Annotations

The Kong Ingress Controller supports these annotations on various resources.

Ingress resource

Following annotations are supported on Ingress resources:

kubernetes.io/ingress.class is required, and its value should match the value of the --ingress-class controller argument (kong by default).

Service resource

These annotations are supported on Service resources.

KongConsumer resource

These annotations are supported on KongConsumer resources.

kubernetes.io/ingress.class is normally required, and its value should match the value of the --ingress-class controller argument (kong by default).

Setting the --process-classless-kong-consumer controller flag removes that requirement. when it is enabled, the controller processes KongConsumers with no kubernetes.io/ingress.class annotation. Recommended best practice is to set the annotation and leave this flag disabled; the flag is primarily intended for older configurations, as controller versions prior to 0.10 processed classless KongConsumer resources by default.

Annotations

kubernetes.io/ingress.class

Kubernetes versions after 1.18 introduced the new ingressClassName field to the Ingress spec and deprecated the kubernetes.io/ingress.class annotation. Ingress resources should now use the ingressClassName field. Kong resources (KongConsumer, TCPIngress, etc.) still use the kubernetes.io/ingress.class annotation.

If you have multiple Ingress controllers in a single cluster, you can pick one by specifying the ingress.class annotation. Here is an example to create an Ingress with an annotation:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-1
  annotations:
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /test1
        backend:
          serviceName: echo
          servicePort: 80

This targets the GCE controller, forcing the Kong Ingress Controller to ignore it.

On the other hand, an annotation such as this, targets the Kong Ingress Controller, forcing the GCE controller to ignore it.

metadata:
  name: test-1
  annotations:
    kubernetes.io/ingress.class: "kong"

With the ingressClassName field instead of the annotation:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-1
spec:
  ingressClassName: kong
  rules:
  - host: example.com
    http:
      paths:
      - path: /test1
        backend:
          serviceName: echo
          servicePort: 80

The following resources require this annotation by default:

• Ingress
• KongConsumer
• TCPIngress
• UDPIngress
• KongClusterPlugin
• Secret resources with the ca-cert label

The ingress class used by the Kong Ingress Controller to filter Ingress resources can be changed using the CONTROLLER_INGRESS_CLASS environment variable.

spec:
  template:
     spec:
       containers:
         - name: kong-ingress-internal-controller
           env:
           - name: CONTROLLER_INGRESS_CLASS
             value: kong-internal

Multiple unrelated Kong Ingress Controllers

In some deployments, you might use multiple Kong Ingress Controllers in the same Kubernetes cluster. For example, one which serves public traffic, and one which serves “internal” traffic. For such deployments, ensure that in addition to different ingress-class, the --election-id is also different.

In such deployments, kubernetes.io/ingress.class annotation can be used on the following custom resources as well:

• KongPlugin: To configure (global) plugins only in one of the Kong clusters.
• KongConsumer: To create different consumers in different Kong clusters.

konghq.com/plugins

Available since controller 0.8

Kong’s power comes from its plugin architecture, where plugins can modify the request and response or impose certain policies on the requests as they are proxied to your service.

With the Kong Ingress Controller, plugins can be configured by creating KongPlugin Custom Resources and then associating them with an Ingress, Service, HTTPRoute, KongConsumer, KongConsumerGroup or a combination of those.

This is an example of how to use the annotation:

konghq.com/plugins: high-rate-limit, docs-site-cors

Here, high-rate-limit and docs-site-cors are the names of the KongPlugin resources which should be to be applied to the Ingress rules defined in the Ingress resource on which the annotation is being applied.

This annotation can also be applied to a Service resource in Kubernetes, which will result in the plugin being executed at Service-level in Kong, meaning the plugin will be executed for every request that is proxied, no matter which Route it came from.

This annotation can also be applied to a KongConsumer resource, which results in plugin being executed whenever the specific consumer is accessing any of the defined APIs.

Finally, this annotation can also be applied on a combination of the following resources:

• Ingress and KongConsumer If an Ingress resource and a KongConsumer resource share a plugin in the konghq.com/plugins annotation then the plugin will be created for the combination of those to resources in Kong.
• Service and KongConsumer Same as the above case, if you would like to give a specific consumer or client of your service some special treatment, you can do so by applying the same annotation to both of the resources.

konghq.com/path

Available since controller 0.8

This annotation can be used on a Service resource only. This annotation can be used to prepend an HTTP path of a request, before the request is forwarded.

