All Products
Search

This Product

    Container Service for Kubernetes:Annotations supported by MSE Ingress gateways

    Document Center

    Container Service for Kubernetes:Annotations supported by MSE Ingress gateways

    Last Updated:Mar 26, 2026

    MSE Ingress gateways support the core and common annotations of NGINX Ingress gateways, making migration straightforward. They also provide 40 additional annotations for advanced traffic management.

    Standard Kubernetes Ingress resources handle only Transport Layer Security (TLS) encryption and basic Layer-7 HTTP routing. NGINX Ingress controllers alone define more than 100 custom annotations to address real-world traffic management and security requirements. MSE Ingress gateways are compatible with the most common NGINX Ingress annotations so existing workloads migrate without rewriting Ingress configurations.

    Overview

    The following table summarizes annotation coverage at a glance.

    NGINX Ingress annotation coverage

    CategoryCountNotes
    Supported51Covers 90% of use cases
    No configuration required15Functionality is available without explicit configuration
    Planned48Applies to a small number of use cases
    Not supported5Tied to NGINX-specific code snippets
    MSE implements features differently from NGINX. NGINX variables used in NGINX Ingress annotations and code snippets are not compatible with their NGINX counterparts.

    Large request bodies: The nginx.ingress.kubernetes.io/proxy-body-size annotation sets a maximum request body size in NGINX, rejecting anything larger. MSE uses chunked transfer encoding instead, which handles large bodies automatically without a size limit. To set upstream connection buffer limits, configure the DownstreamConnectionBufferLimits parameter in the Parameter Settings pane of your MSE gateway.

    Redirects and NGINX variables: NGINX variables (such as $host or $request_uri) in redirect annotations may work in some NGINX Ingress versions but are not officially documented. Avoid using NGINX variables for redirects in NGINX Ingress — they are not compatible with MSE.

    MSE-exclusive annotations

    CategoryCountNotes
    Extended annotations40Adds traffic governance and security protection capabilities beyond NGINX Ingress

    Annotation scope

    Each annotation applies at one of three scopes:

    • Ingress — applies to the routing rules defined on the Ingress resource.

    • Domain — applies to the hostnames defined on the Ingress resource and also takes effect on the same hostnames of other Ingress resources.

    • Service — applies to the backend services referenced by the Ingress resource and also takes effect on the same services referenced by other Ingress resources.

    Annotation prefixes

    MSE-compatible annotations accept either the nginx or mse prefix. For example, nginx.ingress.kubernetes.io/ssl-redirect and mse.ingress.kubernetes.io/ssl-redirect are equivalent.

    MSE-exclusive annotations use only the mse prefix. Replacing mse with nginx for these annotations has no effect.

    Quick-reference index

    The following table lists all supported annotations with their compatibility status and category. Use this table to quickly check whether a specific annotation is supported before reading the full details below.

