What is an NGINX Ingress controller-Container Service for Kubernetes(ACK)-阿里云帮助中心

This topic covers the NGINX Ingress controller, its usage notes, and release notes.

Important

Support for the open-source Ingress-NGINX project will end after March 2026. As a result, Container Service for Kubernetes will deprecate the NGINX Ingress Controller component. Please be aware of the risks involved. For more information, see [Product Announcement] Discontinuation of Maintenance for the NGINX Ingress Controller Component.

Introduction

The NGINX Ingress controller is based on the open-source Kubernetes project Ingress NGINX and provides a unified entry point for Services in a cluster. Its code implementation is identical to that of the community Ingress NGINX project. New versions align with the upstream community project's releases and maintain consistent version numbers. The NGINX Ingress controller is an unmanaged component deployed on your cluster's nodes. You are responsible for the operations and maintenance (O&M) of this component. It does not come with a service-level agreement (SLA) and supports extensive customization.

Key concepts of Ingress

In a Kubernetes cluster, an Ingress acts as the access point that exposes internal services and handles most of the service traffic. An Ingress is a Kubernetes resource object used to manage how external traffic accesses internal services. You can configure forwarding rules in an Ingress resource to route traffic to the backend pods of different Services. For more information about the comparison of different Ingresses in ACK, see Comparison among Nginx Ingresses, ALB Ingresses, and MSE Ingresses.

How the NGINX Ingress controller works

For Nginx Ingress resources to work properly, you must deploy an Nginx Ingress Controller in the cluster to parse the Ingress forwarding rules. The Nginx Ingress Controller receives requests, matches them against the Ingress rules, and then forwards them to the corresponding backend Service pods for processing. In Kubernetes, the relationship among a Service, an Nginx Ingress, and the Nginx Ingress Controller is as follows:

A Service is an abstraction of backend services. One Service can represent multiple identical backend services.
An Nginx Ingress defines reverse proxy rules that specify which Service pods receive HTTP or HTTPS requests. For example, requests are routed to different Service pods based on the Host and URL path in each request.
The Nginx Ingress Controller is a component in the Kubernetes cluster that parses Nginx Ingress reverse proxy rules. When an Ingress is added, deleted, or modified, the Nginx Ingress Controller immediately updates its forwarding rules. When the controller receives a request, it forwards the request to the appropriate Service pod based on these rules.

NGINX Ingress controller and cluster version compatibility

When you upgrade the component, if the target version is incompatible with your current cluster version, upgrade your cluster first.

NGINX Ingress controller version	Compatible cluster version
[v1.12.6-release.1, v1.14.5-release.1]	1.24 and later
[v1.5.1-aliyun.1, v1.11.5-aliyun.1]	1.22 and later
[v1.1.0-aliyun.1, v1.2.1-aliyun.1]	1.20 and later

Risks of outdated versions

Maintenance for the NGINX Ingress controller v1.2 and earlier has been discontinued. For more information, see the product announcement. Outdated versions of the component do not support new features, receive bug fixes, or qualify for timely technical support. This exposes your system to risks from unpatched security vulnerabilities. Please upgrade the component promptly.

Usage

To install or upgrade the NGINX Ingress controller, see Manage the NGINX Ingress controller component and Upgrade the NGINX Ingress controller.
To create, view, update, and delete an NGINX Ingress by using the console or kubectl, see Create and use an NGINX Ingress.
For more information about the NGINX Ingress controller, see Implement phased releases and blue-green deployments using NGINX Ingress, Configure the network type for NGINX Ingress controller, and Use an ingress controller to mirror network traffic.

Release notes

May 2026

Version

Image address

Change date

Changes

Impact

v1.14.5-release.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.14.5-release.1

May 20, 2026

Enhancements:

Updated Golang to v1.25.10.
Updated the Nginx baseline version to v1.27.1.

Vulnerability fixes:

Backported upstream security patches from Nginx:
- CVE-2026-42945: Buffer overflow in the ngx_http_rewrite_module
- CVE-2026-42946: Buffer overread in the ngx_http_scgi_module and ngx_http_uwsgi_module
- CVE-2026-42934: Buffer overread in the ngx_http_charset_module
- CVE-2026-40460: HTTP/3 address spoofing
- CVE-2026-40701: Resolver use-after-free in OCSP
- CVE-2026-1642: SSL upstream injection

We recommend upgrading during off-peak hours. The upgrade may briefly interrupt established connections.

