentage of traffic to mirror. Valid values: 0–100. |
Example:
annotations:
# Mirror 20% of traffic to the shadow service
higress.ingress.kubernetes.io/mirror-target-service: "default/shadow-service:8080"
higress.ingress.kubernetes.io/mirror-percentage: "20"Domain alias
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/server-alias |
Domain name | Partially compatible (V1.2.30+) | Alias domain that shares the TLS, routing, and traffic governance configuration of the primary domain. Supports exact-match and wildcard domains only. |
Rate limiting (deprecated)
These annotations are deprecated. Use global throttling control instead.
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/route-limit-rpm |
Ingress | Higress extension | — | Maximum requests per minute (RPM) per gateway. Burst limit = value × route-limit-burst-multiplier. When triggered, the response body is local_rate_limited. Returns 503 before V1.2.23, 429 on V1.2.23+. |
higress.ingress.kubernetes.io/route-limit-rps |
Ingress | Higress extension | — | Maximum requests per second (RPS) per gateway. Same burst and response behavior as route-limit-rpm. |
higress.ingress.kubernetes.io/route-limit-burst-multiplier |
Ingress | Higress extension | 5 |
Burst limit multiplier. |
Global throttling control (recommended)
All annotations in this section require gateway version V1.2.25 or later.
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/rate-limit |
Ingress | Higress extension | — | Maximum RPS for the route. Used for global rate limiting. |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-code |
Ingress | Higress extension | 429 |
HTTP response code when rate limiting is triggered. |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body-type |
Ingress | Higress extension | text |
Response body content type when rate limiting is triggered. Set to json to return application/json; charset=UTF-8. |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body |
Ingress | Higress extension | sentinel rate limited |
Response body when rate limiting is triggered. |
higress.ingress.kubernetes.io/rate-limit-fallback-redirect-url |
Ingress | Higress extension | — | Redirect URL when rate limiting is triggered. |
rate-limit-fallback-custom-response-codeandrate-limit-fallback-redirect-urlare mutually exclusive. Set only one.
Example — return a custom JSON response when rate limiting is triggered:
annotations:
higress.ingress.kubernetes.io/rate-limit: "100"
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-code: "429"
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body-type: "json"
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body: '{"error":"rate limit exceeded"}'Global concurrency control
All annotations in this section require gateway version V1.2.25 or later.
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/concurrency-limit |
Ingress | Higress extension | — | Maximum number of concurrent requests on the route. |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-code |
Ingress | Higress extension | 429 |
HTTP response code when concurrency control is triggered. |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-body-type |
Ingress | Higress extension | text |
Response body content type when concurrency control is triggered. Set to json to return application/json; charset=UTF-8. |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-body |
Ingress | Higress extension | sentinel rate limited |
Response body when concurrency control is triggered. |
higress.ingress.kubernetes.io/concurrency-limit-fallback-redirect-url |
Ingress | Higress extension | — | Redirect URL when concurrency control is triggered. |
concurrency-limit-fallback-custom-response-codeandconcurrency-limit-fallback-redirect-urlare mutually exclusive. Set only one.
Backend protocol
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
nginx.ingress.kubernetes.io/backend-protocol |
Service | Partially compatible | HTTP |
Protocol used by the backend service. AJP and FCGI are not supported. Valid values: HTTP, HTTP2, HTTPS, gRPC, gRPCS. |
Load balancing
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
nginx.ingress.kubernetes.io/load-balance |
Service | Partially compatible | round_robin |
Load balancing algorithm. Exponentially Weighted Moving Average (EWMA) is not supported; falls back to round_robin. Valid values: round_robin, least_conn, random. |
nginx.ingress.kubernetes.io/upstream-hash-by |
Service | Partially compatible | — | Consistent hashing algorithm. Combining NGINX variables with constants is not supported. Supports hashing by NGINX variable ($request_uri, $host, $remote_addr), request header ($http_headerName), or query parameter ($arg_varName). |
Warmup (graceful start)
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/warmup |
Service | Higress extension | Disabled | Duration of the warmup period in seconds. |
Important
Warmup requires a round_robin or least_conn load balancing algorithm. It is not supported with other algorithms.
