What is an NGINX Ingress controller - Container Service for Kubernetes

Track version updates, security patches, and feature changes for the NGINX Ingress controller component.

Important

Support for the open-source Ingress-NGINX project will end after March 2026. As a result, Container Service for Kubernetes will deprecate the NGINX Ingress Controller component. See [Product Announcement] Discontinuation of Maintenance for the NGINX Ingress Controller Component.

Overview

Based on the open-source Ingress NGINX project, the NGINX Ingress controller provides a unified entry point for cluster Services. Code and version numbers align with the upstream community project. This is an unmanaged component on your cluster nodes—you own its O&M, no SLA applies, and extensive customization is supported.

Key concepts of Ingress

An Ingress is a Kubernetes resource that routes external traffic to internal Service pods through forwarding rules. See Comparison among Nginx Ingresses, ALB Ingresses, and MSE Ingresses.

How it works

Deploy an Nginx Ingress Controller in the cluster to parse Ingress forwarding rules. The controller receives requests, matches them against the rules, and forwards them to backend Service pods. The relationship among a Service, an Nginx Ingress, and the Nginx Ingress Controller:

A Service abstracts one or more identical backend services.
An Nginx Ingress defines reverse proxy rules that route HTTP/HTTPS requests to Service pods based on host and URL path.
The Nginx Ingress Controller parses Nginx Ingress rules. When an Ingress changes, the controller updates its forwarding rules and routes incoming requests to the appropriate Service pod.

Version compatibility

If the target version is incompatible with your cluster version, upgrade your cluster first.

NGINX Ingress controller version	Compatible cluster version
[v1.12.6-release.1, v1.14.5-release.1]	1.24 and later
[v1.5.1-aliyun.1, v1.11.5-aliyun.1]	1.22 and later
[v1.1.0-aliyun.1, v1.2.1-aliyun.1]	1.20 and later

Risks of outdated versions

Maintenance for the NGINX Ingress controller v1.2 and earlier has been discontinued. See the product announcement. Outdated versions do not receive new features, bug fixes, or timely technical support, exposing your system to unpatched security vulnerabilities. Upgrade the component promptly.

Usage

To install or upgrade the NGINX Ingress controller, see Manage the NGINX Ingress controller component and Upgrade the NGINX Ingress controller.
To create, view, update, and delete an NGINX Ingress by using the console or kubectl, see Create and use an NGINX Ingress.
See also Implement phased releases and blue-green deployments using NGINX Ingress, Configure the network type for NGINX Ingress controller, and Use an ingress controller to mirror network traffic.

Release notes

May 2026

Version

Image address

Change date

Changes

Impact

v1.14.5-release.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.14.5-release.1

May 20, 2026

Enhancements:

Updated Golang to v1.25.10.
Updated the Nginx baseline version to v1.27.1.

Vulnerability fixes:

Backported upstream security patches from Nginx:
- CVE-2026-42945: Buffer overflow in the ngx_http_rewrite_module
- CVE-2026-42946: Buffer overread in the ngx_http_scgi_module and ngx_http_uwsgi_module
- CVE-2026-42934: Buffer overread in the ngx_http_charset_module
- CVE-2026-40460: HTTP/3 address spoofing
- CVE-2026-40701: Resolver use-after-free in OCSP
- CVE-2026-1642: SSL upstream injection

Upgrade during off-peak hours. The upgrade may briefly interrupt established connections.

April 2026

Version	Image address	Date	Description	Impact
v1.13.9-release.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.13.9-release.1	April 2, 2026	Updated to community version v1.13.9. See the Full Changelog. Highlights Vulnerability fixes: Ingress controller: Fixed an Nginx configuration injection vulnerability caused by a combination of annotations. (#14731) CVE-2026-4342: ingress-nginx comment-based nginx configuration injection (#137893), a high-severity vulnerability with a CVSS score of 8.8. An attacker can use a combination of specific Ingress annotations to inject malicious data into the `rules.http.paths.path` field, thereby injecting arbitrary configurations into Nginx. This could lead to arbitrary code execution within the ingress-nginx controller's context and expose all accessible Secrets. In a default installation, this includes all Secrets in the cluster. This results in a severe information leak and a compromise of system integrity.	Upgrade during off-peak hours. Established connections might be briefly interrupted during the update.

