| title | Configuration Examples |
|---|---|
| slug | /reference/apisix-ingress-controller/examples |
| description | Explore a variety of APISIX Ingress Controller configuration examples to help you customize settings to suit your environment effectively. |
import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem';
APISIX Ingress Controller supports both Ingress resources and Gateway API for traffic management in Kubernetes. In addition to these standard Kubernetes APIs, the APISIX Ingress Controller also supports a set of CRDs (Custom Resource Definitions) designed specifically for APISIX-native functionality.
This document provides examples of common configurations covering how and when to use these resources. You should adjust custom values such as namespaces, route URIs, and credentials to match your environment.
To update the Control Plane endpoint and admin key for connectivity between APISIX Ingress Controller and Control Plane at runtime:
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: ingress-apisix
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
endpoints:
- http://127.0.0.1:9180
auth:
type: AdminKey
adminKey:
value: replace-with-your-admin-key:::important
All resources within the same gateway group must use the same IngressClass (for Ingress / APISIX CRDs) or Gateway (for Gateway API), each of which points to a single GatewayProxy.
Using multiple GatewayProxy, IngressClass, or Gateway resources for a single gateway group can lead to conflicts and unintended resource overwrites.
:::
To specify the controller responsible for handling resources before applying further configurations:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'Ingress', value: 'ingress'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
namespace: ingress-apisix
name: apisix
spec:
controllerName: "apisix.apache.org/apisix-ingress-controller" # 1
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: ingress-apisix
name: apisix
spec:
gatewayClassName: apisix
listeners:
- name: http
protocol: HTTP
port: 80 # 2
infrastructure:
parametersRef:
group: apisix.apache.org # 3
kind: GatewayProxy # 4
name: apisix-config # 5❶ The controller name should be customized if you are running multiple distinct instances of the APISIX Ingress Controller in the same cluster (not a single instance with multiple replicas). Each ingress controller instance must use a unique controllerName in its configuration file, and the corresponding GatewayClass should reference that value.
❷ The port in the Gateway listener is required but ignored. This is due to limitations in the data plane: it cannot dynamically open new ports. Since the Ingress Controller does not manage the data plane deployment, it cannot automatically update the configuration or restart the data plane to apply port changes.
❸ API group of the referenced resource.
❹ Kind of the referenced resource.
❺ Name of the referenced resource. Should match the metadata.name of the GatewayProxy resource.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
namespace: ingress-apisix
name: apisix
spec:
controller: apisix.apache.org/apisix-ingress-controller # 1
parameters:
apiGroup: apisix.apache.org # 2
kind: GatewayProxy # 3
name: apisix-config # 4
namespace: ingress-apisix # 5
scope: Namespace # 6❷ API group of the referenced resource.
❸ Kind of the referenced resource.
❹ Name of the referenced resource. Should match the metadata.name of the GatewayProxy resource.
❺ Namespace where the referenced resource is defined.
❻ Scope of the referenced resource.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
namespace: ingress-apisix
name: apisix
spec:
controller: apisix.apache.org/apisix-ingress-controller # 1
parameters:
apiGroup: apisix.apache.org # 2
kind: GatewayProxy # 3
name: apisix-config # 4
namespace: ingress-apisix # 5
scope: Namespace # 6❷ API group of the referenced resource.
❸ Kind of the referenced resource.
❹ Name of the referenced resource. Should match the metadata.name of the GatewayProxy resource.
❺ Namespace where the referenced resource is defined.
❻ Scope of the referenced resource.
