Release 3.1.0 #3685
Release 3.1.0 #3685
Conversation
github-actions
bot
added
documentation
Codecov Report
@@ Coverage Diff @@
## release-3.1 #3685 +/- ##
===============================================
- Coverage 52.35% 52.33% -0.03%
===============================================
Files 59 59
Lines 16880 16880
===============================================
- Hits 8838 8834 -4
- Misses 7747 7749 +2
- Partials 295 297 +2 see 1 file with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
|
You have successfully added a new Trivy configuration |
shaun-nx
requested review from
lucacome,
brianehlert,
sigv,
ciarams87,
haywoodsh and
jjngx
and removed request for
sigv
| 29 Mar 2023 | ||
|
|
||
| OVERVIEW: | ||
| * *The minimum supported version of Kubernetes is now 1.22*. The NGINX Ingress Controller now uses `sysctls` to [bind to lower level ports without privilege escalation](https://github.com/nginxinc/kubernetes-ingress/pull/3573/). This removes the need to use `NET_BIND_SERVICE` to bind to these ports. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible! |
There was a problem hiding this comment.
"bind to lower level ports without privilege escalation" should be
"bind to privileged ports without privilege escalation"
yes, it sounds redundant but the accurate terms are "privileged ports", and "privilege escalation"
I will let the docs professional be the final arbiter.
There was a problem hiding this comment.
When nginx binds, ports 80 and 443 are actually not privileged.
The sentence should instead be reworded "bind to lower level ports without additional privileges" if we want to be strict.
|
|
||
| OVERVIEW: | ||
| * *The minimum supported version of Kubernetes is now 1.22*. The NGINX Ingress Controller now uses `sysctls` to [bind to lower level ports without privilege escalation](https://github.com/nginxinc/kubernetes-ingress/pull/3573/). This removes the need to use `NET_BIND_SERVICE` to bind to these ports. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible! | ||
| * Added support for loading pre-compiled [AppProtect Policy Bundles](https://github.com/nginxinc/kubernetes-ingress/pull/3560) when using the `-enable-app-protect` cli argument. This feature removes the need for the Ingress Controller to re-compile App Protect when NGINX reloads, and will instead use a pre-compile policy bundle. See [App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/app-protect-waf/configuration/#app-protect-waf-bundles) for examples and configuration details. |
There was a problem hiding this comment.
Simplify "This feature removes the need for the Ingress Controller to re-compile App Protect when NGINX reloads, and will instead use a pre-compile policy bundle."
to
"This feature removes the need for the Ingress Controller to compile NGINX App Protect Policy when NGINX App Protect Policy is updated."
| OVERVIEW: | ||
| * *The minimum supported version of Kubernetes is now 1.22*. The NGINX Ingress Controller now uses `sysctls` to [bind to lower level ports without privilege escalation](https://github.com/nginxinc/kubernetes-ingress/pull/3573/). This removes the need to use `NET_BIND_SERVICE` to bind to these ports. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible! | ||
| * Added support for loading pre-compiled [AppProtect Policy Bundles](https://github.com/nginxinc/kubernetes-ingress/pull/3560) when using the `-enable-app-protect` cli argument. This feature removes the need for the Ingress Controller to re-compile App Protect when NGINX reloads, and will instead use a pre-compile policy bundle. See [App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/app-protect-waf/configuration/#app-protect-waf-bundles) for examples and configuration details. | ||
| * IngressMTLS policy now supports configuring a Certificate Revocation Lists(CRL). When using this feature requests made using a revoked certificate will be rejected. See [Using a Certificate Revocation List](https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#using-a-certificate-revocation-list) for details on configuring this option. |
There was a problem hiding this comment.
"When using this feature requests made using a revoked certificate will be rejected." We should not need to describe what the impact of a revoked cert in a CRL means.