For example, if the annotation konghq.com/path: "/baz" is applied to a Kubernetes Service billings, then any request that is routed to the billings service will be prepended with /baz HTTP path. If the request contains /foo/something as the path, then the service will receive an HTTP request with path set as /baz/foo/something.

konghq.com/strip-path

Available since controller 0.8

This annotation can be applied to an Ingress resource and can take two values:

• "true": If set to true, the part of the path specified in the Ingress rule will be stripped out before the request is sent to the service. For example, if the Ingress rule has a path of /foo and the HTTP request that matches the Ingress rule has the path /foo/bar/something, then the request sent to the Kubernetes service will have the path /bar/something.
• "false": If set to false, no path manipulation is performed.

All other values are ignored. Please note the quotes (") around the boolean value.

Sample usage:

konghq.com/strip-path: "true"

konghq.com/preserve-host

Available since controller 0.8

This annotation can be applied to an Ingress resource and can take two values:

• "true": If set to true, the host header of the request will be sent as is to the Service in Kubernetes.
• "false": If set to false, the host header of the request is not preserved.

Note: The quotes (") around the boolean value is required.

Sample usage:

konghq.com/preserve-host: "true"

ingress.kubernetes.io/force-ssl-redirect

Available since controller 0.10

This annotation is used to enforce requests to be redirected to SSL protocol (HTTPS or GRPCS). The default status code for requests that need to be redirected is 302. This code can be configured by annotation konghq.com/https-redirect-status-code[#konghqcomhttps-redirect-status-code].

konghq.com/https-redirect-status-code

Available since controller 0.8

By default, Kong sends HTTP Status Code 426 for requests that need to be redirected to HTTPS. This can be changed using this annotations. Acceptable values are:

• 301
• 302
• 307
• 308
• 426

Any other value will be ignored.

Sample usage:

konghq.com/https-redirect-status-code: "301"

Please note the quotes (") around the integer value.

konghq.com/regex-priority

Available since controller 0.9

Sets the regex_priority setting to this value on the Kong route associated with the Ingress resource. This controls the matching evaluation order for regex-based routes. It accepts any integer value. Routes are evaluated in order of highest priority to lowest.

Sample usage:

konghq.com/regex-priority: "10"

Note: the quotes (") around the integer value is required.

konghq.com/methods

Available since controller 0.9

Sets the methods setting on the Kong route associated with the Ingress resource. This controls which request methods will match the route. Any uppercase alpha ASCII string is accepted, though most users will use only standard methods.

Sample usage:

konghq.com/methods: "GET,POST"

konghq.com/snis

Available since controller 1.1

Sets the snis match criteria on the Kong route associated with this Ingress. When using route-attached plugins that execute during the certificate phase (for example, Mutual TLS Authentication), the snis annotation allows route matching based on the server name indication information sent in a client’s TLS handshake.

Sample usage:

konghq.com/snis: "foo.example.com, bar.example.com"

konghq.com/request-buffering

Available since controller 1.2

Enables or disables request buffering on the Kong route associated with this Ingress.

Sample usage:

konghq.com/request-buffering: "false"

konghq.com/response-buffering

Available since controller 1.2

Enables or disables response buffering on the Kong route associated with this Ingress.

Sample usage:

konghq.com/response-buffering: "false"

konghq.com/host-aliases

Available since controller 1.3

Set additional hosts for routes created from rules on this Ingress.

Sample usage:

konghq.com/host-aliases: "example.com,example.net"

This annotation applies to all rules equally. An Ingress like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    konghq.com/host-aliases: "example.com,example.net"
spec:
  rules:
  - host: "foo.example"
    http:
      paths:
      - pathType: Prefix
        path: "/bar"
        backend:
          service:
            name: service1
            port:
              number: 80
  - host: "bar.example"
    http:
      paths:
      - pathType: Prefix
        path: "/bar"
        backend:
          service:
            name: service2
            port:
              number: 80

Results in two routes:

{"hosts":["foo.example", "example.com", "example.net"], "paths":["/foo"]}
{"hosts":["bar.example", "example.com", "example.net"], "paths":["/bar"]}

To avoid creating overlapping routes, don’t reuse the same path in multiple rules.

konghq.com/protocol

Available since controller 0.8

This annotation can be set on a Kubernetes Service resource and indicates the protocol that should be used by Kong to communicate with the service. In other words, the protocol is used for communication between a Kong Service and a Kubernetes Service, internally in the Kubernetes cluster.