    AnnotationStatusCategory
    nginx.ingress.kubernetes.io/canaryCompatibleCanary release
    nginx.ingress.kubernetes.io/canary-by-headerCompatibleCanary release
    nginx.ingress.kubernetes.io/canary-by-header-valueCompatibleCanary release
    nginx.ingress.kubernetes.io/canary-by-header-patternCompatibleCanary release
    mse.ingress.kubernetes.io/canary-by-queryMSE-exclusiveCanary release
    mse.ingress.kubernetes.io/canary-by-query-valueMSE-exclusiveCanary release
    mse.ingress.kubernetes.io/canary-by-query-patternMSE-exclusiveCanary release
    nginx.ingress.kubernetes.io/canary-by-cookieCompatibleCanary release
    mse.ingress.kubernetes.io/canary-by-cookie-valueMSE-exclusive (V1.2.30+)Canary release
    nginx.ingress.kubernetes.io/canary-weightCompatibleCanary release
    nginx.ingress.kubernetes.io/canary-weight-totalCompatibleCanary release
    mse.ingress.kubernetes.io/destinationMSE-exclusiveMulti-service routing
    mse.ingress.kubernetes.io/service-subsetMSE-exclusive (V1.2.25+)Service subset
    mse.ingress.kubernetes.io/subset-labelsMSE-exclusive (V1.2.25+)Service subset
    nginx.ingress.kubernetes.io/default-backendCompatibleFallback service
    nginx.ingress.kubernetes.io/custom-http-errorsCompatibleFallback service
    nginx.ingress.kubernetes.io/use-regexCompatibleRegex path matching
    nginx.ingress.kubernetes.io/rewrite-targetCompatiblePath rewrite
    nginx.ingress.kubernetes.io/upstream-vhostCompatiblePath rewrite
    nginx.ingress.kubernetes.io/ssl-redirectCompatibleRedirect
    nginx.ingress.kubernetes.io/force-ssl-redirectCompatibleRedirect
    nginx.ingress.kubernetes.io/permanent-redirectCompatibleRedirect
    nginx.ingress.kubernetes.io/permanent-redirect-codeCompatibleRedirect
    nginx.ingress.kubernetes.io/temporal-redirectCompatibleRedirect
    nginx.ingress.kubernetes.io/app-rootCompatibleRedirect
    nginx.ingress.kubernetes.io/enable-corsCompatibleCORS
    nginx.ingress.kubernetes.io/cors-allow-originCompatibleCORS
    nginx.ingress.kubernetes.io/cors-allow-methodsCompatibleCORS
    nginx.ingress.kubernetes.io/cors-allow-headersCompatibleCORS
    nginx.ingress.kubernetes.io/cors-expose-headersCompatibleCORS
    nginx.ingress.kubernetes.io/cors-allow-credentialsCompatibleCORS
    nginx.ingress.kubernetes.io/cors-max-ageCompatibleCORS
    mse.ingress.kubernetes.io/request-header-control-addMSE-exclusiveHeader control
    mse.ingress.kubernetes.io/request-header-control-updateMSE-exclusiveHeader control
    mse.ingress.kubernetes.io/request-header-control-removeMSE-exclusiveHeader control
    mse.ingress.kubernetes.io/response-header-control-addMSE-exclusiveHeader control
    mse.ingress.kubernetes.io/response-header-control-updateMSE-exclusiveHeader control
    mse.ingress.kubernetes.io/response-header-control-removeMSE-exclusiveHeader control
    mse.ingress.kubernetes.io/timeoutMSE-exclusiveTimeout
    nginx.ingress.kubernetes.io/proxy-next-upstream-triesCompatibleRetry
    nginx.ingress.kubernetes.io/proxy-next-upstream-timeoutCompatibleRetry
    nginx.ingress.kubernetes.io/proxy-next-upstreamCompatibleRetry
    mse.ingress.kubernetes.io/mirror-target-serviceMSE-exclusiveTraffic mirroring
    mse.ingress.kubernetes.io/mirror-percentageMSE-exclusive (V1.2.32+)Traffic mirroring
    nginx.ingress.kubernetes.io/server-aliasPartially compatible (V1.2.30+)Domain alias
    mse.ingress.kubernetes.io/route-limit-rpmMSE-exclusiveRate limiting (single-gateway, to be deprecated)
    mse.ingress.kubernetes.io/route-limit-rpsMSE-exclusiveRate limiting (single-gateway, to be deprecated)
    mse.ingress.kubernetes.io/route-limit-burst-multiplierMSE-exclusiveRate limiting (single-gateway, to be deprecated)
    mse.ingress.kubernetes.io/rate-limitMSE-exclusive (V1.2.25+)Rate limiting (global)
    mse.ingress.kubernetes.io/rate-limit-fallback-custom-response-codeMSE-exclusive (V1.2.25+)Rate limiting (global)
    mse.ingress.kubernetes.io/rate-limit-fallback-custom-response-body-typeMSE-exclusive (V1.2.25+)Rate limiting (global)
    mse.ingress.kubernetes.io/rate-limit-fallback-custom-response-bodyMSE-exclusive (V1.2.25+)Rate limiting (global)
    mse.ingress.kubernetes.io/rate-limit-fallback-redirect-urlMSE-exclusive (V1.2.25+)Rate limiting (global)
    mse.ingress.kubernetes.io/concurrency-limitMSE-exclusive (V1.2.25+)Concurrency control
    mse.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-codeMSE-exclusive (V1.2.25+)Concurrency control
    mse.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-body-typeMSE-exclusive (V1.2.25+)Concurrency control
    mse.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-bodyMSE-exclusive (V1.2.25+)Concurrency control
    mse.ingress.kubernetes.io/concurrency-limit-fallback-redirect-urlMSE-exclusive (V1.2.25+)Concurrency control
    nginx.ingress.kubernetes.io/backend-protocolPartially compatibleBackend protocol
    nginx.ingress.kubernetes.io/load-balancePartially compatibleLoad balancing
    nginx.ingress.kubernetes.io/upstream-hash-byPartially compatibleLoad balancing
    mse.ingress.kubernetes.io/warmupMSE-exclusiveService warm-up
    nginx.ingress.kubernetes.io/affinityCompatibleCookie affinity
    nginx.ingress.kubernetes.io/affinity-modePartially compatibleCookie affinity
    nginx.ingress.kubernetes.io/session-cookie-nameCompatibleCookie affinity
    nginx.ingress.kubernetes.io/session-cookie-pathCompatibleCookie affinity
    nginx.ingress.kubernetes.io/session-cookie-max-ageCompatibleCookie affinity
    nginx.ingress.kubernetes.io/session-cookie-expiresCompatibleCookie affinity
    nginx.ingress.kubernetes.io/whitelist-source-rangeCompatibleIP access control
    nginx.ingress.kubernetes.io/denylist-source-rangeCompatible (V1.2.31+)IP access control
    mse.ingress.kubernetes.io/blacklist-source-rangeMSE-exclusiveIP access control
    mse.ingress.kubernetes.io/domain-whitelist-source-rangeMSE-exclusiveIP access control
    mse.ingress.kubernetes.io/domain-blacklist-source-rangeMSE-exclusiveIP access control
    mse.ingress.kubernetes.io/connection-policy-tcp-max-connectionMSE-exclusiveConnection pool
    mse.ingress.kubernetes.io/connection-policy-tcp-max-connection-per-endpointMSE-exclusiveConnection pool
    mse.ingress.kubernetes.io/connection-policy-http-max-request-per-connectionMSE-exclusiveConnection pool
    mse.ingress.kubernetes.io/tls-min-protocol-versionMSE-exclusiveTLS (client-to-gateway)
    mse.ingress.kubernetes.io/tls-max-protocol-versionMSE-exclusiveTLS (client-to-gateway)
    nginx.ingress.kubernetes.io/ssl-cipherCompatibleTLS (client-to-gateway)
    mse.ingress.kubernetes.io/auth-tls-secretPartially compatibleTLS (client-to-gateway)
    nginx.ingress.kubernetes.io/proxy-ssl-secretCompatibleTLS (gateway-to-backend)
    nginx.ingress.kubernetes.io/proxy-ssl-nameCompatibleTLS (gateway-to-backend)
    nginx.ingress.kubernetes.io/proxy-ssl-server-nameCompatibleTLS (gateway-to-backend)
    nginx.ingress.kubernetes.io/auth-typePartially compatibleAuthentication
    nginx.ingress.kubernetes.io/auth-secretCompatibleAuthentication
    nginx.ingress.kubernetes.io/auth-secret-typeCompatibleAuthentication
    nginx.ingress.kubernetes.io/auth-realmCompatibleAuthentication