March 2026

Version	Image address	Change date	Changes	Impact
v1.13.8-release.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.13.8-release.1	March 16, 2026	Updated to community version v1.13.8. See the Full Changelog. Highlights Vulnerability fixes NGINX: Updated the OWASP Core Rule Set to v4.22.0. (#14418) CVE-2026-21876. CVSS score: 9.3 (critical). Addressed a logic flaw in the OWASP Core Rule Set's charset validation for multipart/form-data. Previously, an attacker could bypass the Web Application Firewall (WAF) by crafting a multipart request with a specific charset encoding, allowing a malicious payload to be parsed and executed by the backend application. Admission Controller: Limited the request size that the validating webhook can process to 9 MB. (#14494) CVE-2026-24514: ingress-nginx Admission Controller denial of service (#136680). CVSS score: 3.1 (low). Limited the request size for the validating webhook to prevent an attacker from sending an oversized object or request that could exhaust the Admission Controller's memory. This could cause the ingress-nginx controller Pod to be OOM-killed or deplete node memory, resulting in a denial of service. Template: Added quotes to all `location` and `server_name` directives and escaped quotes and backslashes. (#14503) CVE-2026-24512: ingress-nginx rules.http.paths.path nginx configuration injection (#136678). CVSS score: 8.8 (high). Fixed a vulnerability where the `rules.http.paths.path` field could be used to inject raw Nginx configuration. This prevents an attacker from using a crafted path value to break out of the template and write arbitrary directives into the configuration file, which could lead to remote code execution in the controller Pod and access to all of its readable Secrets. Annotations: Added `^` and `$` anchors to the auth method regular expression. (#14506) CVE-2026-1580: ingress-nginx auth-method nginx configuration injection (#136677). CVSS score: 8.8 (high). Strengthened the value validation for the `nginx.ingress.kubernetes.io/auth-method` annotation to allow only exact matches of the expected methods. This prevents an attacker from injecting special content that could be concatenated directly into the Nginx configuration, which could lead to configuration injection, remote code execution, and theft of cluster Secrets. Template: Bypassed custom error pages when handling auth URL requests. (#14497) CVE-2026-24513: ingress-nginx auth-url protection bypass (#136679). CVSS score: 3.1 (low). Fixed an authentication bypass vulnerability that could occur when using the `auth-url` annotation with a custom error page backend. The issue was triggered if the backend did not correctly handle the `X-Code` header, which could cause an authentication failure (401/403) to be misinterpreted as a success, leading to unauthorized access to protected paths. Template: Added quotes to the `proxy_pass` directive. (#14669) CVE-2026-3288: ingress-nginx rewrite-target nginx configuration injection (#137560). CVSS score: 8.8 (high). Fixed a vulnerability where the value of the `nginx.ingress.kubernetes.io/rewrite-target` annotation was not strictly filtered, allowing the injection of arbitrary directives into the Nginx configuration file. Because the value was directly concatenated into the generated `nginx.conf`, an attacker with low-privilege permissions to create or modify Ingress resources could achieve remote code execution in the context of the controller Pod and read all accessible Secrets. In a default installation, this includes all Secrets in the cluster. Optimizations Controller: Added validity checks for UIDs. (#14500) Annotations: Considered aliases in risk assessment. (#14666) Controller: Ensured SSL Passthrough is correctly enabled when requested on an HTTP-only host. (#14557) Annotations: Used a dedicated regular expression for `proxy-cookie-domain`. (#14551) Template: Used `RawURLEncoding` instead of `URLEncoding` with padding removed. (#14538) Bug fixes Fixed a synchronization issue that occurred when the host clock jumped into the future. (#14450) Fixed a panic caused by an empty `cpu.max` file. (#14449) Fixed a panic caused by prematurely writing the status code when a custom error page is returned. (#14163) Controller: Fixed an issue where the host/path overlap check could exit prematurely when multiple rules were present. The `checkOverlap` function now inspects all rules of a new Ingress object to ensure it does not overlap with any existing Ingress objects. Previously, the function would exit after the first rule passed validation. (#14131) Annotations: Fixed an issue where the Equals function did not validate the `auth-proxy-set-headers` field. (#14104) Store: Fixed a panic in the service deletion handler. This occurred when the Kubernetes client cache was inconsistent with the state of the v1.Service resource in the Kubernetes store, causing the client to return an unhandled `cache.DeletedFinalStateUnknown` type, which led to a panic in subsequent checks. (#14057) Controller: Fixed a sorting issue with `limit_req_zone` to ensure the configuration is sorted before it takes effect. (#14006) Config/annotations: Fixed backward compatibility for `proxy-busy-buffers-size`. It is now rendered only if explicitly defined in the template. (#13638) Config/annotations: Removed the default value for `proxy-busy-buffers-size`. (#13790) Lua: Fixed a type mismatch issue. (#14515)	Upgrade during off-peak hours. Established connections may be briefly interrupted during the update.

