The Nginx Ingress Controller provides a unified entry point for HTTP and HTTPS traffic in an ACK cluster. It is based on the Kubernetes community project Ingress NGINX, with code identical to the upstream implementation. Versions are released in sync with the community, using the same version numbers.
Two open source NGINX-based ingress controllers exist for Kubernetes: one maintained by the Kubernetes community (kubernetes/ingress-nginx) and one maintained by NGINX, Inc. (nginxinc/kubernetes-ingress). This component is based on the Kubernetes community project.
The Nginx Ingress Controller is a non-managed component deployed on your cluster nodes. You are responsible for its operations and maintenance (O&M). It does not come with a Service-Level Agreement (SLA) and supports extensive customization.
How it works
An Ingress is a Kubernetes resource object that exposes Services in a cluster and defines routing rules for incoming traffic. The NGINX Ingress controller watches for Ingress resources and translates their rules into NGINX configuration.
When a request arrives:
The NGINX Ingress controller matches the request against configured routing rules (based on host and URL path).
The controller forwards the request to the corresponding backend Service.
The Service routes the request to one of its pods.
For a comparison of ingress options in ACK, see Comparison among Nginx Ingresses, ALB Ingresses, and MSE Ingresses.
Version compatibility
If the target component version is incompatible with your cluster version, upgrade the cluster first. For more information, see Upgrade cluster.
| Nginx Ingress Controller version | Compatible cluster versions |
|---|---|
| [v1.5.1-aliyun.1, v1.11.5-aliyun.1] | 1.22 and later |
| [v1.1.0-aliyun.1, v1.2.1-aliyun.1] | 1.20 and later |
Risks of outdated versions
Maintenance for Nginx Ingress Controller v1.2 and earlier has been discontinued. See Product Announcements for details. Expired versions receive no new features or bug fixes and are ineligible for technical support, leaving your cluster exposed to unpatched vulnerabilities. Upgrade the component promptly.
Usage notes
To install or upgrade the component, see Manage the Nginx Ingress Controller component and Upgrade the Nginx Ingress Controller component.
To create, view, update, or delete an Nginx Ingress using the console or kubectl, see Create and use an Nginx Ingress to expose services.
For advanced scenarios such as canary releases, traffic replication, and load balancer configuration, see Use Nginx Ingress for phased releases and blue-green deployments, Configure public and private network access for an Ingress Controller SLB instance, and Use Nginx Ingress to replicate application traffic.
Change history
December 2025
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.12.6-release.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.12.6-release.1 | December 11, 2025 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Updated to community version v1.12.6.
This version removes several features that may affect existing configurations. Review the breaking changes below before upgrading.
Breaking changes:
Global rate limiting removed (#11851): The following ConfigMap options are no longer supported:
global-rate-limit-memcached-host,global-rate-limit-memcached-port,global-rate-limit-memcached-connect-timeout,global-rate-limit-memcached-max-idle-timeout,global-rate-limit-memcached-pool-size,global-rate-limit-status-code. The following annotations are also removed:global-rate-limit,global-rate-limit-window,global-rate-limit-key,global-rate-limit-ignored-cidrs.Third-party Lua plugins removed (#11821): Custom plugins in
/etc/nginx/lua/pluginsare no longer supported.Metric removed (#11795):
ingress_upstream_latency_secondshas been removed.
New features:
Annotation/AuthTLS allows named redirects (#13820).
.is now allowed inExactandPrefixpath types (#13800).NGINX upgraded to OpenResty v1.25.3.2 (#13530).
Any CORS origin protocol is now allowed (#11153).
Added the
--metrics-per-undefined-hostparameter (#11818).
Optimizations:
Hardened socket creation and validated error code input (#13786).
Disabled architecture-specific optimizations for mimalloc (#13670).
Bug fixes:
September 2025
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.11.5-release.2 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.5-release.2 | September 11, 2025 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Feature updates:
Added support for Network Load Balancer (NLB).
Added Pod Disruption Budget configuration.
