APIG Ingress gateways support the core and common annotations of NGINX Ingress gateways, making it straightforward to migrate from NGINX Ingress. APIG Ingress gateways also extend annotation support with additional traffic governance controls.
Annotation support summary
| Category | Count | Description |
|---|---|---|
| NGINX Ingress compatible annotations | 51 | Cover 90% of use cases |
| Annotations with no functional effect | 15 | No configuration required |
| Annotations to be supported | 48 | Planned; used in limited scenarios |
| Unsupported annotations | 5 | Specific to NGINX Ingress internal code snippets |
| APIG extended annotations | 40 | Additional traffic governance and security controls beyond NGINX Ingress |
Quick reference
The following table lists all supported annotations. Click any annotation name to jump to the full description.
| Annotation | Scope | Status | Default | Category |
|---|---|---|---|---|
nginx.ingress.kubernetes.io/canary |
Ingress | Compatible | — | Canary release |
nginx.ingress.kubernetes.io/canary-by-header |
Ingress | Compatible | — | Canary release |
nginx.ingress.kubernetes.io/canary-by-header-value |
Ingress | Compatible | — | Canary release |
nginx.ingress.kubernetes.io/canary-by-header-pattern |
Ingress | Compatible | — | Canary release |
higress.ingress.kubernetes.io/canary-by-query |
Ingress | Higress extension | — | Canary release |
higress.ingress.kubernetes.io/canary-by-query-value |
Ingress | Higress extension | — | Canary release |
higress.ingress.kubernetes.io/canary-by-query-pattern |
Ingress | Higress extension | — | Canary release |
nginx.ingress.kubernetes.io/canary-by-cookie |
Ingress | Compatible | — | Canary release |
higress.ingress.kubernetes.io/canary-by-cookie-value |
Ingress | Higress extension (V1.2.30+) | — | Canary release |
nginx.ingress.kubernetes.io/canary-weight |
Ingress | Compatible | — | Canary release |
nginx.ingress.kubernetes.io/canary-weight-total |
Ingress | Compatible | — | Canary release |
higress.ingress.kubernetes.io/destination |
Ingress | Higress extension | — | Multi-service routing |
higress.ingress.kubernetes.io/service-subset |
Ingress | Higress extension (V1.2.25+) | — | Service subsets |
higress.ingress.kubernetes.io/subset-labels |
Ingress | Higress extension (V1.2.25+) | — | Service subsets |
nginx.ingress.kubernetes.io/default-backend |
Ingress | Compatible | — | Fallback |
nginx.ingress.kubernetes.io/custom-http-errors |
Ingress | Compatible | — | Fallback |
nginx.ingress.kubernetes.io/use-regex |
Ingress | Compatible | — | Regex match |
nginx.ingress.kubernetes.io/rewrite-target |
Ingress | Compatible | — | Rewrite |
nginx.ingress.kubernetes.io/upstream-vhost |
Ingress | Compatible | — | Rewrite |
nginx.ingress.kubernetes.io/ssl-redirect |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/force-ssl-redirect |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/permanent-redirect |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/permanent-redirect-code |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/temporal-redirect |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/app-root |
Ingress | Compatible | — | Redirection |
nginx.ingress.kubernetes.io/enable-cors |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-allow-origin |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-allow-methods |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-allow-headers |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-expose-headers |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-allow-credentials |
Ingress | Compatible | — | CORS |
nginx.ingress.kubernetes.io/cors-max-age |
Ingress | Compatible | — | CORS |
higress.ingress.kubernetes.io/request-header-control-add |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/request-header-control-update |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/request-header-control-remove |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/response-header-control-add |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/response-header-control-update |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/response-header-control-remove |
Ingress | Higress extension | — | Header control |
higress.ingress.kubernetes.io/timeout |
Ingress | Higress extension | None | Timeout |
nginx.ingress.kubernetes.io/proxy-next-upstream-tries |
Ingress | Compatible | 3 |