December 2025

Version	Image address	Date	Description	Impact
v1.12.6-release.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.12.6-release.1	December 11, 2025	Updated to community version v1.12.6. Important This version tightens default security configurations for ingress-nginx. If you use or plan to use features disabled by these changes, enable them in the ConfigMap `kube-system/nginx-configuration` after performing a thorough security risk assessment: The default risk level for allowed annotations is lowered to High. If you use or plan to use annotations with a Critical risk level, such as snippet-type annotations, you must manually add `annotations-risk-level: Critical`. Cross-namespace resource references are disabled by default. If your Ingress objects need to reference resources such as ConfigMaps or Secrets in other namespaces by using annotations like `auth-secret`, `auth-tls-secret`, `auth-proxy-set-header`, `fastcgi-params-configmap`, or `proxy-ssl-secret`, you must manually add `allow-cross-namespace-resources: "true"`. Strict path validation is enabled by default. This means that for paths with an `Exact` or `Prefix` path type, the path must start with `/` and can only contain letters, numbers, `-`, `_`, `.`, and additional `/` characters. If you use or plan to use paths with other characters, such as `+` or `$`, you must manually add `strict-validate-path-type: "false"` or change the path type to `ImplementationSpecific`. Key feature changes New features: annotation/AuthTLS: Allowed redirection to named locations. ( #13820 ) Added support for using `.` in `Exact` and `Prefix` paths. (#13800) NGINX: Upgraded to OpenResty v1.25.3.2. ( #13530 ) Added support for any CORS origin. ( #11153 ) metrics: Added the `--metrics-per-undefined-host` parameter. ( #11818 ) Enhancements: Security: Hardened socket creation and validated error code input. ( #13786 ) Security: Adjusted default security configurations (#11819): Lowered the acceptable annotation risk level from Critical to High. Disabled cross-namespace references by default. Enabled strict path validation. NGINX: Disabled architecture-specific optimizations for mimalloc. ( #13670 ) Removed the global rate limiting feature. ( #11851 ) The following configuration options are removed: `global-rate-limit-memcached-host` `global-rate-limit-memcached-port` `global-rate-limit-memcached-connect-timeout` `global-rate-limit-memcached-max-idle-timeout` `global-rate-limit-memcached-pool-size` `global-rate-limit-status-code` The following annotations are removed: `global-rate-limit` `global-rate-limit-window` `global-rate-limit-key` `global-rate-limit-ignored-cidrs` Removed support for third-party Lua plugins in `/etc/nginx/lua/plugins`. (#11821) metrics: Removed `ingress_upstream_latency_seconds`. ( #11795 ) Bug fixes: Metrics: Fixed `nginx_ingress_controller_config_last_reload_successful`. (#13859) Controller: Fixed the SSL session ticket path. (#13668) Lua: Fixed `ExternalName` Services with no endpoints. (#13429) Fixed a DNS resolution issue when an ExternalName is used as a backend. (#12951)	Upgrade during off-peak hours. Established connections may be briefly interrupted during the update.

