All Products
Search

This Product

    Container Service for Kubernetes:Nginx Ingress Controller

    Document Center

    Container Service for Kubernetes:Nginx Ingress Controller

    Last Updated:Nov 20, 2025

    This topic describes the Nginx Ingress Controller component, provides instructions on how to use it, and lists its change history.

    About the component

    Ingress concepts

    In a Kubernetes cluster, an Ingress functions as an access point that exposes Services in the cluster. It distributes most of the network traffic that is destined for the Services in the cluster. An Ingress is a Kubernetes resource object that is used to enable external access to Services in a Kubernetes cluster. You can configure routing rules for an Ingress to route network traffic to backend pods of different Services. For Ingress comparisons in ACK, see Comparison among Nginx Ingresses, ALB Ingresses, and MSE Ingresses

    How Nginx Ingress Controller works

    Ingresses can work as normal only if you deploy an NGINX Ingress controller in the cluster to parse the routing rules of the Ingresses. After the NGINX Ingress controller receives a request that matches a routing rule, the NGINX Ingress controller routes the request to a corresponding backend Service. The backend Service then forwards the request to pods. In a Kubernetes cluster, Services, Ingresses, and the NGINX Ingress controller work in the following process:

    • A Service is an abstraction of a backend application that runs on a set of replicated pods.

    • An Ingress contains reverse proxy rules. It controls to which Service pods HTTP or HTTPS requests are routed. For example, requests are routed to different Service pods based on the hosts and URL paths in the requests.

    • The NGINX Ingress controller is a reverse proxy program that parses Ingress rules. If changes are made to the Ingress rules, the NGINX Ingress controller updates the Ingress rules accordingly. After the NGINX Ingress controller receives a request, it redirects the request to Service pods based on the Ingress rules.

    Nginx Ingress Controller and cluster version compatibility

    If the target component version is incompatible with your current cluster version, you must upgrade the cluster before you upgrade the component. For more information, see Upgrade a cluster.

    Nginx Ingress Controller version

    Compatible cluster versions

    [v1.5.1-aliyun.1, v1.11.5-aliyun.1]

    1.22 and later

    [v1.1.0-aliyun.1, v1.2.1-aliyun.1]

    1.20 and later

    Risks of outdated versions

    Maintenance for Nginx Ingress Controller v1.2 and earlier has been discontinued. For more information, see Product Announcements. Outdated component versions do not support the features and bug fixes available in newer versions. You cannot receive timely technical support for outdated versions, and they may contain unpatched security vulnerabilities. Upgrade the component promptly.

    Usage notes

    Change history

    September 2025

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.11.5-release.2

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.5-release.2

    September 11, 2025

    Feature optimizations:

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    March 2025

    Version

    Image URL

    Change date

    Changes

    Change impact

    v1.11.5-aliyun.1

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.5-aliyun.1

    March 26, 2025

    Updated to community version v1.11.5 to fix CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514. For more information, see Notice on CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514.

    Important

    To fix the CVE-2025-1974 vulnerability, the Validation Webhook is enabled for the Nginx Ingress Controller component starting from this version, but the native NGINX configuration validation logic is disabled by default. If you enabled snippet annotations, which are used to customize native NGINX instructions, these configurations are no longer pre-validated by the Validation Webhook. Related errors will only trigger alerts when NGINX reloads the configuration. Check the Nginx Ingress Controller pod logs after you modify an Ingress rule. Correct the Ingress configuration based on any error logs.

    Note: An incorrect configuration does not affect running Nginx Ingress pods. However, when you perform operations such as scale-outs or restarts, new pods may fail to start due to the configuration error. Fully validate snippet instructions in a test environment before you change configurations in a production environment.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    v1.11.4-aliyun.2

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.4-aliyun.2

    March 19, 2025

    Optimized the node scheduling affinity configuration to prevent pods from being scheduled to Node Lingjun.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    February 2025

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.11.4-aliyun.1

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.4-aliyun.1

    February 12, 2025

    Updated to community version v1.11.4. You can now add custom topology spread constraints for the component in the console.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    August 2024

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.10.4-aliyun.1

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.10.4-aliyun.1

    August 20, 2024

    Updated to community version v1.10.4 to fix the CVE-2024-7646 vulnerability. For more information about the vulnerability, see Security issue.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    July 2024

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.10.2-aliyun.1

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.10.2-aliyun.1

    July 24, 2024

    • Added support for connecting to ARMS using OpenTelemetry. OpenTracing is no longer supported.