    Supported annotations

    Traffic governance

    Canary release

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/canaryIngressCompatibleEnables canary release for the Ingress.
    nginx.ingress.kubernetes.io/canary-by-headerIngressCompatibleSplits traffic by request header key.
    nginx.ingress.kubernetes.io/canary-by-header-valueIngressCompatibleSplits traffic by request header value. Supports exact matching.
    nginx.ingress.kubernetes.io/canary-by-header-patternIngressCompatibleSplits traffic by request header value. Supports regular expression matching.
    mse.ingress.kubernetes.io/canary-by-queryIngressMSE-exclusiveSplits traffic by URL query parameter key.
    mse.ingress.kubernetes.io/canary-by-query-valueIngressMSE-exclusiveSplits traffic by URL query parameter value. Supports exact matching.
    mse.ingress.kubernetes.io/canary-by-query-patternIngressMSE-exclusiveSplits traffic by URL query parameter value. Supports regular expression matching.
    nginx.ingress.kubernetes.io/canary-by-cookieIngressCompatibleSplits traffic by cookie key.
    mse.ingress.kubernetes.io/canary-by-cookie-valueIngressMSE-exclusive (requires gateway V1.2.30 or later)Splits traffic by cookie value. Supports exact matching.
    nginx.ingress.kubernetes.io/canary-weightIngressCompatibleSets the traffic weight for the canary service.
    nginx.ingress.kubernetes.io/canary-weight-totalIngressCompatibleSets the total weight used for traffic splitting calculations.