September 2025

Version

Image address

Date

Description

Impact

v1.11.5-release.2

registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.5-release.2

September 11, 2025

Improvements:

Adds support for Network Load Balancer (NLB).
Adds support for Pod Disruption Budgets.

Upgrade during off-peak hours, as established connections might be briefly interrupted.

March 2025

Version	Image address	Release date	Description	Impact
v1.11.5-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.5-aliyun.1	March 26, 2025	Updated to community v1.11.5 to fix vulnerabilities CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514. See the Security Bulletin for CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514. Important To fix the CVE-2025-1974 vulnerability, the validation webhook for the NGINX Ingress controller remains enabled, but native NGINX configuration validation is disabled by default. If you use snippet annotations for custom NGINX directives, these configurations are no longer pre-validated by the validation webhook. Related errors are detected only when NGINX reloads. Check the NGINX Ingress controller Pod logs after modifying Ingress rules and correct any configuration issues. Important: An invalid Ingress configuration does not affect running NGINX Ingress controller Pods. However, any new Pods created during scaling or restart operations will fail to start. Before applying changes to a production environment, thoroughly validate all snippet directives in a staging environment.	Upgrade during off-peak hours. The update may briefly interrupt existing connections.
v1.11.4-aliyun.2	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.4-aliyun.2	March 19, 2025	Optimized node affinity to prevent Pods from being scheduled to Lingjun nodes.	Upgrade during off-peak hours. The update may briefly interrupt existing connections.

February 2025

Version	Image address	Release date	Description	Impact
v1.11.4-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.4-aliyun.1	February 12, 2025	Updated to community version v1.11.4. Adds support for configuring topology constraints in the console.	Upgrade during off-peak hours, as the process may briefly interrupt established connections.

August 2024

Version	Image address	Release date	Description	Impact
v1.10.4-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.10.4-aliyun.1	August 20, 2024	Updated to community edition v1.10.4 to fix CVE-2024-7646. See Security issue.	Upgrade during off-peak hours, as the process may briefly interrupt established connections.

July 2024

Version	Image address	Release date	Description	Impact
v1.10.2-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.10.2-aliyun.1	July 24, 2024	Adds integration with Application Real-Time Monitoring Service (ARMS) via OpenTelemetry and removes support for OpenTracing. Allows configuring the `--shutdown-grace-period`, `--exclude-socket-metrics`, and `--default-ssl-certificate` parameters on the Add-ons page. Enables layer 4 forwarding by using a Network Load Balancer (NLB). Hardened the image and fixed CVE-2023-5363, CVE-2023-5678, CVE-2024-25062, and CVE-2024-2511. Upgraded NGINX to v1.25.5, which introduces stricter validation for header fields in backend responses. See the changeset. Rejects backend responses with duplicate `Content-Length` and `Transfer-Encoding` header fields. Rejects backend responses with an invalid `Content-Length` or `Transfer-Encoding` header field. Rejects backend responses with both `Content-Length` and `Transfer-Encoding` header fields.	The upgrade may briefly interrupt established connections. Perform the upgrade during off-peak hours.

October 2023

Version

Image address

Release date

Description

Impact

v1.9.3-aliyun.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.9.3-aliyun.1

October 24, 2023

Important

For security reasons, this release disables all snippet annotations, such as nginx.ingress.kubernetes.io/configuration-snippet, by default.

If you must use this feature after a thorough risk assessment, add allow-snippet-annotations: "true" to the kube-system/nginx-configuration ConfigMap to enable it.

Snippet annotations are disabled by default.
Added the --enable-annotation-validation parameter, which is enabled by default. This parameter validates annotation content to help mitigate CVE-2023-5044.
Fixed CVE-2023-44487.

Upgrade during off-peak hours because the upgrade may briefly interrupt established connections.

September 2023

Version

Image address

Release date

Description

Impact

v1.8.2-aliyun.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.8.2-aliyun.1

September 20, 2023

Upgraded Golang to version 1.21.1.
Changed the hostname-based Pod anti-affinity scheduling from preferred to required to enforce node-level anti-affinity.
Added support for OpenTelemetry. See the community configuration guide.
Fixed vulnerabilities CVE-2022-48174, CVE-2023-2975, CVE-2023-3446, and CVE-2023-3817.