To create a route that proxies requests to a service on K8s:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'Ingress', value: 'ingress'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: ingress-apisix
name: httpbin
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
backendRefs:
- name: httpbin
port: 80apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: ingress-apisix
name: httpbin
spec:
ingressClassName: apisix
rules:
- http:
paths:
- path: /ip
pathType: Exact
backend:
service:
name: httpbin
port:
number: 80apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: ingress-apisix
name: httpbin
spec:
ingressClassName: apisix
http:
- name: httpbin
match:
paths:
- /ip
backends:
- serviceName: httpbin
servicePort: 80To create a route that proxies requests to a service publicly hosted:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'Ingress', value: 'ingress'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: v1
kind: Service
metadata:
namespace: ingress-apisix
name: httpbin-external-domain
spec:
type: ExternalName
externalName: httpbin.org
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: ingress-apisix
name: get-ip
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
backendRefs:
- name: httpbin-external-domain
port: 80apiVersion: v1
kind: Service
metadata:
namespace: ingress-apisix
name: httpbin-external-domain
spec:
type: ExternalName
externalName: httpbin.org
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: ingress-apisix
name: get-ip
spec:
ingressClassName: apisix
rules:
- http:
paths:
- path: /ip
pathType: Exact
backend:
service:
name: httpbin-external-domain
port:
number: 80apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
namespace: ingress-apisix
name: httpbin-external-domain
spec:
ingressClassName: apisix
externalNodes:
- type: Domain
name: httpbin.org
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: ingress-apisix
name: get-ip
spec:
ingressClassName: apisix
http:
- name: get-ip
match:
paths:
- /ip
upstreams:
- name: httpbin-external-domainTo create a route that proxies traffic to upstream services by weight:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: ingress-apisix
name: httpbin
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
backendRefs:
- name: httpbin-1
port: 80
weight: 3
- name: httpbin-2
port: 80
weight: 7apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: ingress-apisix
name: httpbin
spec:
ingressClassName: apisix
http:
- name: httpbin
match:
paths:
- /ip
backends:
- serviceName: httpbin-1
servicePort: 80
weight: 3
- serviceName: httpbin-2
servicePort: 80
weight: 7This configuration is not supported by the Ingress resource.
To configure upstream related configurations, including load balancing algorithm, how the host header is passed to upstream, service timeout, and more:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: apisix.apache.org/v1alpha1
kind: BackendTrafficPolicy
metadata:
namespace: ingress-apisix
name: httpbin
spec:
targetRefs:
- name: httpbin
kind: Service
group: ""
timeout:
send: 10s
read: 10s
connect: 10s
scheme: http
retries: 10
loadbalancer:
type: roundrobin
passHost: rewrite
upstreamHost: httpbin.example.comapiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
namespace: ingress-apisix
name: httpbin
spec:
ingressClassName: apisix
timeout:
send: 10s
read: 10s
connect: 10s
scheme: http
retries: 10
loadbalancer:
type: roundrobin
passHost: rewrite
upstreamHost: httpbin.example.com<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
To create a consumer and configure the authentication credentials directly on the consumer:
apiVersion: apisix.apache.org/v1alpha1
kind: Consumer
metadata:
namespace: ingress-apisix
name: alice
spec:
gatewayRef:
name: apisix
credentials:
- type: key-auth
name: primary-key
config:
key: alice-primary-keyYou can also use the secret CRD, where the credential should be base64 encoded:
apiVersion: v1
kind: Secret
metadata:
namespace: ingress-apisix
name: key-auth-primary
data:
key: YWxpY2UtcHJpbWFyeS1rZXk=
---
apiVersion: apisix.apache.org/v1alpha1
kind: Consumer
metadata:
namespace: ingress-apisix
name: alice
spec:
gatewayRef:
name: apisix
credentials:
- type: key-auth
name: key-auth-primary
secretRef:
name: key-auth-primaryTo create a consumer and configure the authentication credentials directly on the consumer:
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
namespace: ingress-apisix
name: alice
spec:
ingressClassName: apisix
authParameter:
keyAuth:
value:
key: alice-primary-keyYou can also use the secret CRD, where the credential should be base64 encoded:
apiVersion: v1
kind: Secret
metadata:
namespace: ingress-apisix
name: key-auth-primary
data:
key: YWxpY2UtcHJpbWFyeS1rZXk=
---
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
namespace: ingress-apisix
name: alice
spec:
ingressClassName: apisix
authParameter:
keyAuth:
secretRef:
name: key-auth-primaryTo configure plugin(s) on a consumer, such as a rate limiting plugin:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: apisix.apache.org/v1alpha1
kind: Consumer
metadata:
namespace: ingress-apisix
name: alice
spec:
gatewayRef:
name: apisix
credentials:
- type: key-auth
name: alice-key
config:
key: alice-key
plugins:
- name: limit-count
config:
count: 3
time_window: 60
key: remote_addr
key_type: var
policy: local
rejected_code: 429
rejected_msg: Too many requests
show_limit_quota_header: true
allow_degradation: falseApisixConsumer currently does not support configuring plugins on consumers.
