Contact UsGet started

Ingress resource fields and annotations

Written by
Updated at April 22, 2025

The Ingress resource defines rules for incoming traffic distribution between Kubernetes services. The Application Load Balancer Ingress controller uses these rules to create a load balancer, its listeners, and HTTP routers. You can specify Application Load Balancer backend services in Ingress directly or as part of HttpBackendGroup backend groups.

Ingress is a standard Kubernetes resource. Below, we describe its fields and annotations used by the Application Load Balancer Ingress controller. For resource configuration details, see the relevant Kubernetes article.

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: <ObjectMeta>
spec: <IngressSpec>

Field

Value / Type

Description

apiVersion

networking.k8s.io/v1

This is a required field.
Kubernetes API version.

kind

Ingress

Resource type

metadata

ObjectMeta

This is a required field.
Resource metadata.

spec

IngressSpec

This is a required field.
Resource specification.
Example
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-demo-tls
  annotations:
    ingress.alb.yc.io/subnets: <list_of_subnet_IDs>
    ingress.alb.yc.io/security-groups: <list_of_security_group_IDs>
    ingress.alb.yc.io/external-ipv4-address: <auto_or_static_IP_address>
    ingress.alb.yc.io/group-name: my-ingress-group
spec:
  tls:
    - hosts:
        - <domain_name>
      secretName: yc-certmgr-cert-id-<TLS_certificate_ID>
  rules:
    - host: <domain_name>
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: alb-demo-1
                port:
                  number: 80
          - path: /app2
            pathType: Prefix
            backend:
              service:
                name: alb-demo-2
                port:
                  number: 80
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: alb-demo-2
                port:
                  name: http

ObjectMeta

name: <string>
annotations:
  ingress.alb.yc.io/group-name: <string>
  ingress.alb.yc.io/subnets: <string>
  ingress.alb.yc.io/security-groups: <string>
  ingress.alb.yc.io/external-ipv4-address: <string>
  ingress.alb.yc.io/internal-ipv4-address: <string>
  ingress.alb.yc.io/internal-alb-subnet: <string>
  ingress.alb.yc.io/protocol: <string>
  ingress.alb.yc.io/group-settings-name: <string>
  ingress.alb.yc.io/group-order: <string>
  ingress.alb.yc.io/transport-security: <string> # Only for versions up to but not including 0.2.0.
  ingress.alb.yc.io/prefix-rewrite: <string>
  ingress.alb.yc.io/upgrade-types: <string>
  ingress.alb.yc.io/request-timeout: <string>
  ingress.alb.yc.io/idle-timeout: <string>
  ingress.alb.yc.io/modify-header-response-append: <string>
  ingress.alb.yc.io/modify-header-response-replace: <string>
  ingress.alb.yc.io/modify-header-response-rename: <string>
  ingress.alb.yc.io/modify-header-response-remove: <string>
  ingress.alb.yc.io/modify-header-request-append: <string>
  ingress.alb.yc.io/modify-header-request-replace: <string>
  ingress.alb.yc.io/modify-header-request-rename: <string>
  ingress.alb.yc.io/modify-header-request-remove: <string>
  ingress.alb.yc.io/security-profile-id: <string>
  ingress.alb.yc.io/use-regex: <string>
  ingress.alb.yc.io/balancing-panic-threshold: <string>
  ingress.alb.yc.io/balancing-locality-aware-routing: <string>
  ingress.alb.yc.io/autoscale-max-size: <string>
  ingress.alb.yc.io/autoscale-min-zone-size: <string>

Field

Value / Type

Description

name

string

This is a required field.
Resource name.
Do not mistake it for the Application Load Balancer load balancer name.

annotations

map[string]string

This is a required field.
Resource annotations.

Metadata.annotations

Annotations are collections of key:value pairs for assigning metadata to objects. Annotation values have string data type.

You can specify the annotation value as a comma separated list of multiple <key>=<value> pairs.

annotation: <key>=<value>,<key>=<value>,<key>=<value>

You can map one key to multiple values. For example, to add a noarchive,nofollow,noindex X-Robots response header, write the annotation as follows:

ingress.alb.yc.io/modify-header-response-replace: X-Robots-Tag=noarchive,X-Robots-Tag=nofollow,X-Robots-Tag=noindex

For more information on annotations, see the relevant Kubernetes article.

You can add the following annotations to ObjectMeta:

  • ingress.alb.yc.io/group-name

    Ingress resource group name. The system will create a separate load balancer for each group. You can combine Ingress resources into a group to avoid creating load balancers for each individual resource. For more information about the group name format, see the relevant Kubernetes article.