Retry |
nginx.ingress.kubernetes.io/proxy-next-upstream-timeout |
Ingress | Compatible | None | Retry |
nginx.ingress.kubernetes.io/proxy-next-upstream |
Ingress | Compatible | — | Retry |
higress.ingress.kubernetes.io/mirror-target-service |
Ingress | Higress extension | — | Traffic mirroring |
higress.ingress.kubernetes.io/mirror-percentage |
Ingress | Higress extension (V1.2.32+) | 100 |
Traffic mirroring |
nginx.ingress.kubernetes.io/server-alias |
Domain name | Partially compatible (V1.2.30+) | — | Domain alias |
higress.ingress.kubernetes.io/route-limit-rpm |
Ingress | Higress extension | — | Rate limiting (deprecated) |
higress.ingress.kubernetes.io/route-limit-rps |
Ingress | Higress extension | — | Rate limiting (deprecated) |
higress.ingress.kubernetes.io/route-limit-burst-multiplier |
Ingress | Higress extension | 5 |
Rate limiting (deprecated) |
higress.ingress.kubernetes.io/rate-limit |
Ingress | Higress extension (V1.2.25+) | — | Global throttling |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-code |
Ingress | Higress extension (V1.2.25+) | 429 |
Global throttling |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body-type |
Ingress | Higress extension (V1.2.25+) | text |
Global throttling |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body |
Ingress | Higress extension (V1.2.25+) | sentinel rate limited |
Global throttling |
higress.ingress.kubernetes.io/rate-limit-fallback-redirect-url |
Ingress | Higress extension (V1.2.25+) | — | Global throttling |
higress.ingress.kubernetes.io/concurrency-limit |
Ingress | Higress extension (V1.2.25+) | — | Global concurrency |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-code |
Ingress | Higress extension (V1.2.25+) | 429 |
Global concurrency |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-body-type |
Ingress | Higress extension (V1.2.25+) | text |
Global concurrency |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-body |
Ingress | Higress extension (V1.2.25+) | sentinel rate limited |
Global concurrency |
higress.ingress.kubernetes.io/concurrency-limit-fallback-redirect-url |
Ingress | Higress extension (V1.2.25+) | — | Global concurrency |
nginx.ingress.kubernetes.io/backend-protocol |
Service | Partially compatible | HTTP |
Backend protocol |
nginx.ingress.kubernetes.io/load-balance |
Service | Partially compatible | round_robin |
Load balancing |
nginx.ingress.kubernetes.io/upstream-hash-by |
Service | Partially compatible | — | Load balancing |
higress.ingress.kubernetes.io/warmup |
Service | Higress extension | Disabled | Warmup |
nginx.ingress.kubernetes.io/affinity |
Service | Compatible | cookie |
Cookie affinity |
nginx.ingress.kubernetes.io/affinity-mode |
Service | Partially compatible | balanced |
Cookie affinity |
nginx.ingress.kubernetes.io/session-cookie-name |
Service | Compatible | — | Cookie affinity |
nginx.ingress.kubernetes.io/session-cookie-path |
Service | Compatible | / |
Cookie affinity |
nginx.ingress.kubernetes.io/session-cookie-max-age |
Service | Compatible | Session level | Cookie affinity |
nginx.ingress.kubernetes.io/session-cookie-expires |
Service | Compatible | Session level | Cookie affinity |
nginx.ingress.kubernetes.io/whitelist-source-range |
Ingress | Compatible | — | IP access control |
nginx.ingress.kubernetes.io/denylist-source-range |
Ingress | Compatible (V1.2.31+) | — | IP access control |
higress.ingress.kubernetes.io/blacklist-source-range |
Ingress | Higress extension | — | IP access control |
higress.ingress.kubernetes.io/domain-whitelist-source-range |
Ingress | Higress extension | — | IP access control |
higress.ingress.kubernetes.io/domain-blacklist-source-range |
Ingress | Higress extension | — | IP access control |
higress.ingress.kubernetes.io/connection-policy-tcp-max-connection |
Service | Higress extension | — | Connection pool |
higress.ingress.kubernetes.io/connection-policy-tcp-max-connection-per-endpoint |
Service | Higress extension | — | Connection pool |
higress.ingress.kubernetes.io/connection-policy-http-max-request-per-connection |
Service | Higress extension | — | Connection pool |
higress.ingress.kubernetes.io/tls-min-protocol-version |
Domain name | Higress extension | TLSv1.0 |
Client-to-gateway TLS |
higress.ingress.kubernetes.io/tls-max-protocol-version |
Domain name | Higress extension | TLSv1.3 |
Client-to-gateway TLS |