April 2026

Version	Image address	Date	Description	Impact
v1.13.9-release.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.13.9-release.1	April 2, 2026	Updated to community version v1.13.9. For details, see the Full Changelog. Highlights Vulnerability fixes: Ingress controller: Fixed an Nginx configuration injection vulnerability caused by a combination of annotations. (#14731) CVE-2026-4342: ingress-nginx comment-based nginx configuration injection (#137893), a high-severity vulnerability with a CVSS score of 8.8. An attacker can use a combination of specific Ingress annotations to inject malicious data into the `rules.http.paths.path` field, thereby injecting arbitrary configurations into Nginx. This could lead to arbitrary code execution within the ingress-nginx controller's context and expose all accessible Secrets. In a default installation, this includes all Secrets in the cluster. This results in a severe information leak and a compromise of system integrity.	Upgrade during off-peak hours. Established connections might be briefly interrupted during the update.

March 2026

Version	Image address	Change date	Changes	Impact
v1.13.8-release.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.13.8-release.1	March 16, 2026	Updated to community version v1.13.8. For more details, see the Full Changelog. Highlights Vulnerability fixes NGINX: Updated the OWASP Core Rule Set to v4.22.0. (#14418) CVE-2026-21876. CVSS score: 9.3 (critical). Addressed a logic flaw in the OWASP Core Rule Set's charset validation for multipart/form-data. Previously, an attacker could bypass the Web Application Firewall (WAF) by crafting a multipart request with a specific charset encoding, allowing a malicious payload to be parsed and executed by the backend application. Admission Controller: Limited the request size that the validating webhook can process to 9 MB. (#14494) CVE-2026-24514: ingress-nginx Admission Controller denial of service (#136680). CVSS score: 3.1 (low). Limited the request size for the validating webhook to prevent an attacker from sending an oversized object or request that could exhaust the Admission Controller's memory. This could cause the ingress-nginx controller Pod to be OOM-killed or deplete node memory, resulting in a denial of service. Template: Added quotes to all `location` and `server_name` directives and escaped quotes and backslashes. (#14503) CVE-2026-24512: ingress-nginx rules.http.paths.path nginx configuration injection (#136678). CVSS score: 8.8 (high). Fixed a vulnerability where the `rules.http.paths.path` field could be used to inject raw Nginx configuration. This prevents an attacker from using a crafted path value to break out of the template and write arbitrary directives into the configuration file, which could lead to remote code execution in the controller Pod and access to all of its readable Secrets. Annotations: Added `^` and `$` anchors to the auth method regular expression. (#14506) CVE-2026-1580: ingress-nginx auth-method nginx configuration injection (#136677). CVSS score: 8.8 (high). Strengthened the value validation for the `nginx.ingress.kubernetes.io/auth-method` annotation to allow only exact matches of the expected methods. This prevents an attacker from injecting special content that could be concatenated directly into the Nginx configuration, which could lead to configuration injection, remote code execution, and theft of cluster Secrets. Template: Bypassed custom error pages when handling auth URL requests. (#14497) CVE-2026-24513: ingress-nginx auth-url protection bypass (#136679). CVSS score: 3.1 (low). Fixed an authentication bypass vulnerability that could occur when using the `auth-url` annotation with a custom error page backend. The issue was triggered if the backend did not correctly handle the `X-Code` header, which could cause an authentication failure (401/403) to be misinterpreted as a success, leading to unauthorized access to protected paths. Template: Added quotes to the `proxy_pass` directive. (#14669) CVE-2026-3288: ingress-nginx rewrite-target nginx configuration injection (#137560). CVSS score: 8.8 (high). Fixed a vulnerability where the value of the `nginx.ingress.kubernetes.io/rewrite-target` annotation was not strictly filtered, allowing the injection of arbitrary directives into the Nginx configuration file. Because the value was directly concatenated into the generated `nginx.conf`, an attacker with low-privilege permissions to create or modify Ingress resources could achieve remote code execution in the context of the controller Pod and read all accessible Secrets. In a default installation, this includes all Secrets in the cluster. Optimizations Controller: Added validity checks for UIDs. (#14500) Annotations: Considered aliases in risk assessment. (#14666) Controller: Ensured SSL Passthrough is correctly enabled when requested on an HTTP-only host. (#14557) Annotations: Used a dedicated regular expression for `proxy-cookie-domain`. (#14551) Template: Used `RawURLEncoding` instead of `URLEncoding` with padding removed. (#14538) Bug fixes Fixed a synchronization issue that occurred when the host clock jumped into the future. (#14450) Fixed a panic caused by an empty `cpu.max` file. (#14449) Fixed a panic caused by prematurely writing the status code when a custom error page is returned. (#14163) Controller: Fixed an issue where the host/path overlap check could exit prematurely when multiple rules were present. The `checkOverlap` function now inspects all rules of a new Ingress object to ensure it does not overlap with any existing Ingress objects. Previously, the function would exit after the first rule passed validation. (#14131) Annotations: Fixed an issue where the Equals function did not validate the `auth-proxy-set-headers` field. (#14104) Store: Fixed a panic in the service deletion handler. This occurred when the Kubernetes client cache was inconsistent with the state of the v1.Service resource in the Kubernetes store, causing the client to return an unhandled `cache.DeletedFinalStateUnknown` type, which led to a panic in subsequent checks. (#14057) Controller: Fixed a sorting issue with `limit_req_zone` to ensure the configuration is sorted before it takes effect. (#14006) Config/annotations: Fixed backward compatibility for `proxy-busy-buffers-size`. It is now rendered only if explicitly defined in the template. (#13638) Config/annotations: Removed the default value for `proxy-busy-buffers-size`. (#13790) Lua: Fixed a type mismatch issue. (#14515)	We recommend upgrading during off-peak hours. Established connections may be briefly interrupted during the update.