Accepted values are:

• http
• https
• grpc
• grpcs
• tcp
• tls

konghq.com/protocols

Available since controller 0.8

This annotation sets the list of acceptable protocols for the all the rules defined in the Ingress resource. The protocols are used for communication between the Kong and the external client/user of the Service.

You usually want to set this annotation for the following two use-cases:

• You want to redirect HTTP traffic to HTTPS, in which case you will use konghq.com/protocols: "https"
• You want to define gRPC routing, in which case you should use konghq.com/protocols: "grpc,grpcs"

konghq.com/client-cert

Available since controller 0.8

This annotation sets the certificate and key-pair Kong should use to authenticate itself against the upstream service, if the upstream service is performing mutual-TLS (mTLS) authentication.

The value of this annotation should be the name of the Kubernetes TLS Secret resource which contains the TLS cert and key pair.

Under the hood, the controller creates a Certificate in Kong and then sets the service.client_certificate for the service.

konghq.com/host-header

Available since controller 0.9

Sets the host_header setting on the Kong upstream created to represent a Kubernetes Service. By default, Kong upstreams set Host to the hostname or IP address of an individual target (the Pod IP for controller-managed configuration). This annotation overrides the default behavior and sends the annotation value as the Host header value.

If konghq.com/preserve-host: true is present on an Ingress (or route.preserve_host: true is present in a linked KongIngress), it will take precedence over this annotation, and requests to the application will use the hostname in the Ingress rule.

Sample usage:

konghq.com/host-header: "test.example.com"

ingress.kubernetes.io/service-upstream

Available since controller 0.6

By default, the Kong Ingress Controller distributes traffic amongst all the Pods of a Kubernetes Service by forwarding the requests directly to Pod IP addresses. One can choose the load-balancing strategy to use by specifying a KongIngress resource.

However, in some use-cases, the load-balancing should be left up to kube-proxy, or a sidecar component in the case of Service Mesh deployments.

Setting this annotation to a Service resource in Kubernetes will configure the Kong Ingress Controller to directly forward the traffic outbound for this Service to the IP address of the service (usually the ClusterIP).

kube-proxy can then decide how it wants to handle the request and route the traffic accordingly. If a sidecar intercepts the traffic from the controller, it can also route traffic as it sees fit in this case.

Following is an example snippet you can use to configure this annotation on a Service resource in Kubernetes, (please note the quotes around true):

annotations:
  ingress.kubernetes.io/service-upstream: "true"

konghq.com/regex-prefix

Available since controller 2.7

Sets the prefix of regex matched path to be some string other than /~. In Kong 3.0 and later, paths with regex match must start with ~, so in ingresses, /~ prefix used by default to annotate that the path is using regex match. If the annotation is set, paths with the specified prefix is considered as paths with regex match and will be translated to ~ started path in Kong. For example, if an ingress has annotation konghq.com/regex-prefix: "/@", paths started with /@ are considered as paths using regex match. See: upgrade-to-kong-3x

konghq.com/path-handling

Available since controller 2.8

Sets the path handling algorithm, which controls how Kong Gateway combines the service and route path fields (the Service’s path annotation value and Ingress rule’s path field) are combined into the path sent upstream.

konghq.com/headers.*

Available since controller 2.8

Sets header values that are required for requests to match rules in an Ingress.

Unlike most annotations, konghq.com/headers.* includes part of the configuration in the annotation name. The string after the . in the annotation name is the header, and the value is a CSV of allowed header values.

