Command-line arguments
F5 NGINX Ingress Controller supports several command-line arguments, which are set based on installation method:
- If you’re using Kubernetes Manifests to install NGINX Ingress Controller, modify the Manifests to set the command-line arguments. View the Installation with Manifests topic for more information.
- If you’re using Helm to install NGINX Ingress Controller, modify the parameters of the Helm chart to set the command-line arguments. View the Installation with Helm topic for more information.
-enable-snippets
Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources.
Default false.
-default-server-tls-secret <string>
Secret with a TLS certificate and key for TLS termination of the default server.
- If not set, certificate and key in the file /etc/nginx/secrets/default are used.
- If /etc/nginx/secrets/default doesn’t exist, NGINX Ingress Controller will configure NGINX to reject TLS connections to the default server.
- If a secret is set, but NGINX Ingress Controller is not able to fetch it from Kubernetes API, or it is not set and NGINX Ingress Controller fails to read the file “/etc/nginx/secrets/default”, NGINX Ingress Controller will fail to start.
Format: <namespace>/<name>
-wildcard-tls-secret <string>
A Secret with a TLS certificate and key for TLS termination of every Ingress/VirtualServer host for which TLS termination is enabled but the Secret is not specified.
- If the argument is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection.
- If the argument is set, but NGINX Ingress Controller is not able to fetch the Secret from Kubernetes API, NGINX Ingress Controller will fail to start.
Format: <namespace>/<name>
-enable-custom-resources
Enables custom resources.
Default true.
-enable-oidc
Enables OIDC policies.
Default false.
-enable-leader-election
Enables Leader election to avoid multiple replicas of the controller reporting the status of Ingress, VirtualServer and VirtualServerRoute resources – only one replica will report status.
Default true.
See -report-ingress-status flag.
-enable-tls-passthrough
Enable TLS Passthrough on port 443.
Requires -enable-custom-resources.
-tls-passthrough-port <int>
Set the port for TLS Passthrough.
Format: [1024 - 65535] (default 443)
Requires -enable-custom-resources.
-enable-cert-manager
Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io).
Requires -enable-custom-resources.
-enable-external-dns
Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using ExternalDNS.
Requires -enable-custom-resources.
-external-service <string>
Specifies the name of the service with the type LoadBalancer through which the NGINX Ingress Controller pods are exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources.
For Ingress resources only: Requires -report-ingress-status.
-ingresslink <string>
Specifies the name of the IngressLink resource, which exposes the NGINX Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources.
For Ingress resources only: Requires -report-ingress-status.
-global-configuration <string>
A GlobalConfiguration resource for global configuration of NGINX Ingress Controller.
Format: <namespace>/<name>
Requires -enable-custom-resources.
-health-status
Adds a location “/nginx-health” to the default server. The location responds with the 200 status code for any request.
Useful for external health-checking of NGINX Ingress Controller.
-health-status-uri <string>
Sets the URI of health status location in the default server. Requires -health-status. (default /nginx-health)
-ingress-class <string>
The -ingress-class argument refers to the name of the resource kind: IngressClass. An IngressClass resource with a name equal to the class must be deployed. Otherwise, NGINX Ingress Controller will fail to start.
NGINX Ingress Controller will only process Ingress resources that belong to its class (whose ingressClassName value matches the value of -ingress-class), skipping the ones without it. It will also process all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the ingressClassName field.
Default nginx.
-ingress-template-path <string>
Path to the ingress NGINX configuration template for an ingress resource. Default for NGINX is nginx.ingress.tmpl; default for NGINX Plus is nginx-plus.ingress.tmpl.
-leader-election-lock-name <string>
Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election.
Requires -enable-leader-election.
-log_backtrace_at <value>
When logging hits line file:N, emit a stack trace.
-main-template-path <string>
Path to the main NGINX configuration template.
- Default for NGINX is nginx.tmpl.
- Default for NGINX Plus is nginx-plus.tmpl.
-nginx-configmaps <string>
A ConfigMap resource for customizing NGINX configuration. If a ConfigMap is set, but NGINX Ingress Controller is not able to fetch it from Kubernetes API, NGINX Ingress Controller will fail to start.
Format: <namespace>/<name>
-mgmt-configmap <string>
The Management ConfigMap resource is used for customizing the NGINX mgmt block. If using NGINX Plus, a Management ConfigMap must be set. If NGINX Ingress Controller is not able to fetch it from Kubernetes API, NGINX Ingress Controller will fail to start.
Format: <namespace>/<name>
-nginx-debug
Enable debugging for NGINX. Uses the nginx-debug binary. Requires ’error-log-level: debug’ in the ConfigMap.
-nginx-plus
Enable support for NGINX Plus.
-nginx-reload-timeout <value>
Timeout in milliseconds which NGINX Ingress Controller will wait for a successful NGINX reload after a change or at the initial start.
Default is 60000.
-nginx-status
Enable the NGINX stub_status, or the NGINX Plus API.
Default true.
-nginx-status-allow-cidrs <string>
Add IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API.
Separate multiple IP/CIDR by commas. (default 127.0.0.1,::1)
-nginx-status-port <int>
Set the port where the NGINX stub_status or the NGINX Plus API is exposed.
Format: [1024 - 65535] (default 8080)
-proxy <string>
Warning: This argument is intended for testing purposes only.
Use a proxy server to connect to Kubernetes API started with kubectl proxy.
NGINX Ingress Controller does not start NGINX and does not write any generated NGINX configuration files to disk.
-report-ingress-status
Updates the address field in the status of Ingress resources.
Requires the -external-service or -ingresslink flag, or the external-status-address key in the ConfigMap.
-transportserver-template-path <string>
Path to the TransportServer NGINX configuration template for a TransportServer resource.
- Default for NGINX is nginx.transportserver.tmpl.
- Default for NGINX Plus is nginx-plus.transportserver.tmpl.
-log-level <string>
Log level for Ingress Controller logs. Allowed values: fatal, error, warn, info, debug, trace.
- Default is info.
-log-format <string>
Log format for Ingress Controller logs. Allowed values: glog, json, text.
- Default is glog.
-version
Print the version, git-commit hash and build date and exit.
-virtualserver-template-path <string>
Path to the VirtualServer NGINX configuration template for a VirtualServer resource.
- Default for NGINX is nginx.virtualserver.tmpl.
- Default for NGINX Plus is nginx-plus.virtualserver.tmpl.
-vmodule <value>
A comma-separated list of pattern=N settings for file-filtered logging.
-watch-namespace <string>
Comma separated list of namespaces NGINX Ingress Controller should watch for resources. By default NGINX Ingress Controller watches all namespaces. Mutually exclusive with “watch-namespace-label”.
-watch-namespace-label <string>
Configures NGINX Ingress Controller to watch only those namespaces with label foo=bar. By default NGINX Ingress Controller watches all namespaces. Mutually exclusive with “watch-namespace”.
-watch-secret-namespace <string>
Comma separated list of namespaces NGINX Ingress Controller should watch for secrets. If this arg is not configured, NGINX Ingress Controller watches the same namespaces for all resources, see “watch-namespace” and “watch-namespace-label”. All namespaces included with this argument must be part of either -watch-namespace or -watch-namespace-label.
-enable-prometheus-metrics
Enables exposing NGINX or NGINX Plus metrics in the Prometheus format.
-prometheus-metrics-listen-port <int>
Sets the port where the Prometheus metrics are exposed.
Format: [1024 - 65535] (default 9113)
-prometheus-tls-secret <string>
A Secret with a TLS certificate and key for TLS termination of the Prometheus metrics endpoint.
- If the argument is not set, the Prometheus endpoint will not use a TLS connection.
- If the argument is set, but NGINX Ingress Controller is not able to fetch the Secret from Kubernetes API, NGINX Ingress Controller will fail to start.
-enable-service-insight
Exposes the Service Insight endpoint for Ingress Controller.
-service-insight-listen-port <int>
Sets the port where the Service Insight is exposed.
Format: [1024 - 65535] (default 9114)
-service-insight-tls-secret <string>
A Secret with a TLS certificate and key for TLS termination of the Service Insight endpoint.
- If the argument is not set, the Service Insight endpoint will not use a TLS connection.
- If the argument is set, but NGINX Ingress Controller is not able to fetch the Secret from Kubernetes API, NGINX Ingress Controller will fail to start.
Format: <namespace>/<name>
-spire-agent-address <string>
Specifies the address of a running Spire agent. For use with NGINX Service Mesh only.
- If the argument is set, but NGINX Ingress Controller is unable to connect to the Spire Agent, NGINX Ingress Controller will fail to start.
-enable-internal-routes
Enable support for internal routes with NGINX Service Mesh. For use with NGINX Service Mesh only.
Requires -spire-agent-address.
- If the argument is set, but spire-agent-address is not provided, NGINX Ingress Controller will fail to start.
-enable-latency-metrics
Enable collection of latency metrics for upstreams. Requires -enable-prometheus-metrics.
-enable-app-protect
Enables support for App Protect.
Requires -nginx-plus.
- If the argument is set, but nginx-plus is set to false, NGINX Ingress Controller will fail to start.
-app-protect-log-level <string>
Sets log level for App Protect. Allowed values: fatal, error, warn, info, debug, trace.
Requires -nginx-plus and -enable-app-protect.
- If the argument is set, but nginx-plus and enable-app-protect are set to false, NGINX Ingress Controller will fail to start.
-enable-app-protect-dos
Enables support for App Protect DoS.
Requires -nginx-plus.
- If the argument is set, but nginx-plus is set to false, NGINX Ingress Controller will fail to start.
-app-protect-dos-debug
Enable debugging for App Protect DoS.
Requires -nginx-plus and -enable-app-protect-dos.
- If the argument is set, but nginx-plus and enable-app-protect-dos are set to false, NGINX Ingress Controller will fail to start.
-app-protect-dos-max-daemons
Max number of ADMD instances.
Default 1.
Requires -nginx-plus and -enable-app-protect-dos.
- If the argument is set, but nginx-plus and enable-app-protect-dos are set to false, NGINX Ingress Controller will fail to start.
-app-protect-dos-max-workers
Max number of nginx processes to support.
Default Number of CPU cores in the machine.
Requires -nginx-plus and -enable-app-protect-dos.
- If the argument is set, but nginx-plus and enable-app-protect-dos are set to false, NGINX Ingress Controller will fail to start.
-app-protect-dos-memory
RAM memory size to consume in MB.
Default 50% of free RAM in the container or 80MB, the smaller.
Requires -nginx-plus and -enable-app-protect-dos.
- If the argument is set, but nginx-plus and enable-app-protect-dos are set to false, NGINX Ingress Controller will fail to start.
-ready-status
Enables the readiness endpoint /nginx-ready. The endpoint returns a success code when NGINX has loaded all the config after the startup.
Default true.
-ready-status-port
The HTTP port for the readiness endpoint.
Format: [1024 - 65535] (default 8081)
-disable-ipv6
Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack.
Default false.
-default-http-listener-port
Sets the port for the HTTP default_server listener.
Default 80.
-default-https-listener-port
Sets the port for the HTTPS default_server listener.
Default 443.
-ssl-dynamic-reload
Used to activate or deactivate lazy loading for SSL Certificates.
The default value is true.
-weight-changes-dynamic-reload
Enables the ability to change the weight distribution of two-way split clients without reloading NGINX.
Requires -nginx-plus.
Using this feature may require increasing map_hash_bucket_size, map_hash_max_size, variable_hash_bucket_size, and variable_hash_max_size in the ConfigMap based on the number of two-way splits.
The default value is false.
- If the argument is set, but nginx-plus is set to false, NGINX Ingress Controller will ignore the flag.
-enable-telemetry-reporting
Enable gathering and reporting of software telemetry.
The default value is true.
-agent
Enable NGINX Agent which can be used with -enable-app-protect to send events to Security Monitoring.
The default value is false.
-agent-instance-group
Specify the instance group name to use for the NGINX Ingress Controller deployment when using -agent.
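An added example, not part of the original page or of the NGINX Ingress Controller code base: a pre-deployment check that applies a subset of the "Requires", mutual-exclusion and port-range rules from the descriptions above to a container args list, and notes settings that widen exposure relative to the documented defaults. The function names and the `-name` / `-name=value` token form are assumptions of this example.

```python
import ipaddress

# Subset of the rules stated in the flag descriptions on this page.
REQUIRES = {
    "enable-tls-passthrough": ["enable-custom-resources"],
    "enable-cert-manager": ["enable-custom-resources"],
    "health-status-uri": ["health-status"],
    "enable-internal-routes": ["spire-agent-address"],
    "enable-latency-metrics": ["enable-prometheus-metrics"],
    "enable-app-protect": ["nginx-plus"],
    "app-protect-dos-debug": ["nginx-plus", "enable-app-protect-dos"],
}
DEFAULT_ON = {"enable-custom-resources", "enable-leader-election"}  # "Default true"
PORT_FLAGS = ["tls-passthrough-port", "nginx-status-port", "ready-status-port",
              "prometheus-metrics-listen-port", "service-insight-listen-port"]
TLS_SECRET_FOR = {"enable-prometheus-metrics": "prometheus-tls-secret",
                  "enable-service-insight": "service-insight-tls-secret"}

def parse_args(argv):
    """Assumes '-name' or '-name=value' tokens, as in a manifest args list."""
    return dict((tok.lstrip("-").split("=", 1) + ["true"])[:2] for tok in argv)

def is_on(flags, name):
    return flags.get(name, "true" if name in DEFAULT_ON else "false") != "false"

def review(argv):
    flags, errors, notes = parse_args(argv), [], []
    for name, needs in REQUIRES.items():
        if is_on(flags, name):
            errors += [f"-{name} requires -{n}" for n in needs if not is_on(flags, n)]
    if "watch-namespace" in flags and "watch-namespace-label" in flags:
        errors.append("-watch-namespace and -watch-namespace-label are mutually exclusive")
    for name in PORT_FLAGS:
        if name in flags and not (flags[name].isdigit() and 1024 <= int(flags[name]) <= 65535):
            errors.append(f"-{name} must be in [1024 - 65535]")
    if is_on(flags, "enable-snippets"):
        notes.append("-enable-snippets is on (default false)")
    if "proxy" in flags:
        notes.append("-proxy is intended for testing purposes only")
    for cidr in flags.get("nginx-status-allow-cidrs", "").split(","):
        if cidr.strip() and not ipaddress.ip_network(cidr.strip(), strict=False).is_loopback:
            notes.append(f"status/API allow list includes non-loopback {cidr.strip()}")
    for flag, secret in TLS_SECRET_FOR.items():
        if is_on(flags, flag) and secret not in flags:
            notes.append(f"-{flag} without -{secret}: endpoint will not use TLS")
    return errors, notes

if __name__ == "__main__":  # constructed sample arguments, not from a real deployment
    print(review(["-enable-app-protect", "-enable-snippets", "-watch-namespace=a"]))
```

`review` returns two lists: unmet requirements, and settings to look at before rollout.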
What's on This Page
- -enable-snippets
- -default-server-tls-secret <string>
- -wildcard-tls-secret <string>
- -enable-custom-resources
- -enable-oidc
- -enable-leader-election
- -enable-tls-passthrough
- -tls-passthrough-port <int>
- -enable-cert-manager
- -enable-external-dns
- -external-service <string>
- -ingresslink <string>
- -global-configuration <string>
- -health-status
- -health-status-uri <string>
- -ingress-class <string>
- -ingress-template-path <string>
- -leader-election-lock-name <string>
- -log_backtrace_at <value>
- -main-template-path <string>
- -nginx-configmaps <string>
- -mgmt-configmap <string>
- -nginx-debug
- -nginx-plus
- -nginx-reload-timeout <value>
- -nginx-status
- -nginx-status-allow-cidrs <string>
- -nginx-status-port <int>
- -proxy <string>
- -report-ingress-status
- -transportserver-template-path <string>
- -log-level <string>
- -log-format <string>
- -version
- -virtualserver-template-path <string>
- -vmodule <value>
- -watch-namespace <string>
- -watch-namespace-label <string>
- -watch-secret-namespace <string>
- -enable-prometheus-metrics
- -prometheus-metrics-listen-port <int>
- -prometheus-tls-secret <string>
- -enable-service-insight
- -service-insight-listen-port <int>
- -service-insight-tls-secret <string>
- -spire-agent-address <string>
- -enable-internal-routes
- -enable-latency-metrics
- -enable-app-protect
- -app-protect-log-level <string>
- -enable-app-protect-dos
- -app-protect-dos-debug
- -app-protect-dos-max-daemons
- -app-protect-dos-max-workers
- -app-protect-dos-memory
- -ready-status
- -ready-status-port
- -disable-ipv6
- -default-http-listener-port
- -default-https-listener-port
- -ssl-dynamic-reload
- -weight-changes-dynamic-reload
- -enable-telemetry-reporting
- -agent
- -agent-instance-group