December 2025

Version	Image address	Date	Description	Impact
v1.12.6-release.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.12.6-release.1	December 11, 2025	Updated to community version v1.12.6. Important To enhance the security of ingress-nginx, this version adjusts the default values for several security configurations. If you use or plan to use features that are now disabled by these configurations, you must manually enable them by adding the relevant settings to the ConfigMap `kube-system/nginx-configuration` after performing a thorough security risk assessment: The default risk level for allowed annotations is lowered to High. If you use or plan to use annotations with a Critical risk level, such as snippet-type annotations, you must manually add `annotations-risk-level: Critical`. Cross-namespace resource references are disabled by default. If your Ingress objects need to reference resources such as ConfigMaps or Secrets in other namespaces by using annotations like `auth-secret`, `auth-tls-secret`, `auth-proxy-set-header`, `fastcgi-params-configmap`, or `proxy-ssl-secret`, you must manually add `allow-cross-namespace-resources: "true"`. Strict path validation is enabled by default. This means that for paths with an `Exact` or `Prefix` path type, the path must start with `/` and can only contain letters, numbers, `-`, `_`, `.`, and additional `/` characters. If you use or plan to use paths with other characters, such as `+` or `$`, you must manually add `strict-validate-path-type: "false"` or change the path type to `ImplementationSpecific`. Key feature changes New features: annotation/AuthTLS: Allowed redirection to named locations. ( #13820 ) Added support for using `.` in `Exact` and `Prefix` paths. (#13800) NGINX: Upgraded to OpenResty v1.25.3.2. ( #13530 ) Added support for any CORS origin. ( #11153 ) metrics: Added the `--metrics-per-undefined-host` parameter. ( #11818 ) Enhancements: Security: Hardened socket creation and validated error code input. ( #13786 ) Security: Adjusted default security configurations (#11819): Lowered the acceptable annotation risk level from Critical to High. Disabled cross-namespace references by default. Enabled strict path validation. NGINX: Disabled architecture-specific optimizations for mimalloc. ( #13670 ) Removed the global rate limiting feature. ( #11851 ) The following configuration options are removed: `global-rate-limit-memcached-host` `global-rate-limit-memcached-port` `global-rate-limit-memcached-connect-timeout` `global-rate-limit-memcached-max-idle-timeout` `global-rate-limit-memcached-pool-size` `global-rate-limit-status-code` The following annotations are removed: `global-rate-limit` `global-rate-limit-window` `global-rate-limit-key` `global-rate-limit-ignored-cidrs` Removed support for third-party Lua plugins (#11821). Custom plugins in the `/etc/nginx/lua/plugins` directory are no longer supported. metrics: Removed `ingress_upstream_latency_seconds`. ( #11795 ) Bug fixes: Metrics: Fixed `nginx_ingress_controller_config_last_reload_successful`. (#13859) Controller: Fixed the SSL session ticket path. (#13668) Lua: Fixed `ExternalName` Services with no endpoints. (#13429) Fixed a DNS resolution issue when an ExternalName is used as a backend. (#12951)	We recommend upgrading during off-peak hours. Established connections may be briefly interrupted during the update.

