Professional Documents
Culture Documents
Kubernetes Ingress Controllers - Comparison
Kubernetes Ingress Controllers - Comparison
Notes
Notes [6] Notes [7] Notes [8] Notes [9] Notes [10] Notes Notes [11] Notes [12] Notes [13] Notes [14] Notes [15] Notes [16] Notes [17] Notes [18] Notes [19] Notes [20] Notes [21] Notes [22]
Leave a comment or drop us a line at
3. Clients research@learnk8s.io
Rate limiting (L4) [23] ✔ ✔ Needs help Partial ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✖ ✔ ✔ [24] Needs help ✔
Rate limiting (L7) [25] License: ✔ ✔ ✔ Partial ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✔ ✖ ✔ ✔ ✔ [26] Needs help ✔
Timeouts Apache 2.0 ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Safe-list/Block-list [27] Last updated: ✔ ✔ ✔ ✖ ✔ ✔ ✔ Partial ✖ ✖ ✔ Needs help ✔ ✔ ✔ ✔ Needs help ✔
Authentication February 17, 2021 ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Authorisation ✖ ✔ ✔ ✖ Needs help ✔ Partial ✖ ✔ ✔ ✖ ✔ ✖ ✔ ✔ ✔ ✔ ✔
Find more research at:
Notes
https://learnk8s.io/research Notes [28] Notes [29] Notes Notes Notes [30] Notes [31] Notes [32] Notes [33] Notes [34] Notes [35] Notes [36] Notes [37] Notes [38] Notes Notes [39] Notes [40] Notes [41] Notes [42]
4. Traffic routing
Host ✔ Supported in Free version ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Path ✔ Supported in Enterprise version ✔ [43] ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Headers ✖ Not supported ✔ [44] ✔ ✔ ✔ ✔ ✖ ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✔
Querystring Partial Partially supported ✔ [45] ✔ [46] ✔ ✔ ✔ ✖ ✔ ✖ ✔ ✖ Partial ✔ ✔ ✔ ✔ ✖ ✔ ✔
Method Needs help Not sure if it is supported ✔ [47] ✔ ✔ ✔ ✔ ✖ ✔ ✖ ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✔
ClientIP ✔ ✖ ✔
Notes
Notes [48] Notes [49] Notes Notes [50] Notes [51] Notes Notes [52] Notes [53] Notes [54] Notes [55] Notes [56] Notes [57] Notes [58] Notes [59] Notes [60] Notes [61] Notes [62] Notes [63]
5. Upstream probes/resiliency
Healthchecks [64] ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖ [65] ✔ ✔ ✔ ✔
Retries ✔ [66] ✔ ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔ Partial [67] ✖ Needs help ✖ ✔
Circuit Breaker ✖ ✔ ✔ ✖ ✔ ✔ ✖ ✖ ✔ ✖ ✔ ✔ ✔ ✔ [68] ✔ Needs help ✖ ✖
Notes
Notes Notes [69] Notes [70] Notes [71] Notes [72] Notes [73] Notes [74] Notes [75] Notes [76] Notes [77] Notes [78] Notes [79] Notes [80] Notes Notes [81] Notes [82] Notes [83] Notes [84]
6.Load balancer strategies
Round robin ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Sticky sessions ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Partial [85] ✔ ✔ ✔ ✔
Least connections ✖ ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖ ✖ ✔ ✔ ✔ ✔
Ring hash ✔ ✔ ✔ ✖ ✔ ✖ ✖ ✖ ✔ ✖ ✔ ✔ ✖ ✔ Needs help ✔ ✖ ✔
Maglev ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✔ ✖ ✔ ✔ ✖ ✖ ✖ ✔ ✖ ✖
Exponential-Weighted-Moving-Average ✔ ✖ ✔ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖
Custom load balancing ✔
Notes
Notes [86] Notes [87] Notes [88] Notes [89] Notes [90] Notes [91] Notes [92] Notes [93] Notes [94] Notes [95] Notes [96] Notes [97] Notes [98] Notes [99] Notes [100] Notes [101] Notes [102]
7. Authentication
Basic auth ✔ [103] ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖ ✖ ✔
External Auth ✔ [104] ✔ ✔ ✖ ✔ ✖ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ [105] ✖ ✔ ✖ ✖
Client certificate ✔ [106] ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Partial [107] ✔ ✖ ✖ ✔
OAuth ✔ ✔ ✔ ✖ ✔ ✖ ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✔ [108] ✔ ✔ ✔ ✖
OpenID ✖ ✔ ✔ ✖ ✔ ✖ ✖ ✖ ✔ ✖ ✔ ✔ ✔ ✔ ✖ ✔ ✔ ✖
JWT ✖ ✔ ✔ ✖ ✔ ✖ ✖ ✖ ✔ ✖ ✔ ✔ ✔ ✔ ✖ ✔ ✖ Partial [109]
LDAP ✖ ✔ ✔ ✖ ✔ ✖ ✖ ✖ ✖ ✖ ✖ ✔ ✔ ✖ ✖ ✔ ✖ ✔