    • On the Component Management page, you can configure the --shutdown-grace-period, --exclude-socket-metrics, and --default-ssl-certificate parameters.

    • Added support for using NLB for Layer 4 forwarding.

    • Enhanced image security by fixing CVE-2023-5363, CVE-2023-5678, CVE-2024-25062, and CVE-2024-2511.

    • Upgraded NGINX to version 1.25.5. The new version enhances the validation of headers in backend responses. For more information, see changeset.

      • Backend responses that contain duplicate Content-Length and Transfer-Encoding header fields are rejected.

      • Backend responses that contain invalid Content-Length or Transfer-Encoding header fields are rejected.

      • Backend responses that contain both Content-Length and Transfer-Encoding header fields are rejected.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    October 2023

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.9.3-aliyun.1

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.9.3-aliyun.1

    October 24, 2023

    Important

    For security reasons, all snippet annotations, such as nginx.ingress.kubernetes.io/configuration-snippet, are disabled by default for the component starting from this version.

    Due to security and stability risks, we do not recommend that you enable snippet annotations. To use this feature, fully assess the risks and then manually enable it by adding allow-snippet-annotations: "true" to the kube-system/nginx-configuration ConfigMap.

    • Disabled the feature that lets you add snippets in annotations by default.

    • Added the --enable-annotation-validation parameter. Annotation content validation is enabled by default to mitigate CVE-2023-5044.

    • Fixed CVE-2023-44487.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    September 2023

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.8.2-aliyun.1

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.8.2-aliyun.1

    September 20, 2023

    • Upgraded Golang to version 1.21.1.

    • Changed the anti-affinity scheduling by hostname from preferred to required. This enforces anti-affinity scheduling by node.

    • Added support for enabling OpenTelemetry. For more information, see the community configuration guide.

    • Fixed vulnerabilities such as CVE-2022-48174, CVE-2023-2975, CVE-2023-3446, and CVE-2023-3817.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    June 2023

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.8.0-aliyun.1

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.8.0-aliyun.1

    June 20, 2023

    • Upgraded the Alpine image to version 1.18.

    • Added the strict-validate-path-type configuration item for strict path validation (disabled by default). For more information, see the community ConfigMap configuration instructions.

    • Fixed vulnerabilities such as CVE-2023-28322 and CVE-2023-2650.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    May 2023

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.7.0-aliyun.1

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.7.0-aliyun.1

    May 5, 2023

    Important

    This version no longer supports the TLS 1.1 and TLS 1.0 encryption methods by default. If you upgrade the Nginx Ingress Controller to this version, be aware of the impact on your services. For more information about the impact of this issue, see set ssl-protocols config not working after v1.6.4. To enforce the use of older TLS encryption methods, see Known issues of earlier Nginx Ingress versions for configuration instructions.

    • Upgraded Golang to version 1.20 and the Alpine image to version 1.17.

    • Fixed an issue where the nginx.ingress.kubernetes.io/canary-weight-total annotation did not take effect.

    • Fixed a panic issue that occurred when the ready status was missing in an EndpointSlice.

    • Fixed vulnerabilities such as CVE-2023-27536 and CVE-2023-0464.

    • Removed the logic that checks for a service name prefix in EndpointSlices.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    March 2023

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.6.4-aliyun.1

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.6.4-aliyun.1

    March 17, 2023

    • Added support for setting an IP blacklist using the nginx.ingress.kubernetes.io/denylist-source-range annotation.

    • Added support for the cluster-autoscaler.kubernetes.io/safe-to-evict: "false" annotation to prevent nodes where pods reside from being automatically scaled in.

    • Added support for enabling or disabling logs on the component management page.

    • Fixed several stability issues.

    • Fixed vulnerabilities such as CVE-2023-0286, CVE-2022-4450, and CVE-2023-0215.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    February 2023

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.5.1-aliyun.1

    registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.5.1-aliyun.1

    February 10, 2023

    • Nginx Ingress Controller v1.5.1 and later support only ACK clusters of v1.22.0 and later.

    • Upgraded NGINX to version 1.21.6 and Golang to version 1.19.2.