September 2025

Version

Image address

Date

Description

Impact

v1.11.5-release.2

registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.5-release.2

September 11, 2025

Improvements:

Adds support for Network Load Balancer (NLB).
Adds support for Pod Disruption Budgets.

We recommend upgrading during off-peak hours, as established connections might be briefly interrupted.

March 2025

Version	Image address	Release date	Description	Impact
v1.11.5-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.5-aliyun.1	March 26, 2025	Updated to community v1.11.5 to fix vulnerabilities CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514. For more information, see the Security Bulletin for CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514. Important To fix the CVE-2025-1974 vulnerability, the validation webhook for the NGINX Ingress controller remains enabled, but native NGINX configuration validation is disabled by default. If you use the snippet annotation to add custom NGINX directives, these configurations are no longer pre-validated by the validation webhook. As a result, related errors are detected only when NGINX reloads the configuration. We recommend checking the NGINX Ingress controller Pod logs for errors after you modify an Ingress rule and correcting the Ingress configuration as needed. Important: An invalid Ingress configuration does not affect running NGINX Ingress controller Pods. However, any new Pods created during scaling or restart operations will fail to start. Before applying changes to a production environment, thoroughly validate all snippet directives in a staging environment.	We recommend upgrading during off-peak hours. The update may briefly interrupt existing connections.
v1.11.4-aliyun.2	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.4-aliyun.2	March 19, 2025	Optimized the node affinity for scheduling to prevent Pods from being scheduled to Lingjun nodes.	We recommend upgrading during off-peak hours. The update may briefly interrupt existing connections.

February 2025

Version	Image address	Release date	Description	Impact
v1.11.4-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.11.4-aliyun.1	February 12, 2025	Updated to community version v1.11.4. This version adds support for configuring customizable topology constraints for the component in the console.	We recommend upgrading during off-peak hours, as the process may briefly interrupt established connections.

August 2024

Version	Image address	Release date	Description	Impact
v1.10.4-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.10.4-aliyun.1	August 20, 2024	Updated to community edition v1.10.4 to fix the CVE-2024-7646 vulnerability. For more information, see Security issue.	We recommend upgrading during off-peak hours, as the process may briefly interrupt established connections.

July 2024

Version	Image address	Release date	Description	Impact
v1.10.2-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.10.2-aliyun.1	July 24, 2024	Adds integration with Application Real-Time Monitoring Service (ARMS) via OpenTelemetry and removes support for OpenTracing. Allows configuring the `--shutdown-grace-period`, `--exclude-socket-metrics`, and `--default-ssl-certificate` parameters on the Add-ons page. Enables layer 4 forwarding by using a Network Load Balancer (NLB). Hardened the image and fixed CVE-2023-5363, CVE-2023-5678, CVE-2024-25062, and CVE-2024-2511. Upgraded NGINX to v1.25.5, which introduces stricter validation for header fields in backend responses. For more information, see the changeset. Rejects backend responses with duplicate `Content-Length` and `Transfer-Encoding` header fields. Rejects backend responses with an invalid `Content-Length` or `Transfer-Encoding` header field. Rejects backend responses with both `Content-Length` and `Transfer-Encoding` header fields.	The upgrade may briefly interrupt established connections. We recommend performing the upgrade during off-peak hours.

October 2023

Version

Image address

Release date

Description

Impact

v1.9.3-aliyun.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.9.3-aliyun.1

October 24, 2023

Important

For security reasons, this release disables all snippet annotations, such as nginx.ingress.kubernetes.io/configuration-snippet, by default.

If you must use this feature after a thorough risk assessment, add allow-snippet-annotations: "true" to the kube-system/nginx-configuration ConfigMap to enable it.

Snippet annotations are disabled by default.
Added the --enable-annotation-validation parameter, which is enabled by default. This parameter validates annotation content to help mitigate CVE-2023-5044.
Fixed CVE-2023-44487.

We recommend upgrading during off-peak hours because the upgrade may briefly interrupt established connections.