HMAC ✖ ✔ ✔ ✖ Needs help ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✔ ✖ ✖ ✖ ✖ ✖
SAML ✔ ✖ ✔
Notes
Notes Notes [110] Notes [111] Notes Notes [112] Notes [113] Notes [114] Notes [115] Notes [116] Notes [117] Notes [118] Notes [119] Notes [120] Notes Notes [121] Notes [122] Notes [123] Notes [124]
8. Observability
Metrics ✔ [125] ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖ ✔
Tracing ✔ [126] ✔ ✔ ✔ ✔ Needs help ✖ Needs help ✔ ✔ ✔ ✔ ✔ ✔ ✔ Needs help ✖ ✖ [127]
Notes
Notes Notes [128] Notes [129] Notes [130] Notes [131] Notes [132] Notes [133] Notes [134] Notes [135] Notes [136] Notes [137] Notes [138] Notes [139] Notes [140] Notes Notes [141] Notes [142]
9. Kubernetes Integration
Kubernetes,
Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes Kubernetes
State Nomad
CRD ✖ ✔ ✔ ✔ ✔ ✖ ✖ ✔ ✔ ✔ ✔ Needs help ✔ ✔ ✔ ✔ ✖ ✔
Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide Clusterwide,
Scope and and namespace and and and and and and and and and and and and Clusterwide and namespace &
namespace namespace namespace namespace namespace namespace namespace namespace namespace namespace namespace namespace namespace namespace namespace Multi cluster
Support for the Service API (Ingress v2) ✖ ✖ Preview ✖ [143] ✖ ✖ ✖ Needs help Experimental ✖ ✖ ✖ ✖ ✖ [144] ✖ ✖ ✖ ✖
Integrates with service meshes ✔ ✔ ✔ ✖ ✔ ✔ ✔ Needs help ✔ ✖ ✔ ✔ ✔ ✖ [145] ✔ Needs help ✖ ✖ [146]
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Notes
Notes [147] Notes Notes Notes [148] Notes [149] Notes Notes [150] Notes Notes [151] Notes Notes Notes Notes [152] Notes [153] Notes [154] Notes Notes [155] Notes [156]
10. Traffic shaping
Canary ✔ [157] ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖ ✖ ✔
Session Affinity ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ [158] ✔ ✔ ✔ ✔
Dark launch ✔ Needs help ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✖ ✔ ✔ ✔ ✔ [159] ✔ ✖ ✖ ✔
blue-green and A/B or more generic Tee (think UNIX tee)
Notes
Notes Notes [160] Notes [161] Notes [162] Notes Notes [163] Notes Notes Notes [164] Notes [165] Notes [166] Notes Notes [167] Notes [168] Notes [169] Notes Notes [170]
11. Interface
Dashboard ✖ ✔ ✔ ✔ ✔ ✖ ✖ ✖ ✔ ✖ ✖ Needs help ✔ ✖ [171] ✖ Needs help ✖ ✔
Billing and reporting ✖ ✔ ✔ ✔ ✖ ✖ ✖ ✖ ✔ ✖ ✖ Needs help ✖ ✖ ✖ ✔ ✖ ✔
Developer portal ✖ ✔ ✔ ✔ ✔ ✖ ✖ ✖ ✔ ✖ ✔ ✔ ✔ ✔ [172] ✖ ✖ ✖ ✔
Skipper is built as library [173]
Notes
Notes Notes Notes Notes [174] Notes [175] Notes Notes Notes Notes [176] Notes Notes Notes Notes [177] Notes [178] Notes Notes [179] Notes Notes [180]
12. Performance
Elastic HA ✔ ✔
DPDK ✔ ✔
TCP Segmentation Offload ✔ ✔
Generic Receive Offload ✔ ✔
Receive Side Scaling ✔ ✔
Notes
Notes Notes Notes Notes Notes Notes Notes Notes Notes Notes Notes Notes Notes Notes Notes Notes Notes [181]
<---WIP--->
13. Other
Hot reloading [182] ✖ Needs help ✔ Needs help ✔ ✔ Needs help ✔ ✔ ✔ Needs help ✖ ✔ Needs help Needs help Needs help ✔
LetsEncrypt Integration ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✖
Transparent update of certificates ✔ ✔
Wildcard certificate support ✔ ✔ ✔ ✔ ✔ ✔
Rolling Upgrades ✔ ✔
Global load balancing ✔ ✔
Notes
Notes [183] Notes [184] Notes Notes [185] Notes [186] Notes [187] Notes [188] Notes [189] Notes [190] Notes [191] Notes [192] Notes [193] Notes [194] Notes [195] Notes [196] Notes Notes [197]
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
Azure App
Apache HAProxy HAProxy
Ingress Nginx Kong Gateway Nginx+ Voyager Istio Ingress Contour Ambassador Gloo Traefik Skipper Citrix Ingress GKE Ingress ALB Ingress AKO
APISIX Tech (jcmoraisjr)
Product/Project Ingress
[1] TLS termination not supported.