March 2025
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.11.5-aliyun.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.5-aliyun.1 | March 26, 2025 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
| v1.11.4-aliyun.2 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.4-aliyun.2 | March 19, 2025 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
v1.11.5-aliyun.1: Updated to community version v1.11.5 to fix CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514. See Vulnerability Notice for CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514 for details.
To fix CVE-2025-1974, the Validation Webhook is now enabled by default and native NGINX configuration validation is disabled by default. If you use snippet annotations (such as nginx.ingress.kubernetes.io/configuration-snippet) for custom NGINX directives, those configurations are no longer pre-validated by the Validation Webhook — errors appear only when NGINX reloads the configuration. Check NGINX Ingress Controller pod logs after each Ingress rule modification and correct any errors promptly. Note: An incorrect snippet configuration does not affect running NGINX Ingress pods. However, new pods created during scale-out or restart will fail to start if the configuration contains errors. Fully validate snippet directives in a staging environment before applying changes in production.
v1.11.4-aliyun.2: Optimized node scheduling affinity. Pods are no longer scheduled to Lingjun nodes.
February 2025
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.11.4-aliyun.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.4-aliyun.1 | February 12, 2025 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Updated to community version v1.11.4. Added support for configuring custom topology spread constraints for the component in the console.
August 2024
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.10.4-aliyun.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.10.4-aliyun.1 | August 20, 2024 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Updated to community version v1.10.4 to fix CVE-2024-7646. See the security advisory for details.
July 2024
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.10.2-aliyun.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.10.2-aliyun.1 | July 24, 2024 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Added support for connecting to Application Real-Time Monitoring Service (ARMS) using OpenTelemetry. OpenTracing is no longer supported.
Added the
--shutdown-grace-period,--exclude-socket-metrics, and--default-ssl-certificateparameters on the Component Management page.Added NLB support for Layer 4 forwarding.
Fixed CVE-2023-5363, CVE-2023-5678, CVE-2024-25062, and CVE-2024-2511.
Upgraded NGINX to version 1.25.5, which enforces stricter backend response header validation: responses with duplicate, invalid, or conflicting
Content-LengthandTransfer-Encodingfields are rejected. See the changeset for details.
October 2023
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.9.3-aliyun.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.9.3-aliyun.1 | October 24, 2023 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
All snippet annotations (such as nginx.ingress.kubernetes.io/configuration-snippet) are disabled by default in this and later versions. Snippet annotations introduce security and stability risks. If you must use them, add allow-snippet-annotations: "true" to the kube-system/nginx-configuration ConfigMap after carefully assessing the risks.
Added the
--enable-annotation-validationparameter (annotation content validation is enabled by default to mitigate CVE-2023-5044).Fixed CVE-2023-44487.
September 2023
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.8.2-aliyun.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.8.2-aliyun.1 | September 20, 2023 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Upgraded Golang to version 1.21.1.
Changed hostname-based anti-affinity scheduling from preferred to required, enforcing node-level anti-affinity.
Added support for OpenTelemetry (see the community configuration guide).
Fixed CVE-2022-48174, CVE-2023-2975, CVE-2023-3446, and CVE-2023-3817.
June 2023
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.8.0-aliyun.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.8.0-aliyun.1 | June 20, 2023 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Upgraded the Alpine image to version 1.18.
Added the
strict-validate-path-typeconfiguration item for strict path validation (disabled by default; see the community ConfigMap configuration instructions).Fixed CVE-2023-28322 and CVE-2023-2650.
May 2023
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.7.0-aliyun.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.7.0-aliyun.1 | May 5, 2023 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
TLS v1.0 and TLS v1.1 are no longer supported by default. If your services depend on these older TLS versions, review the impact before upgrading. See Known issues in earlier versions of Nginx Ingress for how to force older TLS versions.
Upgraded Golang to version 1.20 and the Alpine image to version 1.17.
Fixed an issue where
nginx.ingress.kubernetes.io/canary-weight-totaldid not take effect.Fixed a panic when the ready status was missing in an EndpointSlice.
Fixed CVE-2023-27536 and CVE-2023-0464.
Removed the logic that checks for a service name prefix in EndpointSlices.