nginx.ingress.kubernetes.io/ssl-cipher |
Domain name | Compatible | See description | Client-to-gateway TLS |
higress.ingress.kubernetes.io/auth-tls-secret |
Domain name | Partially compatible | — | Client-to-gateway TLS |
nginx.ingress.kubernetes.io/proxy-ssl-secret |
Service | Compatible | — | Gateway-to-backend TLS |
nginx.ingress.kubernetes.io/proxy-ssl-name |
Service | Compatible | — | Gateway-to-backend TLS |
nginx.ingress.kubernetes.io/proxy-ssl-server-name |
Service | Compatible | — | Gateway-to-backend TLS |
nginx.ingress.kubernetes.io/auth-type |
Ingress | Partially compatible | — | Basic authentication |
nginx.ingress.kubernetes.io/auth-secret |
Ingress | Compatible | — | Basic authentication |
nginx.ingress.kubernetes.io/auth-secret-type |
Ingress | Compatible | — | Basic authentication |
nginx.ingress.kubernetes.io/auth-realm |
Ingress | Compatible | — | Basic authentication |
Scope
Each annotation applies to one of the following scopes:
-
Ingress — Applies to the routing rules defined on the Ingress resource where you set the annotation.
-
Domain name — Applies to the hosts defined by the Ingress resource. Also takes effect on other Ingress resources that use the same hosts.
-
Service — Applies to the services defined by the Ingress resource. Also takes effect on other Ingress resources that use the same services.
Annotation prefixes
For annotations that have equivalent functionality in both NGINX Ingress and APIG Ingress, the two prefixes are interchangeable:
-
nginx.ingress.kubernetes.io/xxx -
higress.ingress.kubernetes.io/xxx
For annotations that are exclusive to APIG Ingress (marked as Higress extension in the tables below), the higress prefix cannot be replaced with the nginx prefix.
Compatibility notes
When migrating from NGINX Ingress, note the following behavioral differences:
-
NGINX variables: Variables configured in NGINX Ingress annotations and code snippets are not compatible with APIG Ingress (Higress). Review any annotations that rely on NGINX variables before migrating.
-
Request body size: NGINX Ingress uses
nginx.ingress.kubernetes.io/proxy-body-sizeto set a hard limit on client request body size, returning an error when the limit is exceeded. APIG Ingress uses block-based streaming and does not require a preset body size limit. For ultra-large file transfers, adjust theDownstreamConnectionBufferLimitsparameter in the gateway instance configuration.
Traffic governance annotations
Canary release
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/canary |
Ingress | Compatible | Enables or disables canary release for a route. |
nginx.ingress.kubernetes.io/canary-by-header |
Ingress | Compatible | Request header key used for traffic splitting. |
nginx.ingress.kubernetes.io/canary-by-header-value |
Ingress | Compatible | Request header value for traffic splitting. Supports exact match. |
nginx.ingress.kubernetes.io/canary-by-header-pattern |
Ingress | Compatible | Request header value for traffic splitting. Supports regex match. |
higress.ingress.kubernetes.io/canary-by-query |
Ingress | Higress extension | URL query parameter key used for traffic splitting. |
higress.ingress.kubernetes.io/canary-by-query-value |
Ingress | Higress extension | URL query parameter value for traffic splitting. Supports exact match. |
higress.ingress.kubernetes.io/canary-by-query-pattern |
Ingress | Higress extension | URL query parameter value for traffic splitting. Supports regex match. |
nginx.ingress.kubernetes.io/canary-by-cookie |
Ingress | Compatible | Cookie key used for traffic splitting. |
higress.ingress.kubernetes.io/canary-by-cookie-value |
Ingress | Higress extension (V1.2.30+) | Cookie value for traffic splitting. Supports exact match. |
nginx.ingress.kubernetes.io/canary-weight |
Ingress | Compatible | Service weight used for traffic splitting. |
nginx.ingress.kubernetes.io/canary-weight-total |
Ingress | Compatible | Total weight for traffic splitting. |
Multi-service routing
| Annotation | Scope | Status | Description |
|---|---|---|---|
higress.ingress.kubernetes.io/destination |
Ingress | Higress extension | Distributes traffic across multiple services by weight. Syntax: {weight}% {serviceName}.{serviceNamespace}.svc.cluster.local:{port} |
Setting this annotation changes the destination for all routing rules on the Ingress. If the syntax is invalid, the annotation is ignored and routing is unchanged.
