kubernetes/ingress-nginx controller-v1.2.0

NGINX Ingress Controller - v1.2.0

on GitHub

The chroot release :)

If you want to take full advantage of the security improvements in this release, and also want to take a look into the chroot feature, change the image in your manifest to use controller-chroot:v1.2.0 image and add the SYS_CHROOT capability.

We are going to release soon a blog post about this release!

Images:

• k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185
• k8s.gcr.io/ingress-nginx/controller-chroot:v1.2.0@sha256:fb17f1700b77d4fcc52ca6f83ffc2821861ae887dbb87149cf5cbc52bea425e5

This new release contains the following changes that need attention:

• A new deep inspector for objects. Now every time an object gets to be reconciled/added, it will pass entirely through a validation (this may lead to some CPU increase)
• The NGINX process now can be chrooted/jailed inside the ingress container, for security reasons. This option is disabled by default and will be enabled in future releases. This new option requires the SYS_CHROOT capability to be added to the Pod

What's Changed

• Upstream keepalive time by @sskserk in #8319
• update base images and protobuf gomod by @rikatz in #8478
• added new auth-tls-match-cn annotation by @chrisshino in #8434
• changed nginx base img tag to img built with alpine3.14.6 by @longwuyuan in #8479
• change tag to v120beta1 by @longwuyuan in #8480
• Fix log creation in chroot script by @rikatz in #8481
• Release chart v1.2.0-beta.1 by @rikatz in #8484
• Fallback to ngx.var.scheme for redirectScheme with use-forward-headers when X-Forwarded-Proto is empty by @phidlipus in #8468
• force helm release to artifact hub by @strongjz in #8417
• fix change log changes list by @strongjz in #8421
• kubectl-plugin code overview info by @kundan2707 in #8405
• Darwin arm64 by @jsoref in #8399
• Add dependency review enforcement by @rikatz in #8443
• Bump github.com/prometheus/common from 0.32.1 to 0.33.0 by @dependabot in #8426
• replace deprecated topology key in example with current one by @froblesmartin in #8444
• typo fixing by @chienfuchen32 in #8447
• Fix suggested annotation-value-word-blocklist by @sathieu in #8446
• Add keepalive support for auth requests by @leki75 in #8219
• Jail/chroot nginx process inside controller container by @rikatz in #8337
• Update index.md by @ndunks in #8454
• Update dependencies by @rikatz in #8455
• Implement object deep inspector by @rikatz in #8456
• Fix for buggy ingress sync with retries by @davideshay in #8325
• Improve req handling dashboard by @naseemkullah in #8322
• Prepare v1.2.0-beta.0 release by @rikatz in #8464
• chore: v1.2.0-beta.0 release by @tao12345666333 in #8465

New Contributors

• @chrisshino made their first contribution in #8434
• @phidlipus made their first contribution in #8468
• @froblesmartin made their first contribution in #8444
• @chienfuchen32 made their first contribution in #8447
• @ndunks made their first contribution in #8454
• @davideshay made their first contribution in #8325

Full Changelog: controller-v1.1.3...controller-v1.2.0

Thank you all for our amazing community!