User ManualPodWarden
Ingress
Ingress rules with domain routing, TLS certificates, and health checks
What you see
URL: /ingress
The ingress page lists all ingress rules that route external traffic to workloads running in your clusters. Each rule maps a domain (and optional path) to a backend service, with TLS certificate management handled automatically.
Fields / columns
| Column | Description |
|---|---|
| Domain | The fully qualified domain name for this rule (e.g. app.example.com) |
| Path | URL path prefix (defaults to /) |
| Target service | The Kubernetes service and namespace that receives traffic |
| Port | The backend service port |
| TLS | TLS certificate status. A BE label appears next to the lock icon when backend HTTPS is enabled |
| Gateway | The gateway or ingress controller handling this rule |
Gateway filtering
Use the gateway filter dropdown to show only rules routed through a specific gateway host. This is useful when managing multiple gateways or reviewing which domains are handled by each ingress controller.
Available actions
| Action | Where | What it does |
|---|---|---|
| Create | List page toolbar | Opens the ingress rule form. Specify domain, path, target service, port, and gateway |
| Edit | Rule row | Modify the rule's domain, path, target, or gateway |
| Delete | Rule row | Removes the ingress rule from PodWarden and the cluster |
| Apply | Rule row | Applies or re-applies the ingress rule to the cluster (generates and applies the Kubernetes Ingress manifest) |
| Check DNS | Rule row | Verifies that the domain's DNS records resolve to the expected IP address |
| Check HTTP | Rule row | Sends an HTTP request to the domain and reports the response status |
| Check TLS | Rule row | Validates the TLS certificate (issuer, expiry, chain completeness) |
Create ingress rule
The create form lets you configure:
| Field | Description |
|---|---|
| Domain | The FQDN to route traffic for. Select a registered domain or enter a custom one |
| Path | URL path prefix (default /) |
| Backend type | Managed (K8s workload) or Manual (IP:port) |
| Deployment | Which running workload to route to (managed type only) |
| Backend address | Target IP:port or hostname:port (manual type only) |
| Backend port | The container port to forward to |
| Gateway host | Which gateway node handles this rule |
| Enable TLS | Automatic Let's Encrypt certificates (enabled by default) |
| Backend uses HTTPS | Enable when the backend serves HTTPS instead of HTTP. Required for apps like Kasm, Portainer, and Proxmox that don't have an HTTP fallback. When enabled, Traefik connects to the backend via HTTPS with certificate verification skipped (for self-signed certs). See the HTTPS Backends guide for details and a list of common apps that need this |
| Backend timeout | Custom timeout in seconds for slow backends (optional) |
| Notes | Freeform notes (optional) |
Edit ingress rule
Click the edit icon on any rule row to modify its configuration. All fields are pre-populated with the current values.
Status badges
TLS status
| Badge | Meaning |
|---|---|
| valid | TLS certificate is present and not expired |
| pending | Certificate has been requested but not yet issued (e.g. ACME challenge in progress) |
| expired | Certificate has passed its expiry date |
| none | No TLS configured for this rule |
| error | Certificate provisioning failed |
| BE | Shown next to the TLS icon when "Backend uses HTTPS" is enabled |
DNS status
| Badge | Meaning |
|---|---|
| ok | Domain resolves to the expected IP |
| mismatch | Domain resolves to a different IP than expected |
| not found | No DNS record found for the domain |
Related docs
- Ingress and DDNS guide -- Detailed guide including HTTPS backends, DDNS, and troubleshooting
- Settings -- DDNS -- Dynamic DNS configuration
- Clusters -- Clusters that serve ingress traffic
- Networking guide -- Network types and public access