    This is a required field even for one Ingress resource in a group.

  • ingress.alb.yc.io/subnets

    Virtual Private Cloud subnets where the load balancer resides. This is a comma separated list of subnet IDs, e.g.:

    ingress.alb.yc.io/subnets: b0c2kotoidco********,e2lnhhdj9a0a********,e9bud5itjnl8********

    This field is required for at least one Ingress in a group, i.e., ingress.alb.yc.io/group-name annotation, to create one load balancer. The load balancer will use all subnets specified in the relevant Ingress resources.

    A load balancer’s subnets must all be in the same network. You cannot specify more than one network per availability zone.

  • ingress.alb.yc.io/security-groups

    Load balancer Virtual Private Cloud security groups. This is a comma separated list of group IDs, e.g.:

    ingress.alb.yc.io/security-groups: b0c2kotoidco********,e2lnhhdj9a0a********,e9bud5itjnl8********

    A load balancer created for a group of Ingress resources, i.e., ingress.alb.yc.io/group-name, uses all security groups specified in their annotations.

    For the proper load balancer and Ingress controller operation, make sure to configure security groups as specified in Configuring security groups for Application Load Balancer tools for Managed Service for Kubernetes.

  • ingress.alb.yc.io/external-ipv4-address

    Specifying the load balancer public IP address.

    To use your reserved IP address, specify it in the load balancer annotation. To enable automatic IP assignment for the load balancer, specify auto.

    With auto setting, deleting the Ingress controller will also remove its associated IP address from the cloud. To avoid this, use a reserved IP address.

    A load balancer must be configured with either an external or internal IP address, i.e., ingress.alb.yc.io/internal-ipv4-address annotation, but not both.

  • ingress.alb.yc.io/internal-ipv4-address

    Configuring a load balancer with an internal IP address.

    The IP address must belong to the subnet specified in the ingress.alb.yc.io/internal-alb-subnet annotation. To use an IP address from this subnet, specify it in the annotation. To enable automatic IP assignment for the load balancer, specify auto.

    A load balancer must be configured with either an internal or external IP address, i.e., ingress.alb.yc.io/external-ipv4-address annotation, but not both.

  • ingress.alb.yc.io/internal-alb-subnet

    Load balancer IP subnet ID.

    This field is required if you configure your load balancer with an internal IP address, i.e., ingress.alb.yc.io/internal-ipv4-address annotation.

  • ingress.alb.yc.io/protocol

    Protocol for connections between the load balancer and Ingress-defined backends:

    • http: HTTP/1.1. Default.
    • http2: HTTP/2.
    • grpc: gRPC.

  • ingress.alb.yc.io/group-settings-name

    Name for the Ingress resource group settings.

    To specify these settings, create the IngressGroupSettings resource.

  • ingress.alb.yc.io/group-order

    Ingress resource number. Ingress group resource numbers will define the order in which internal traffic routes will be added. Ingress resources are sorted in non-decreasing order.

    This annotation does not apply to routes specified in a single Ingress resource.

    Specify an integer value for this annotation. The default value is 0.

  • ingress.alb.yc.io/transport-security

    Warning

    For ALB Ingress Controllers v0.2.0 or later, you can only use this annotation in the Service object.

    Annotations applied to Ingress resources sharing the same service and backend group settings will be processed correctly. However, this mechanism is obsolete and will not be supported going forward.

    Encryption protocol for connections between the load balancer and backends specified in Ingress directly, as opposed to the HttpBackendGroup.

    The acceptable annotation value is tls: TLS without certificate validation.

    If this annotation is omitted, the load balancer will connect to the backends without encryption.

    This annotation is ignored for grouped backends. To configure encryption for connections between a load balancer and grouped backends, use spec.backend.tls field of the HttpBackendGroup resource. For more information, see the HttpBackendGroup resource reference.

  • ingress.alb.yc.io/prefix-rewrite

    URI path / gRPC method name replacements applied when routing requests to backends. The relevant paths and names are listed in the Ingress rules.http.paths field.

    The system will overwrite the entire path / name or its prefix based on the pathType value: pathType: Exact or pathType: Prefix, respectively.

    Example

    Specify the replacement instructing the load balancer to route incoming requests to backends with specific API versions:

    ...
metadata:
  annotations:
    ingress.alb.yc.io/prefix-rewrite: /api/v4/
...
spec:
  rules:
    - host: <domain_name>
      http:
        paths:
          - path: /api/
            pathType: Prefix
            ...

    Application Load Balancer will apply this replacement rule to all HTTP routers created for the Ingress resource.

