NGINX Ingress Controller is a powerful Kubernetes component that manages external access to services, typically HTTP, through Ingress resources. It extends Kubernetes’ native Ingress API with advanced NGINX capabilities like load balancing, SSL termination, and rate limiting.
As Kubernetes clusters grow in production environments, efficient traffic management becomes essential for scalability and security. This comprehensive guide walks you through installation, key annotations, and pitfalls to avoid, delivering quick wins for your deployments.
Why NGINX Ingress Controller?
NGINX Ingress Controller stands out for its high performance and feature-rich configuration options compared to other controllers. Built on the proven NGINX web server, it handles millions of requests per second with minimal resource overhead.
It supports both community (ingress-nginx) and commercial (F5 NGINX) versions, offering flexibility for open-source enthusiasts and enterprises needing advanced security like WAF integration. For VoIP and ERP workloads common in B2B tech stacks, its low-latency proxying ensures reliable API routing and microservices communication.
Prerequisites
Before installation, ensure your Kubernetes cluster runs version 1.19 or later, with kubectl configured for access. Nodes should have sufficient resources: at least 2 CPUs and 4GB RAM per controller pod for production.
Install Helm 3.x for chart-based deployment, and verify MetalLB or a cloud LoadBalancer if using bare-metal. Common setups include AWS EKS, GKE, or AKS, where LoadBalancer services auto-provision external IPs.
Create a dedicated namespace to isolate resources:
kubectl create namespace ingress-nginxInstallation Methods
Using Manifests (Recommended for Simplicity)
Download and apply official manifests from the NGINX repository for a quick start. This method deploys RBAC roles, CRDs, ConfigMaps, and the controller Deployment.
Run these commands sequentially:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml# For F5 NGINX Plus, customize with JWT secrets and licensing:
kubectl apply -f deployments/rbac/rbac.yaml
kubectl apply -f deployments/common/nginx-config.yaml
kubectl apply -f deployments/deployment/nginx-plus-ingress.yamlThis creates the controller pod in ingress-nginx namespace, exposing it via a LoadBalancer Service. Verify with kubectl get svc -n ingress-nginx to note the external IP.
Helm Chart Installation (Production-Ready)
Add the ingress-nginx Helm repo and install with customization:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--set controller.service.type=LoadBalancer \
--set controller.resources.requests.cpu=200m \
--set controller.resources.requests.memory=256MiKey values.yaml overrides include replicaCount: 2 for HA, autoscaling enabled, and metrics integration with Prometheus. This method shines for managed configs and upgrades via helm upgrade.
Custom Image Builds
For NGINX Plus or custom modules like App Protect DoS, build your image:
git clone https://github.com/nginxinc/kubernetes-ingress
docker build -t myregistry/nginx-ingress:custom -f deployments/Dockerfile .Update manifests to pull your image, ensuring JWT secrets for licensing. This avoids vendor lock-in while enabling F5 features.
Verifying Installation
Check pod status:
kubectl get pods -n ingress-nginxExpect ingress-nginx-controller-xxx READY at 1/1. Logs reveal config reloads:
kubectl logs -n ingress-nginx deployment/ingress-nginx-controllerExpose the dashboard via Ingress for monitoring (disable in prod):
nginx.ingress.kubernetes.io/enable-access-log: "true"Test basic connectivity: curl http://EXTERNAL-IP should return NGINX welcome page.
Core Configuration
Create an IngressClass resource to specify the controller:
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: nginx
spec:
controller: k8s.io/ingress-nginxEssential Annotations
SSL/TLS Termination
Enable HTTPS passthrough or termination:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"Rate Limiting and Throttling
Prevent abuse with connection limits:
nginx.ingress.kubernetes.io/limit-rps: "10"
nginx.ingress.kubernetes.io/limit-connections: "5"
nginx.ingress.kubernetes.io/limit-req-status-code: "429"Path Rewriting and Redirects
Strip prefixes for clean backend routing:
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
rules:
- http:
paths:
- path: /app(/|$)(.*)
pathType: PrefixExample Deployment
Deploy a test app:
kubectl create deployment hello --image=gcr.io/google-samples/hello-app:1.0
kubectl expose deployment hello --port=8080Create Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
ingressClassName: nginx
rules:
- host: hello.example.com
http:
paths:
- path: /hello(/|$)(.*)
pathType: Prefix
backend:
service:
name: hello
port:
number: 8080High Availability Setup
Scale controller replicas:
kubectl scale deployment ingress-nginx-controller --replicas=3 -n ingress-nginxCommon Pitfalls
- LoadBalancer Stuck in Pending: On bare-metal, install MetalLB
- Pods Not Ready: Check logs for syntax errors in ConfigMap
- Ingress Not Routing: Verify IngressClass match and host headers
- SSL Handshake Failures: Validate cert/key format in secrets
Best Practices
- Always use IngressClass for multi-controller clusters
- Enable audit logs and rotate them
- Set resource limits/requests to prevent OOM kills
- Use cert-manager for automated TLS
- Test rewrites with curl -H “Host:…” extensively
- Monitor config reload latency (<1s target)
Conclusion
Mastering NGINX Ingress Controller unlocks Kubernetes’ full potential for traffic orchestration, from basic HTTP routing to enterprise-grade security. By following this guide, you’ve gained actionable steps for installation, annotation mastery, and pitfall avoidance, ensuring robust deployments.
Apply these quick wins iteratively: start with manifests, layer annotations, then scale to HA. Your VoIP, ERP, and web services will thrive under optimized ingress management, driving performance and reliability in 2026’s demanding cloud-native landscape.