    • Updated the AHAS Sentinel plug-in to support the use-mse switch.

    • Used coordination.k8s.io/leases resources for leader election.

    • Used EndpointSlices instead of Endpoints for endpoint discovery.

    • Added multiple Prometheus metrics and deprecated _ingress_upstream_latency_seconds. For more information, see ingress-nginx.

    • Added support for using debug-connections to enable NGINX debug logs for an IP address range.

    • Fixed vulnerabilities such as CVE-2022-32149, CVE-2022-27664, and CVE-2022-1996.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    June 2022

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.2.1-aliyun.1

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.1-aliyun.1

    June 28, 2022

    • Removed the alias and root instructions from NGINX to reduce security risks.

    • Fixed several stability issues.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    May 2022

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.2.0-aliyun.1

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.0-aliyun.1

    May 10, 2022

    • Added and enabled by default the deep inspection feature for Ingress objects. This feature prevents the writing of Ingress configurations that contain sensitive fields and fixes the CVE-2021-25745 issue.

    • Fixed several stability issues.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    April 2022

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.44.0.12-27ae67262-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.12-27ae67262-aliyun

    April 29, 2022

    • Optimized the scheduling affinity configuration to allow all cluster nodes to be used as elastic scaling nodes.

    • Fixed known security vulnerabilities that occurred when the AHAS Sentinel feature was enabled.

    • Fixed several base image vulnerabilities.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    March 2022

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.1.2-aliyun.2

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.2-aliyun.2

    March 21, 2022

    • Downgraded the NGINX version to 1.19.9 to align with the community version and enhance stability.

    • Fixed an issue where an incorrect cors-allow-origin configuration caused the controller to crash.

    • Fixed an issue where a webhook check on Ingress resources that did not belong to the same IngressClass caused resource contention for Ingress resources with the same path.

    • Fixed an issue where the initContainer changed node kernel parameters when hostNetwork was used.

    • Fixed CVE-2022-0778 and CVE-2022-23308.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    January 2022

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.1.0-aliyun.2

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.2

    January 12, 2022

    • Upgraded the AHAS Sentinel plug-in from a Java module to a C++ module, significantly optimizing and improving performance.

    • Used the Protobuf protocol to communicate with the API Server for improved performance.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    December 2021

    Version

    Image URL

    Change date

    Changes

    Impact

    v1.1.0-aliyun.1

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.1

    December 17, 2021

    • Nginx Ingress Controller 1.X.X Versions Support Only ACK Clusters Of V1.20.0 And Later. For Earlier Cluster Versions, Use Nginx Ingress Controller 0.X.X Versions.

    • Used networking v1 Ingress resources to support clusters of v1.22 and later.

    • The cors-allow-origin annotation supports multiple values and automatically returns a response based on the Origin header when a website is accessed.

    • Added support for configuring session affinity for canary releases. This is now the default behavior.

    • Added support for configuring canary releases without specifying a Host.

    • Accelerated the execution speed of the admission webhook.

    • Improved stability.

    For more information, see the community changelog.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    October 2021

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.44.0.9-7b9e93e7e-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.9-7b9e93e7e-aliyun

    October 28, 2021

    • Added the allow-snippet-annotations annotation to mitigate the CVE-2021-25742 vulnerability. For more information, see Notice on CVE-2021-25742.

    • Disabled the SSL builtin cache to resolve potential memory leaks.

    • Fixed the CVE-2021-22945, CVE-2021-22946, CVE-2021-3711, and CVE-2021-3712 vulnerabilities. For more information, see CVE-2021-22945, CVE-2021-22946, CVE-2021-3711, and CVE-2021-3712.

    • Upgraded the AHAS Sentinel SDK to version 1.9.7.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    September 2021

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.44.0.5-e66e17ee3-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.5-e66e17ee3-aliyun

    September 6, 2021

    • Upgraded the AHAS Sentinel plug-in.

      • Optimized plug-in performance and stability.

      • Added support for cluster-level throttling.

    • Fixed the CVE-2021-36159 vulnerability. For more information, see CVE-2021-36159.

