Ingress annotations let you unlock advanced features of your Ingress Controller (like TLS redirect, rate limiting, authentication) that arenβt part of the standard Kubernetes Ingress spec.
β Why?
The base Ingress API is minimal β annotations add real-world functionality.
Like custom settings on a smart thermostat:
- Basic mode: just heat/cool
- Advanced mode: schedule, geofencing, energy reports
- You enable extras via settings (annotations)
Step 1: Create a Middleware (Traefik CRD)
# redirect-https.yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
meta
name: redirect-https
namespace: default
spec:
redirectScheme:
scheme: https
permanent: true
Step 2: Reference It in Ingress via Annotation
# ingress-with-redirect.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
meta
name: secure-ingress
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetess
spec:
tls:
- hosts: ["myapp.com"]
secretName: my-tls-secret
rules:
- host: myapp.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 80
β Result: All HTTP traffic β 301 redirect to HTTPS
# nginx-rate-limit.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
meta
name: rate-limited-ingress
annotations:
nginx.ingress.kubernetes.io/limit-rps: "5" # 5 requests/sec
nginx.ingress.kubernetes.io/limit-burst-multiplier: "2"
spec:
rules:
- host: api.example.com
http:
paths:
- path: /v1
pathType: Prefix
backend:
service:
name: api
port:
number: 80
β Result: API is protected from brute-force or DDoS.
# Create auth file
htpasswd -c auth admin
kubectl create secret generic basic-auth --from-file=auth
# ingress-with-auth.yaml
meta
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"