[4] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
QUIC/HTTP3: https://github.com/kubernetes/ingress-nginx/issues/4760
WAF:
https://kubernetes.github.io/ingress-nginx/user-guide/third-party-addons/modsecurity/
[7]
- TCP & TLS Support
https://docs.konghq.com/kubernetes-ingress-controller/1.1.x/guides/using-tcpingress/
- QUIC/HTTP3
https://github.com/Kong/kong/issues/4103
TCP https://github.com/apache/apisix-ingress-controller/issues/11
TCP+TLS https://github.com/apache/apisix-ingress-controller/issues/119
UDP https://github.com/apache/apisix-ingress-controller/issues/116
[9] - HTTP2 is supported for inbound traffic only. Traffic to listeners is HTTP/1.1.
- gRPC is in development.
[10] - https://docs.nginx.com/nginx-ingress-controller/overview/#nginx-ingress-controller
WAF: https://docs.nginx.com/nginx-waf/
WAF: https://haproxy-ingress.github.io/docs/examples/modsecurity/
[12] https://voyagermesh.com/docs/10.0.0/guides/ingress/
[13] https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/
[14] https://projectcontour.io/docs/main/httpproxy/
[15] https://github.com/datawire/ambassador
WAF: https://blog.getambassador.io/integration-enables-secure-self-service-microservice-deployment-fbc0e6c0f087
[16] https://docs.solo.io/gloo/latest/guides/traffic_management/listener_configuration/
WAF: https://docs.solo.io/gloo-edge/latest/guides/security/waf/
[17] https://doc.traefik.io/traefik/routing/entrypoints/
Proxy protocol
https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol
GRPC: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/how-to/grpc/
TCP: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/profiles/#tcp-profile
UDP: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/how-to/tcp-udp-ingress/
WAF: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/crds/waf/#configure-web-application-firewall-policies-with-the-citrix-
ingress-controller
TCP: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/profiles/#tcp-profile
UDP: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/how-to/tcp-udp-ingress/
WAF: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/crds/waf/#configure-web-application-firewall-policies-with-the-citrix-
ingress-controller
HTTP2:
https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-http2
GRPC Example:
https://medium.com/google-cloud/gke-grpc-ingress-loadbalancing-4b9cdbc09758
Websocket:
https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-xlb#support_for_websocket
Proxy Protocol:
https://github.com/kubernetes/ingress-gce/issues/1002
WAF:
This is possible by using Google cloud armor
https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#cloud_armor
[21] HTTP(S):
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#backend-protocol
HTTP2/GRPC:
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#backend-protocol-version
TCP/UDP:
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/nlb_ip_mode/#protocols
Websockets:
Refer for config
https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/1090#issuecomment-561842212
Proxy Protocol:
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/nlb_ip_mode/#protocols
WAF:
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#default-throttle-config
Websockets:
Refer for config
https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/1090#issuecomment-561842212
Proxy Protocol:
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/nlb_ip_mode/#protocols
WAF:
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#default-throttle-config
TCP: https://avinetworks.com/docs/20.1/architectural-overview/templates/profiles/application-profile/#l4-profile
TCP+TLS: https://avinetworks.com/docs/18.2/layer-4-ssl-support/
UDP: https://avinetworks.com/docs/20.1/architectural-overview/templates/profiles/application-profile/#l4-profile
Websockets: https://avinetworks.com/docs/20.1/configuration-guide/templates/profiles/application-profile/#http-profile-tab
WAF: https://avinetworks.com/docs/20.1/waf-support/
GSLB: https://github.com/avinetworks/avi-helm-charts/blob/master/docs/AMKO/README.md
https://avinetworks.com/docs/20.1/avi-gslb-architecture/
[24] RPS documentation is not straight forward, possibly involves work around.