    Multi-service routing

    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/destinationIngressMSE-exclusiveDistributes traffic across multiple services by weight.

    Syntax: {weight}% {serviceName}.{serviceNamespace}.svc.cluster.local:{port}

    Configuring this annotation overrides the destination services for all routing rules on the Ingress. If the syntax is invalid, the annotation is ignored and the original routing rules remain in effect.

    Example:

    annotations:
  # Route 60% of traffic to foo and 40% to bar
  mse.ingress.kubernetes.io/destination: |
    60% foo.default.svc.cluster.local:8080
    40% bar.default.svc.cluster.local:9090

    Service subset

    Use service subsets when a single Kubernetes Service manages multiple deployments — for example, a stable version and a canary version. A subset directs requests to a specific group of pods.

    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/service-subsetIngressMSE-exclusive (requires gateway V1.2.25 or later)Routes requests to a pod subset of the target service. When mse.ingress.kubernetes.io/subset-labels is not set, the routing behavior depends on this annotation's value: set it to "" or base to target pods with opensergo.io/canary: "" or pods without the opensergo.io/canary label prefix; set it to any other value (for example, gray) to target pods with the label opensergo.io/canary-gray: gray. When mse.ingress.kubernetes.io/subset-labels is set, requests are forwarded only to pods whose labels match the key-value pairs defined there. If no pods match the label, requests fall back to all pods of the service.
    mse.ingress.kubernetes.io/subset-labelsIngressMSE-exclusive (requires gateway V1.2.25 or later)Optional. Use with mse.ingress.kubernetes.io/service-subset to specify the labels that define the pod subset.

    Fallback service

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/default-backendIngressCompatibleSpecifies a fallback service. If no nodes are available for the service defined in an Ingress rule, requests are forwarded to this service.
    nginx.ingress.kubernetes.io/custom-http-errorsIngressCompatibleWorks with nginx.ingress.kubernetes.io/default-backend. When a backend returns one of the specified HTTP status codes, the request is forwarded to the fallback service with the path rewritten to /.

    Regex path matching

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/use-regexIngressCompatibleEnables regular expression matching for the path defined in the Ingress rule. Uses RE2 syntax.

    Path rewrite

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/rewrite-targetIngressCompatibleRewrites the request path before forwarding to the backend. Supports capture groups.
    nginx.ingress.kubernetes.io/upstream-vhostIngressCompatibleRewrites the Host header to the specified value when forwarding requests to the backend.

    Redirect

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/ssl-redirectIngressCompatibleRedirects HTTP requests to HTTPS.
    nginx.ingress.kubernetes.io/force-ssl-redirectIngressCompatibleForcibly redirects HTTP requests to HTTPS.
    nginx.ingress.kubernetes.io/permanent-redirectIngressCompatibleRedirects requests to the specified URL with a permanent redirect.
    nginx.ingress.kubernetes.io/permanent-redirect-codeIngressCompatibleSets the HTTP status code for permanent redirects.
    nginx.ingress.kubernetes.io/temporal-redirectIngressCompatibleRedirects requests to the specified URL with a temporary redirect.
    nginx.ingress.kubernetes.io/app-rootIngressCompatibleRedirects requests from / to the specified application root path.

