Introduction to NGINX Ingress controller - Container Service for Kubernetes

This topic introduces the NGINX Ingress controller and describes the usage notes and release notes for the NGINX Ingress controller.

Introduction

Introduction to Ingress

In a Kubernetes cluster, an Ingress functions as an access point that exposes Services in the cluster. It distributes most of the network traffic that is destined for the Services in the cluster. An Ingress is a Kubernetes resource object that is used to enable external access to Services in a Kubernetes cluster. You can configure routing rules for an Ingress to route network traffic to backend pods of different Services.

How the NGINX Ingress controller works

Ingresses can work as normal only if you deploy an NGINX Ingress controller in the cluster to parse the routing rules of the Ingresses. After the NGINX Ingress controller receives a request that matches a routing rule, the NGINX Ingress controller routes the request to a corresponding backend Service. The backend Service then forwards the request to pods. In a Kubernetes cluster, Services, Ingresses, and the NGINX Ingress controller work in the following process:

A Service is an abstraction of a backend application that runs on a set of replicated pods.
An Ingress contains reverse proxy rules. It controls to which Service pods HTTP or HTTPS requests are routed. For example, requests are routed to different Service pods based on the hosts and URL paths in the requests.
The NGINX Ingress controller is a reverse proxy program that parses Ingress rules. If changes are made to the Ingress rules, the NGINX Ingress controller updates the Ingress rules accordingly. After the NGINX Ingress controller receives a request, it redirects the request to Service pods based on the Ingress rules.

Usage notes

For more information about how to install and update the NGINX Ingress controller, see Manage the NGINX Ingress controller and Update the NGINX Ingress controller.
For more information about how to create, view, update, and delete an NGINX Ingress in the Container Service for Kubernetes (ACK) console or by using kubectl, see Create an NGINX Ingress.
For more information about how to use the NGINX Ingress controller, see the following topics: Use the NGINX Ingress controller to implement canary releases and blue-green releases, Configure an Internet-facing or internal-facing NGINX Ingress controller, and Use an Ingress controller to mirror network traffic.

Release notes

August 2024

Version	Image address	Release date	Description	Impact
v1.10.4-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.10.4-aliyun.1	2024-08-20	New features and enhancements of open source v1.10.4 are supported. The CVE-2024-7646 vulnerability is fixed. For more information about the vulnerability, see Security issue.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

July 2024

Version	Image address	Release date	Description	Impact
v1.10.2-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.10.2-aliyun.1	2024-07-24	OpenTelemetry can integrate with Application Real-Time Monitoring Service (ARMS). Integrate with ARMS using OpenTracing is no longer supported. You can configure the `--shutdown-grace-period`, `--exclude-socket-metrics`, and `--default-ssl-certificate` parameters on the Add-ons page in the ACK console. Use Network Load Balancer (NLB) for Layer 4 forwarding is supported. Image hardening is supported. The CVE-2023-5363, CVE-2023-5678, CVE-2024-25062, and CVE-2024-2511 vulnerabilities are fixed.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

October 2023

Version

Image address

Release date

Description

Impact

v1.9.3-aliyun.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.9.3-aliyun.1

2023-10-24

Important

For security reasons, all snippet annotations, such as nginx.ingress.kubernetes.io/configuration-snippet, are disabled by default as of this release.

We recommend that you do not enable the snippet annotation feature to ensure security and stability. If you still want to use the feature after a full risk evaluation, add the allow-snippet-annotations: "true" annotation to kube-system/nginx-configuration in the ConfigMap to enable the feature.

The snippet annotation feature is disabled by default.
The --enable-annotation-validation parameter is added to enable annotation verification by default. This helps relieve the impact of the CVE-2023-5044 vulnerability.
The CVE-2023-44487 vulnerability is fixed.

The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

September 2023

Version

Image address

Release date

Description

Impact

v1.8.2-aliyun.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.8.2-aliyun.1

2023-09-20

Golang is updated to 1.21.1.
Pod anti-affinity settings based on hostnames are changed from preferred to required. The system is forced to schedule pods based on the anti-affinity settings.
OpenTelemetry can be enabled. For more information, see OpenTelemetry.
The CVE-2022-48174, CVE-2023-2975, CVE-2023-3446, and CVE-2023-3817 vulnerabilities are fixed.