Refer issue: https://github.com/kubernetes/ingress-gce/issues/670
[26] RPS documentation is not straight forward, possibly involves work around.
Refer issue: https://github.com/kubernetes/ingress-gce/issues/670
[27] allowlist/denylist
[28] - https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
-
https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/#testing-the-request-rate-limit
https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-health-check/
[28] - https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
-
https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/#testing-the-request-rate-limit
https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-health-check/
- Timeout
https://docs.konghq.com/2.2.x/proxy/#3-proxying--upstream-timeouts
- Safe-list/Block-list
https://docs.konghq.com/hub/kong-inc/ip-restriction/
- Authentication
https://docs.konghq.com/hub/#authentication
-Authorization
https://konghq.com/blog/custom-authentication-and-authorization-framework-with-kong/
Safe-list/Block-list example:
https://github.com/nginxinc/kubernetes-ingress/tree/5047caf007ce5ba6239a4c4c0b64c118435d32a1/examples-of-custom-resources/access-control
- Timeout
https://www.haproxy.com/documentation/hapee/latest/onepage/#4.2-timeout%20check
- Safe-list/Block-list
https://www.haproxy.com/documentation/aloha/12-0/security/packetshield/blacklist/
https://www.haproxy.com/documentation/aloha/12-0/security/packetshield/whitelist/
- Authentication
-Authorization
https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/
- Safe-list/Block-list
https://www.haproxy.com/documentation/aloha/12-0/security/packetshield/blacklist/
https://www.haproxy.com/documentation/aloha/12-0/security/packetshield/whitelist/
- Authentication
-Authorization
https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/
- Timeout
https://www.haproxy.com/documentation/hapee/latest/onepage/#4.2-timeout%20check
- Safe-list/Block-list
https://www.haproxy.com/documentation/aloha/12-0/security/packetshield/blacklist/
https://www.haproxy.com/documentation/aloha/12-0/security/packetshield/whitelist/
- Authentication
-Authorization
https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/
- Timeout
https://voyagermesh.com/docs/5.0.0/guides/ingress/configuration/default-timeouts/
- Safe-list/Block-list
https://voyagermesh.com/docs/7.1.1/guides/ingress/configuration/whitelist/
- Authentication
https://voyagermesh.com/docs/7.1.1/guides/ingress/security/basic-auth/
- Timeout
https://www.haproxy.com/documentation/hapee/latest/onepage/#4.2-timeout%20check
- Safe-list/Block-list
https://istio.io/latest/docs/tasks/policy-enforcement/denial-and-list/
- Authentication
https://istio.io/latest/docs/tasks/security/authentication/
-Authorization
- Timeout
https://www.haproxy.com/documentation/hapee/latest/onepage/#4.2-timeout%20check
- Safe-list/Block-list
https://istio.io/latest/docs/tasks/policy-enforcement/denial-and-list/
- Authentication
https://istio.io/latest/docs/tasks/security/authentication/
-Authorization
https://istio.io/latest/docs/tasks/security/authorization/
- Timeout
https://projectcontour.io/docs/main/annotations/
- Authentication
https://projectcontour.io/client-cert-auth-ingress-improvements/
- Timeout
https://www.getambassador.io/docs/latest/topics/using/timeouts/
- Authentication
https://www.getambassador.io/docs/latest/howtos/basic-auth/
- Timeout
https://docs.solo.io/gloo/latest/guides/traffic_management/request_processing/timeout/
- Timeout
https://doc.traefik.io/traefik/v1.7/configuration/commons/#timeouts
- Safe-list/Block-list
https://doc.traefik.io/traefik/middlewares/ipwhitelist/
[38] - Rate limit
https://doc.traefik.io/traefik/middlewares/ratelimit/
- Timeout
https://doc.traefik.io/traefik/v1.7/configuration/commons/#timeouts
- Safe-list/Block-list
https://doc.traefik.io/traefik/middlewares/ipwhitelist/
https://pilot.traefik.io/plugins/276812076107694611/deny-ip-plugin
- Authentication
https://docs.konghq.com/getting-started-guide/2.1.x/secure-services/
-Authorization
https://doc.traefik.io/traefik/middlewares/forwardauth/
Timeout: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/how-to/http-use-cases/#reqtimeout-and-reqtimeoutaction
Safe-list/Block-list