  • ingress.alb.yc.io/upgrade-types

    The Upgrade HTTP header values of incoming requests supported by the load balancer. Specify them as a comma-separated list.

    For example, you can use this annotation to enable WebSocket support:

    ingress.alb.yc.io/upgrade-types: WebSocket

    Application Load Balancer will apply the Upgrade configuration to all HTTP routers created for the Ingress resource.

  • ingress.alb.yc.io/request-timeout

    Maximum duration for a connection between a load balancer node and a backend. Once this time expires, the load balancer will respond to the client with 504 Gateway Timeout.

    The default value is 60s.

    Application Load Balancer will apply this timeout configuration to all HTTP routers created for the Ingress resource.

  • ingress.alb.yc.io/idle-timeout

    Maximum inactivity time for a connection between a load balancer node and a backend. Once this time expires, the load balancer will respond to the client with 504 Gateway Timeout.

    If this annotation is omitted, a connection can remain idle for any length of time before the timeout, i.e., ingress.alb.yc.io/request-timeout annotation.

    Application Load Balancer will apply this timeout configuration to all HTTP routers created for the Ingress resource.

  • ingress.alb.yc.io/modify-header-response-append

    Appends a string value to the response header. Specify the target header and the string to append in the following format:

    ingress.alb.yc.io/modify-header-response-append: <key>=<value>

    Where:

    • <key>: Response header.
    • <value>: String to append.

  • ingress.alb.yc.io/modify-header-response-replace

    Overwrites the response header value. Specify the target header and its replacement value in the following format:

    ingress.alb.yc.io/modify-header-response-replace: <key>=<value>

    Where:

    • <key>: Response header.
    • <value>: New header value.

  • ingress.alb.yc.io/modify-header-response-rename

    Renames the response header. Specify the target header and its new name in the following format:

    ingress.alb.yc.io/modify-header-response-rename: <key>=<value>

    Where:

    • <key>: Response header.
    • <value>: New header name.

  • ingress.alb.yc.io/modify-header-response-remove

    Removes the response header. Specify the header to be removed in the following format:

    ingress.alb.yc.io/modify-header-response-remove: <key>=true

    Where <key> is the name of the header to be removed.

  • ingress.alb.yc.io/modify-header-request-append

    Appends a string value to the request header. Specify the target header and the string to append in the following format:

    ingress.alb.yc.io/modify-header-request-append: <key>=<value>

    Where:

    • <key>: Response header.
    • <value>: String to append.

  • ingress.alb.yc.io/modify-header-request-replace

    Replaces the request header value. Specify the target header and its replacement value in the following format:

    ingress.alb.yc.io/modify-header-request-replace: <key>=<value>

    Where:

    • <key>: Response header.
    • <value>: New header value.

  • ingress.alb.yc.io/modify-header-request-rename

    Renames the request header. Specify the target header and its new name in the following format:

    ingress.alb.yc.io/modify-header-request-rename: <key>=<value>

    Where:

    • <key>: Response header.
    • <value>: New header name.

  • ingress.alb.yc.io/modify-header-request-remove

    Removes the request header. Specify the header to be removed in the following format:

    ingress.alb.yc.io/modify-header-request-remove: <key>=true

    Where <key> is the name of the header to be removed.

  • ingress.alb.yc.io/security-profile-id

    Enables support for Yandex Smart Web Security, including DDoS protection, WAF, and resource overload protection.

    Note

    To connect your security profile to an Application Load Balancer virtual host, the service account used to operate the Ingress controller must have the smart-web-security.editor role for the folder hosting Application Load Balancer and Smart Web Security resources. For more information, see Assigning a role to a service account.

    This service checks HTTP requests sent to the protected resource through the L7 load balancer virtual host. Depending on check results, it forwards the requests to the protected resource, blocks them, or sends them to Yandex SmartCaptcha for additional verification.

    To enable this service, specify the Smart Web Security security profile ID in the Ingress annotation:

    ingress.alb.yc.io/security-profile-id: <security_profile_ID>

    This profile contains validation conditions and actions performed on incoming HTTP requests following the check results.

    If you do not have a security profile, create one.

  • ingress.alb.yc.io/use-regex

    If set to true, enables RE2 regular expression support for matching the request path. This setting only works when the pathType is set to Exact.

  • ingress.alb.yc.io/balancing-panic-threshold

    Specifies the panic mode threshold. If the percentage of healthy endpoints falls below the specified threshold, it will trigger the panic mode.

    The default value is 0, meaning the panic mode will never be activated.