    Cross-origin resource sharing (CORS)

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/enable-corsIngressCompatibleEnables cross-origin resource sharing (CORS).
    nginx.ingress.kubernetes.io/cors-allow-originIngressCompatibleSets the allowed origins for CORS requests.
    nginx.ingress.kubernetes.io/cors-allow-methodsIngressCompatibleSets the allowed HTTP methods for CORS requests, such as GET, POST, and PUT.
    nginx.ingress.kubernetes.io/cors-allow-headersIngressCompatibleSets the allowed request headers for CORS requests.
    nginx.ingress.kubernetes.io/cors-expose-headersIngressCompatibleSets the response headers exposed to browsers in CORS responses.
    nginx.ingress.kubernetes.io/cors-allow-credentialsIngressCompatibleSpecifies whether credentials can be included in CORS requests.
    nginx.ingress.kubernetes.io/cors-max-ageIngressCompatibleSets the duration for which preflight request results are cached.

    Header control

    Header control annotations on base routes and canary routes are independent and validated separately. Configure different header policies for base-route traffic and canary-route traffic as needed.
    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/request-header-control-addIngressMSE-exclusiveAdds a header to requests before forwarding to the backend. If the header already exists, the new value is appended to the original. For a single header, use a key-value pair. For multiple headers, use a YAML literal block (|) with one key-value pair per line.
    mse.ingress.kubernetes.io/request-header-control-updateIngressMSE-exclusiveModifies a header in requests before forwarding to the backend. If the header exists, the new value overwrites the original. Same syntax as request-header-control-add.
    mse.ingress.kubernetes.io/request-header-control-removeIngressMSE-exclusiveRemoves headers from requests before forwarding to the backend. For a single header, specify the key. For multiple headers, separate keys with commas.
    mse.ingress.kubernetes.io/response-header-control-addIngressMSE-exclusiveAdds a header to responses before forwarding to the client. If the header already exists, the new value is appended to the original. Same syntax as request-header-control-add.
    mse.ingress.kubernetes.io/response-header-control-updateIngressMSE-exclusiveModifies a header in responses before forwarding to the client. If the header exists, the new value overwrites the original. Same syntax as request-header-control-add.
    mse.ingress.kubernetes.io/response-header-control-removeIngressMSE-exclusiveRemoves headers from responses before forwarding to the client. For a single header, specify the key. For multiple headers, separate keys with commas.

    Timeout

    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/timeoutIngressMSE-exclusiveSets the request timeout in seconds. No timeout is applied by default. Applies at the application layer, not at the TCP transport layer.

    Retry

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/proxy-next-upstream-triesIngressCompatibleSets the maximum number of retry attempts. Default: 3.
    nginx.ingress.kubernetes.io/proxy-next-upstream-timeoutIngressCompatibleSets the timeout for retry attempts in seconds. No timeout is applied by default.
    nginx.ingress.kubernetes.io/proxy-next-upstreamIngressCompatibleSets the conditions that trigger a retry. See NGINX retry mechanism for supported values.

    Traffic mirroring

    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/mirror-target-serviceIngressMSE-exclusiveForwards a copy of incoming traffic to the specified service. Format: namespace/name:port. The namespace defaults to the Ingress gateway's namespace. The port defaults to the first port of the service.
    mse.ingress.kubernetes.io/mirror-percentageIngressMSE-exclusive (requires gateway V1.2.32 or later)Sets the percentage of traffic to mirror. Valid values: 0–100. Default: 100.

    Domain alias

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/server-aliasDomainPartially compatible — exact match domains and wildcard domains only (requires gateway V1.2.30 or later)Defines a domain alias for the hostname in the Ingress spec. The alias inherits the TLS, routing, and traffic governance configuration of the source domain.

    Rate limiting (single-gateway, to be deprecated)

    When throttling is triggered, the response body is local_rate_limited. The response status code depends on gateway version: gateways earlier than V1.2.23 return 503; V1.2.23 and later return 429.

    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/route-limit-rpmIngressMSE-exclusiveSets the maximum requests per minute (RPM) on a route. The burst limit equals this value multiplied by mse.ingress.kubernetes.io/route-limit-burst-multiplier.
    mse.ingress.kubernetes.io/route-limit-rpsIngressMSE-exclusiveSets the maximum requests per second (RPS) on a route. The burst limit equals this value multiplied by mse.ingress.kubernetes.io/route-limit-burst-multiplier.
    mse.ingress.kubernetes.io/route-limit-burst-multiplierIngressMSE-exclusiveSets the burst limit multiplier. Default: 5.