Example:
annotations:
# 60% of traffic goes to foo, 40% to bar
higress.ingress.kubernetes.io/destination: |
60% foo.default.svc.cluster.local:8080
40% bar.default.svc.cluster.local:9090Service subsets
Service subsets are useful when a single service manages multiple Deployments and you need to route requests to a specific subset of Pods.
| Annotation | Scope | Status | Description |
|---|---|---|---|
higress.ingress.kubernetes.io/service-subset |
Ingress | Higress extension (V1.2.25+) | Identifies the Pod subset to route requests to. |
higress.ingress.kubernetes.io/subset-labels |
Ingress | Higress extension (V1.2.25+) | (Optional) Label selector used with service-subset to classify Pods into subsets. |
Routing behavior for `service-subset`:
-
If
subset-labelsis not set:-
Set to
""orbase— routes to Pods labeledopensergo.io/canary: ""or Pods without anyopensergo.io/canarylabel key. -
Set to any other value (for example,
gray) — routes to Pods labeledopensergo.io/canary-gray: gray.
-
-
If
subset-labelsis set — routes only to Pods whose labels match the key-value pairs defined insubset-labels.
If no Pods match the specified label, requests are automatically forwarded to all Pods in the service.
Example:
annotations:
# Route to the "gray" subset of Pods
higress.ingress.kubernetes.io/service-subset: "gray"Fallback
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/default-backend |
Ingress | Compatible | Fallback service to use when no healthy nodes are available for the primary service. |
nginx.ingress.kubernetes.io/custom-http-errors |
Ingress | Compatible | When the backend returns one of the specified HTTP status codes, the request is forwarded to the fallback service. |
Important
When a request is forwarded to the fallback service, the request path is rewritten to /. This matches the behavior of NGINX Ingress.
Regular expression match
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/use-regex |
Ingress | Compatible | Enables regex path matching on the Ingress using RE2 syntax. |
Rewrite
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/rewrite-target |
Ingress | Compatible | Destination path for URL rewrite. Capture groups are supported. |
nginx.ingress.kubernetes.io/upstream-vhost |
Ingress | Compatible | Rewrites the Host header in requests forwarded to a backend service. |
Redirection
Using NGINX variables for redirection is not documented in NGINX Ingress and may pose compatibility risks. We recommend that you do not use NGINX variables for redirection.
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/ssl-redirect |
Ingress | Compatible | Redirects HTTP to HTTPS. |
nginx.ingress.kubernetes.io/force-ssl-redirect |
Ingress | Compatible | Forcefully redirects HTTP to HTTPS. |
nginx.ingress.kubernetes.io/permanent-redirect |
Ingress | Compatible | Sends a permanent redirect to the specified URL. |
nginx.ingress.kubernetes.io/permanent-redirect-code |
Ingress | Compatible | HTTP status code used for permanent redirects. |
nginx.ingress.kubernetes.io/temporal-redirect |
Ingress | Compatible | Sends a temporary redirect to the specified URL. |
nginx.ingress.kubernetes.io/app-root |
Ingress | Compatible | Redirects requests from / to the specified application root path. |
CORS
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/enable-cors |
Ingress | Compatible | Enables cross-origin resource sharing (CORS). |
nginx.ingress.kubernetes.io/cors-allow-origin |
Ingress | Compatible | Allowed origins for CORS requests. |
nginx.ingress.kubernetes.io/cors-allow-methods |
Ingress | Compatible | Allowed HTTP methods for CORS. Includes GET, POST, and PUT. |
nginx.ingress.kubernetes.io/cors-allow-headers |
Ingress | Compatible | Allowed request headers for CORS. |
nginx.ingress.kubernetes.io/cors-expose-headers |
Ingress | Compatible | Response headers exposed to browsers. |
nginx.ingress.kubernetes.io/cors-allow-credentials |
Ingress | Compatible | Whether credentials can be included in CORS requests. |
nginx.ingress.kubernetes.io/cors-max-age |
Ingress | Compatible | How long (in seconds) preflight results are cached. |
Header control
Header control annotations on base routes and canary routes are independent and validated separately. Configure different header policies for base and canary traffic using these annotations.