Try this:
"This enhancement allows the CRL to be presented as either a Kubernetes secret (limited to 1MB) or as a CRL file to the IngressMTLS Policy"
(I was guessing on the 1MB, I can't recall at the moment but it is the size limit of a K8s secret I was reaching for)
| * *The minimum supported version of Kubernetes is now 1.22*. The NGINX Ingress Controller now uses `sysctls` to [bind to lower level ports without privilege escalation](https://github.com/nginxinc/kubernetes-ingress/pull/3573/). This removes the need to use `NET_BIND_SERVICE` to bind to these ports. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible! | ||
| * Added support for loading pre-compiled [AppProtect Policy Bundles](https://github.com/nginxinc/kubernetes-ingress/pull/3560) when using the `-enable-app-protect` cli argument. This feature removes the need for the Ingress Controller to re-compile App Protect when NGINX reloads, and will instead use a pre-compile policy bundle. See [App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/app-protect-waf/configuration/#app-protect-waf-bundles) for examples and configuration details. | ||
| * IngressMTLS policy now supports configuring a Certificate Revocation Lists(CRL). When using this feature requests made using a revoked certificate will be rejected. See [Using a Certificate Revocation List](https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#using-a-certificate-revocation-list) for details on configuring this option. | ||
| * The NGINX Ingress Controller now supports [running with a Read-only Root Filesystem](https://github.com/nginxinc/kubernetes-ingress/pull/3548). This hardens the overall security of the Ingress Controller. See [Configure root filesystem as read-only](https://docs.nginx.com/nginx-ingress-controller/configuration/security/#configure-root-filesystem-as-read-only) for details on configuring this option with both HELM and Manifest. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible! |
There was a problem hiding this comment.
"This hardens the overall security of the Ingress Controller."
try this:
"This improves the security posture of NGINX Ingress Controller by protecting the file system from unknown writes."
| * The NGINX Ingress Controller now supports [running with a Read-only Root Filesystem](https://github.com/nginxinc/kubernetes-ingress/pull/3548). This hardens the overall security of the Ingress Controller. See [Configure root filesystem as read-only](https://docs.nginx.com/nginx-ingress-controller/configuration/security/#configure-root-filesystem-as-read-only) for details on configuring this option with both HELM and Manifest. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible! | ||
| * HELM deployments can now set [custom environment variables with controller.env](https://github.com/nginxinc/kubernetes-ingress/pull/3326). Thanks to [Aaron Shiels](https://github.com/AaronShiels) for making this possible! | ||
| * HELM deployments can now configure a [pod disruption budget](https://github.com/nginxinc/kubernetes-ingress/pull/3248) allowing deployments to configure either a minimum number or a maximum unavailable number of pods. Thanks to [Bryan Hendryx](https://github.com/coolbry95) for making this possible! | ||
| * The NGINX Ingress Controller uses the latest OIDC reference implementation which now supports [access tokens for authorization](https://github.com/nginxinc/kubernetes-ingress/pull/3474) against protected resources. Thanks to [Shawn Kim](https://github.com/shawnhankim) for making this possible! |
There was a problem hiding this comment.
"[access tokens for authorization]"
Try this:
"[forwarding access tokens to upstreams / backends]"
Remove: "against protected resources."
"Upstreams" is what we call them in NGINX speak. "Backends" is a more common term in infrastructure conversation.
| * HELM deployments can now set [custom environment variables with controller.env](https://github.com/nginxinc/kubernetes-ingress/pull/3326). Thanks to [Aaron Shiels](https://github.com/AaronShiels) for making this possible! | ||
| * HELM deployments can now configure a [pod disruption budget](https://github.com/nginxinc/kubernetes-ingress/pull/3248) allowing deployments to configure either a minimum number or a maximum unavailable number of pods. Thanks to [Bryan Hendryx](https://github.com/coolbry95) for making this possible! | ||
| * The NGINX Ingress Controller uses the latest OIDC reference implementation which now supports [access tokens for authorization](https://github.com/nginxinc/kubernetes-ingress/pull/3474) against protected resources. Thanks to [Shawn Kim](https://github.com/shawnhankim) for making this possible! | ||
| * The default TLS secret is now optional. This ensures that TLS termination for not fall back to using the default TLS secret. |
There was a problem hiding this comment.
"This improves the security posture of NGINX Ingress Controller through enabling NGINX ssl_reject_handshake directive. This has the impact of immediately terminating the SSL handshake and not revealing TLS or cypher settings to calls that do not match a configured hostname."
Documentation updates for Release 3.1.0