  • ingress.alb.yc.io/balancing-locality-aware-routing

    Share of incoming traffic the load balancer will forward to its availability zone backends. The remaining traffic will be evenly distributed across other availability zones.

    The default value is 0.

    Read more about locality-aware routing here.

  • ingress.alb.yc.io/autoscale-max-size

    Resource unit maximum total. By default, it is unlimited. Make sure this value is no less than (number of load balancer availability zones) × (minimum number of resource units per zone).

    Learn more about the autoscaling settings here.

  • ingress.alb.yc.io/autoscale-min-zone-size

    Resource unit minimum per availability zone. The minimum and default value is 2.

    Learn more about the autoscaling settings here.

IngressSpec

ingressClassName: <string>
tls:
  - <IngressTLS>
  - ...
rules:
  - <IngressRule>
  - ...
defaultBackend:
  - <IngressBackend>
  - ...

Field

Value / Type

Description

ingressClassName

string

Name of the IngressClass resource associated with the Ingress resource.

When using multiple ingress controllers within a single application, the IngressClass determines which controller processes the requests. If you deploy multiple ingress controllers without specifying ingressClassName in your Ingress resources, you should create a default IngressClass to ensure proper request handling.

tls

[]IngressTLS

This is a required field.
Incoming HTTPS traffic settings: Domain name collections and their associated TLS certificates.

When this field is configured, the system will create two types of load balancer listeners: HTTPS listeners to serve encrypted traffic on port 443, and HTTP listeners redirecting requests on port 80 to port 443. If multiple Ingress rules apply to the same domain, rules without tls, i.e., HTTP-only, will take priority over HTTP-to-HTTPS redirects.

If this field omitted, the system will only create HTTP listeners processing unencrypted traffic on port 80.

rules

[]IngressRule

Rules for routing incoming traffic to backends, matching domain names and requested resources specified in host and http.paths fields, respectively.

In Application Load Balancer, these routing rules map to HTTP router virtual hosts.

If no routing rules are specified, you must configure a default backend to handle all unmatched traffic.

IngressTLS

hosts:
  - <string>
  - ...
secretName: <string>

Field

Value / Type

Description

hosts

[]string

This is a required field.
Domain names covered by the secretName TLS certificate.

The load balancer will create a dedicated listener for each domain name specified in the Server Name Indication (SNI) TLS extension.

To match all subdomains at any level, use a wildcard * in place of the first-level domain name. Wildcard domain values must be quoted.

For example, "*.example.com" matches foo.example.com, foo-bar.example.com, foo.bar.example.com, and foo.bar.baz.example.com, but not example.com.

Wildcards must replace complete domain levels; for example, *foo.example.com is invalid.

secretName

string

This is a required field.
Yandex Certificate Manager TLS certificate in yc-certmgr-cert-id-<certificate ID> format. You can use this name to access the certificate secret in Managed Service for Kubernetes.

In Certificate Manager, you can either use a Let's Encrypt® certificate or upload your own custom certificate.

If the certificate is not available in Certificate Manager, provide it through a Kubernetes secret by specifying its name in the secretName field. Application Load Balancer Ingress controller will automatically add this certificate to Certificate Manager.

IngressRule

host: <string>
http:
  paths:
    - path: <string>
      pathType: <string>
      backend: <IngressBackend>

Pre-0.2.0 ALB Ingress Controller versions map each backend group to a distinct combination of host, http.paths.path, and http.paths.pathType values. ALB Ingress Controllers v0.2.0 and later map backend groups directly to the backend.service configuration, i.e., IngressBackend. This may cause collisions when upgrading the ALB Ingress Controller. To avoid them, check the upgrade restrictions applying to your infrastructure.

Field

Value / Type

Description

host

string

This is a required field.
Domain name, i.e., HTTP/1.1 Host or HTTP/2 :authority header value, to which this rule applies.

To match all subdomains at any level, use a wildcard * in place of the first-level domain name. Wildcard domain values must be quoted.

For example, "*.example.com" matches foo.example.com, foo-bar.example.com, foo.bar.example.com, and foo.bar.baz.example.com, but not example.com.

Wildcards must replace complete domain levels; for example, *foo.example.com is invalid.

http

HTTPIngressRuleValue

This is a required field.
Routing rule that distributes incoming requests based on the domain name specified in the host field and the requested resource path.

http.paths

[]HTTPIngressPath

This is a required field.
Resource paths and their associated backends for this rule.

The order of paths matters because only the first path matching the incoming request will be used for routing. Therefore, we recommend to list your most specific paths first, followed by more general ones. This behavior differs from Kubernetes standard path prioritization logic, where longer paths, i.e., rules.http.paths.path values, take precedence regardless of their order in the list.