March 2023
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.6.4-aliyun.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.6.4-aliyun.1 | March 17, 2023 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Added support for IP denylist configuration using
nginx.ingress.kubernetes.io/denylist-source-range.Added support for the
cluster-autoscaler.kubernetes.io/safe-to-evict: "false"annotation to prevent nodes hosting component pods from being scaled in automatically.Added support for enabling or disabling logs on the Component Management page.
Fixed several stability issues and CVE-2023-0286, CVE-2022-4450, and CVE-2023-0215.
February 2023
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.5.1-aliyun.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.5.1-aliyun.1 | February 10, 2023 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
v1.5.1 and later support only ACK clusters of v1.22.0 and later.
Upgraded NGINX to version 1.21.6 and Golang to version 1.19.2.
Updated the AHAS Sentinel plugin to support the use-mse switch.
Switched to
coordination.k8s.io/leasesfor leader election.Switched from Endpoints to EndpointSlices for endpoint discovery.
Added multiple Prometheus metrics and deprecated
_ingress_upstream_latency_seconds(see ingress-nginx PR #8728).Added support for enabling NGINX debug logs for an IP range using
debug-connections.Fixed CVE-2022-32149, CVE-2022-27664, and CVE-2022-1996.
June 2022
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.2.1-aliyun.1 | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.1-aliyun.1 | June 28, 2022 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Removed the
aliasandrootdirectives from NGINX to reduce security risks.Fixed several stability issues.
May 2022
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.2.0-aliyun.1 | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.0-aliyun.1 | May 10, 2022 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Added and enabled by default the Ingress object deep inspection feature, which prevents Ingress configurations containing sensitive fields from being applied (fixes CVE-2021-25745).
Fixed several stability issues.
April 2022
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.44.0.12-27ae67262-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.12-27ae67262-aliyun | April 29, 2022 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Optimized scheduling affinity to allow all cluster nodes to be used as auto scaling nodes.
Fixed security vulnerabilities when the AHAS Sentinel feature was enabled.
Fixed several base image vulnerabilities.
March 2022
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.1.2-aliyun.2 | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.2-aliyun.2 | March 21, 2022 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Downgraded the NGINX version to 1.19.9 to align with the community version and improve stability.
Fixed an issue where an incorrect
cors-allow-originconfiguration caused the controller to crash.Fixed an issue where a webhook check on Ingress resources outside the same IngressClass caused resource contention for Ingresses with the same path.
Fixed an issue where the initContainer modified node kernel parameters when
hostNetworkwas used.Fixed CVE-2022-0778 and CVE-2022-23308.
January 2022
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.1.0-aliyun.2 | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.2 | January 12, 2022 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Upgraded the AHAS Sentinel plugin, switching the module from Java to C++ for significant performance improvements.
Switched to the Protobuf protocol for API Server communication to improve performance.
December 2021
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v1.1.0-aliyun.1 | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.1 | December 17, 2021 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Nginx Ingress Controller 1.x supports only ACK clusters of v1.20.0 and later. For earlier cluster versions, use Nginx Ingress Controller 0.x.
Switched to
networking/v1Ingress resources to support clusters of v1.22 and later.cors-allow-originnow supports multiple values and automatically returns the request origin when a website is accessed.Added support for configuring session affinity for canary releases (now the default behavior).
Added support for canary releases without specifying a host.
Accelerated Admission Webhook execution.
Improved stability.
See the community changelog for full details.
October 2021
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.44.0.9-7b9e93e7e-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.9-7b9e93e7e-aliyun | October 28, 2021 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Added the
allow-snippet-annotationsannotation to mitigate CVE-2021-25742 (see Vulnerability Notice for CVE-2021-25742).Disabled the SSL built-in cache to resolve a potential memory leak.
Fixed CVE-2021-22945, CVE-2021-22946, CVE-2021-3711, and CVE-2021-3712.
Upgraded the AHAS Sentinel SDK to version 1.9.7.
September 2021
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.44.0.5-e66e17ee3-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.5-e66e17ee3-aliyun | September 6, 2021 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Upgraded the AHAS Sentinel plugin: optimized performance and stability, and added support for cluster-level traffic throttling.
