Here’s a comprehensive, practical, and easy-to-follow tutorial on all main types of Kubernetes Ingress rules—with detailed explanations, diagrams, and YAML examples for each. This guide is aimed at both beginners and advanced users and covers every core ingress rule type you’ll encounter, including real-world use cases.
🚀 Kubernetes Ingress Rules: Complete Guide with Examples
Table of Contents
- What is Kubernetes Ingress?
- Types of Ingress Rules
- Host-based Routing
- Path-based Routing
- Combined Host & Path Routing
- Default Backend (Catch-all)
- TLS/SSL Rules
- Advanced (Rewrite/Redirect, Auth, Rate Limiting)
- Examples and Use Cases
- Visual Summary
- FAQ & Tips
1. What is Kubernetes Ingress?
- Ingress is a Kubernetes resource that manages external access to your cluster services, typically HTTP/HTTPS.
- With Ingress, you can expose multiple apps under different domains/paths using a single load balancer or IP.
- An Ingress Controller (like NGINX, AWS ALB, Traefik, etc.) implements the routing specified in your Ingress resource.
2. Types of Ingress Rules
A. Host-based Routing (Name-based Routing)
What it is:
Route traffic to different services based on the requested domain name (host).
Use Case:
You have multiple apps, each with its own subdomain or domain (e.g., app1.example.com, app2.example.com).
Example YAML:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: host-based-ingress
spec:
rules:
- host: app1.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app1
port:
number: 80
- host: app2.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app2
port:
number: 80
Diagram:
(app1.example.com) --> [Ingress] --> [app1 Service]
(app2.example.com) --> [Ingress] --> [app2 Service]
Code language: CSS (css)B. Path-based Routing (URL Path Routing)
What it is:
Route traffic to different services based on the URL path.
Use Case:
Expose multiple apps under different paths of the same domain (e.g., /api, /shop).
Example YAML:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: path-based-ingress
spec:
rules:
- host: www.example.com
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: api-service
port:
number: 80
- path: /shop
pathType: Prefix
backend:
service:
name: shop-service
port:
number: 80
- path: /
pathType: Prefix
backend:
service:
name: web-service
port:
number: 80
Diagram:
(www.example.com/api) --> [Ingress] --> [api-service]
(www.example.com/shop) --> [Ingress] --> [shop-service]
(www.example.com/) --> [Ingress] --> [web-service]
C. Combined Host and Path-based Routing
What it is:
Use both host and path to route traffic for fine-grained control.
Use Case:
Same domain serves different apps under different paths, and you have more than one domain.
Example YAML:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: combined-ingress
spec:
rules:
- host: admin.example.com
http:
paths:
- path: /dashboard
pathType: Prefix
backend:
service:
name: admin-dashboard
port:
number: 80
- host: shop.example.com
http:
paths:
- path: /cart
pathType: Prefix
backend:
service:
name: cart-service
port:
number: 80
Diagram:
(admin.example.com/dashboard) --> [Ingress] --> [admin-dashboard]
(shop.example.com/cart) --> [Ingress] --> [cart-service]
D. Default Backend (Catch-all Rule)
What it is:
A default backend serves any request that doesn’t match the host/path rules above (often a 404 or static site).
Use Case:
Handle “not found” errors or serve a default landing page.
How to set:
- For NGINX, add a path: / rule without host or at the bottom.
- For AWS ALB Ingress, define a backend with path
/and no host, or use a dedicated default backend controller.
Example YAML:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: default-backend-ingress
spec:
defaultBackend:
service:
name: default-backend
port:
number: 80
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-service
port:
number: 80
Code language: PHP (php)Diagram:
(Any unmatched domain/path) --> [Ingress] --> [default-backend]
Code language: JavaScript (javascript)Note: The exact method depends on your Ingress controller version.
E. TLS/SSL Rules
What it is:
Specify which hosts should use HTTPS and which certificate to use for encryption.
Use Case:
Serve your app securely over HTTPS.
NGINX Example:
spec:
tls:
- hosts:
- www.example.com
secretName: my-tls-secret
rules:
- host: www.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web-service
port:
number: 80
my-tls-secretis a Kubernetes TLS secret with your certificate and private key.
AWS ALB Example:
metadata:
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT:certificate/XXXX
- The annotation links your ACM certificate to the ALB for HTTPS.
Diagram:
(Browser --HTTPS--> ALB) --HTTP--> [Service]
Code language: CSS (css)F. Advanced Rules
1. Rewrite/Redirect Rules
- Modify the URL path before passing to backend, or redirect to another location.
- Often set using annotations (varies by controller).
2. Authentication Rules
- Protect paths with Basic Auth, OAuth2, or custom headers.
- Usually via annotations or external Auth service.
3. Rate Limiting / WAF
- Control request rates or apply security policies.
- Usually via annotations/integration with external tools.
3. Examples and Use Cases Table
| Rule Type | Use Case Example | YAML Location | Example Controller Features |
|---|---|---|---|
| Host-based | Subdomains for separate apps | rules.host | All controllers |
| Path-based | Single domain, multiple apps (microservices) | rules.http.paths | All controllers |
| Host + Path | Multi-tenant or region-based routing | Both | All controllers |
| Default Backend | Catch-all for 404 or static page | defaultBackend | All controllers |
| TLS/SSL | Enable HTTPS with certs for security | tls / annotation | NGINX/ALB/Traefik (cert or ACM annotation) |
| Rewrite/Redirect | SEO, cleaner URLs, app migration | annotations | NGINX, Traefik |
| Authentication | Protect admin panels, APIs, dashboards | annotations | NGINX, Traefik, Kong, custom plugins |
| Rate Limiting/WAF | Throttle abusive users, block attacks | annotations | NGINX, Kong, ALB WAF |
4. Visual Summary
+-------------------------+
| Ingress Controller |
+-------------------------+
| | |
Host1 Host2+Path Default
| | |
[ServiceA] [ServiceB] [Default Svc]
Code language: PHP (php)5. FAQ & Tips
Q: Can I use all rule types in one Ingress?
A: Yes! You can combine host, path, TLS, and advanced rules as needed.
Q: What about gRPC?
A: Use the right annotation (e.g., alb.ingress.kubernetes.io/backend-protocol-version: GRPC for AWS) and make sure your ingress controller supports gRPC routing.
Q: What happens if rules overlap?
A: The most specific rule (exact match > prefix match > default) wins.
Q: Can I redirect HTTP to HTTPS?
A: Yes, with annotations or controller config. For ALB, use alb.ingress.kubernetes.io/ssl-redirect: '443'.
6. Full Example: Real-World Multi-rule Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: complex-ingress
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-northeast-1:123456789012:certificate/abcd1234
alb.ingress.kubernetes.io/ssl-redirect: '443'
alb.ingress.kubernetes.io/backend-protocol-version: GRPC
spec:
tls:
- hosts:
- www.example.com
secretName: my-tls-secret # For NGINX/Traefik; ignored by ALB
rules:
- host: www.example.com
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: api-service
port:
number: 80
- path: /shop
pathType: Prefix
backend:
service:
name: shop-service
port:
number: 80
- host: admin.example.com
http:
paths:
- path: /dashboard
pathType: Prefix
backend:
service:
name: admin-dashboard
port:
number: 80
# Default backend or more hosts/paths as needed
Conclusion
- Host-based: Route by domain.
- Path-based: Route by URL path.
- Combined: Mix host/path for precise routing.
- Default backend: Catch all requests not matched.
- TLS: Secure HTTPS by mapping domain(s) to certificate(s).
- Advanced: Use controller features for rewrites, redirects, auth, WAF, etc.
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