Upgrade during off-peak hours, as the upgrade may cause transient interruptions to established connections.

June 2023

Version

Image address

Release date

Description

Impact

v1.8.0-aliyun.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.8.0-aliyun.1

June 20, 2023

Upgraded the Alpine image to version 1.18.
Added the strict-validate-path-type configuration option to enable strict path validation (disabled by default). See the community ConfigMap documentation.
Fixed vulnerabilities, including CVE-2023-28322 and CVE-2023-2650.

Upgrade during off-peak hours. The upgrade may briefly interrupt established connections.

May 2023

Version	Image address	Release date	Description	Impact
v1.7.0-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.7.0-aliyun.1	May 5, 2023	Important This version no longer supports Transport Layer Security (TLS) v1.1 and v1.0 by default. If you upgrade NGINX Ingress Controller, evaluate the impact on your services. See the GitHub issue: set ssl-protocols config not working after v1.6.4. If you must use these older TLS versions, see Known issues in earlier versions for configuration instructions. Upgraded Golang to v1.20 and the Alpine base image to v1.17. Fixed an issue where the `nginx.ingress.kubernetes.io/canary-weight-total` annotation did not take effect. Resolved a panic caused by a missing ready condition in an EndpointSlice. Addressed vulnerabilities CVE-2023-27536 and CVE-2023-0464. Removed the prefix check for the service name in an EndpointSlice.	Upgrade during off-peak hours. The upgrade may briefly interrupt established connections.

March 2023

Version	Image address	Release date	Description	Impact
v1.6.4-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.6.4-aliyun.1	March 17, 2023	Added support for the `nginx.ingress.kubernetes.io/denylist-source-range` annotation to configure an IP blacklist. Added support for the `cluster-autoscaler.kubernetes.io/safe-to-evict: "false"` annotation to prevent the removal of the node hosting the pod during auto scaling. Added the ability to enable or disable logging on the Add-ons page. Resolved several stability issues. Addressed vulnerabilities CVE-2023-0286, CVE-2022-4450, and CVE-2023-0215.	Upgrade during off-peak hours. The update may briefly interrupt established connections.

February 2023

Version	Image address	Release date	Description	Impact
v1.5.1-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.5.1-aliyun.1	February 10, 2023	NGINX Ingress controller v1.5.1 and later supports only ACK clusters that run Kubernetes v1.22.0 or later. Upgraded NGINX to v1.21.6 and Golang to v1.19.2. Updated the AHAS Sentinel plugin to support the `use-mse` switch. The controller now uses `coordination.k8s.io/leases` resources for leader election. EndpointSlices replace Endpoints for endpoint discovery. Added multiple Prometheus metrics and deprecated the `_ingress_upstream_latency_seconds` metric. See ingress-nginx. Added support for using `debug-connections` to enable NGINX debug logs for a specific IP range. Fixed the vulnerabilities CVE-2022-32149, CVE-2-27664, and CVE-2022-1996.	Upgrade during off-peak hours. The upgrade may cause transient interruptions to established connections.

June 2022

Version	Image address	Release date	Description	Impact
v1.2.1-aliyun.1	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.1-aliyun.1	June 28, 2022	Removed the `alias` and `root` directives from NGINX to reduce security risks. Fixed several stability issues.	Upgrade during off-peak hours. The upgrade may cause a transient interruption to established connections.

May 2022

Version	Image address	Release date	Description	Impact
v1.2.0-aliyun.1	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.0-aliyun.1	May 10, 2022	Adds deep inspection for Ingress objects, enabled by default, to block configurations containing sensitive fields. This addresses CVE-2021-25745. Fixed several stability issues.	Upgrade during off-peak hours. The upgrade may briefly interrupt established connections.

April 2022

Version	Image address	Release date	Description	Impact
v0.44.0.12-27ae67262-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.12-27ae67262-aliyun	April 29, 2022	Optimized scheduling affinity settings to enable auto scaling on all cluster nodes. Fixed known security vulnerabilities related to the Application High Availability Service (AHAS) Sentinel feature. Fixed several vulnerabilities in the base image.	Upgrade during off-peak hours. Established connections may be briefly interrupted during the upgrade.