https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/how-to/ip-whitelist-blacklist/
Authentication/Authorisation:
https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/crds/auth/
Timeout: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#timeout
Safe-list/Block-list:
Requires google cloud armor
- Reference https://github.com/kubernetes/ingress-gce/issues/38
Authentication/Authorization:
Possible with using google Identity Aware Proxy (IAP)
Docs:https://cloud.google.com/iap/docs/enabling-kubernetes-howto
- Reference: https://github.com/kubernetes/ingress-gce/issues/914
[41] Timeout:
idle_timeout
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#custom-attributes
Authentication: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#authentication
[41] Timeout:
idle_timeout
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#custom-attributes
Authentication: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#authentication
Authorisation:
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/tasks/cognito_authentication/#cognito-configuration
Timeouts: https://avinetworks.com/docs/20.1/tcpudp-profile/#custom
Safe-list/Block-list: https://avinetworks.com/docs/20.1/architectural-overview/applications/vs-policies/#network-security
Authentication: https://avinetworks.com/docs/20.1/configuration-guide/applications/vs-policies/#access
Authorization:
SAML: https://avinetworks.com/docs/20.1/configuring-saml-authorization-policies/
JWT: https://avinetworks.com/docs/20.1/jwt-validation-configuration/
[48] Headers, Querystrings and Methods are not supported in the Ingress manifest. You need to use the configuration snippet and configure Nginx directly:
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#configuration-snippet
[49] - Routing
https://docs.konghq.com/2.0.x/proxy/#routes-and-matching-capabilities
[51] All routing techniques supported by nginx is supported. Use raw config
More here: https://github.com/nginxinc/kubernetes-ingress/blob/00618a60c3419348411df4ba805a9827e3e8520a/docs-web/configuration/ingress-
resources/advanced-configuration-with-snippets.md#advanced-configuration-with-snippets
[52] - Routing
HTTP Routing section
https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-1/
- Method: https://cbonte.github.io/haproxy-dconv/2.3/configuration.html&sa=D&ust=1609811768642000&usg=AFQjCNE0aCgu_IRlpqnwBsEOL46K2Ef5QA
[53] - Routing
https://voyagermesh.com/docs/7.1.1/guides/ingress/http/virtual-hosting/#hostname-based-routing
[54] - Routing
https://istio.io/latest/docs/concepts/traffic-management/#routing-rules
https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPRoute
[55] - Routing
https://github.com/projectcontour/contour/blob/main/site/docs/v1.0.0/ingressroute.md
[56]
- Header based Routing
https://www.getambassador.io/docs/latest/topics/using/headers/headers/
[57] https://docs.solo.io/gloo/latest/introduction/traffic_management/
[58] - Routing
https://doc.traefik.io/traefik/routing/routers/
[60] https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/crds/content-routing/
[61] GLBC supports only Host and Path routing, documented here: https://cloud.google.com/load-balancing/docs/url-map
In the github repository was able to find only Host and Path based routing.
https://github.com/kubernetes/ingress-gce/search?q=routing
[63] https://avinetworks.com/docs/20.1/http-request-policy/
https://github.com/avinetworks/avi-helm-charts/blob/master/docs/AKO/crds/hostrule.md
[66] https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-timeouts
[67] automated retry in case of TCP/TLS connect to backend was not possible
[69] - Healthchecks
https://docs.konghq.com/2.2.x/health-checks-circuit-breakers/
- Retries
https://docs.konghq.com/2.2.x/proxy/#4-errors--retries
- Circuit breaker
https://docs.konghq.com/2.2.x/health-checks-circuit-breakers/#passive-health-checks-circuit-breakers
Retries https://github.com/apache/apisix-ingress-controller/issues/118
Retries https://github.com/apache/apisix-ingress-controller/issues/118
[72]
Circuit breaker:
https://www.nginx.com/blog/announcing-nginx-ingress-controller-for-kubernetes-release-1-7-0/#circuit-breaker
[73] - Healthchecks
https://www.haproxy.com/documentation/aloha/latest/traffic-management/lb-layer7/health-checks/