Warning

When multiple Ingress resources (with the same ingress.alb.yc.io/group-name annotation value) share the same load balancer and define rules for the same domain name, route ordering is only enforced within individual Ingress resources, not across them.

http.paths.path

string

This is a required field.
Requested resource path:

  • For HTTP protocol, it is incoming request URI or its prefix for Exact or Prefix path types, respectively.
  • For gRPC protocol, i.e., grpc ingress.alb.yc.io/protocol annotation value, it is the full gRPC method name or its prefix for Exact or Prefix path types, respectively. Example: /my.custom.server.Service/Method.

In both cases, the path must begin with /.

http.paths.pathType

string

This is a required field.
Requested resource path type:

  • Exact: Request URI path or gRPC method name must match the rules.http.paths.path field value.
  • Prefix: Request URI path or gRPC method name must begin with the rules.http.paths.path field value.

The selected path type will affect traffic distribution and the path replacement mechanism for backend requests if it is configured using the ingress.alb.yc.io/prefix-rewrite annotation.

http.paths.backend

IngressBackend

This is a required field.
backend or group of backends that will process requests with domain names and resource paths, i.e., HTTP URI paths or gRPC method names, specified in this Ingress rule.

IngressBackend

service:
  name: <string>
  port:
    name: <string>
    number: <int32>
resource:
  kind: HttpBackendGroup
  name: <string>
  apiGroup: alb.yc.io

Field

Value / Type

Description

service

IngressServiceBackend

This is a required field.
Kubernetes service backend for processing requests.

The referred Service resource must be described per the standard configuration.

Each spec.rules.http.paths entry must be either a service backend or a backend group, i.e., resource, but not both.

  • name (string, required):

    Kubernetes service name.

  • port (ServiceBackendPort, required):

    Service port to which Ingress will direct traffic.

    The field is designed for ingress controller operation and has no equivalents in Application Load Balancer.

    • name (string):

      Service port name.

      This name must match one of the Service resource spec.ports.name values. For more information, see the resource specification.

      You must specify either the service port name or its number, but not both.

    • number (int32):

      Service port number.

      This number must match one of the Service resource spec.ports.port values. For more information, see the resource specification.

      You must specify either the service port name or its number, but not both.

resource

TypedLocalObjectReference

This is a required field.
Backend group for processing requests.

The Ingress controller implements this field through the HttpBackendGroup custom resource. The referenced resource must comply with standard configuration requirements.

Each spec.rules.http.paths entry must be either a backend group or a service backend, i.e., service resource, but not both.

  • kind: HttpBackendGroup

  • name (string): Backend group name

    This name must match the metadata.name value of the HttpBackendGroup resource. For more information, see the HttpBackendGroup resource configuration.

  • apiGroup: alb.yc.io

DefaultBackend

Default backend for requests that do not match any ingress traffic rules. If the spec.rules field is undefined in the Ingress description, the spec.defaultBackend field becomes mandatory to ensure all traffic has a valid destination.

The default backend handles requests when no rules are defined in the Ingress or the request’s domain/path matches no existing rules.

The spec.defaultBackend field defines either a service backend, i.e.,service, or a backend group, i.e., resource. Configure this field using the same schema as IngressBackend.

spec.defaultBackend.service example
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: testapp-ingress-with-default-backend
  namespace: testapp-ns
  annotations:
    ...
spec:
  defaultBackend:
    service:
      name: testapp-service
      port:
        name: http
spec.defaultBackend.resource example
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-1
  annotations:
    ...
spec:
  defaultBackend:
    resource:
      apiGroup: alb.yc.io
      kind: HttpBackendGroup
      name: bg-with-bucket

Warning

You can only specify one default backend for a single Ingress resource group, i.e., ingress.alb.yc.io/group-name annotation.

IngressGroupSettings

apiVersion: alb.yc.io/v1alpha1
kind: IngressGroupSettings
metadata:
  name: non-default-settings
logOptions:
  logGroupID: <log_group_ID>
  discardRules:
    - discardPercent: 50
      grpcCodes:
        - OK
        - CANCELLED
        - UNKNOWN
    - discardPercent: 67
      httpCodeIntervals:
        - HTTP_1XX
    - discardPercent: 20
      httpCodes:
        - 200
        - 404

Specify the log group ID and log discard rule settings:

  • httpCodes: HTTP codes.
  • httpCodeIntervals: HTTP code classes.
  • grpcCodes: gRPC codes.
  • discardPercent: Log discard rate.
Previous
Updating an Ingress controller
Next
HttpBackendGroup