This topic introduces the NGINX Ingress controller and describes the usage notes and
release notes for the NGINX Ingress controller.
Introduction
Introduction to Ingresses
In a Kubernetes cluster, an Ingress functions as an access point that exposes Services
in the cluster. It distributes most of the network traffic that is destined for the
Services in the cluster. An Ingress is a Kubernetes resource. It manages external
access to the Services in a Kubernetes cluster. You can configure routing rules for
an Ingress to route network traffic to backend pods of different Services.
How the NGINX Ingress controller works
Ingresses can work as normal only if you deploy an NGINX Ingress controller in the
cluster to parse the routing rules of the Ingresses. After the NGINX Ingress controller
receives a request that matches a routing rule, the NGINX Ingress controller routes
the request to a corresponding backend Service. The backend Service then forwards
the request to pods. In a Kubernetes cluster, Services, Ingresses, and the NGINX Ingress
controller work in the following process:
- A Service is an abstraction of a backend application that runs on a set of replicated
pods.
- An Ingress contains reverse proxy rules. It controls to which Service pods HTTP or
HTTPS requests are routed. For example, requests are routed to different Service pods
based on the hosts and URL paths in the requests.
- The NGINX Ingress controller is a reverse proxy program that parses Ingress rules.
If changes are made to the Ingress rules, the NGINX Ingress controller updates the
Ingress rules accordingly. After the NGINX Ingress controller receives a request,
it redirects the request to Service pods based on the Ingress rules.
Release notes
June 2022
Version |
Image address |
Release date |
Description |
Impact |
v1.2.1-aliyun.1 |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.1-aliyun.1 |
2022-06-28 |
- The NGINX
Alias and Root directives are deleted to reduce the potential risks.
- Some stability issues are fixed.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
May 2022
Version |
Image address |
Release date |
Description |
Impact |
v1.2.0-aliyun.1 |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.0-aliyun.1 |
2022-05-10 |
- The deep inspection feature for Ingresses is added and enabled by default. This feature
can prevent you from configuring Ingresses that contain sensitive fields. This feature
fixes the CVE-2021-25745 vulnerability.
- Some stability issues are fixed.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
April 2022
Version |
Image address |
Release date |
Description |
Impact |
v0.44.0.12-27ae67262-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.12-27ae67262-aliyun |
2022-04-29 |
- Affinity settings are optimized for scheduling. You can enable auto scaling for all
the nodes in a Container Service for Kubernetes (ACK) cluster.
- The vulnerabilities that exist after you enable the Application High Availability
Service (AHAS) Sentinel feature are fixed.
- Specific vulnerabilities in base images are fixed.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
March 2022
Version |
Image address |
Release date |
Description |
Impact |
v1.1.2-aliyun.2 |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.2-aliyun.2 |
2022-03-21 |
- The version of the NGINX component is rolled back to V1.19.9, which is the same as
the version of open source NGINX. This NGINX version is more stable.
- The following issue is fixed: The NGINX Ingress controller crashes if the
cors-allow-origin configuration is invalid.
- The following issue is fixed: The Ingresses that use the same webhook URL conflict
with each other when the system checks the webhook URLs of the Ingresses that belong
to different IngressClasses.
- The following issue is fixed: InitContainer modifies the kernel parameters of nodes
if hostNetwork is set to true.
- The CVE-2022-0778 and CVE-2022-23308 vulnerabilities are patched.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
January 2022
Version |
Image address |
Release date |
Description |
Impact |
v1.1.0-aliyun.2 |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.2 |
2022-01-12 |
- The AHAS Sentinel plug-in is updated and the Java module is replaced by the C++ module.
This greatly improves performance.
- Protocol Buffers (Protobuf) is used to communicate with the Kubernetes API server
of a cluster. This improves communication efficiency.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
December 2021
Version |
Image address |
Release date |
Description |
Impact |
v1.1.0-aliyun.1 |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.1 |
2021-12-17 |
- NGINX Ingress controller V1.X.X supports only ACK clusters that run Kubernetes V1.20.0
and later. For ACK clusters that run earlier Kubernetes versions, you must use NGINX
Ingress controller V0.X.X.
networking v1 Ingresses are used to support ACK clusters that run Kubernetes 1.22 and later.
- You can specify multiple origins in the
cors-allow-origin field. Requested resources are fetched based on the specified origins.
Session affinity can be enabled to define the behavior of canaries. You can also reset to the default
behavior of canaries.
- Canaries can be configured even when no host is specified.
- Admission webhooks are accelerated.
- Stability issues are fixed.
For more information, see Ingress-NGINX changelog.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
October 2021
Version |
Image address |
Release date |
Description |
Impact |
v0.44.0.9-7b9e93e7e-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.9-7b9e93e7e-aliyun |
2021-10-28 |
- The allow-snippet-annotations annotation is added to reduce the impact of vulnerability CVE-2021-25742. For more
information, see Vulnerability fixed: CVE-2021-25742.
- SSL builtin cache is disabled to prevent potential memory leaks.
- The following vulnerabilities are fixed: CVE-2021-22945, CVE-2021-22946, CVE-2021-3711,
and CVE-2021-3712. For more information, see CVE-2021-22945, CVE-2021-22946, CVE-2021-3711, and CVE-2021-3712.
- The AHAS sentinel SDK is updated to V1.9.7.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
September 2021
Version |
Image address |
Release date |
Description |
Impact |
v0.44.0.5-e66e17ee3-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.5-e66e17ee3-aliyun |
2021-09-06 |
- The AHAS sentinel plug-in is updated.
- The performance and stability are improved.
