Contour Logo


Annotations Reference

Annotations are used in Ingress Controllers to configure features that are not covered by the Kubernetes Ingress API.

Some of the features that have been historically configured via annotations are supported as first-class features in Contour’s HTTPProxy API, which provides a more robust configuration interface over annotations.

However, Contour still supports a number of annotations on the Ingress resources.

Standard Kubernetes Ingress annotations

The following Kubernetes annotations are supported on Ingress objects:

Ingress Class

The Ingress class annotation can be used to specify which Ingress controller should serve a particular Ingress object. This annotation may be specified as the standard or a Contour-specific In both cases, they will behave as follows, by default:

  • If not set, then all Ingress controllers serve the Ingress.
  • If specified as contour, then Contour serves the Ingress.
  • If any other value, Contour ignores the Ingress definition.

You can override the default class contour by providing the --ingress-class-name flag to Contour. This can be useful while you are migrating from another controller, or if you need multiple instances of Contour. If you do this, the behavior is as follows:

  • If the annotation is not set, Contour will ignore the Ingress.
  • If the annotation is set to any value other than the one passed to the --ingress-class-name flag, Contour will ignore the Ingress.
  • If the annotation matches the value that you passed to --ingress-class-name flag, Contour will serve the Ingress.

This same logic applies for these annotations on HTTPProxy objects.

Note: Both Ingress and HTTPProxy now have an IngressClassName field in their spec. Going forward this is the preferred way to specify an ingress class, rather than using an annotation. If both the annotation and the spec field are specified on an object, the annotation takes preference for backwards compatibility.

Other annotations

  • Requires TLS/SSL for the Ingress to Envoy by setting the Envoy virtual host option require_tls.
  • Instructs Contour to not create an Envoy HTTP route for the virtual host. The Ingress exists only for HTTPS requests. Specify "false" for Envoy to mark the endpoint as HTTPS only. All other values are ignored.

The annotation takes precedence over If they are set to "true" and "false" respectively, Contour will create an Envoy HTTP route for the Virtual host, and set the require_tls virtual host option.

Contour specific Ingress annotations

Contour specific Service annotations

A Kubernetes Service maps to an Envoy Cluster. Envoy clusters have many settings to control specific behaviors. These annotations allow access to some of those settings.

  • The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024.
  • The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024.
  • The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to 1024
  • The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 3. This is independent of the per-Kubernetes Ingress number of retries ( and retry-on (, which control whether retries are attempted and how many times a single request can retry.
  •{protocol} : The protocol used to proxy requests to the upstream service. The annotation value contains a comma-separated list of port names and/or numbers that must match with the ones defined in the Service definition. This value can also be specified in the[].protocol field on the HTTPProxy object, where it takes precedence over the Service annotation. Supported protocol names are: h2, h2c, and tls:
    • The tls protocol allows for requests which terminate at Envoy to proxy via TLS to the upstream. This protocol should be used for HTTP/1.1 services over TLS. Note that validating the upstream TLS certificate requires additionally setting the validation field.
    • The h2 protocol proxies requests to the upstream using HTTP/2 over TLS.
    • The h2c protocol proxies requests to the the upstream using cleartext HTTP/2.

Contour specific HTTPProxy annotations

Ready to try Contour?

Read our getting started documentation.