- Retries
https://www.haproxy.com/blog/haproxy-layer-7-retries-and-chaos-engineering/
- Circuit Breaker
https://www.haproxy.com/blog/circuit-breaking-haproxy/
[74] - Healthchecks
https://www.haproxy.com/documentation/aloha/latest/traffic-management/lb-layer7/health-checks/
- Retries
https://www.haproxy.com/blog/haproxy-layer-7-retries-and-chaos-engineering/
[75] - Healthchecks
https://voyagermesh.com/docs/10.0.0/guides/ingress/configuration/health-check/
[76] - Healthchecks
https://istio.io/latest/docs/ops/configuration/mesh/app-health-check/
- Retries
https://istio.io/latest/docs/concepts/traffic-management/#retries
- Circuit breakers
https://istio.io/latest/docs/concepts/traffic-management/#circuit-breakers
- Retries
https://istio.io/latest/docs/concepts/traffic-management/#retries
- Circuit breakers
https://istio.io/latest/docs/concepts/traffic-management/#circuit-breakers
[77] - Healthchecks
https://projectcontour.io/docs/main/httpproxy/#per-route-health-checking
- Retries
https://projectcontour.io/docs/main/httpproxy/#response-timeout
[78] - Healthchecks
https://www.getambassador.io/docs/latest/topics/running/diagnostics/#health-status
- Retries
https://www.getambassador.io/docs/latest/topics/using/retries/
- Circuit breakers
https://www.getambassador.io/docs/latest/topics/using/circuit-breakers/
[79] - Healthchecks
https://docs.solo.io/gloo/1.1.0/gloo_routing/gateway_configuration/health_checks/
- Retries
https://docs.solo.io/gloo/latest/introduction/traffic_management/
- Circuit breakers
https://www.getambassador.io/docs/latest/topics/using/circuit-breakers/
[80] - Healthchecks
https://doc.traefik.io/traefik/routing/services/#health-check
- Retries
https://doc.traefik.io/traefik/middlewares/retry/#retry
- Circuit breaker
https://doc.traefik.io/traefik/middlewares/circuitbreaker/
[81] https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/multicluster/multi-cluster/#failover-deployment
[82] Health Check
https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#health_checks
Retries: https://avinetworks.com/docs/20.1/http-server-reselect/
[86] https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-nginx-load-balancing
- Algorithms
Check algorithm attribute
https://docs.konghq.com/2.2.x/admin-api/#upstream-object
[88] 在此处键入
在此处键入
Maglev https://research.google/pubs/pub44824/
[89] https://opensource.zalando.com/skipper/reference/backends/#load-balancer-backend
power of N choices based on HTTP requests is an open PR
[90] lb Setting:
https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#backend-services-upstreams
Sticky session:
Available in nginx plus
https://github.com/nginxinc/kubernetes-ingress/tree/v1.9.0/examples/session-persistence
[90] lb Setting:
https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#backend-services-upstreams
Sticky session:
Available in nginx plus
https://github.com/nginxinc/kubernetes-ingress/tree/v1.9.0/examples/session-persistence
[91] - Algorithms
check balance section in
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html
[92] - Algorithms
https://voyagermesh.com/docs/10.0.0/guides/ingress/configuration/loadbalance-algorithm/
[93] - Algorithms
https://istio.io/latest/docs/reference/config/networking/destination-rule/
[94] - Algorithms
https://github.com/projectcontour/contour/blob/main/design/ingressroute-design.md#load-balancing
[95] - Algorithms
https://www.getambassador.io/docs/latest/topics/running/load-balancer/
[96] - Algorithms
https://docs.solo.io/gloo/1.3.0/api/github.com/solo-io/gloo/projects/gloo/api/v1/load_balancer.proto.sk/
[97] - Algorithms
https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#server-load-balancing
[98] https://opensource.zalando.com/skipper/reference/backends/#load-balancer-backend
power of N choices based on HTTP requests is an open PR
Sticky Session:
https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/how-to/session-affinity/#source-ip-address-persistence
Least connections:
https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/annotations/#sample-ingress-yaml-with-smart-annotations
https://github.com/kubernetes/ingress-gce/blob/6c3ddf60041c71718d7b67c753cc8c44b25afb02/pkg/composite/gen.go#L425
[100] List from github code. Couldn't find clear documentation.