| Annotation | Scope | Status | Description |
|---|---|---|---|
higress.ingress.kubernetes.io/request-header-control-add |
Ingress | Higress extension | Adds a header to forwarded requests. If the header already exists, the new value is appended to the original. |
higress.ingress.kubernetes.io/request-header-control-update |
Ingress | Higress extension | Modifies a header in forwarded requests. If the header already exists, the new value overwrites the original. |
higress.ingress.kubernetes.io/request-header-control-remove |
Ingress | Higress extension | Removes a header from forwarded requests. |
higress.ingress.kubernetes.io/response-header-control-add |
Ingress | Higress extension | Adds a header to responses before they are returned to the client. If the header already exists, the new value is appended. |
higress.ingress.kubernetes.io/response-header-control-update |
Ingress | Higress extension | Modifies a header in responses before they are returned to the client. Overwrites the existing value. |
higress.ingress.kubernetes.io/response-header-control-remove |
Ingress | Higress extension | Removes a header from responses before they are returned to the client. |
Syntax:
-
Single header (add/update): Use a key-value pair. Example:
X-Custom-Header: value -
Multiple headers (add/update): Use a YAML block scalar (
|). Each key-value pair on a separate line. -
Single header (remove): Use the header key only.
-
Multiple headers (remove): Comma-separated header keys.
Example — add a request header:
annotations:
higress.ingress.kubernetes.io/request-header-control-add: "X-Request-Id: abc123"Example — add multiple response headers:
annotations:
higress.ingress.kubernetes.io/response-header-control-add: |
X-Custom-Header: value1
X-Another-Header: value2Example — remove multiple request headers:
annotations:
higress.ingress.kubernetes.io/request-header-control-remove: "X-Forwarded-For,X-Real-IP"Timeout
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/timeout |
Ingress | Higress extension | None | Request timeout in seconds. |
This timeout applies at the application layer (HTTP), not at the TCP transport layer.
Retry
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
nginx.ingress.kubernetes.io/proxy-next-upstream-tries |
Ingress | Compatible | 3 |
Maximum number of retry attempts. |
nginx.ingress.kubernetes.io/proxy-next-upstream-timeout |
Ingress | Compatible | None | Timeout for retry attempts, in seconds. |
nginx.ingress.kubernetes.io/proxy-next-upstream |
Ingress | Compatible | — | Retry conditions. See the NGINX retry mechanism for valid values. |
Traffic mirroring
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/mirror-target-service |
Ingress | Higress extension | — | Service to which mirrored traffic is forwarded. Format: namespace/name:port. namespace defaults to the Ingress gateway namespace; port defaults to the first port. name is required. |
higress.ingress.kubernetes.io/mirror-percentage |
Ingress | Higress extension (V1.2.32+) | 100 |
Percentage of traffic to mirror. Valid values: 0–100. |
Example:
annotations:
# Mirror 20% of traffic to the shadow service
higress.ingress.kubernetes.io/mirror-target-service: "default/shadow-service:8080"
higress.ingress.kubernetes.io/mirror-percentage: "20"Domain alias
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/server-alias |
Domain name | Partially compatible (V1.2.30+) | Alias domain that shares the TLS, routing, and traffic governance configuration of the primary domain. Supports exact-match and wildcard domains only. |
Rate limiting (deprecated)
These annotations are deprecated. Use global throttling control instead.
