Kubernetes Ingress with NGINX: Production Routing and TLS

  • Author: Liam K.
  • Date: March 08, 2026
  • Reading time: 24 minutes

Production ingress is where application reliability and platform reliability meet. NGINX Ingress configuration affects latency, TLS behavior, error handling, and blast radius during incidents, so it needs the same engineering discipline as application code.

The goal is to make routing predictable under change: clear ownership, safe defaults, and runbooks for certificate failures, backend outages, and bad rewrites.

1. Traffic model and ownership

Define who owns global ingress policy versus team-specific routes. Platform teams should own controller lifecycle, TLS policy, and WAF integration, while service teams own host/path contracts and backend SLOs.

2. Baseline ingress resource

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-ingress
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "30"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [api.example.com]
      secretName: api-example-com-tls   # populated by the Certificate in section 3
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            # backend Service name and port are assumed to complete the example
            backend: {service: {name: api, port: {number: 8080}}}
```
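A pre-apply lint for manifests like the one above, added here as an example rather than code from the article: it enforces the baseline this section sets (an explicit ingress class, TLS for every routed host) together with the body-size and timeout bounds listed under section 5, and flags a rewrite-target that would collapse every path onto one URI. The thresholds, the set of required annotations and the two sample manifests are this example's own choices, not the article's.

```python
"""Lint an Ingress manifest for the safe defaults this page argues for.

Added example, not code from the article. Input is the JSON object from
`kubectl get ingress <name> -o json` (convert a YAML file with
`kubectl create --dry-run=client -o json -f ingress.yaml`). The thresholds,
the required-annotation set and the sample manifests are this example's own
policy and constructed data.
"""
import json
import sys

ANNOT = "nginx.ingress.kubernetes.io/"
MAX_TIMEOUT_SECONDS = 60  # policy: never wait on an upstream for more than a minute
REQUIRED_TIMEOUTS = ("proxy-read-timeout", "proxy-send-timeout")


def lint_ingress(ing: dict) -> list:
    """Return a list of findings for one Ingress object; an empty list means it passes."""
    findings = []
    meta = ing.get("metadata", {})
    spec = ing.get("spec", {})
    ann = meta.get("annotations") or {}
    name = meta.get("name", "<unnamed>")

    if not spec.get("ingressClassName"):
        findings.append(f"{name}: spec.ingressClassName unset; another controller may claim it")

    # Every routed host needs a TLS entry, and wildcards widen the routing contract.
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if not host:
            findings.append(f"{name}: rule without host matches every name on the controller")
            continue
        if host not in tls_hosts:
            findings.append(f"{name}: host {host} has no spec.tls entry (plaintext exposure)")
        if host.startswith("*."):
            findings.append(f"{name}: wildcard host {host}; prefer explicit hosts")

    # Timeouts must be explicit integers inside the policy bound.
    for key in REQUIRED_TIMEOUTS:
        raw = ann.get(ANNOT + key)
        if raw is None:
            findings.append(f"{name}: missing annotation {ANNOT}{key}")
            continue
        if not raw.isdigit() or not 0 < int(raw) <= MAX_TIMEOUT_SECONDS:
            findings.append(f"{name}: {ANNOT}{key}={raw!r} not an integer in (0, {MAX_TIMEOUT_SECONDS}]")

    # Body limit must be explicit (the controller default is 1m, but make the intent visible).
    if ANNOT + "proxy-body-size" not in ann:
        findings.append(f"{name}: missing annotation {ANNOT}proxy-body-size")

    # rewrite-target with no regex path and no capture group sends every matched
    # request to the same literal URI, a classic broken-rewrite outage.
    target = ann.get(ANNOT + "rewrite-target")
    if target is not None and ann.get(ANNOT + "use-regex") != "true" and "$" not in target:
        findings.append(f"{name}: rewrite-target {target!r} without use-regex collapses all paths")
    return findings


# Constructed sample manifests (parsed form) for the stand-alone demo.
GOOD_INGRESS = {
    "metadata": {"name": "api-ingress", "annotations": {
        ANNOT + "proxy-read-timeout": "30", ANNOT + "proxy-send-timeout": "30",
        ANNOT + "proxy-body-size": "8m"}},
    "spec": {"ingressClassName": "nginx",
             "tls": [{"hosts": ["api.example.com"], "secretName": "api-example-com-tls"}],
             "rules": [{"host": "api.example.com"}]},
}
BAD_INGRESS = {
    "metadata": {"name": "api-ingress", "annotations": {
        ANNOT + "proxy-read-timeout": "300", ANNOT + "rewrite-target": "/"}},
    "spec": {"rules": [{"host": "api.example.com"}]},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            obj = json.load(fh)
    else:
        obj = BAD_INGRESS
    problems = lint_ingress(obj)
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Run it in CI against the rendered manifest, or in a pre-commit hook; the exit status makes it a gate rather than a report.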

3. TLS and certificate lifecycle

Use cert-manager with one Issuer or ClusterIssuer per environment, so that staging experiments never consume the production issuer's credentials or rate limits. Track renewal windows and alert on expiration risk before user traffic is impacted: cert-manager records notAfter and renewalTime on each Certificate, and a renewal that has not completed by renewalTime is the earliest sign of trouble, well before the certificate actually expires.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-example-com
  namespace: production
spec:
  secretName: api-example-com-tls
  dnsNames:
    - api.example.com
  # Renew 30 days before expiry so a failed renewal surfaces long before impact.
  duration: 2160h    # 90 days
  renewBefore: 720h  # 30 days
  issuerRef:
    name: letsencrypt-prod   # assumed ClusterIssuer name for this environment
    kind: ClusterIssuer
```
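The expiry alerting the text asks for, as an added example rather than the article's code: it reads the output of `kubectl get certificate -A -o json`, since cert-manager already records notAfter, renewalTime and the Ready condition on each Certificate, so no X.509 parsing is needed. The 14-day threshold and the three sample objects are assumptions made for this example.

```python
"""Flag cert-manager Certificates whose renewal is failing or whose expiry is near.

Added example, not code from the article. Input is the List object from
`kubectl get certificate -A -o json`; status.notAfter, status.renewalTime and
the Ready condition are the fields cert-manager records on a Certificate.
WARN_DAYS and the sample objects are this example's own policy and constructed data.
"""
import json
import sys
from datetime import datetime, timezone

WARN_DAYS = 14  # policy: alert when fewer days than this remain


def _ts(value):
    """Parse the RFC 3339 timestamps cert-manager writes (e.g. 2026-04-07T10:00:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def assess(cert: dict, now: datetime) -> dict:
    """Classify one Certificate as ok / warning / critical with a human-readable reason."""
    meta = cert["metadata"]
    name = f"{meta['namespace']}/{meta['name']}"
    status = cert.get("status", {})
    ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
    not_after = _ts(status.get("notAfter"))
    renewal = _ts(status.get("renewalTime"))

    if ready is None or ready.get("status") != "True":
        why = (ready or {}).get("message") or (ready or {}).get("reason") or "no Ready condition"
        return {"name": name, "severity": "critical", "reason": f"not Ready: {why}"}
    if not_after is None:
        return {"name": name, "severity": "critical", "reason": "Ready but no notAfter recorded"}
    days_left = (not_after - now).total_seconds() / 86400
    if days_left <= 0:
        return {"name": name, "severity": "critical", "reason": "certificate has expired"}
    # Ready stays True while the old cert is still valid, so an overdue renewalTime is
    # the earliest signal that renewal is failing; catch it before days_left gets small.
    if renewal is not None and renewal < now:
        return {"name": name, "severity": "warning",
                "reason": f"renewal due {renewal.date()} has not completed, {days_left:.1f} days left"}
    if days_left <= WARN_DAYS:
        return {"name": name, "severity": "warning", "reason": f"{days_left:.1f} days to expiry"}
    return {"name": name, "severity": "ok", "reason": f"{days_left:.1f} days to expiry"}


def alerts(cert_list: dict, now: datetime) -> list:
    """Assess every item in a kubectl List and return the non-ok ones, worst first."""
    rank = {"critical": 0, "warning": 1}
    results = [assess(c, now) for c in cert_list.get("items", [])]
    return sorted((r for r in results if r["severity"] != "ok"), key=lambda r: rank[r["severity"]])


# Constructed sample in the shape of `kubectl get certificate -A -o json`.
NOW = datetime(2026, 3, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = {"kind": "List", "items": [
    {"metadata": {"name": "api-example-com", "namespace": "production"},
     "spec": {"secretName": "api-example-com-tls", "dnsNames": ["api.example.com"]},
     "status": {"notAfter": "2026-05-20T00:00:00Z", "renewalTime": "2026-04-20T00:00:00Z",
                "conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}]}},
    {"metadata": {"name": "web-example-com", "namespace": "staging"},
     "spec": {"secretName": "web-example-com-tls", "dnsNames": ["web.staging.example.com"]},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Failed",
                                "message": "issuer reported an ACME challenge failure"}]}},
    {"metadata": {"name": "legacy-example-com", "namespace": "production"},
     "spec": {"secretName": "legacy-example-com-tls", "dnsNames": ["legacy.example.com"]},
     "status": {"notAfter": "2026-03-15T12:00:00Z", "renewalTime": "2026-02-13T12:00:00Z",
                "conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}]}},
]}

if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "-"
    certs = json.load(sys.stdin) if live else SAMPLE_CERTS
    found = alerts(certs, datetime.now(timezone.utc) if live else NOW)
    for a in found:
        print(f"{a['severity']:8} {a['name']}: {a['reason']}")
    sys.exit(2 if any(a["severity"] == "critical" for a in found) else 1 if found else 0)
```

Run as `kubectl get certificate -A -o json | python3 cert_alerts.py -` from a CronJob with a read-only ServiceAccount; the exit code maps directly onto a paging versus ticketing decision.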

4. Failure handling and safe rollouts

Treat ingress changes like production code changes. Validate rewrite rules in staging, run canary traffic, and keep explicit rollback commands for broken host/path mappings.

```bash
# Server-side dry run exercises admission webhooks (including the ingress-nginx validator) before anything changes
kubectl apply --dry-run=server -f ingress.yaml
kubectl apply -f ingress.yaml
kubectl describe ingress api-ingress -n production
kubectl get events -n production --sort-by=.lastTimestamp | tail -n 30
```
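A scripted version of the apply, verify and roll back loop above, added as an example and not part of the article: it snapshots the live Ingress, validates and applies the new manifest, probes the route through the controller with the Host header under test, and re-applies the scrubbed snapshot if the probes fail. The controller address, probe path, settle time, probe count and 5 percent error budget are this example's assumptions, and the sample `kubectl get` output is constructed.

```python
"""Roll out an Ingress change with a snapshot, a canary probe and automatic rollback.

Added example, not code from the article. It drives kubectl through subprocess and
probes the route through the controller over plain HTTP with a Host header (for a
TLS probe you would also need SNI matching that host). The controller address,
probe path, probe count, settle time and the 5 percent error budget are this
example's assumptions; SAMPLE_LIVE_INGRESS is constructed for the stand-alone demo.
"""
import json
import subprocess
import sys
import time
import urllib.error
import urllib.request

# Server-populated metadata that `kubectl get -o json` returns but `apply` must not replay.
_SERVER_ONLY_META = ("uid", "resourceVersion", "creationTimestamp", "generation", "managedFields")


def scrub_for_reapply(obj: dict) -> dict:
    """Turn a live object dump into something `kubectl apply -f -` accepts as a rollback."""
    clean = json.loads(json.dumps(obj))  # deep copy; never mutate the caller's snapshot
    clean.pop("status", None)
    meta = clean.setdefault("metadata", {})
    for key in _SERVER_ONLY_META:
        meta.pop(key, None)
    if meta.get("annotations"):
        meta["annotations"].pop("kubectl.kubernetes.io/last-applied-configuration", None)
    return clean


def should_rollback(statuses: list, expected: int = 200, max_error_ratio: float = 0.05) -> bool:
    """Decide from probe status codes (0 = connection failure). Anything other than the
    expected code counts, so a 404 from the default backend (a bad host/path mapping)
    triggers rollback just like a 5xx."""
    if not statuses:
        return True  # no evidence the route works is a failure, not a pass
    bad = sum(1 for s in statuses if s != expected)
    return bad / len(statuses) > max_error_ratio


def probe(url: str, host: str, count: int, timeout: float = 3.0) -> list:
    """GET `url` on the controller `count` times, routing by the Host header under test."""
    statuses = []
    for i in range(count):
        req = urllib.request.Request(url, headers={"Host": host, "X-Request-ID": f"canary-{i}"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                statuses.append(resp.status)
        except urllib.error.HTTPError as err:
            statuses.append(err.code)
        except (urllib.error.URLError, OSError):
            statuses.append(0)
    return statuses


def kubectl(*args: str, stdin: str = None) -> str:
    """Run kubectl, raising on non-zero exit so a failed apply never goes unnoticed."""
    return subprocess.run(["kubectl", *args], input=stdin, capture_output=True,
                          text=True, check=True).stdout


def rollout(manifest: str, name: str, namespace: str, probe_url: str, host: str,
            settle_seconds: float = 5.0) -> bool:
    """Snapshot, validate, apply, probe; re-apply the snapshot on failure. True on success."""
    live = json.loads(kubectl("get", "ingress", name, "-n", namespace, "-o", "json"))
    snapshot = json.dumps(scrub_for_reapply(live))
    kubectl("apply", "--dry-run=server", "-f", manifest)  # admission webhooks run here
    kubectl("apply", "-f", manifest)
    time.sleep(settle_seconds)  # assumed: time for the controller to reload its config
    statuses = probe(probe_url, host, count=20)
    if should_rollback(statuses):
        print(f"rollback {namespace}/{name}: probe statuses {statuses}", file=sys.stderr)
        kubectl("apply", "-f", "-", stdin=snapshot)
        return False
    return True


# Constructed sample of `kubectl get ingress api-ingress -n production -o json`.
SAMPLE_LIVE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "api-ingress", "namespace": "production",
                 "uid": "9d4c1f2e-0000-4000-8000-000000000001", "resourceVersion": "184233",
                 "generation": 3, "managedFields": [{"manager": "kubectl-client-side-apply"}],
                 "annotations": {"nginx.ingress.kubernetes.io/proxy-read-timeout": "30",
                                 "kubectl.kubernetes.io/last-applied-configuration": "{}"}},
    "spec": {"ingressClassName": "nginx", "rules": [{"host": "api.example.com"}]},
    "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
}

if __name__ == "__main__":
    print(json.dumps(scrub_for_reapply(SAMPLE_LIVE_INGRESS), indent=2))
    # Real use (hypothetical addresses): rollout("ingress.yaml", "api-ingress", "production",
    #   "http://ingress-nginx-controller.ingress-nginx.svc/health", "api.example.com")
```

The scrub step is the part people forget: a raw `kubectl get -o json` dump carries resourceVersion, uid and managedFields, and re-applying it as a rollback fails or conflicts until those are removed.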

5. Observability and security controls

  • Track request rate, upstream latency, and 4xx/5xx by host and path.
  • Enable access logs with correlation IDs for end-to-end tracing.
  • Limit request body size and enforce sensible timeout boundaries.
  • Keep network policies and namespace boundaries aligned with ingress exposure.
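Added example for the first two bullets, not code from the article: a parser and aggregator for ingress-nginx access logs that reports request counts, 4xx/5xx and upstream p95 latency per host and route, and keeps the request ID of every 5xx so it can be chased into backend logs. It assumes log-format-upstream in the controller ConfigMap is set to the layout in LOG_FORMAT below; the sample lines are constructed.

```python
"""Aggregate ingress-nginx access logs by host and route: counts, 4xx/5xx, upstream p95.

Added example, not code from the article. It assumes the controller ConfigMap sets
log-format-upstream to LOG_FORMAT below: $host gives the per-host split and $req_id
is the correlation ID to chase into backend logs. The sample lines are constructed.
"""
import math
import re
from collections import defaultdict

# Assumed ConfigMap value for log-format-upstream (adjust LINE_RE if yours differs).
LOG_FORMAT = ('$host $remote_addr [$time_local] "$request" $status '
              '$request_time $upstream_response_time $upstream_status $req_id')

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) '
    r'(?P<request_time>[\d.]+) (?P<upstream_time>\S+(?:, \S+)*) '   # "-" or "0.01, 0.02" on retries
    r'(?P<upstream_status>\S+(?:, \S+)*) (?P<req_id>\S+)$'
)


def normalize_path(path: str) -> str:
    """Drop the query string and collapse numeric segments so routes stay low-cardinality."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    last_upstream = d["upstream_time"].split(", ")[-1]  # the upstream that finally answered
    return {
        "host": d["host"],
        "route": normalize_path(d["path"]),
        "status": int(d["status"]),
        "upstream_ms": None if last_upstream == "-" else round(float(last_upstream) * 1000, 3),
        "req_id": d["req_id"],
    }


def percentile(values, p):
    """Nearest-rank percentile; None for an empty sample."""
    if not values:
        return None
    s = sorted(values)
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]


def aggregate(lines):
    """Per (host, route): requests, 4xx, 5xx, upstream p95 ms and the req_ids of every 5xx.
    Returns (stats, unparsed_line_count); a rising unparsed count usually means the log
    format changed underneath the parser."""
    acc = defaultdict(lambda: {"requests": 0, "4xx": 0, "5xx": 0, "lat": [], "error_req_ids": []})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        s = acc[(rec["host"], rec["route"])]
        s["requests"] += 1
        if 400 <= rec["status"] < 500:
            s["4xx"] += 1
        elif rec["status"] >= 500:
            s["5xx"] += 1
            s["error_req_ids"].append(rec["req_id"])
        if rec["upstream_ms"] is not None:
            s["lat"].append(rec["upstream_ms"])
    stats = {key: {"requests": s["requests"], "4xx": s["4xx"], "5xx": s["5xx"],
                   "upstream_p95_ms": percentile(s["lat"], 95),
                   "error_req_ids": s["error_req_ids"]}
             for key, s in acc.items()}
    return stats, unparsed


# Constructed sample lines in the LOG_FORMAT layout (last line is deliberately malformed).
SAMPLE_LINES = """\
api.example.com 203.0.113.7 [08/Mar/2026:10:00:01 +0000] "GET /v1/orders/123 HTTP/1.1" 200 0.041 0.038 200 4f2a9c
api.example.com 203.0.113.7 [08/Mar/2026:10:00:02 +0000] "GET /v1/orders/456?expand=1 HTTP/1.1" 200 0.052 0.049 200 b81e77
api.example.com 203.0.113.9 [08/Mar/2026:10:00:03 +0000] "POST /v1/orders HTTP/1.1" 502 0.004 0.002 502 c3e105
api.example.com 198.51.100.4 [08/Mar/2026:10:00:04 +0000] "GET /v1/orders/789 HTTP/1.1" 404 0.001 - - 9b7d42
www.example.com 198.51.100.5 [08/Mar/2026:10:00:05 +0000] "GET /health HTTP/1.1" 200 0.003 0.001 200 d0a3f1
not an access log line
""".splitlines()

if __name__ == "__main__":
    stats, unparsed = aggregate(SAMPLE_LINES)
    for (host, route), s in sorted(stats.items()):
        print(f"{host:18} {route:20} n={s['requests']} 4xx={s['4xx']} 5xx={s['5xx']} "
              f"p95={s['upstream_p95_ms']} errors={s['error_req_ids']}")
    print(f"unparsed lines: {unparsed}")
```

Feed it `kubectl logs -n ingress-nginx deploy/ingress-nginx-controller` for an ad hoc incident view; in production the same grouping belongs in the metrics pipeline, with the req_id list going to the log index rather than a terminal.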

"Ingress reliability comes from disciplined route ownership, certificate hygiene, and tested rollback paths."

Technical Author - Liam K.

System administrator and technical writer specializing in server infrastructure, security and deployment. Creating comprehensive guides to help you master server administration.