To configure route priority and request matching conditions on a targeted route:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: apisix.apache.org/v1alpha1
kind: HTTPRoutePolicy
metadata:
namespace: ingress-apisix
name: http-route-policy
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: HTTPRoute
name: httpbin
priority: 10
vars:
- - http_x_test_name
- ==
- new_name
- - arg_test
- ==
- test_nameapiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: ingress-apisix
name: httpbin
spec:
ingressClassName: apisix
http:
- name: httpbin
match:
paths:
- /*
exprs:
- subject:
scope: Header
name: X-Test-Name
op: Equal
value: new_name
- subject:
scope: Query
name: test
op: Equal
value: test_name
backends:
- serviceName: httpbin
servicePort: 80To configure plugins on a route:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: apisix.apache.org/v1alpha1
kind: PluginConfig
metadata:
namespace: ingress-apisix
name: auth-plugin-config
spec:
plugins:
- name: key-auth
config:
_meta:
disable: false
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: ingress-apisix
name: get-ip
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
filters:
- type: ExtensionRef
extensionRef:
group: apisix.apache.org
kind: PluginConfig
name: auth-plugin-config
backendRefs:
- name: httpbin
port: 80To enable basic-auth, key-auth, wolf-rbac, jwt-auth, ldap-auth, or hmac-auth:
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: ingress-apisix
name: get-ip
spec:
ingressClassName: apisix
http:
- name: get-ip
match:
paths:
- /ip
authentication:
enable: true
type: keyAuth
backends:
- serviceName: httpbin
servicePort: 80To enable other plugins:
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: ingress-apisix
name: get-ip
spec:
ingressClassName: apisix
http:
- name: get-ip
match:
paths:
- /ip
plugins:
- name: limit-count
enable: true
config:
count: 2
time_window: 10
rejected_code: 429
backends:
- serviceName: httpbin
servicePort: 80To configure a global plugin:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: ingress-apisix
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
endpoints:
- https://xxx.xxx.xxx.xxx:7443 # update with your CP endpoint
auth:
type: AdminKey
adminKey:
value: xxxxxxxxxxx # update with your admin key
plugins:
- name: clickhouse-logger
config:
endpoint_addr: http://clickhouse-clickhouse-installation.apisix.svc.cluster.local:8123
user: quickstart-user
password: quickstart-pass
logtable: test
database: quickstart_dbapiVersion: apisix.apache.org/v2
kind: ApisixGlobalRule
metadata:
namespace: ingress-apisix
name: apisix-global-rule-logging
spec:
ingressClassName: apisix
plugins:
- name: clickhouse-logger
enable: true
config:
endpoint_addr: http://clickhouse-clickhouse-installation.apisix.svc.cluster.local:8123
user: quickstart-user
password: quickstart-pass
logtable: test
database: quickstart_dbTo configure plugin metadata:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: ingress-apisix
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
endpoints:
- https://xxx.xxx.xxx.xxx:7443 # update with your CP endpoint
auth:
type: AdminKey
adminKey:
value: xxxxxxxxxxx # update with your admin key
pluginMetadata:
opentelemetry: {
"trace_id_source": "x-request-id",
"resource": {
"service.name": "APISIX"
},
"collector": {
"address": "simplest-collector:4318",
"request_timeout": 3,
"request_headers": {
"Authorization": "token"
}
},
"batch_span_processor": {
"drop_on_queue_full": false,
"max_queue_size": 1024,
"batch_timeout": 2,
"inactive_timeout": 1,
"max_export_batch_size": 16
},
"set_ngx_var": true
}To create a plugin config and reference it in a route:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'} ]}>
apiVersion: apisix.apache.org/v1alpha1
kind: PluginConfig
metadata:
namespace: ingress-apisix
name: example-plugin-config
spec:
plugins:
- name: response-rewrite
enable: true
config:
headers:
X-Plugin-Config: "example-response-rewrite"
X-Plugin-Test: "enabled"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: ingress-apisix
name: httpbin
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
filters:
- type: ExtensionRef
extensionRef:
group: apisix.apache.org
kind: PluginConfig
name: example-plugin-config
backendRefs:
- name: httpbin
port: 80apiVersion: apisix.apache.org/v2
