diff --git a/docs/configuration/backends/kubernetes.md b/docs/configuration/backends/kubernetes.md index 632af9600..42cd00271 100644 --- a/docs/configuration/backends/kubernetes.md +++ b/docs/configuration/backends/kubernetes.md @@ -100,40 +100,80 @@ See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with- The following general annotations are applicable on the Ingress object: -- `traefik.frontend.rule.type: PathPrefixStrip` - Override the default frontend rule type. Default: `PathPrefix`. -- `traefik.frontend.priority: "3"` - Override the default frontend rule priority. -- `traefik.frontend.redirect.entryPoint: https`: - Enables Redirect to another entryPoint for that frontend (e.g. HTTPS). -- `traefik.frontend.redirect.regex: ^http://localhost/(.*)`: - Redirect to another URL for that frontend. Must be set with `traefik.frontend.redirect.replacement`. -- `traefik.frontend.redirect.replacement: http://mydomain/$1`: - Redirect to another URL for that frontend. Must be set with `traefik.frontend.redirect.regex`. -- `traefik.frontend.entryPoints: http,https` - Override the default frontend endpoints. -- `traefik.frontend.passTLSCert: true` - Override the default frontend PassTLSCert value. Default: `false`. -- `ingress.kubernetes.io/rewrite-target: /users` - Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header. -- `ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"` - A comma-separated list of IP ranges permitted for access. all source IPs are permitted if the list is empty or a single range is ill-formatted. +| Annotation | Description | +|---------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------| +| `traefik.ingress.kubernetes.io/buffering: ` | (3) See [buffering](/configuration/commons/#buffering) section. | +| `traefik.ingress.kubernetes.io/error-pages: ` | (1) See [custom error pages](/configuration/commons/#custom-error-pages) section. | +| `traefik.ingress.kubernetes.io/frontend-entry-points: http,https` | Override the default frontend endpoints. | +| `traefik.ingress.kubernetes.io/pass-tls-cert: true` | Override the default frontend PassTLSCert value. Default: `false`. | +| `traefik.ingress.kubernetes.io/preserve-host: true` | Forward client `Host` header to the backend. | +| `traefik.ingress.kubernetes.io/priority: "3"` | Override the default frontend rule priority. | +| `traefik.ingress.kubernetes.io/rate-limit: ` | (2) See [custom error pages](/configuration/commons/#rate-limiting) section. | +| `traefik.ingress.kubernetes.io/redirect-entry-point: https` | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS). | +| `traefik.ingress.kubernetes.io/redirect-regex: ^http://localhost/(.*)` | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-replacement`. | +| `traefik.ingress.kubernetes.io/redirect-replacement: http://mydomain/$1` | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-regex`. | +| `traefik.ingress.kubernetes.io/rewrite-target: /users` | Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header. | +| `traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip` | Override the default frontend rule type. Default: `PathPrefix`. | +| `traefik.ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"` | A comma-separated list of IP ranges permitted for access. all source IPs are permitted if the list is empty or a single range is ill-formatted. | + +<1> `traefik.ingress.kubernetes.io/error-pages` example: + +```yaml +foo: + status: + - "404" + backend: bar + query: /bar +fii: + status: + - "503" + - "500" + backend: bar + query: /bir +``` + +<2> `traefik.ingress.kubernetes.io/rate-limit` example: + +```yaml +extractorfunc: client.ip +rateset: + bar: + period: 3s + average: 6 + burst: 9 + foo: + period: 6s + average: 12 + burst: 18 +``` + +<3> `traefik.ingress.kubernetes.io/buffering` example: + +```yaml +maxrequestbodybytes: 10485760 +memrequestbodybytes: 2097153 +maxresponsebodybytes: 10485761 +memresponsebodybytes: 2097152 +retryexpression: IsNetworkError() && Attempts() <= 2 +``` !!! note - Please note that `traefik.frontend.redirect.regex` and `traefik.frontend.redirect.replacement` do