September 2023

Version

Image address

Release date

Description

Impact

v1.8.2-aliyun.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.8.2-aliyun.1

September 20, 2023

Upgraded Golang to version 1.21.1.
Changed the hostname-based Pod anti-affinity scheduling from preferred to required to enforce node-level anti-affinity.
Added support for OpenTelemetry. For more information, see the community configuration guide.
Fixed the following vulnerabilities: CVE-2022-48174, CVE-2023-2975, CVE-2023-3446, and CVE-2023-3817.

We recommend upgrading during off-peak hours as the upgrade may cause transient interruptions to established connections.

June 2023

Version

Image address

Release date

Description

Impact

v1.8.0-aliyun.1

registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.8.0-aliyun.1

June 20, 2023

Upgraded the Alpine image to version 1.18.
Added the strict-validate-path-type configuration option to enable strict path validation (disabled by default). Refer to the community ConfigMap documentation.
Fixed vulnerabilities, including CVE-2023-28322 and CVE-2023-2650.

We recommend upgrading during off-peak hours. The upgrade may briefly interrupt established connections.

May 2023

Version	Image address	Release date	Description	Impact
v1.7.0-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.7.0-aliyun.1	May 5, 2023	Important This version no longer supports Transport Layer Security (TLS) v1.1 and v1.0 by default. If you upgrade NGINX Ingress Controller, evaluate the impact on your services. For more information, see the GitHub issue: set ssl-protocols config not working after v1.6.4. If you must use these older TLS versions, see Known issues in earlier versions for configuration instructions. Upgraded Golang to v1.20 and the Alpine base image to v1.17. Fixed an issue where the `nginx.ingress.kubernetes.io/canary-weight-total` annotation was not taking effect. Resolved a panic caused by a missing ready condition in an EndpointSlice. Addressed vulnerabilities CVE-2023-27536 and CVE-2023-0464. Removed the prefix check for the service name in an EndpointSlice.	We recommend upgrading during off-peak hours. The upgrade may briefly interrupt established connections.

March 2023

Version	Image address	Release date	Description	Impact
v1.6.4-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.6.4-aliyun.1	March 17, 2023	Added support for the `nginx.ingress.kubernetes.io/denylist-source-range` annotation to configure an IP blacklist. Added support for the `cluster-autoscaler.kubernetes.io/safe-to-evict: "false"` annotation to prevent the removal of the node hosting the pod during auto scaling. Added the ability to enable or disable logging on the Add-ons page. Resolved several stability issues. Addressed vulnerabilities CVE-2023-0286, CVE-2022-4450, and CVE-2023-0215.	We recommend upgrading during off-peak hours. The update may briefly interrupt established connections.

February 2023

Version	Image address	Release date	Description	Impact
v1.5.1-aliyun.1	registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.5.1-aliyun.1	February 10, 2023	NGINX Ingress controller v1.5.1 and later supports only ACK clusters that run Kubernetes v1.22.0 or later. Upgraded NGINX to v1.21.6 and Golang to v1.19.2. Updated the AHAS Sentinel plugin to support the `use-mse` switch. The controller now uses `coordination.k8s.io/leases` resources for leader election. EndpointSlices replace Endpoints for endpoint discovery. Added multiple Prometheus metrics and deprecated the `_ingress_upstream_latency_seconds` metric. For more information, see ingress-nginx. Added support for using `debug-connections` to enable NGINX debug logs for a specific IP range. Fixed the vulnerabilities CVE-2022-32149, CVE-2-27664, and CVE-2022-1996.	We recommend upgrading during off-peak hours. The upgrade may cause transient interruptions to established connections.

June 2022

Version	Image address	Release date	Description	Impact
v1.2.1-aliyun.1	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.1-aliyun.1	June 28, 2022	Removed the `alias` and `root` directives from NGINX to reduce security risks. Fixed several stability issues.	We recommend that you upgrade during off-peak hours. The upgrade may cause a transient interruption to established connections.

May 2022

Version	Image address	Release date	Description	Impact
v1.2.0-aliyun.1	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.2.0-aliyun.1	May 10, 2022	Adds deep inspection for Ingress objects, which is enabled by default to block configurations containing sensitive fields. This addresses CVE-2021-25745. Fixed several stability issues.	We recommend upgrading during off-peak hours. The upgrade may briefly interrupt established connections.