- Traffic throttling for clusters is supported.
- Vulnerability CVE-2021-36159 is fixed. For more information, see CVE-2021-36159.
- By default, the kernel parameter kernel.core_uses_pid is disabled. This prevents coredump files from occupying excessive disk space.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
June 2021
Version |
Image address |
Release date |
Description |
Impact |
v0.44.0.3-8e83e7dc6-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.3-8e83e7dc6-aliyun |
2021-06-01 |
Vulnerability CVE-2021-23017 is fixed. For more information, see Updating NGINX for a DNS Resolver Vulnerability (CVE-2021-23017).
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
April 2021
Version |
Image address |
Release date |
Description |
Impact |
v0.44.0.2-abf1c6fe4-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.2-abf1c6fe4-aliyun |
2021-04-01 |
Compatibility with the the_real_ip field in the log_format parameter of NGINX Ingress controller V0.30 and earlier is added.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
March 2021
Version |
Image address |
Release date |
Description |
Impact |
v0.44.0.1-5e842447b-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.1-5e842447b-aliyun |
2021-03-08 |
- By default, validating admission webhooks are enabled. For more information, see How the NGINX Ingress controller works.
- Validity check is performed on the value of the
service-weight annotation.
- The performance of persistent connections and short-lived connections is increased
by 20% to 50%.
- Online Certificate Status Protocol (OCSP) stapling is supported.
- LuaJIT is updated to V2.1.0.
- NGINX is updated to V1.19.6.
- Alpine Linux is updated to V3.13 for base images.
- CVE vulnerabilities related to OpenSSL are fixed.
- By default, Transport Layer Security (TLS) 1.3 is enabled.
- The Kubernetes version must be 1.16 or later.
- The NGINX Ingress controller is updated based on open source Ingress-NGINX 0.44.0.
For more information, see Ingress-NGINX changelog.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
April 2020
Version |
Image address |
Release date |
Description |
Impact |
v0.30.0.1-5f89cb606-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.30.0.1-5f89cb606-aliyun |
2020-04-02 |
- FastCGI Backend is supported.
- By default, the Dynamic SSL Cert Update mode is enabled.
- Traffic mirroring is supported.
- NGINX is updated to V1.17.8 and OpenResty is updated to V1.15.8. The operating system
of base images is updated to Alpine Linux.
- Ingress validating admission webhooks are supported.
- The following vulnerabilities are fixed: CVE-2018-16843, CVE-2018-16844, CVE-2019-9511,
CVE-2019-9513, and CVE-2019-9516.
- Major updates:
- The lua-resty-waf, session-cookie-hash, and force-namespace-isolation configurations
are deprecated.
- The data type of x-forwarded-prefix is changed from BOOLEAN to STRING.
- The the_real_ip field in the log-format parameter will be deprecated in the next version
and replaced with the remote_addr field.
- The NGINX Ingress controller is updated based on Ingress-NGINX 0.30.0. For more information
about the updates, see Ingress-NGINX changelog.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
October 2019
Version |
Image address |
Release date |
Description |
Impact |
v0.22.0.5-552e0db-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.5-552e0db-aliyun |
2019-10-24 |
Wildcard domain names, whitelists, and rewrite rules are supported if you enable dynamic
update for NGINX upstream servers.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
July 2019
Version |
Image address |
Release date |
Description |
Impact |
v0.22.0.4-5a14d4b-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.4-5a14d4b-aliyun |
2019-07-18 |
Canary release rules are optimized and the Perl regular expressions are supported.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
April 2019
Version |
Image address |
Release date |
Description |
Impact |
v0.22.0.3-da10b7f-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.3-da10b7f-aliyun |
2019-04-25 |
- The NGINX Ingress controller is updated based on Ingress-NGINX 0.22.0. For more information
about the updates, see Ingress-NGINX.
- Blue-green releases and canary releases are supported if you enable dynamic update
for NGINX upstream servers.
- By default, dynamic update is enabled for NGINX upstream servers.
- Major updates: Capture groups are used for rewrite-target annotations. For more information,
see rewrite-target. For more information about how to smoothly update the NGINX Ingress controller,
visit GitHub.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
January 2019
Version |
Image address |
Release date |
Description |
Impact |
v0.20.0.2-cc39f1b-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.2-cc39f1b-aliyun |
2019-01-17 |
- The default number of NGINX worker processes is limited. This avoids the issue that
an excessive number of NGINX processes occupy host resources.
- The port numbers of Services that route traffic to the old application version and
the new application version can be different during blue-green releases and canary
releases.
- The NGINX configuration verification failure is fixed when no pod is active on the
backend servers of the new application version during canary releases.
- The issue that Ingress address endpoints are not updated due to failed connections
to the Kubernetes API server is fixed.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|
November 2018
Version |
Image address |
Release date |
Description |
Impact |
v0.20.0.1-4597ce2-aliyun |
registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.1-4597ce2-aliyun |
2018-11-29 |
- The NGINX Ingress controller is updated based on Ingress-NGINX 0.20.0. For more information
about the updates, see Ingress-NGINX.
- NGINX is updated to V1.15.6 and HTTP/2-related vulnerabilities are fixed.
- Regular expressions are supported by the path parameter.
- The default-http-backend Service is removed and custom default backend Services are
supported.
- Blacklists based on IP addresses, user agents, and referer headers are supported.
- The default permissions are optimized and the privileged permissions are removed.
- Apache JServ Protocol (AJP) is supported.
|
The update may temporarily interrupt your service. We recommend that you update the
NGINX Ingress controller during off-peak hours.
|