kind: ApisixPluginConfig
metadata:
namespace: ingress-apisix
name: example-plugin-config
spec:
ingressClassName: apisix
plugins:
- name: response-rewrite
enable: true
config:
headers:
X-Plugin-Config: "example-response-rewrite"
X-Plugin-Test: "enabled"
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: ingress-apisix
name: httpbin
spec:
ingressClassName: apisix
http:
- name: get-ip
match:
paths:
- /ip
backends:
- serviceName: httpbin
servicePort: 80
plugin_config_name: example-plugin-configTo configure downstream TLS:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'}, ]}>
apiVersion: v1
kind: Secret
metadata:
namespace: ingress-apisix
name: test-tls-secret
type: kubernetes.io/tls
data:
tls.crt: <base64-encoded cert>
tls.key: <base64-encoded key>
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: ingress-apisix
name: apisix
spec:
gatewayClassName: apisix
listeners:
- name: https
protocol: HTTPS
port: 443
hostname: apisix.test
tls:
certificateRefs:
- kind: Secret
group: ""
name: test-tls-secret
infrastructure:
parametersRef:
group: apisix.apache.org
kind: GatewayProxy
name: apisix-proxy-config:::note
The port in the Gateway listener is required but ignored. This is due to limitations in the data plane: it cannot dynamically open new ports. Since the Ingress Controller does not manage the data plane deployment, it cannot automatically update the configuration or restart the data plane to apply port changes.
:::
apiVersion: v1
kind: Secret
metadata:
namespace: ingress-apisix
name: test-tls-secret
type: kubernetes.io/tls
data:
tls.crt: <base64-encoded cert>
tls.key: <base64-encoded key>
---
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
namespace: ingress-apisix
name: test-tls
spec:
ingressClassName: apisix-tls
hosts:
- apisix.test
secret:
name: test-tls-secret
namespace: ingress-apisixTo configure downstream mTLS:
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'APISIX CRD', value: 'apisix-crd'}, ]}>
Not supported.
apiVersion: v1
kind: Secret
metadata:
namespace: ingress-apisix
name: test-mtls-secret
type: kubernetes.io/tls
data:
tls.crt: <base64-encoded cert>
tls.key: <base64-encoded key>
---
apiVersion: v1
kind: Secret
metadata:
namespace: ingress-apisix
name: test-ca-secret
data:
cert: <base64-encoded caCert>
---
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
namespace: ingress-apisix
name: test-mtls
spec:
ingressClassName: apisix-tls
hosts:
- apisix.test
secret:
name: test-mtls-secret
namespace: ingress-apisix
client:
caSecret:
name: test-ca-secret
namespace: ingress-apisix
depth: 1These configurations allow Ingress Controller users to access the gateway.
<Tabs groupId="k8s-api" defaultValue="gateway" values={[ {label: 'Gateway API', value: 'gateway'}, {label: 'Ingress', value: 'ingress'}, {label: 'APISIX CRD', value: 'apisix-crd'}, ]}>
To configure the statusAddress:
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: ingress-apisix
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
endpoints:
- https://xxx.xxx.xxx.xxx:7443 # update with your CP endpoint
auth:
type: AdminKey
adminKey:
value: xxxxxxxxxxx # update with your admin key
statusAddress:
- 10.24.87.13If you are using Ingress resources, you can configure either statusAddress or publishService.
To configure the statusAddress:
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: ingress-apisix
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
endpoints:
- https://xxx.xxx.xxx.xxx:7443 # update with your CP endpoint
auth:
type: AdminKey
adminKey:
value: xxxxxxxxxxx # update with your admin key
statusAddress:
- 10.24.87.13To configure the publishService:
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: ingress-apisix
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
endpoints:
- https://xxx.xxx.xxx.xxx:7443 # update with your CP endpoint
auth:
type: AdminKey
adminKey:
value: xxxxxxxxxxx # update with your admin key
publishService: apisix-ee-3-gateway-gatewayWhen using publishService, make sure your gateway Service is of LoadBalancer type the address can be populated. The controller will use the endpoint of this Service to update the status information of the Ingress resource. The format can be either namespace/svc-name or simply svc-name if the default namespace is correctly set.
Not supported.