Fixed CVE-2021-36159.
Disabled the
kernel.core_uses_pidkernel parameter by default to prevent coredumps from consuming excessive disk space.
June 2021
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.44.0.3-8e83e7dc6-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.3-8e83e7dc6-aliyun | June 1, 2021 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Fixed CVE-2021-23017.
April 2021
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.44.0.2-abf1c6fe4-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.2-abf1c6fe4-aliyun | April 1, 2021 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Added backward compatibility for the the_real_ip field in log_format, which was used in v0.30 and earlier.
March 2021
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.44.0.1-5e842447b-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.1-5e842447b-aliyun | March 8, 2021 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Enabled the Validating Admission Webhook by default (see how it works).
Added validation for the
service-weightannotation value.Improved performance for persistent and short-lived connections by 20%–50%.
Added support for OCSP stapling.
Upgraded LuaJIT to version 2.1.0, NGINX to version 1.19.6, and the Alpine image to version 3.13.
Fixed OpenSSL CVEs.
Enabled TLS 1.3 by default.
Requires Kubernetes v1.16 or later.
Synchronized with community version 0.44.0 (see the community changelog).
HTTPS requests support only TLS 1.2 and TLS 1.3 by default. To support TLS 1.0 and TLS 1.1, see Which SSL/TLS versions does Ingress support?.
April 2020
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.30.0.1-5f89cb606-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.30.0.1-5f89cb606-aliyun | April 2, 2020 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Added support for FastCGI backends.
Enabled Dynamic SSL Cert Update mode by default.
Added support for traffic mirroring configuration.
Upgraded NGINX to version 1.17.8 and OpenResty to version 1.15.8; updated the base image to Alpine.
Added support for Ingress Validating Webhook.
Fixed CVE-2018-16843, CVE-2018-16844, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516.
Synchronized with community version 0.30.0 (see the community changelog).
The following breaking changes apply: the lua-resty-waf, session-cookie-hash, and force-namespace-isolation configurations are deprecated; the type of x-forwarded-prefix changed from boolean to string; the the_real_ip variable in log-format is deprecated and will be replaced by remote_addr in the next version.
October 2019
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.22.0.5-552e0db-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.5-552e0db-aliyun | October 24, 2019 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Added support for wildcard domain names, allowlists, and redirect configurations when dynamic server updates are enabled.
July 2019
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.22.0.4-5a14d4b-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.4-5a14d4b-aliyun | July 18, 2019 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Optimized phased release rules to support Perl regular expression matching.
April 2019
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.22.0.3-da10b7f-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.3-da10b7f-aliyun | April 25, 2019 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Synchronized with community version 0.22.0 (see Ingress-Nginx releases).
Added support for blue-green deployment and phased release when dynamic updates are enabled.
Enabled the dynamic update feature for NGINX Upstream by default.
The rewrite-target annotation now uses a capture group configuration (see rewrite-target). For upgrade guidance, see the GitHub comment.
January 2019
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.20.0.2-cc39f1b-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.2-cc39f1b-aliyun | January 17, 2019 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Optimized the default NGINX worker process count to prevent excessive processes from consuming host resources.
Improved blue-green deployments and phased releases to allow different port numbers for old and new service versions.
Fixed NGINX configuration test failures during phased releases when the new version had no active backend pods.
Fixed an issue where Ingress address endpoints were not updated due to abnormal API Server connections.
November 2018
| Version | Registry address | Change date | Impact |
|---|---|---|---|
| v0.20.0.1-4597ce2-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.1-4597ce2-aliyun | November 29, 2018 | Upgrade during off-peak hours. Established connections may be briefly interrupted. |
Synchronized with community version 0.20.0 (see the community changelog).
Upgraded NGINX to version 1.15.6 to fix HTTP/2-related security vulnerabilities.
Added support for regular expression configuration for paths.
Removed the default
default-http-backendService; added support for configuring a custom default backend Service.Added support for denylist configurations based on IP, User-Agent, and Referer.
Optimized default runtime permissions by removing privileged permissions.
Added support for the AJP protocol.