Cookie affinity
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
nginx.ingress.kubernetes.io/affinity |
Service | Compatible | cookie |
Affinity type. Default and only valid value: cookie. |
nginx.ingress.kubernetes.io/affinity-mode |
Service | Partially compatible | balanced |
Affinity mode. persistent mode is not supported. Default and only valid value: balanced. |
nginx.ingress.kubernetes.io/session-cookie-name |
Service | Compatible | — | Name of the cookie used as the hash key. |
nginx.ingress.kubernetes.io/session-cookie-path |
Service | Compatible | / |
Path of the cookie generated when the specified cookie does not exist. |
nginx.ingress.kubernetes.io/session-cookie-max-age |
Service | Compatible | Session level | Expiration time of the generated cookie, in seconds. |
nginx.ingress.kubernetes.io/session-cookie-expires |
Service | Compatible | Session level | Expiration time of the generated cookie, in seconds. |
IP address access control
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/whitelist-source-range |
Ingress | Compatible | Allowlist of IP addresses and CIDR blocks for the route. Comma-separated. |
nginx.ingress.kubernetes.io/denylist-source-range |
Ingress | Compatible (V1.2.31+) | Denylist of IP addresses and CIDR blocks for the route. Comma-separated. Takes precedence over higress.ingress.kubernetes.io/blacklist-source-range. |
higress.ingress.kubernetes.io/blacklist-source-range |
Ingress | Higress extension | Denylist of IP addresses and CIDR blocks for the route. Comma-separated. |
higress.ingress.kubernetes.io/domain-whitelist-source-range |
Ingress | Higress extension | Allowlist of IP addresses and CIDR blocks for the domain. Route-level allowlists take precedence over domain-level allowlists. Comma-separated. |
higress.ingress.kubernetes.io/domain-blacklist-source-range |
Ingress | Higress extension | Denylist of IP addresses and CIDR blocks for the domain. Route-level denylists take precedence over domain-level denylists. Comma-separated. |
Connection pool (gateway to backend)
| Annotation | Scope | Status | Description |
|---|---|---|---|
higress.ingress.kubernetes.io/connection-policy-tcp-max-connection |
Service | Higress extension | Maximum total TCP connections between the gateway and the backend service. |
higress.ingress.kubernetes.io/connection-policy-tcp-max-connection-per-endpoint |
Service | Higress extension | Maximum TCP connections between the gateway and a single backend endpoint. |
higress.ingress.kubernetes.io/connection-policy-http-max-request-per-connection |
Service | Higress extension | Maximum HTTP requests per connection between the gateway and the backend service. |
Security annotations
Client-to-gateway TLS
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/tls-min-protocol-version |
Domain name | Higress extension | TLSv1.0 |
Minimum TLS version. Valid values: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3. |
higress.ingress.kubernetes.io/tls-max-protocol-version |
Domain name | Higress extension | TLSv1.3 |
Maximum TLS version. Valid values: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3. |
nginx.ingress.kubernetes.io/ssl-cipher |
Domain name | Compatible | See below | TLS cipher suites, comma-separated. Applies to TLS v1.0–v1.2 only (not v1.3). |
higress.ingress.kubernetes.io/auth-tls-secret |
Domain name | Partially compatible | — | CA certificate the gateway uses to verify the client certificate during mutual TLS (mTLS) handshake. The secret name must follow the format {domain-certificate-secret-name}-cacert. |
Default cipher suites for ssl-cipher: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA.
Gateway-to-backend TLS
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/proxy-ssl-secret |
Service | Compatible | Client certificate used by the gateway for backend authentication. |
nginx.ingress.kubernetes.io/proxy-ssl-name |
Service | Compatible | Server Name Indication (SNI) sent during the TLS handshake with the backend. |
nginx.ingress.kubernetes.io/proxy-ssl-server-name |
Service | Compatible | Enables or disables SNI during the TLS handshake with the backend. |
Basic authentication
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/auth-type |
Ingress | Partially compatible | Authentication type. Only basic is supported. |
nginx.ingress.kubernetes.io/auth-secret |
Ingress | Compatible | Secret containing the credentials for the route. Format: <namespace>/<name>. |
nginx.ingress.kubernetes.io/auth-secret-type |
Ingress | Compatible | Format of the secret data. auth-file: key is auth, value is username:password (one entry per line). auth-map: key is username, value is password. |
nginx.ingress.kubernetes.io/auth-realm |
Ingress | Compatible | Authentication realm. Credentials are shared within a realm. |
Full NGINX Ingress annotation reference: Annotations.
该文章对您有帮助吗?