The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

June 2023

Version

Image address

Release date

Description

Impact

v1.8.0-aliyun.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.8.0-aliyun.1

2023-06-20

Alpine image version is updated to 1.18.
The strict-validate-path-type configuration item is added to use strict path validation. By default, this feature is disabled. For more information, see strict-validate-path-type.
The CVE-2023-28322 and CVE-2023-2650 vulnerabilities are fixed.

The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

May 2023

Version	Image address	Release date	Description	Impact
v1.7.0-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.7.0-aliyun.1	2023-05-05	Important Transport Layer Security (TLS) v1.1 and TLS v1.0 are no longer supported by this version. If you update the NGINX Ingress controller to this version, pay attention to the impact on your businesses. For more information about the impact of this issue, see set ssl-protocols config not working after v1.6.4. If you want to use TLS v1.1 and TLS v1.0, see the Which SSL or TLS protocol versions are supported by Ingresses? section of the "Nginx Ingress FAQ" topic. Golang is updated to 1.20 and Alpine Linux is updated to 1.17. The issue that the `nginx.ingress.kubernetes.io/canary-weight-total` annotation does not take effect is fixed. Panics that occur when ready conditions are lost in Endpointslices are fixed. The CVE-2023-27536 and CVE-2023-0464 vulnerabilities are fixed. Prefix checks are no longer performed based on service names in EndpointSlices.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

March 2023

Version	Image address	Release date	Description	Impact
v1.6.4-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.6.4-aliyun.1	2023-03-17	The `nginx.ingress.kubernetes.io/denylist-source-range` annotation can be used to configure IP address blacklists. The `cluster-autoscaler.kubernetes.io/safe-to-evict: "false"` annotation can be added to the configurations of a pod to prevent Cluster Autoscaler from removing the node that hosts the pod. Simple Log Service can be enabled or disabled on the Add-ons page in the ACK console. Some stability issues are fixed. The CVE-2023-0286, CVE-2022-4450, and CVE-2023-0215 vulnerabilities are fixed.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

February 2023

Version	Image address	Release date	Description	Impact
v1.5.1-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.5.1-aliyun.1	2023-02-10	NGINX Ingress controller 1.5.1 and later support only ACK clusters that run Kubernetes 1.22.0 or later. NGINX is updated to 1.21.6 and Golang is updated to 1.19.2. The AHAS sentinel plug-in is updated and the use-mse switch is supported. The coordination.k8s.io/leases is used to enable leader election. Endpoints are replaced by EndpointSlices for endpoint discovery. Multiple Prometheus metrics are supported and the _ingress_upstream_latency_seconds metric is discontinued. For more information, see Consistent prometheus metric names and documentation. debug-connections can be used to enable NGINX debugging logs for specified IP address ranges. The CVE-2022-32149, CVE-2022-27664, and CVE-2022-1996 vulnerabilities are fixed.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

June 2022

Version	Image address	Release date	Description	Impact
v1.2.1-aliyun.1	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.1-aliyun.1	2022-06-28	The `alias` and `root` directives are deleted to reduce potential risks. Some stability issues are fixed.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

May 2022

Version	Image address	Release date	Description	Impact
v1.2.0-aliyun.1	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.0-aliyun.1	2022-05-10	The deep inspection feature for Ingresses is added and enabled by default. This feature can prevent you from configuring Ingresses that contain sensitive fields. This feature fixes the CVE-2021-25745 vulnerability. Some stability issues are fixed.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

April 2022

Version	Image address	Release date	Description	Impact
v0.44.0.12-27ae67262-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.12-27ae67262-aliyun	2022-04-29	Affinity settings are optimized for scheduling. You can enable auto scaling for all the nodes in an ACK cluster. The vulnerabilities that exist after you enable the Application High Availability Service (AHAS) Sentinel feature are fixed. Specific vulnerabilities in base images are fixed.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