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/route-limit-rpm |
Ingress | Higress extension | — | Maximum requests per minute (RPM) per gateway. Burst limit = value × route-limit-burst-multiplier. When triggered, the response body is local_rate_limited. Returns 503 before V1.2.23, 429 on V1.2.23+. |
higress.ingress.kubernetes.io/route-limit-rps |
Ingress | Higress extension | — | Maximum requests per second (RPS) per gateway. Same burst and response behavior as route-limit-rpm. |
higress.ingress.kubernetes.io/route-limit-burst-multiplier |
Ingress | Higress extension | 5 |
Burst limit multiplier. |
Global throttling control (recommended)
All annotations in this section require gateway version V1.2.25 or later.
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/rate-limit |
Ingress | Higress extension | — | Maximum RPS for the route. Used for global rate limiting. |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-code |
Ingress | Higress extension | 429 |
HTTP response code when rate limiting is triggered. |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body-type |
Ingress | Higress extension | text |
Response body content type when rate limiting is triggered. Set to json to return application/json; charset=UTF-8. |
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body |
Ingress | Higress extension | sentinel rate limited |
Response body when rate limiting is triggered. |
higress.ingress.kubernetes.io/rate-limit-fallback-redirect-url |
Ingress | Higress extension | — | Redirect URL when rate limiting is triggered. |
rate-limit-fallback-custom-response-codeandrate-limit-fallback-redirect-urlare mutually exclusive. Set only one.
Example — return a custom JSON response when rate limiting is triggered:
annotations:
higress.ingress.kubernetes.io/rate-limit: "100"
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-code: "429"
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body-type: "json"
higress.ingress.kubernetes.io/rate-limit-fallback-custom-response-body: '{"error":"rate limit exceeded"}'Global concurrency control
All annotations in this section require gateway version V1.2.25 or later.
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/concurrency-limit |
Ingress | Higress extension | — | Maximum number of concurrent requests on the route. |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-code |
Ingress | Higress extension | 429 |
HTTP response code when concurrency control is triggered. |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-body-type |
Ingress | Higress extension | text |
Response body content type when concurrency control is triggered. Set to json to return application/json; charset=UTF-8. |
higress.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-body |
Ingress | Higress extension | sentinel rate limited |
Response body when concurrency control is triggered. |
higress.ingress.kubernetes.io/concurrency-limit-fallback-redirect-url |
Ingress | Higress extension | — | Redirect URL when concurrency control is triggered. |
concurrency-limit-fallback-custom-response-codeandconcurrency-limit-fallback-redirect-urlare mutually exclusive. Set only one.
Backend protocol
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
nginx.ingress.kubernetes.io/backend-protocol |
Service | Partially compatible | HTTP |
Protocol used by the backend service. AJP and FCGI are not supported. Valid values: HTTP, HTTP2, HTTPS, gRPC, gRPCS. |
Load balancing
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
nginx.ingress.kubernetes.io/load-balance |
Service | Partially compatible | round_robin |
Load balancing algorithm. Exponentially Weighted Moving Average (EWMA) is not supported; falls back to round_robin. Valid values: round_robin, least_conn, random. |
nginx.ingress.kubernetes.io/upstream-hash-by |
Service | Partially compatible | — | Consistent hashing algorithm. Combining NGINX variables with constants is not supported. Supports hashing by NGINX variable ($request_uri, $host, $remote_addr), request header ($http_headerName), or query parameter ($arg_varName). |
Warmup (graceful start)
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/warmup |
Service | Higress extension | Disabled | Duration of the warmup period in seconds. |
Important
Warmup requires a round_robin or least_conn load balancing algorithm. It is not supported with other algorithms.