March 2022

Version	Image address	Release date	Description	Impact
v1.1.2-aliyun.2	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.2-aliyun.2	March 21, 2022	Downgraded Nginx to v1.19.9 to match the community version and improve stability. Fixed a crash in the Ingress controller caused by an invalid `cors-allow-origin` configuration. Fixed a path conflict for Ingresses from different IngressClasses during webhook validation. Prevented the init container from modifying node kernel parameters when hostNetwork is enabled. Addressed the vulnerabilities CVE-2022-0778 and CVE-2022-23308.	Upgrading during off-peak hours is recommended. The update may cause a transient interruption to established connections.

January 2022

Version	Image address	Release date	Description	Impact
v1.1.0-aliyun.2	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.2	January 12, 2022	Upgraded the AHAS Sentinel plugin from a Java to a C++ module, significantly improving performance. Improves performance by using Protocol Buffers (Protobuf) to communicate with the Kubernetes API server.	Upgrade during off-peak hours. During the upgrade, established connections may be briefly interrupted.

December 2021

Version

Image address

Release date

Description

Impact

v1.1.0-aliyun.1

registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.1

December 17, 2021

NGINX Ingress controller v1.X.X is only compatible with ACK clusters running Kubernetes v1.20.0 or later. For earlier cluster versions, you must use NGINX Ingress controller v0.X.X.
Now uses networking.k8s.io/v1 Ingress to support clusters running Kubernetes v1.22 and later.
The cors-allow-origin annotation now supports multiple values and dynamically returns a response based on the Origin header of the request.
Added support for session affinity in canary configurations, which is now the default behavior.
Added support for configuring a canary release without specifying a host.
Improved the performance of the admission webhook.
Resolved several stability issues.

See the Ingress-NGINX changelog.

Upgrade during off-peak hours. The upgrade may briefly interrupt established connections.

October 2021

Version	Image address	Release date	Description	Impact
v0.44.0.9-7b9e93e7e-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.9-7b9e93e7e-aliyun	October 28, 2021	Added the allow-snippet-annotations annotation to mitigate the CVE-2021-25742 vulnerability. See Vulnerability fixed: CVE-2021-25742. Disabled the SSL builtin cache to fix a potential memory leak. Fixed vulnerabilities CVE-2021-22945, CVE-2021-22946, CVE-2021-3711, and CVE-2021-3712. See CVE-2021-22945, CVE-2021-22946, CVE-2021-3711, and CVE-2021-3712. Upgraded the AHAS Sentinel SDK to 1.9.7.	Upgrade during off-peak hours. Established connections may be briefly interrupted.

September 2021

Version	Image address	Release date	Description	Impact
v0.44.0.5-e66e17ee3-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.5-e66e17ee3-aliyun	September 6, 2021	Upgraded the AHAS Sentinel plug-in. Improved performance and stability. Added support for cluster traffic throttling. Fixed CVE-2021-36159. Disabled the kernel.core_uses_pid kernel parameter by default to prevent coredump files from consuming excessive disk space.	Upgrade during off-peak hours. The upgrade may briefly interrupt established connections.

June 2021

Version	Image address	Release date	Description	Impact
v0.44.0.3-8e83e7dc6-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.3-8e83e7dc6-aliyun	June 1, 2021	Fixed CVE-2021-23017.	Upgrade during off-peak hours. The update may briefly interrupt established connections.

April 2021

Version	Image address	Release date	Description	Impact
v0.44.0.2-abf1c6fe4-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.2-abf1c6fe4-aliyun	April 1, 2021	Adds compatibility with `the_real_ip` in the log_format of NGINX Ingress controller v0.30 and earlier.	Upgrade during off-peak hours. The update may cause a transient interruption to established connections.