not have to be set if `traefik.frontend.redirect.entryPoint` is defined for the redirection (they will not be used in this case). + Please note that `traefik.ingress.kubernetes.io/redirect-regex` and `traefik.ingress.kubernetes.io/redirect-replacement` do not have to be set if `traefik.ingress.kubernetes.io/redirect-entry-point` is defined for the redirection (they will not be used in this case). The following annotations are applicable on the Service object associated with a particular Ingress object: -- `traefik.backend.loadbalancer.method=drr` - Override the default `wrr` load balancer algorithm. -- `traefik.backend.loadbalancer.stickiness=true` - Enable backend sticky sessions. -- `traefik.backend.loadbalancer.stickiness.cookieName=NAME` - Manually set the cookie name for sticky sessions. -- `traefik.backend.loadbalancer.sticky=true` - Enable backend sticky sessions (DEPRECATED). -- `traefik.backend.circuitbreaker: ` - Set the circuit breaker expression for the backend. +| Annotation | Description | +|--------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `traefik.backend.loadbalancer.sticky=true` | Enable backend sticky sessions (DEPRECATED). | +| `traefik.ingress.kubernetes.io/affinity: true` | Enable backend sticky sessions. | +| `traefik.ingress.kubernetes.io/circuit-breaker-expression: ` | Set the circuit breaker expression for the backend. | +| `traefik.ingress.kubernetes.io/load-balancer-method: drr` | Override the default `wrr` load balancer algorithm. | +| `traefik.ingress.kubernetes.io/max-conn-amount: 10` | Set a maximum number of connections to the backend.
Must be used in conjunction with the below label to take effect. | +| `traefik.ingress.kubernetes.io/max-conn-extractor-func: client.ip` | Set the function to be used against the request to determine what to limit maximum connections to the backend by.
Must be used in conjunction with the above label to take effect. | +| `traefik.ingress.kubernetes.io/session-cookie-name: ` | Manually set the cookie name for sticky sessions. | + +!!! note + `traefik.ingress.kubernetes.io/` and `ingress.kubernetes.io/` are supported prefixes. ### Security annotations @@ -150,7 +190,7 @@ The following security annotations are applicable on the Ingress object: | `ingress.kubernetes.io/ssl-host:HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. | | `ingress.kubernetes.io/ssl-proxy-headers:EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: HEADER:value||HEADER2:value2 | | `ingress.kubernetes.io/hsts-max-age:315360000` | Sets the max-age of the HSTS header. | -| `ingress.kubernetes.io/hsts-include-subdomains:true` | Adds the IncludeSubdomains section of the STS header. | +| `ingress.kubernetes.io/hsts-include-subdomains:true` | Adds the IncludeSubdomains section of the STS header. | | `ingress.kubernetes.io/hsts-preload:true` | Adds the preload flag to the HSTS header. | | `ingress.kubernetes.io/force-hsts:false` | Adds the STS header to non-SSL requests. | | `ingress.kubernetes.io/frame-deny:false` | Adds the `X-Frame-Options` header with the value of `DENY`. | @@ -167,10 +207,10 @@ The following security annotations are applicable on the Ingress object: Is possible to add additional authentication annotations to the Ingress object. The source of the authentication is a Secret object that contains the credentials. -- `ingress.kubernetes.io/auth-type`: `basic` - Contains the authentication type. The only permitted type is `basic`. -- `ingress.kubernetes.io/auth-secret`: `mysecret` - Contains the username and password with access to the paths defined in the Ingress object. +| Annotation | Description | +|----------------------------------------------|--------------------------------------------------------------------------------------------| +| `ingress.kubernetes.io/auth-type:basic` | Contains the authentication type. The only permitted type is `basic`. | +| `ingress.kubernetes.io/auth-secret:mysecret` | Contains the username and password with access to the paths defined in the Ingress object. | The secret must be created in the same namespace as the Ingress object.