March 2022

Version	Image address	Release date	Description	Impact
v1.1.2-aliyun.2	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.2-aliyun.2	2022-03-21	The version of the NGINX component is rolled back to 1.19.9, which is the same as the version of open source NGINX. This NGINX version is more stable. The following issue is fixed: The NGINX Ingress controller crashes if the `cors-allow-origin` configuration is invalid The following issue is fixed: The Ingresses that use the same webhook URL conflict with each other when the system checks the webhook URLs of the Ingresses that belong to different IngressClasses. The following issue is fixed: InitContainer modifies the kernel parameters of nodes if hostNetwork is set to true. The CVE-2022-0778 and CVE-2022-23308 vulnerabilities are fixed.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

January 2022

Version	Image address	Release date	Description	Impact
v1.1.0-aliyun.2	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.2	2022-01-12	The AHAS Sentinel plug-in is updated and the Java module is replaced by the C++ module. This greatly improves performance. Protocol Buffers (Protobuf) is used to communicate with the Kubernetes API server of a cluster. This improves communication efficiency.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

December 2021

Version

Image address

Release date

Description

Impact

v1.1.0-aliyun.1

registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.1

2021-12-17

NGINX Ingress controller V1.X.X supports only ACK clusters that run Kubernetes V1.20.0 and later. For ACK clusters that run earlier Kubernetes versions, you must use NGINX Ingress controller V0.X.X.
networking v1 Ingresses are used to support ACK clusters that run Kubernetes 1.22 and later.
You can specify multiple origins in the cors-allow-origin field. Requested resources are fetched based on the specified origins.
Session affinity can be enabled to define the behavior of canaries. You can also reset canaries to the default behavior.
Canaries can be configured even when no host is specified.
Admission webhooks are accelerated.
Stability issues are fixed.

For more information, see Ingress-NGINX changelog.

The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

October 2021

Version	Image address	Release date	Description	Impact
v0.44.0.9-7b9e93e7e-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.9-7b9e93e7e-aliyun	2021-10-28	The allow-snippet-annotations annotation is added to reduce the impact of the CVE-2021-25742 vulnerability. For more information, see Vulnerability fixed: CVE-2021-25742. SSL builtin cache is disabled to prevent memory leaks. The following vulnerabilities are fixed: CVE-2021-22945, CVE-2021-22946, CVE-2021-3711, and CVE-2021-3712. For more information, see CVE-2021-22945, CVE-2021-22946, CVE-2021-3711, and CVE-2021-3712. The AHAS Sentinel SDK is updated to V1.9.7.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

September 2021

Version	Image address	Release date	Description	Impact
v0.44.0.5-e66e17ee3-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.5-e66e17ee3-aliyun	2021-09-06	The AHAS Sentinel plug-in is updated. The performance and stability are improved. Traffic throttling for clusters is supported. Vulnerability CVE-2021-36159 is fixed. For more information, see CVE-2021-36159. By default, the kernel parameter kernel.core_uses_pid is disabled. This prevents coredump files from occupying excessive disk space.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

June 2021

Version	Image address	Release date	Description	Impact
v0.44.0.3-8e83e7dc6-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.3-8e83e7dc6-aliyun	2021-06-01	The CVE-2021-23017 vulnerability is fixed.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

April 2021

Version	Image address	Release date	Description	Impact
v0.44.0.2-abf1c6fe4-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.2-abf1c6fe4-aliyun	2021-04-01	Compatibility with the `the_real_ip` field in the log_format parameter of NGINX Ingress controller V0.30 and earlier is added.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