    • Disabled the kernel.core_uses_pid kernel parameter by default to prevent coredumps from consuming large amounts of disk space.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    June 2021

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.44.0.3-8e83e7dc6-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.3-8e83e7dc6-aliyun

    June 1, 2021

    Fixed the CVE-2021-23017 vulnerability.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    April 2021

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.44.0.2-abf1c6fe4-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.2-abf1c6fe4-aliyun

    April 1, 2021

    Made the the_real_ip field configured in log_format compatible with earlier versions (v0.30 and earlier).

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    March 2021

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.44.0.1-5e842447b-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.1-5e842447b-aliyun

    March 8, 2021

    • Enabled the Validating Admission Webhook by default. For more information, see How the NGINX Ingress controller works.

    • Added a validity check for the value of the service-weight annotation.

    • Improved the performance of persistent connections and short-lived connections by 20% to 50%.

    • Added support for OCSP stapling.

    • Upgraded LuaJIT to version 2.1.0.

    • Upgraded NGINX to version 1.19.6.

    • Upgraded the Alpine image to version 3.13.

    • Fixed OpenSSL CVEs.

    • Enabled TLS 1.3 by default.

      Note

      By default, HTTPS supports only TLS 1.2 and TLS 1.3. To support TLS 1.0 and TLS 1.1, see Which SSL/TLS versions does Ingress support?.

    • Requires Kubernetes v1.16 or later.

    • Synchronized with community version 0.44.0. For more information, see the community changelog.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    April 2020

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.30.0.1-5f89cb606-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.30.0.1-5f89cb606-aliyun

    April 2, 2020

    • Added support for FastCGI backends.

    • Enabled the Dynamic SSL Cert Update mode by default.

    • Added support for traffic mirroring configurations.

    • Upgraded NGINX to version 1.17.8 and OpenResty to version 1.15.8. Updated the base image to Alpine.

    • Added support for the Ingress Validating Webhook.

    • Fixed the CVE-2018-16843, CVE-2018-16844, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516 vulnerabilities.

    • Major updates:

      • The lua-resty-waf, session-cookie-hash, and force-namespace-isolation configurations are deprecated.

      • The type of x-forwarded-prefix is changed from boolean to string.

      • The the_real_ip variable in log-format will be deprecated in the next version and replaced by remote_addr.

    • Synchronized with community version 0.30.0. For more detailed changes, see the community changelog.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    October 2019

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.22.0.5-552e0db-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.5-552e0db-aliyun

    October 24, 2019

    Added support for wildcard domain names, whitelists, and redirection configurations when dynamic server updates are enabled.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    July 2019

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.22.0.4-5a14d4b-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.4-5a14d4b-aliyun

    July 18, 2019

    Optimized phased release rules to support matching by Perl regular expressions.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    April 2019

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.22.0.3-da10b7f-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.3-da10b7f-aliyun

    April 25, 2019

    • Synchronized with community version 0.22.0. For the change history, see Ingress-Nginx.

    • Added support for blue-green and phased deployment mechanisms when dynamic updates are enabled.

    • Enabled the dynamic update feature for NGINX Upstreams by default.

    • Major update: The rewrite-target annotation now uses a capture group configuration. For configuration details, see rewrite-target. For a smooth upgrade, see Github.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    January 2019

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.20.0.2-cc39f1b-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.2-cc39f1b-aliyun

    January 17, 2019

    • Optimized the default configuration for the number of NGINX worker processes to prevent excessive NGINX processes from consuming host resources.

    • Optimized blue-green and phased deployments to allow different service port numbers for old and new service versions.

    • Resolved an issue where the NGINX configuration test failed during a phased release if the new service version had no active backend pods.

    • Fixed an issue where the Ingress Address endpoint was not updated due to an abnormal connection to the Kubernetes API server.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.

    November 2018

    Version

    Image URL

    Change date

    Changes

    Impact

    v0.20.0.1-4597ce2-aliyun

    registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.1-4597ce2-aliyun

    November 29, 2018

    • Synchronized with community version 0.20.0. For the change history, see the community.

    • Upgraded NGINX to version 1.15.6 to fix HTTP/2-related security vulnerabilities.

    • Added support for regular expression configurations for paths.

    • Removed the default default-http-backend service and added support for configuring a custom default backend service.

    • Added support for blacklist configurations based on IP address, User-Agent, and Referer.

    • Optimized default running permissions by removing privileged permissions.

    • Added support for the AJP protocol.

    Upgrade the component during off-peak hours. The upgrade process may cause transient connection interruptions.