    Rate limiting (global, recommended)

    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/rate-limitIngressMSE-exclusive (requires gateway V1.2.25 or later)Sets the maximum RPS for global rate limiting on a route.
    mse.ingress.kubernetes.io/rate-limit-fallback-custom-response-codeIngressMSE-exclusive (requires gateway V1.2.25 or later)Sets the HTTP response code returned when rate limiting is triggered. Default: 429. Mutually exclusive with mse.ingress.kubernetes.io/rate-limit-fallback-redirect-url.
    mse.ingress.kubernetes.io/rate-limit-fallback-custom-response-body-typeIngressMSE-exclusive (requires gateway V1.2.25 or later)Sets the format of the rate-limit response body. Default: text. Setting text returns Content-Type: text/plain; charset=UTF-8. Setting JSON returns Content-Type: application/json; charset=UTF-8.
    mse.ingress.kubernetes.io/rate-limit-fallback-custom-response-bodyIngressMSE-exclusive (requires gateway V1.2.25 or later)Sets the body content of the rate-limit response. Default: sentinel rate limited.
    mse.ingress.kubernetes.io/rate-limit-fallback-redirect-urlIngressMSE-exclusive (requires gateway V1.2.25 or later)Redirects requests to the specified URL when rate limiting is triggered. Mutually exclusive with mse.ingress.kubernetes.io/rate-limit-fallback-custom-response-code.

    Concurrency control (global)

    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/concurrency-limitIngressMSE-exclusive (requires gateway V1.2.25 or later)Sets the maximum number of concurrent requests on a route.
    mse.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-codeIngressMSE-exclusive (requires gateway V1.2.25 or later)Sets the HTTP response code when concurrency control is triggered. Default: 429. Mutually exclusive with mse.ingress.kubernetes.io/concurrency-limit-fallback-redirect-url.
    mse.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-body-typeIngressMSE-exclusive (requires gateway V1.2.25 or later)Sets the format of the concurrency-limit response body. Default: text. Setting text returns Content-Type: text/plain; charset=UTF-8. Setting JSON returns Content-Type: application/json; charset=UTF-8.
    mse.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-bodyIngressMSE-exclusive (requires gateway V1.2.25 or later)Sets the body content of the concurrency-limit response. Default: sentinel rate limited.
    mse.ingress.kubernetes.io/concurrency-limit-fallback-redirect-urlIngressMSE-exclusive (requires gateway V1.2.25 or later)Redirects requests to the specified URL when concurrency control is triggered. Mutually exclusive with mse.ingress.kubernetes.io/concurrency-limit-fallback-custom-response-code.

    Backend protocol

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/backend-protocolServicePartially compatible — AJP and FCGI are not supportedSets the protocol used to communicate with backend services. Default: HTTP. Supported values: HTTP, HTTP2, HTTPS, gRPC, gRPCS.

    Load balancing

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/load-balanceServicePartially compatible — the Exponentially Weighted Moving Average (EWMA) algorithm is not supported and falls back to round-robinSets the load balancing algorithm. Default: round_robin. Supported values: round_robin, least_conn, random.
    nginx.ingress.kubernetes.io/upstream-hash-byServicePartially compatible — combining NGINX variables with constants is not supportedEnables consistent hashing. Supported hash key types: $request_uri (request path, including path parameters), $host (request hostname), $remote_addr (client IP address), $http_<headerName> (request header value), $arg_<varName> (URL query parameter value).

    Service warm-up (graceful start)

    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/warmupServiceMSE-exclusiveSets the warm-up duration in seconds. Disabled by default. Supported only with round_robin and least_conn load balancing algorithms.

    Cookie affinity

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/affinityServiceCompatibleSets the affinity type. The only valid value is cookie.
    nginx.ingress.kubernetes.io/affinity-modeServicePartially compatible — persistent mode is not supportedSets the affinity mode. The only valid value is balanced.
    nginx.ingress.kubernetes.io/session-cookie-nameServiceCompatibleSets the cookie name used as the hash key for session affinity.
    nginx.ingress.kubernetes.io/session-cookie-pathServiceCompatibleSets the path attribute of the generated session cookie. Default: /.
    nginx.ingress.kubernetes.io/session-cookie-max-ageServiceCompatibleSets the Max-Age of the generated session cookie in seconds. Defaults to session-level expiration.
    nginx.ingress.kubernetes.io/session-cookie-expiresServiceCompatibleSets the Expires attribute of the generated session cookie in seconds. Defaults to session-level expiration.