March 2021

Version	Image address	Release date	Description	Impact
v0.44.0.1-5e842447b-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.1-5e842447b-aliyun	2021-03-08	By default, validating admission webhooks are enabled. For more information, see How the NGINX Ingress controller works. The validity of the value of the `service-weight` annotation is checked. The performance of persistent connections and short-lived connections is increased by 20% to 50%. Online Certificate Status Protocol (OCSP) stapling is supported. LuaJIT is updated to V2.1.0. NGINX is updated to V1.19.6. Alpine Linux is updated to V3.13 for base images. CVE vulnerabilities related to OpenSSL are fixed. By default, Transport Layer Security (TLS) 1.3 is enabled. Note By default, only TLS 1.2 and TLS 1.3 are supported by HTTPS. For more information about how to enable HTTPS to support TLS 1.0 and TLS 1.1, see the Which SSL or TLS protocol versions are supported by Ingresses? section of the "Nginx Ingress FAQ" topic. The Kubernetes version must be 1.16 or later. The NGINX Ingress controller is updated based on open source Ingress-NGINX 0.44.0. For more information, see Changelog.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

April 2020

Version	Image address	Release date	Description	Impact
v0.30.0.1-5f89cb606-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.30.0.1-5f89cb606-aliyun	2020-04-02	FastCGI Backend is supported. By default, the Dynamic SSL Cert Update mode is enabled. Traffic mirroring is supported. NGINX is updated to V1.17.8 and OpenResty is updated to V1.15.8. The operating system of base images is updated to Alpine Linux. Ingress validating admission webhooks are supported. The following vulnerabilities are fixed: CVE-2018-16843, CVE-2018-16844, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516. Major updates: The lua-resty-waf, session-cookie-hash, and force-namespace-isolation configurations are deprecated. The data type of x-forwarded-prefix is changed from BOOLEAN to STRING. The the_real_ip field in the log-format parameter will be deprecated in the next version and replaced with the remote_addr field. The NGINX Ingress controller is updated based on Ingress-NGINX 0.30.0. For more information about the updates, see Ingress-NGINX changelog.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

October 2019

Version	Image address	Release date	Description	Impact
v0.22.0.5-552e0db-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.5-552e0db-aliyun	2019-10-24	Wildcard domain names, whitelists, and rewrite rules are supported if you enable dynamic updates for NGINX upstream servers.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

July 2019

Version	Image address	Release date	Description	Impact
v0.22.0.4-5a14d4b-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.4-5a14d4b-aliyun	2019-07-18	Canary release rules are optimized and the Perl regular expressions are supported.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

April 2019

Version	Image address	Release date	Description	Impact
v0.22.0.3-da10b7f-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.3-da10b7f-aliyun	2019-04-25	The NGINX Ingress controller is updated based on Ingress-NGINX 0.22.0. For more information about the updates, see Ingress-NGINX. Blue-green releases and canary releases are supported if you enable dynamic updates for NGINX upstream servers. By default, dynamic updates are enabled for NGINX upstream servers. Major updates: Capture groups are used for rewrite-target annotations. For more information, see rewrite-target. For more information about how to smoothly update the NGINX Ingress controller, visit GitHub.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

January 2019

Version	Image address	Release date	Description	Impact
v0.20.0.2-cc39f1b-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.2-cc39f1b-aliyun	2019-01-17	The default number of NGINX worker processes is limited. This avoids the issue that an excessive number of NGINX processes occupy host resources. The port numbers of Services that route traffic to the old application version and the new application version can be different during blue-green releases and canary releases. The NGINX configuration verification failure is fixed when no pod is active on the backend servers of the new application version during canary releases. The issue that Ingress address endpoints are not updated due to failed connections to the Kubernetes API server is fixed.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.

November 2018

Version	Image address	Release date	Description	Impact
v0.20.0.1-4597ce2-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.1-4597ce2-aliyun	2018-11-29	The NGINX Ingress controller is updated based on Ingress-NGINX 0.20.0. For more information about the updates, see Ingress-NGINX. NGINX is updated to V1.15.6 and HTTP/2-related vulnerabilities are fixed. Regular expressions are supported by the path parameter. The default-http-backend Service is removed and custom default backend Services are supported. Blacklists based on IP addresses, user agents, and referer headers are supported. The default permissions are optimized and the privileged permissions are removed. Apache JServ Protocol (AJP) is supported.	The update may temporarily interrupt your service. We recommend that you update the NGINX Ingress controller during off-peak hours.