diff --git a/docs/configuration/backends/kubernetes.md b/docs/configuration/backends/kubernetes.md index 86aec53bf..1641c15f4 100644 --- a/docs/configuration/backends/kubernetes.md +++ b/docs/configuration/backends/kubernetes.md @@ -116,12 +116,12 @@ The following general annotations are applicable on the Ingress object: | `traefik.ingress.kubernetes.io/buffering: ` | (3) See [buffering](/configuration/commons/#buffering) section. | | `traefik.ingress.kubernetes.io/error-pages: ` | (1) See [custom error pages](/configuration/commons/#custom-error-pages) section. | | `traefik.ingress.kubernetes.io/frontend-entry-points: http,https` | Override the default frontend endpoints. | -| `traefik.ingress.kubernetes.io/pass-tls-cert: true` | Override the default frontend PassTLSCert value. Default: `false`. | -| `traefik.ingress.kubernetes.io/preserve-host: true` | Forward client `Host` header to the backend. | +| `traefik.ingress.kubernetes.io/pass-tls-cert: "true"` | Override the default frontend PassTLSCert value. Default: `false`. | +| `traefik.ingress.kubernetes.io/preserve-host: "true"` | Forward client `Host` header to the backend. | | `traefik.ingress.kubernetes.io/priority: "3"` | Override the default frontend rule priority. | | `traefik.ingress.kubernetes.io/rate-limit: ` | (2) See [rate limiting](/configuration/commons/#rate-limiting) section. | | `traefik.ingress.kubernetes.io/redirect-entry-point: https` | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS). | -| `traefik.ingress.kubernetes.io/redirect-permanent: true` | Return 301 instead of 302. | +| `traefik.ingress.kubernetes.io/redirect-permanent: "true"` | Return 301 instead of 302. | | `traefik.ingress.kubernetes.io/redirect-regex: ^http://localhost/(.*)` | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-replacement`. | | `traefik.ingress.kubernetes.io/redirect-replacement: http://mydomain/$1` | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-regex`. | | `traefik.ingress.kubernetes.io/rewrite-target: /users` | Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header. | @@ -176,8 +176,8 @@ The following annotations are applicable on the Service object associated with a | Annotation | Description | |--------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `traefik.backend.loadbalancer.sticky=true` | Enable backend sticky sessions (DEPRECATED). | -| `traefik.ingress.kubernetes.io/affinity: true` | Enable backend sticky sessions. | +| `traefik.backend.loadbalancer.sticky: "true"` | Enable backend sticky sessions (DEPRECATED). | +| `traefik.ingress.kubernetes.io/affinity: "true"` | Enable backend sticky sessions. | | `traefik.ingress.kubernetes.io/circuit-breaker-expression: ` | Set the circuit breaker expression for the backend. | | `traefik.ingress.kubernetes.io/load-balancer-method: drr` | Override the default `wrr` load balancer algorithm. | | `traefik.ingress.kubernetes.io/max-conn-amount: 10` | Set a maximum number of connections to the backend.
Must be used in conjunction with the below label to take effect. | @@ -192,37 +192,37 @@ The following annotations are applicable on the Service object associated with a The following security annotations are applicable on the Ingress object: | Annotation | Description | -| -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `ingress.kubernetes.io/allowed-hosts:EXPR` | Provides a list of allowed hosts that requests will be processed. Format: `Host1,Host2` | -| `ingress.kubernetes.io/custom-request-headers:EXPR` | Provides the container with custom request headers that will be appended to each request forwarded to the container. Format: HEADER:value||HEADER2:value2 | -| `ingress.kubernetes.io/custom-response-headers:EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client. Format: HEADER:value||HEADER2:value2 | -| `ingress.kubernetes.io/proxy-headers:EXPR` | Provides a list of headers that the proxied hostname may be stored. Format: `HEADER1,HEADER2` | -| `ingress.kubernetes.io/ssl-redirect:true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. | -| `ingress.kubernetes.io/ssl-temporary-redirect:true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. | -| `ingress.kubernetes.io/ssl-host:HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. | -| `ingress.kubernetes.io/ssl-proxy-headers:EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: HEADER:value||HEADER2:value2 | -| `ingress.kubernetes.io/hsts-max-age:315360000` | Sets the max-age of the HSTS header. | -| `ingress.kubernetes.io/hsts-include-subdomains:true` | Adds the IncludeSubdomains section of the STS header. | -| `ingress.kubernetes.io/hsts-preload:true` | Adds the preload flag to the HSTS header. | -| `ingress.kubernetes.io/force-hsts:false` | Adds the STS header to non-SSL requests. | -| `ingress.kubernetes.io/frame-deny:false` | Adds the `X-Frame-Options` header with the value of `DENY`. | -| `ingress.kubernetes.io/custom-frame-options-value:VALUE` | Overrides the `X-Frame-Options` header with the custom value. | -| `ingress.kubernetes.io/content-type-nosniff:true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. | -| `ingress.kubernetes.io/browser-xss-filter:true` | Adds the X-XSS-Protection header with the value `1; mode=block`. | -| `ingress.kubernetes.io/content-security-policy:VALUE` | Adds CSP Header with the custom value. | -| `ingress.kubernetes.io/public-key:VALUE` | Adds pinned HTST public key header. | -| `ingress.kubernetes.io/referrer-policy:VALUE` | Adds referrer policy header. | -| `ingress.kubernetes.io/is-development:false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.