https://github.com/kubernetes/ingress-gce/blob/6c3ddf60041c71718d7b67c753cc8c44b25afb02/pkg/composite/gen.go#L425
https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html#request-routing
LB Algorithms: https://avinetworks.com/docs/20.1/load-balancing-algorithms/
[103] https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#authentication
[104] https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#external-authentication
[105] https://opensource.zalando.com/skipper/reference/filters/#webhook
[106] https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/
[109] Feature present in Avi. Configuration of JWT auth using AKO is on roadmap
- External Auth
https://konghq.com/blog/custom-authentication-and-authorization-framework-with-kong/
- Client Certificate
https://docs.konghq.com/hub/kong-inc/mtls-auth/
- OAuth
https://docs.konghq.com/hub/kong-inc/basic-auth/
- External Auth
https://konghq.com/blog/custom-authentication-and-authorization-framework-with-kong/
- Client Certificate
https://docs.konghq.com/hub/kong-inc/mtls-auth/
- OAuth
https://docs.konghq.com/hub/kong-inc/oauth2/
- OpenID
https://docs.konghq.com/hub/kong-inc/openid-connect/
-JWT
https://docs.konghq.com/hub/kong-inc/jwt/
-LDAP
https://docs.konghq.com/hub/kong-inc/ldap-auth/
-HMAC
https://docs.konghq.com/hub/kong-inc/hmac-auth/
OAuth:
https://github.com/nginxinc/kubernetes-ingress/issues/982
LDAP:
https://github.com/nginxinc/nginx-ldap-auth
- Client Certificate
https://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/
- OAuth
https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/
https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7.3.6-http_auth
- Client Certificate
https://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/
- OAuth
https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/
- Client Certificate
https://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/
- OAuth
https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/
[115] https://voyagermesh.com/docs/7.1.1/guides/ingress/security/basic-auth/
- OpenID
https://istio.io/latest/blog/2019/app-identity-and-access-adapter/#protecting-web-applications
-JWT
https://istio.io/latest/docs/concepts/security/#request-authentication
[117] https://github.com/projectcontour/contour-authserver
- External Auth
https://www.getambassador.io/docs/latest/topics/running/services/auth-service/#configure-an-external-authservice
- Client Certificate
https://www.getambassador.io/docs/latest/howtos/client-cert-validation/
- OAuth
https://www.getambassador.io/docs/latest/howtos/oauth-oidc-auth/
-JWT
https://www.getambassador.io/docs/latest/topics/using/filters/jwt/
https://www.getambassador.io/docs/latest/topics/running/services/auth-service/#configure-an-external-authservice
- Client Certificate
https://www.getambassador.io/docs/latest/howtos/client-cert-validation/
- OAuth
https://www.getambassador.io/docs/latest/howtos/oauth-oidc-auth/
-JWT
https://www.getambassador.io/docs/latest/topics/using/filters/jwt/
[119] https://docs.solo.io/gloo/latest/guides/security/auth/
- External Auth
https://doc.traefik.io/traefik/middlewares/forwardauth/
- Client Certificate
https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls
- OAuth
https://doc.traefik.io/traefik-enterprise/middlewares/oauth-intro/
- OpenID
https://doc.traefik.io/traefik-enterprise/middlewares/oidc/
-JWT
https://doc.traefik.io/traefik-enterprise/middlewares/jwt/
-LDAP
https://doc.traefik.io/traefik-enterprise/middlewares/ldap/
-HMAC
https://doc.traefik.io/traefik-enterprise/middlewares/hmac/
OAuth:
https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/crds/auth/#oauth-authentication
Client certificate:
https://github.com/citrix/citrix-k8s-ingress-controller/blob/5e357361726988a4a01691c9a14dfd4f80c6e9a1/docs/certificate-management/client-auth-support.
md
OAuth:
https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/crds/auth/#oauth-authentication
Client certificate:
https://github.com/citrix/citrix-k8s-ingress-controller/blob/5e357361726988a4a01691c9a14dfd4f80c6e9a1/docs/certificate-management/client-auth-support.