    IP address-based access control

    Route-level allowlists take precedence over domain-level allowlists. Route-level blocklists take precedence over domain-level blocklists.

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/whitelist-source-rangeIngressCompatibleSets an IP allowlist for the route. Accepts IP addresses and CIDR blocks, separated by commas.
    nginx.ingress.kubernetes.io/denylist-source-rangeIngressCompatible (requires gateway V1.2.31 or later)Sets an IP blocklist for the route. Accepts IP addresses and CIDR blocks, separated by commas. Takes precedence over mse.ingress.kubernetes.io/blacklist-source-range.
    mse.ingress.kubernetes.io/blacklist-source-rangeIngressMSE-exclusiveSets an IP blocklist for the route. Accepts IP addresses and CIDR blocks, separated by commas.
    mse.ingress.kubernetes.io/domain-whitelist-source-rangeIngressMSE-exclusiveSets an IP allowlist at the domain level. Accepts IP addresses and CIDR blocks, separated by commas.
    mse.ingress.kubernetes.io/domain-blacklist-source-rangeIngressMSE-exclusiveSets an IP blocklist at the domain level. Accepts IP addresses and CIDR blocks, separated by commas.

    Connection pool (gateway to backend)

    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/connection-policy-tcp-max-connectionServiceMSE-exclusiveSets the maximum number of TCP connections between the gateway and the backend service.
    mse.ingress.kubernetes.io/connection-policy-tcp-max-connection-per-endpointServiceMSE-exclusiveSets the maximum number of TCP connections between the gateway and a single backend pod.
    mse.ingress.kubernetes.io/connection-policy-http-max-request-per-connectionServiceMSE-exclusiveSets the maximum number of HTTP requests per connection between the gateway and the backend service.

    Security protection

    TLS between clients and the gateway

    AnnotationScopeSupport statusDescription
    mse.ingress.kubernetes.io/tls-min-protocol-versionDomainMSE-exclusiveSets the minimum TLS version. Default: TLSv1.0. Valid values: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3.
    mse.ingress.kubernetes.io/tls-max-protocol-versionDomainMSE-exclusiveSets the maximum TLS version. Default: TLSv1.3. Valid values: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3.
    nginx.ingress.kubernetes.io/ssl-cipherDomainCompatibleSets the TLS cipher suites, separated by commas. Takes effect only for TLS 1.0–1.2 handshakes. Default cipher suites: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA.
    mse.ingress.kubernetes.io/auth-tls-secretDomainPartially compatible — the secret name must follow the format <domain-certificate-secret-name>-cacertSpecifies the CA certificate the gateway uses to verify client certificates during mutual TLS (mTLS) handshakes.

    TLS between the gateway and backend services

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/proxy-ssl-secretServiceCompatibleSpecifies the client certificate the gateway presents to backend services during TLS handshakes.
    nginx.ingress.kubernetes.io/proxy-ssl-nameServiceCompatibleSets the Server Name Indication (SNI) value used during the TLS handshake with the backend.
    nginx.ingress.kubernetes.io/proxy-ssl-server-nameServiceCompatibleEnables or disables SNI during the TLS handshake with the backend.

    Authentication

    Basic authentication

    AnnotationScopeSupport statusDescription
    nginx.ingress.kubernetes.io/auth-typeIngressPartially compatible — only basic authentication is supportedSets the authentication type.
    nginx.ingress.kubernetes.io/auth-secretIngressCompatibleSpecifies the secret that contains credentials for the route. Format: <namespace>/<name>.
    nginx.ingress.kubernetes.io/auth-secret-typeIngressCompatibleSets the format of the secret data. auth-file: the auth key holds newline-separated username:password pairs. auth-map: each key is a username and its value is the password.
    nginx.ingress.kubernetes.io/auth-realmIngressCompatibleSets the authentication realm. Credentials are shared within a realm.

    For the full list of NGINX Ingress annotations, see Annotations.