Cookie affinity
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
nginx.ingress.kubernetes.io/affinity |
Service | Compatible | cookie |
Affinity type. Default and only valid value: cookie. |
nginx.ingress.kubernetes.io/affinity-mode |
Service | Partially compatible | balanced |
Affinity mode. persistent mode is not supported. Default and only valid value: balanced. |
nginx.ingress.kubernetes.io/session-cookie-name |
Service | Compatible | — | Name of the cookie used as the hash key. |
nginx.ingress.kubernetes.io/session-cookie-path |
Service | Compatible | / |
Path of the cookie generated when the specified cookie does not exist. |
nginx.ingress.kubernetes.io/session-cookie-max-age |
Service | Compatible | Session level | Expiration time of the generated cookie, in seconds. |
nginx.ingress.kubernetes.io/session-cookie-expires |
Service | Compatible | Session level | Expiration time of the generated cookie, in seconds. |
IP address access control
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/whitelist-source-range |
Ingress | Compatible | Allowlist of IP addresses and CIDR blocks for the route. Comma-separated. |
nginx.ingress.kubernetes.io/denylist-source-range |
Ingress | Compatible (V1.2.31+) | Denylist of IP addresses and CIDR blocks for the route. Comma-separated. Takes precedence over higress.ingress.kubernetes.io/blacklist-source-range. |
higress.ingress.kubernetes.io/blacklist-source-range |
Ingress | Higress extension | Denylist of IP addresses and CIDR blocks for the route. Comma-separated. |
higress.ingress.kubernetes.io/domain-whitelist-source-range |
Ingress | Higress extension | Allowlist of IP addresses and CIDR blocks for the domain. Route-level allowlists take precedence over domain-level allowlists. Comma-separated. |
higress.ingress.kubernetes.io/domain-blacklist-source-range |
Ingress | Higress extension | Denylist of IP addresses and CIDR blocks for the domain. Route-level denylists take precedence over domain-level denylists. Comma-separated. |
Connection pool (gateway to backend)
| Annotation | Scope | Status | Description |
|---|---|---|---|
higress.ingress.kubernetes.io/connection-policy-tcp-max-connection |
Service | Higress extension | Maximum total TCP connections between the gateway and the backend service. |
higress.ingress.kubernetes.io/connection-policy-tcp-max-connection-per-endpoint |
Service | Higress extension | Maximum TCP connections between the gateway and a single backend endpoint. |
higress.ingress.kubernetes.io/connection-policy-http-max-request-per-connection |
Service | Higress extension | Maximum HTTP requests per connection between the gateway and the backend service. |
Security annotations
Client-to-gateway TLS
| Annotation | Scope | Status | Default | Description |
|---|---|---|---|---|
higress.ingress.kubernetes.io/tls-min-protocol-version |
Domain name | Higress extension | TLSv1.0 |
Minimum TLS version. Valid values: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3. |
higress.ingress.kubernetes.io/tls-max-protocol-version |
Domain name | Higress extension | TLSv1.3 |
Maximum TLS version. Valid values: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3. |
nginx.ingress.kubernetes.io/ssl-cipher |
Domain name | Compatible | See below | TLS cipher suites, comma-separated. Applies to TLS v1.0–v1.2 only (not v1.3). |
higress.ingress.kubernetes.io/auth-tls-secret |
Domain name | Partially compatible | — | CA certificate the gateway uses to verify the client certificate during mutual TLS (mTLS) handshake. The secret name must follow the format {domain-certificate-secret-name}-cacert. |
Default cipher suites for ssl-cipher: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA.
Gateway-to-backend TLS
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/proxy-ssl-secret |
Service | Compatible | Client certificate used by the gateway for backend authentication. |
nginx.ingress.kubernetes.io/proxy-ssl-name |
Service | Compatible | Server Name Indication (SNI) sent during the TLS handshake with the backend. |
nginx.ingress.kubernetes.io/proxy-ssl-server-name |
Service | Compatible | Enables or disables SNI during the TLS handshake with the backend. |
Basic authentication
| Annotation | Scope | Status | Description |
|---|---|---|---|
nginx.ingress.kubernetes.io/auth-type |
Ingress | Partially compatible | Authentication type. Only basic is supported. |
nginx.ingress.kubernetes.io/auth-secret |
Ingress | Compatible | Secret containing the credentials for the route. Format: <namespace>/<name>. |
nginx.ingress.kubernetes.io/auth-secret-type |
Ingress | Compatible | Format of the secret data. auth-file: key is auth, value is username:password (one entry per line). auth-map: key is username, value is password. |
nginx.ingress.kubernetes.io/auth-realm |
Ingress | Compatible | Authentication realm. Credentials are shared within a realm. |
For more information about NGINX Ingress annotations, see Annotations.