Skip to content

Kubernetes Ingress

Key idea:

Ingress — a K8s resource describing HTTP(S) routing: which host/path goes to which Service. Requires an Ingress Controller (ingress-nginx, Traefik, HAProxy Ingress). cert-manager automatically issues Let's Encrypt certs. Controller annotations add rate-limit, CORS, basic-auth without a separate sidecar.

Below: details, example, related terms, FAQ.

Check your site's security →

Details

  • Install nginx-ingress via helm: helm install ingress-nginx ingress-nginx/ingress-nginx
  • cert-manager + ClusterIssuer issues certs automatically
  • Path-based routing: /api → api-svc, /web → web-svc
  • Rate-limit: nginx.ingress.kubernetes.io/limit-rps: "10"
  • Alternative: Gateway API (K8s 1.29+) — more expressive, will replace Ingress

Example

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/limit-rps: "10"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [api.example.com]
      secretName: api-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: { name: api-svc, port: { number: 80 } }

Related

TL;DR

To configure Ingress in Kubernetes, you must first deploy an Ingress controller, define an Ingress resource with the appropriate rules to route traffic, and ensure your services are accessible. This allows external HTTP/S traffic to reach your Kubernetes services based on defined hostnames and paths.

Deploying an Ingress Controller

Before you can set up Ingress resources, you need to deploy an Ingress controller. The Ingress controller is responsible for managing the traffic routing rules defined in your Ingress resources. Popular options include NGINX Ingress Controller and Traefik. Below is an example of deploying the NGINX Ingress Controller using Helm:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install my-nginx ingress-nginx/ingress-nginx

This command installs the NGINX Ingress Controller with the release name `my-nginx`. You can verify the installation with:

kubectl get pods -n ingress-nginx

Make sure your Kubernetes cluster has the necessary permissions and configurations to allow this deployment. After the installation, the Ingress controller will create a service of type LoadBalancer (if running on a cloud provider) to expose the ingress traffic.

Creating Ingress Resources

Once the Ingress controller is up and running, you can create Ingress resources to define how requests should be routed to your services. Here’s an example of an Ingress resource definition:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  namespace: default
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80

In this example, the Ingress resource named `my-ingress` routes traffic for `myapp.example.com` to a service named `my-service` on port 80. The `pathType` is set to `Prefix`, meaning any request starting with `/` will be directed to the defined backend service.

To apply this configuration, save the above YAML to a file named `ingress.yaml` and run:

kubectl apply -f ingress.yaml

After applying, you can check the Ingress resource status using:

kubectl get ingress my-ingress

Ensure that your DNS is configured to point `myapp.example.com` to the external IP of the Ingress controller service. You can find the external IP using:

kubectl get services -n ingress-nginx

By following these steps, you will successfully configure Ingress in Kubernetes, allowing external traffic to reach your services based on specified rules.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

Ingress vs Service LoadBalancer?

LoadBalancer — one external IP per Service (expensive in cloud). Ingress — one LB for the whole cluster + L7 routing to multiple Services.

Do I need Gateway API?

New clusters — consider it. Existing — Ingress is stable and production-grade, migration is not a priority.

Is cert-manager required?

No, you can paste TLS secrets by hand. But with 3+ domains cert-manager saves hours per month.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.