md
LDAP:
https://cloud.google.com/iap/docs/concepts-overview#authentication
JWT:
https://cloud.google.com/iap/docs/signed-headers-howto
OpenID:
https://cloud.google.com/iap/docs/authentication-howto#obtaining_an_oidc_token_for_the_default_service_account
SAML: https://avinetworks.com/docs/20.1/single-sign-on-with-saml/
JWT: https://avinetworks.com/docs/20.1/jwt-validation/
LDAP: https://avinetworks.com/docs/18.2/ldap-authentication/
[125] https://kubernetes.github.io/ingress-nginx/user-guide/monitoring/
[126] https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/third-party-addons/opentracing.md
[128] - Prometheus
https://docs.konghq.com/hub/kong-inc/prometheus/
- StatsD
https://docs.konghq.com/hub/kong-inc/statsd/
- Zipkin
https://docs.konghq.com/hub/kong-inc/zipkin/
https://docs.konghq.com/hub/kong-inc/prometheus/
- StatsD
https://docs.konghq.com/hub/kong-inc/statsd/
- Zipkin
https://docs.konghq.com/hub/kong-inc/zipkin/
[131] - Prometheus
https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
- Tracing
https://www.haproxy.com/blog/announcing-haproxy-2-3/
[132] - Prometheus
https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
[133] - Metrics
https://voyagermesh.com/docs/10.0.0/guides/ingress/monitoring/using-builtin-prometheus/
[134] - Metrics
https://istio.io/latest/docs/tasks/observability/metrics/
- Tracing
https://istio.io/latest/docs/tasks/observability/distributed-tracing/
[135] - Metrics
https://projectcontour.io/guides/prometheus/
- Tracing
https://github.com/projectcontour/contour/issues/399
[136] - Metrics
https://www.getambassador.io/docs/latest/topics/running/statistics/
-Tracing
https://www.getambassador.io/docs/latest/topics/running/services/tracing-service/
[136] - Metrics
https://www.getambassador.io/docs/latest/topics/running/statistics/
-Tracing
https://www.getambassador.io/docs/latest/topics/running/services/tracing-service/
[137] - Metrics
https://docs.solo.io/gloo/1.1.0/observability/metrics/
-Tracing
https://docs.solo.io/gloo/1.1.0/observability/tracing/
[138] - Metrics
https://doc.traefik.io/traefik/observability/metrics/overview/
- Tracing
https://doc.traefik.io/traefik/observability/tracing/overview/
Tracing support:
https://developer-docs.citrix.com/projects/citrix-observability-exporter/en/latest/deploy-coe/
Skipper is strong in HTTP routing and best result can be achieved in combination with Cloud load balancers, or baremetal load balancers that terminate TLS
traffic.
For AWS there is https://github.com/zalando-incubator/kube-ingress-aws-controller that integrates with ALB or NLB (shared cloud loadbalancer)
[149] Scope:
https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/
[150] - Scope
https://github.com/jcmoraisjr/haproxy-ingress/issues/400
- Consul support
https://www.hashicorp.com/resources/integrating-consul-connect-with-haproxy
[152] - CRD
https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/
Skipper is strong in HTTP routing and best result can be achieved in combination with Cloud load balancers, or baremetal load balancers that terminate TLS
traffic.
For AWS there is https://github.com/zalando-incubator/kube-ingress-aws-controller that integrates with ALB or NLB (shared cloud loadbalancer)
Scope:
https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#limiting-namespaces
[157] https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#canary
[159] https://opensource.zalando.com/skipper/tutorials/shadow-traffic/
- Canary
https://docs.konghq.com/hub/kong-inc/canary/
[164] -Canary
https://github.com/projectcontour/contour/blob/main/design/ingressroute-design.md#canary-deployments
[165] - Canary
https://www.getambassador.io/docs/latest/topics/using/canary/
- Dark launch
https://blog.getambassador.io/embrace-the-dark-side-of-api-gateways-traffic-shadowing-and-dark-launching-976984f9d094
[166] - Canary
https://docs.solo.io/gloo/1.2.0/gloo_routing/virtual_services/canary/
- Dark launch
https://blog.getambassador.io/embrace-the-dark-side-of-api-gateways-traffic-shadowing-and-dark-launching-976984f9d094
[167] automation for blue-green with canary available via https://github.com/zalando-incubator/stackset-controller
or via https://github.com/weaveworks/flagger
Session Affinity:
https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/how-to/session-affinity/
[172] https://opensource.zalando.com/skipper/tutorials/development/
[173] https://pkg.go.dev/github.com/zalando/skipper
- Developer portal
https://istio.io/latest/docs/tasks/observability/kiali/
[178] https://opensource.zalando.com/skipper/tutorials/
Lets encrypt:
https://kubernetes.github.io/ingress-nginx/user-guide/tls/#automated-certificate-management-with-kube-lego
[184]
Integrates with cert-manager
https://docs.konghq.com/kubernetes-ingress-controller/1.1.x/guides/cert-manager/
LetsEncrypt: https://github.com/istio/istio/issues/6486
[189] Hot reload: https://github.com/istio/istio/issues/15182
LetsEncrypt: https://github.com/istio/istio/issues/6486
LetsEncrypt: https://github.com/projectcontour/contour/blob/53c21fa0781e61a48ee9945687b46ccfd6bb6efe/site/_guides/cert-manager.md
LetsEncrypt: https://github.com/datawire/ambassador/blob/e76d06e99de4feef16566bfbb50dd406666a8e7b/docs/howtos/cert-manager.md
LetsEncrypt: https://github.com/traefik/traefik/blob/2747e240c1a97031367a1a566a1401a2367a54d2/docs/content/providers/kubernetes-ingress.md