April 2022

Version	Image address	Release date	Description	Impact
v0.44.0.12-27ae67262-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.12-27ae67262-aliyun	April 29, 2022	Optimized scheduling affinity settings to enable auto scaling on all cluster nodes. Fixed known security vulnerabilities related to the Application High Availability Service (AHAS) Sentinel feature. Fixed several vulnerabilities in the base image.	We recommend upgrading during off-peak hours. Established connections may be briefly interrupted during the upgrade.

March 2022

Version	Image address	Release date	Description	Impact
v1.1.2-aliyun.2	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.2-aliyun.2	March 21, 2022	Downgraded the Nginx version to 1.19.9 to align with the community version for improved stability. Fixed a crash in the Ingress controller caused by an invalid `cors-allow-origin` configuration. Fixed a path conflict for Ingresses from different IngressClasses during webhook validation. Prevented the init container from modifying node kernel parameters when hostNetwork is enabled. Addressed the vulnerabilities CVE-2022-0778 and CVE-2022-23308.	Upgrading during off-peak hours is recommended. The update may cause a transient interruption to established connections.

January 2022

Version	Image address	Release date	Description	Impact
v1.1.0-aliyun.2	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.2	January 12, 2022	Upgraded the AHAS Sentinel plugin from a Java to a C++ module, significantly improving performance. Improves performance by using Protocol Buffers (Protobuf) to communicate with the Kubernetes API server.	We recommend upgrading during off-peak hours. During the upgrade, established connections may be briefly interrupted.

December 2021

Version

Image address

Release date

Description

Impact

v1.1.0-aliyun.1

registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.1

December 17, 2021

NGINX Ingress controller v1.X.X is only compatible with ACK clusters running Kubernetes v1.20.0 or later. For earlier cluster versions, you must use NGINX Ingress controller v0.X.X.
Now uses networking.k8s.io/v1 Ingress to support clusters running Kubernetes v1.22 and later.
The cors-allow-origin annotation now supports multiple values and dynamically returns a response based on the Origin header of the request.
Added support for session affinity in canary configurations, which is now the default behavior.
Added support for configuring a canary release without specifying a host.
Improved the performance of the admission webhook.
Resolved several stability issues.

For more information, see the Ingress-NGINX changelog.

Upgrade during off-peak hours. The upgrade may briefly interrupt established connections.

October 2021

Version	Image address	Release date	Description	Impact
v0.44.0.9-7b9e93e7e-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.9-7b9e93e7e-aliyun	October 28, 2021	Added the allow-snippet-annotations annotation to mitigate the CVE-2021-25742 vulnerability. See Vulnerability fixed: CVE-2021-25742. Disabled the SSL builtin cache to fix a potential memory leak. Fixed vulnerabilities CVE-2021-22945, CVE-2021-22946, CVE-2021-3711, and CVE-2021-3712. See CVE-2021-22945, CVE-2021-22946, CVE-2021-3711, and CVE-2021-3712. Upgraded the AHAS Sentinel SDK to 1.9.7.	Upgrade during off-peak hours. Established connections may be briefly interrupted.

September 2021

Version	Image address	Release date	Description	Impact
v0.44.0.5-e66e17ee3-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.5-e66e17ee3-aliyun	September 6, 2021	Upgraded the AHAS Sentinel plug-in. Improved performance and stability. Added support for cluster traffic throttling. Fixed the CVE-2021-36159 vulnerability. For more information, see CVE-2021-36159. Disabled the kernel.core_uses_pid kernel parameter by default to prevent coredump files from consuming excessive disk space.	We recommend upgrading during off-peak hours. The upgrade may briefly interrupt established connections.

June 2021

Version	Image address	Release date	Description	Impact
v0.44.0.3-8e83e7dc6-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.3-8e83e7dc6-aliyun	June 1, 2021	Fixed CVE-2021-23017.	We recommend upgrading during off-peak hours. The update may briefly interrupt established connections.

April 2021

Version	Image address	Release date	Description	Impact
v0.44.0.2-abf1c6fe4-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.2-abf1c6fe4-aliyun	April 1, 2021	Adds compatibility with `the_real_ip` in the log_format of NGINX Ingress controller v0.30 and earlier.	We recommend upgrading during off-peak hours. The update may cause a transient interruption to established connections.

