Skip to content

Installation Guide


The default configuration watches Ingress object from all namespaces.

To change this behavior use the flag --watch-namespace to limit the scope to a particular namespace.


If multiple Ingresses define paths for the same host, the ingress controller merges the definitions.


The admission webhook requires connectivity between Kubernetes API server and the ingress controller.

In case Network policies or additional firewalls, please allow access to port 8443.


The first time the ingress controller starts, two Jobs create the SSL Certificate used by the admission webhook. For this reason, there is an initial delay of up to two minutes until it is possible to create and validate Ingress definitions.

You can wait until it is ready to run the next command:

 kubectl wait --namespace ingress-nginx \
  --for=condition=ready pod \ \


Provider Specific Steps

Docker Desktop

Kubernetes is available in Docker Desktop

kubectl apply -f


For standard usage:

minikube addons enable ingress


For standard usage:

microk8s enable ingress

Please check the microk8s documentation page


In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controller behind a Service of Type=LoadBalancer.

Network Load Balancer (NLB)
kubectl apply -f
TLS termination in AWS Load Balancer (ELB)

In some scenarios is required to terminate TLS in the Load Balancer and not in the ingress controller.

For this purpose we provide a template:

  • Edit the file and change:

  • VPC CIDR in use for the Kubernetes cluster:

proxy-real-ip-cidr: XXX.XXX.XXX/XX

  • AWS Certificate Manager (ACM) ID


  • Deploy the manifest:
kubectl apply -f deploy-tls-termination.yaml
NLB Idle Timeouts

Idle timeout value for TCP flows is 350 seconds and cannot be modified.

For this reason, you need to ensure the keepalive_timeout value is configured less than 350 seconds to work as expected.

By default NGINX keepalive_timeout is set to 75s.

More information with regards to timeouts can be found in the official AWS documentation



Initialize your user as a cluster-admin with the following command:

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud config get-value account)


For private clusters, you will need to either add an additional firewall rule that allows master nodes access to port 8443/tcp on worker nodes, or change the existing rule that allows access to ports 80/tcp, 443/tcp and 10254/tcp to also allow access to port 8443/tcp.

See the GKE documentation on adding rules and the Kubernetes issue for more detail.

kubectl apply -f


Proxy protocol is not supported in GCE/GKE


kubectl apply -f

More information with regards to Azure annotations for ingress controller can be found in the official AKS documentation.

Digital Ocean

kubectl apply -f


kubectl apply -f


kubectl apply -f

The full list of annotations supported by Exoscale is available in the Exoscale Cloud Controller Manager documentation.

Oracle Cloud Infrastructure

kubectl apply -f

A complete list of available annotations for Oracle Cloud Infrastructure can be found in the OCI Cloud Controller Manager documentation.


Using NodePort:

kubectl apply -f


Applicable on kubernetes clusters deployed on bare-metal with generic Linux distro(Such as CentOs, Ubuntu ...).


For extended notes regarding deployments on bare-metal, see Bare-metal considerations.

Verify installation

To check if the ingress controller pods have started, run the following command:

kubectl get pods -n ingress-nginx \
  -l --watch

Once the ingress controller pods are running, you can cancel the command typing Ctrl+C.

Now, you are ready to create your first ingress.

Detect installed version

To detect which version of the ingress controller is running, exec into the pod and run nginx-ingress-controller --version.

POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l --field-selector=status.phase=Running -o jsonpath='{.items[0]}')

kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version

Using Helm


Only Helm v3 is supported

NGINX Ingress controller can be installed via Helm using the chart from the project repository. To install the chart with the release name ingress-nginx:

helm repo add ingress-nginx
helm repo update

helm install ingress-nginx ingress-nginx/ingress-nginx

Detect installed version:

POD_NAME=$(kubectl get pods -l -o jsonpath='{.items[0]}')
kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version