For example, setting konghq.com/headers.x-routing: alpha,bravo will only match requests that include an x-routing header whose value is either alpha or bravo.

konghq.com/headers-separator

Available since controller 3.2

Sets the separator for the konghq.com/headers.* annotation to be something other than default ,. This is useful when the header values themselves contain commas. For example, setting konghq.com/headers-separator: ";" will allow header values to be separated by ; instead of ,.

konghq.com/connect-timeout

Available since controller 2.8

Sets the connect timeout, in milliseconds. For example, setting this annotation to 60000 will instruct the proxy to wait up to 60 seconds to complete the initial TCP connection to the upstream service.

konghq.com/read-timeout

Available since controller 2.8

Sets the read timeout, in milliseconds. For example, setting this annotation to 60000 will instruct the proxy to wait up to 60 seconds after sending a request before timing out and returning a 504 response to the client.

konghq.com/write-timeout

Available since controller 2.8

Sets the write timeout, in milliseconds. For example, setting this annotation to 60000 will instruct the proxy to wait up to 60 seconds without writing data before closing a kept-alive connection.

konghq.com/retries

Available since controller 2.8

Sets the max retries on a request. For example, setting this annotation to 3 will re-send the request up to three times if it encounters a failure, such as a timeout.

konghq.com/tags

Available since controller 2.9

This annotation can be used to assign custom tags to Kong entities generated out of a resource the annotation is applied to. The value of the annotation is a comma-separated list of tags. For example, setting this annotation to tag1,tag2 will assign the tags tag1 and tag2 to the Kong entity.

konghq.com/rewrite

Available since controller 2.12

Rewrite a URL path. This annotation is a shorthand method of applying a request-transformer plugin with a replace.uri action. It cannot be combined with a konghq.com/plugins annotation that applies a request-transformer plugin as such.

The annotation can rebuild URLs using segments captured from a regular expression path. A $n in the annotation path represents the nth capture group in the Ingress rule path, starting from 1. For example, combining an Ingress rule with path /~/v(.*)/(.*) and a konghq.com/rewrite: /api/$1/foo/svc_$2 would send an upstream request to /api/2/foo/svc_pricing upstream when an inbound request is made to /v2/pricing (the /~ prefix instructs Kong to treat the path as a regular expression, and isn’t used in the actual request).

Annotations apply at the Ingress level and not modify individual rules. As such, this annotation should only be used on Ingresses with a single rule, or on Ingresses whose rules paths all match the rewrite pattern.

Note that this annotation overrides strip_path and Service path annotations. The value of the konghq.com/rewrite annotation will be the entire path sent upstream. You must include path segments you would normally place in a Service konghq.com/path annotation at the start of your konghq.com/rewrite annotation.

konghq.com/upstream-policy

Available since controller 3.0

This annotation can be used to attach KongUpstreamPolicy resources to Services. The value of the annotation is the name of the KongUpstreamPolicy object in the same namespace as the Service. Please refer to the KongUpstreamPolicy reference for details on how to configure the KongUpstreamPolicy resource.

konghq.com/tls-verify

Available since controller 3.4

This annotation can be used to enable or disable verification of the upstream service’s TLS certificates. The value of the annotation should be either true or false. By default, the verification is disabled.

See TLS verification of Upstream Service guide for more information.

konghq.com/tls-verify-depth

Available since controller 3.4

This annotation can be used to set the maximal depth of a certificate chain when verifying the upstream service’s TLS certificates. The value of the annotation should be an integer. If not set, a system default value is used.

See TLS verification of Upstream Service guide for more information.

konghq.com/ca-certificates-secrets

Available since controller 3.4

This annotation can be used to assign CA certificates to be used for the upstream service’s TLS certificates verification. The value of the annotation should be a comma-separated list of Secrets containing CA certificates.

konghq.com/ca-certificates-configmaps

Available since controller 3.4

This annotation can be used to assign CA certificates to be used for the upstream service’s TLS certificates verification. The value of the annotation should be a comma-separated list of ConfigMaps containing CA certificates.

CA certificates in Kong are provisioned by creating Secret or ConfigMap resource in Kubernetes. Resources holding CA certificates must have the following properties:

• the konghq.com/ca-cert: "true" label applied.
• a cert or ca.crt data property which contains a valid CA certificate in PEM format.
• a kubernetes.io/ingress.class annotation whose value matches the value of the controller’s --ingress-class argument. By default, that value is kong.
• an id data property which contains a random UUID.

Each CA certificate that you create needs a unique ID. Any random UUID should suffice here and it doesn’t have a security implication. You can use uuidgen (Linux, OS X) or New-Guid (Windows) to generate an ID.

See TLS verification of Upstream Service guide for more information.