March 2021

Version	Image address	Release date	Description	Impact
v0.44.0.1-5e842447b-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.1-5e842447b-aliyun	March 8, 2021	Enables the validating admission webhook by default. For more information, see How the NGINX Ingress controller works. Validates the value of the `service-weight` annotation. Improves the performance of persistent and short-lived connections by 20% to 50%. Supports OCSP stapling. Upgrades LuaJIT to v2.1.0. Upgrades NGINX to v1.19.6. Upgrades the Alpine image to v3.13. Addresses OpenSSL CVEs. Enables TLS 1.3 by default. Note By default, HTTPS supports only TLS 1.2 and TLS 1.3. To enable support for TLS 1.0 and TLS 1.1, see Which SSL/TLS versions does NGINX Ingress support?. Requires Kubernetes v1.16 or later. Updated to community version 0.44.0. For more information, see the Changelog.	We recommend upgrading during off-peak hours. During the upgrade, established connections may be briefly interrupted.

April 2020

Version	Image address	Release date	Description	Impact
v0.30.0.1-5f89cb606-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.30.0.1-5f89cb606-aliyun	April 2, 2020	Added support for FastCGI backends. Enabled the Dynamic SSL Certificate Update mode by default. Added support for traffic mirroring configurations. Upgraded NGINX to v1.17.8, OpenResty to v1.15.8, and the base image to Alpine. Added support for Ingress validating admission webhooks. Fixed vulnerabilities: CVE-2018-16843, CVE-2018-16844, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516. Breaking Changes: Deprecated the lua-resty-waf, session-cookie-hash, and force-namespace-isolation configurations. Changed the data type of the x-forwarded-prefix annotation from boolean to string. The the_real_ip variable in log-format will be deprecated and replaced by remote_addr in a future release. Updated to community version 0.30.0. For the full list of changes, see the community changelog.	Upgrade during off-peak hours. The update may briefly interrupt established connections.

October 2019

Version	Image address	Release date	Changes	Impact
v0.22.0.5-552e0db-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.5-552e0db-aliyun	October 24, 2019	Adds support for wildcard domain names, whitelists, and redirects when dynamic server updates are enabled.	We recommend upgrading during off-peak hours. The update may transiently interrupt established connections.

July 2019

Version	Image address	Release date	Description	Impact
v0.22.0.4-5a14d4b-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.4-5a14d4b-aliyun	July 18, 2019	Adds support for Perl regular expressions to canary release rules.	Upgrading during off-peak hours is recommended, as the update may temporarily interrupt established connections.

April 2019

Version	Image address	Release date	Changes	Impact
v0.22.0.3-da10b7f-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.22.0.3-da10b7f-aliyun	April 25, 2019	Updated to community version 0.22.0. For the changelog, see Ingress-Nginx. Added support for blue-green and canary releases when dynamic updates are enabled. Enabled dynamic updates for NGINX upstream servers by default. Major update: The rewrite-target annotation now uses capture groups. For configuration details, see rewrite-target. For instructions on a smooth upgrade, see GitHub.	We recommend upgrading during off-peak hours. The upgrade may temporarily interrupt established connections.

January 2019

Version	Image address	Release date	Change description	Impact
v0.20.0.2-cc39f1b-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.2-cc39f1b-aliyun	January 17, 2019	Optimized the default number of NGINX worker processes to reduce host resource consumption. Enabled configuring different port numbers for the old and new versions of a Service during blue-green and canary releases. Fixed an NGINX configuration check failure in canary releases that occurred when a new Service version had no active backend pods. Fixed an issue that prevented Ingress address endpoints from updating during connection issues with the Kubernetes API server.	Upgrade during off-peak hours. The update may transiently interrupt established connections.

November 2018

Version	Image address	Release date	Changes	Impact
v0.20.0.1-4597ce2-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.20.0.1-4597ce2-aliyun	November 29, 2018	Updated to community version 0.20.0. For the full changelog, see Ingress-NGINX. Upgraded NGINX to v1.15.6 and fixed HTTP/2-related security vulnerabilities. Added support for regular expressions in paths. Removed the default-http-backend service and added support for configuring custom default backend services. Added support for blacklists based on IP, User-Agent, and Referer. Optimized default runtime permissions and removed privileged container settings. Added support for the Apache JServ Protocol (AJP).	We recommend upgrading during off-peak hours. The update may briefly interrupt established connections.