When deploying to production, be sure to set this to false. | +| --------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `ingress.kubernetes.io/allowed-hosts: EXPR` | Provides a list of allowed hosts that requests will be processed. Format: `Host1,Host2` | +| `ingress.kubernetes.io/custom-request-headers: EXPR` | Provides the container with custom request headers that will be appended to each request forwarded to the container. Format: HEADER:value||HEADER2:value2 | +| `ingress.kubernetes.io/custom-response-headers: EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client. Format: HEADER:value||HEADER2:value2 | +| `ingress.kubernetes.io/proxy-headers: EXPR` | Provides a list of headers that the proxied hostname may be stored. Format: `HEADER1,HEADER2` | +| `ingress.kubernetes.io/ssl-redirect: "true"` | Forces the frontend to redirect to SSL if a non-SSL request is sent. | +| `ingress.kubernetes.io/ssl-temporary-redirect: "true"` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. | +| `ingress.kubernetes.io/ssl-host: HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. | +| `ingress.kubernetes.io/ssl-proxy-headers: EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: HEADER:value||HEADER2:value2 | +| `ingress.kubernetes.io/hsts-max-age: "315360000"` | Sets the max-age of the HSTS header. | +| `ingress.kubernetes.io/hsts-include-subdomains: "true"` | Adds the IncludeSubdomains section of the STS header. | +| `ingress.kubernetes.io/hsts-preload: "true"` | Adds the preload flag to the HSTS header. | +| `ingress.kubernetes.io/force-hsts: "false"` | Adds the STS header to non-SSL requests. | +| `ingress.kubernetes.io/frame-deny: "false"` | Adds the `X-Frame-Options` header with the value of `DENY`. | +| `ingress.kubernetes.io/custom-frame-options-value: VALUE` | Overrides the `X-Frame-Options` header with the custom value. | +| `ingress.kubernetes.io/content-type-nosniff: "true"` | Adds the `X-Content-Type-Options` header with the value `nosniff`. | +| `ingress.kubernetes.io/browser-xss-filter: "true"` | Adds the X-XSS-Protection header with the value `1; mode=block`. | +| `ingress.kubernetes.io/content-security-policy: VALUE` | Adds CSP Header with the custom value. | +| `ingress.kubernetes.io/public-key: VALUE` | Adds pinned HTST public key header. | +| `ingress.kubernetes.io/referrer-policy: VALUE` | Adds referrer policy header. | +| `ingress.kubernetes.io/is-development: "false"` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.
When deploying to production, be sure to set this to false. | ### Authentication Is possible to add additional authentication annotations to the Ingress object. The source of the authentication is a Secret object that contains the credentials. -| Annotation | Description | -|----------------------------------------------|--------------------------------------------------------------------------------------------| -| `ingress.kubernetes.io/auth-type:basic` | Contains the authentication type. The only permitted type is `basic`. | -| `ingress.kubernetes.io/auth-secret:mysecret` | Contains the username and password with access to the paths defined in the Ingress object. | +| Annotation | Description | +|---------------------------------------------- | --------------------------------------------------------------------------------------------| +| `ingress.kubernetes.io/auth-type: basic` | Contains the authentication type. The only permitted type is `basic`. | +| `ingress.kubernetes.io/auth-secret: mysecret` | Name of Secret containing the username and password with access to the paths defined in the Ingress object. | The secret must be created in the same namespace as the Ingress object.