March 2021

Version	Image address	Release date	Description	Impact
v0.44.0.1-5e842447b-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.1-5e842447b-aliyun	March 8, 2021	Enables the validating admission webhook by default. See How the NGINX Ingress controller works. Validates the value of the `service-weight` annotation. Improves the performance of persistent and short-lived connections by 20% to 50%. Supports OCSP stapling. Upgrades LuaJIT to v2.1.0. Upgrades NGINX to v1.19.6. Upgrades the Alpine image to v3.13. Addresses OpenSSL CVEs. Enables TLS 1.3 by default. Note By default, HTTPS supports only TLS 1.2 and TLS 1.3. To enable support for TLS 1.0 and TLS 1.1, see Which SSL/TLS versions does NGINX Ingress support?. Requires Kubernetes v1.16 or later. Updated to community version 0.44.0. See the Changelog.	Upgrade during off-peak hours. During the upgrade, established connections may be briefly interrupted.

April 2020

Version	Image address	Release date	Description	Impact
v0.30.0.1-5f89cb606-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.30.0.1-5f89cb606-aliyun	April 2, 2020	Added support for FastCGI backends. Enabled the Dynamic SSL Certificate Update mode by default. Added support for traffic mirroring configurations. Upgraded NGINX to v1.17.8, OpenResty to v1.15.8, and the base image to Alpine. Added support for Ingress validating admission webhooks. Fixed vulnerabilities: CVE-2018-16843, CVE-2018-16844, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516. Breaking Changes: Deprecated the lua-resty-waf, session-cookie-hash, and force-namespace-isolation configurations. Changed the data type of the x-forwarded-prefix annotation from boolean to string. The the_real_ip variable in log-format will be deprecated and replaced by remote_addr in a future release. Updated to community version 0.30.0. For the full list of changes, see the community changelog.	Upgrade during off-peak hours. The update may briefly interrupt established connections.

October 2019

Version	Image address	Release date	Changes	Impact
v0.22.0.5-552e0db-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.5-552e0db-aliyun	October 24, 2019	Adds support for wildcard domain names, whitelists, and redirects when dynamic server updates are enabled.	Upgrade during off-peak hours. The update may transiently interrupt established connections.

July 2019

Version	Image address	Release date	Description	Impact
v0.22.0.4-5a14d4b-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.4-5a14d4b-aliyun	July 18, 2019	Adds support for Perl regular expressions to canary release rules.	Upgrading during off-peak hours is recommended, as the update may temporarily interrupt established connections.

April 2019

Version	Image address	Release date	Changes	Impact
v0.22.0.3-da10b7f-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.3-da10b7f-aliyun	April 25, 2019	Updated to community version 0.22.0. For the changelog, see Ingress-Nginx. Added support for blue-green and canary releases when dynamic updates are enabled. Enabled dynamic updates for NGINX upstream servers by default. Major update: The rewrite-target annotation now uses capture groups. For configuration details, see rewrite-target. For instructions on a smooth upgrade, see GitHub.	Upgrade during off-peak hours. The upgrade may temporarily interrupt established connections.

January 2019

Version	Image address	Release date	Change description	Impact
v0.20.0.2-cc39f1b-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.2-cc39f1b-aliyun	January 17, 2019	Optimized the default number of NGINX worker processes to reduce host resource consumption. Enabled configuring different port numbers for the old and new versions of a Service during blue-green and canary releases. Fixed an NGINX configuration check failure in canary releases that occurred when a new Service version had no active backend pods. Fixed an issue that prevented Ingress address endpoints from updating during connection issues with the Kubernetes API server.	Upgrade during off-peak hours. The update may transiently interrupt established connections.

November 2018

Version	Image address	Release date	Changes	Impact
v0.20.0.1-4597ce2-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.1-4597ce2-aliyun	November 29, 2018	Updated to community version 0.20.0. For the full changelog, see Ingress-NGINX. Upgraded NGINX to v1.15.6 and fixed HTTP/2-related security vulnerabilities. Added support for regular expressions in paths. Removed the default-http-backend service and added support for configuring custom default backend services. Added support for blacklists based on IP, User-Agent, and Referer. Optimized default runtime permissions and removed privileged container settings. Added support for the Apache JServ Protocol (AJP).	Upgrade during off-peak hours. The update may briefly interrupt established connections.