Release 3.1.0 #3685
Conversation
Codecov Report

Coverage diff of #3685 against `release-3.1`:

| | release-3.1 | #3685 | +/- |
|---|---|---|---|
| Coverage | 52.35% | 52.33% | -0.03% |
| Files | 59 | 59 | |
| Lines | 16880 | 16880 | |
| Hits | 8838 | 8834 | -4 |
| Misses | 7747 | 7749 | +2 |
| Partials | 295 | 297 | +2 |

See 1 file with indirect coverage changes.
Looks good to me
29 Mar 2023

OVERVIEW:
* *The minimum supported version of Kubernetes is now 1.22*. The NGINX Ingress Controller now uses `sysctls` to [bind to lower level ports without privilege escalation](https://github.com/nginxinc/kubernetes-ingress/pull/3573/). This removes the need to use `NET_BIND_SERVICE` to bind to these ports. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible!
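Review bot: the bullet says the controller "uses `sysctls`" but never names the sysctl or the pod-spec field it is set in, so an operator cannot check their own deployment against it; name the sysctl and its `securityContext` location, and say explicitly that `NET_BIND_SERVICE` can now be dropped from the container's capabilities rather than only that it is "no longer needed".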
"bind to lower level ports without privilege escalation" should be
"bind to privileged ports without privilege escalation"
yes, it sounds redundant but the accurate terms are "privileged ports", and "privilege escalation"
I will let the docs professional be the final arbiter.
When nginx binds, ports 80 and 443 are actually not privileged.
The sentence should instead be reworded "bind to lower level ports without additional privileges" if we want to be strict.
* Added support for loading pre-compiled [AppProtect Policy Bundles](https://github.com/nginxinc/kubernetes-ingress/pull/3560) when using the `-enable-app-protect` cli argument. This feature removes the need for the Ingress Controller to re-compile App Protect when NGINX reloads, and will instead use a pre-compile policy bundle. See [App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/app-protect-waf/configuration/#app-protect-waf-bundles) for examples and configuration details.
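Review bot: "will instead use a pre-compile policy bundle" should read "a pre-compiled policy bundle", and "cli argument" should be "CLI argument". The bullet also never says where the bundle is loaded from, which is the one thing an operator needs to know to use the feature; add a clause pointing at the mount or field the linked docs describe.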
Simplify "This feature removes the need for the Ingress Controller to re-compile App Protect when NGINX reloads, and will instead use a pre-compile policy bundle."
to
"This feature removes the need for the Ingress Controller to compile NGINX App Protect Policy when NGINX App Protect Policy is updated."
* IngressMTLS policy now supports configuring a Certificate Revocation Lists(CRL). When using this feature requests made using a revoked certificate will be rejected. See [Using a Certificate Revocation List](https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#using-a-certificate-revocation-list) for details on configuring this option.
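Review bot: "a Certificate Revocation Lists(CRL)" mixes singular and plural and is missing the space before the parenthesis; use "a Certificate Revocation List (CRL)". The second sentence needs a comma and a tense fix: "When using this feature, requests made with a revoked certificate are rejected."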
"When using this feature requests made using a revoked certificate will be rejected." We should not need to describe what the impact of a revoked cert in a CRL means.
Try this:
"This enhancement allows the CRL to be presented as either a Kubernetes secret (limited to 1MB) or as a CRL file to the IngressMTLS Policy"
(I was guessing on the 1MB, I can't recall at the moment but it is the size limit of a K8s secret I was reaching for)
* The NGINX Ingress Controller now supports [running with a Read-only Root Filesystem](https://github.com/nginxinc/kubernetes-ingress/pull/3548). This hardens the overall security of the Ingress Controller. See [Configure root filesystem as read-only](https://docs.nginx.com/nginx-ingress-controller/configuration/security/#configure-root-filesystem-as-read-only) for details on configuring this option with both HELM and Manifest. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible!
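Review bot: "with both HELM and Manifest" should be "with both Helm and manifests"; Helm is a product name, not an acronym, and the same "HELM" spelling recurs in the next two bullets. "Read-only Root Filesystem" should also match the linked heading's casing ("read-only root filesystem").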
"This hardens the overall security of the Ingress Controller."
try this:
"This improves the security posture of NGINX Ingress Controller by protecting the file system from unknown writes."
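The two hardening points discussed above, binding 80/443 through a sysctl instead of `NET_BIND_SERVICE` and running with a read-only root filesystem, are easy to get half right in a pod spec (for example, keeping the capability after the sysctl makes it unnecessary). The following is an added example, not code from the kubernetes-ingress project or from anyone on this thread: a small Python audit over pod-spec dictionaries. It assumes the sysctl the controller relies on is Linux's `net.ipv4.ip_unprivileged_port_start` (the release note says only "sysctls") with the kernel default of 1024, uses the standard pod-spec field names, and the sample specs and volume paths are constructed for illustration.

```python
import copy

# Added example (not code from the kubernetes-ingress project): audit a pod
# spec for the hardening points discussed on this page.
#
# Assumption: the sysctl used to bind 80/443 without NET_BIND_SERVICE is
# Linux's net.ipv4.ip_unprivileged_port_start (the page only says "sysctls").
# Its kernel default is 1024, so ports below that are "privileged" unless the
# sysctl is lowered or the capability is granted.
UNPRIV_PORT_SYSCTL = "net.ipv4.ip_unprivileged_port_start"
LINUX_DEFAULT_UNPRIV_START = 1024
CAP_BIND = "NET_BIND_SERVICE"


def unprivileged_port_start(pod_spec):
    """Effective ip_unprivileged_port_start for the pod (pod-level sysctls)."""
    for entry in pod_spec.get("securityContext", {}).get("sysctls", []):
        if entry.get("name") == UNPRIV_PORT_SYSCTL:
            return int(entry["value"])
    return LINUX_DEFAULT_UNPRIV_START


def can_bind(pod_spec, container, port):
    """True if the container can bind `port`: the port is unprivileged for
    this pod, or the container explicitly adds NET_BIND_SERVICE."""
    if port >= unprivileged_port_start(pod_spec):
        return True
    caps = container.get("securityContext", {}).get("capabilities", {})
    return CAP_BIND in caps.get("add", [])


def audit(pod_spec, listen_ports=(80, 443)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    low_start = unprivileged_port_start(pod_spec)
    for c in pod_spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        added = set(sc.get("capabilities", {}).get("add", []))
        for port in listen_ports:
            if not can_bind(pod_spec, c, port):
                findings.append(
                    f"{name}: cannot bind port {port}; set {UNPRIV_PORT_SYSCTL} "
                    f"or add {CAP_BIND}")
        # Once the sysctl covers every listen port, the capability is dead weight.
        if CAP_BIND in added and low_start <= min(listen_ports):
            findings.append(f"{name}: {CAP_BIND} is redundant with the sysctl; drop it")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: readOnlyRootFilesystem is not set")
        # Kubernetes defaults allowPrivilegeEscalation to true.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation should be false")
    return findings


# Constructed sample specs (not taken from the project's manifests).
LEGACY_POD = {  # pre-3.1 style: capability granted, writable root filesystem
    "containers": [{
        "name": "nginx-ingress",
        "ports": [{"containerPort": 80}, {"containerPort": 443}],
        "securityContext": {"capabilities": {"drop": ["ALL"], "add": [CAP_BIND]}},
    }],
}

HARDENED_POD = {  # sysctl instead of the capability, read-only root
    "securityContext": {"sysctls": [{"name": UNPRIV_PORT_SYSCTL, "value": "0"}]},
    "containers": [{
        "name": "nginx-ingress",
        "ports": [{"containerPort": 80}, {"containerPort": 443}],
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
        # Assumed writable paths backed by emptyDir volumes, not the root fs.
        "volumeMounts": [
            {"name": "nginx-etc", "mountPath": "/etc/nginx"},
            {"name": "nginx-cache", "mountPath": "/var/cache/nginx"},
        ],
    }],
    "volumes": [{"name": "nginx-etc", "emptyDir": {}},
                {"name": "nginx-cache", "emptyDir": {}}],
}

# Sysctl set but the capability never removed.
STALE_CAP_POD = copy.deepcopy(HARDENED_POD)
STALE_CAP_POD["containers"][0]["securityContext"]["capabilities"]["add"] = [CAP_BIND]

# Capability dropped without the sysctl: nginx cannot bind 80/443 at all.
BROKEN_POD = copy.deepcopy(LEGACY_POD)
del BROKEN_POD["containers"][0]["securityContext"]["capabilities"]["add"]

if __name__ == "__main__":
    for label, spec in (("legacy", LEGACY_POD), ("hardened", HARDENED_POD),
                        ("stale-cap", STALE_CAP_POD), ("broken", BROKEN_POD)):
        print(label, audit(spec) or "OK")
```

The redundancy check is the one people miss when upgrading: a Helm values file that still adds `NET_BIND_SERVICE` keeps working after the sysctl is set, so nothing fails and the unnecessary capability quietly survives.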
* HELM deployments can now set [custom environment variables with controller.env](https://github.com/nginxinc/kubernetes-ingress/pull/3326). Thanks to [Aaron Shiels](https://github.com/AaronShiels) for making this possible!
* HELM deployments can now configure a [pod disruption budget](https://github.com/nginxinc/kubernetes-ingress/pull/3248) allowing deployments to configure either a minimum number or a maximum unavailable number of pods. Thanks to [Bryan Hendryx](https://github.com/coolbry95) for making this possible!
* The NGINX Ingress Controller uses the latest OIDC reference implementation which now supports [access tokens for authorization](https://github.com/nginxinc/kubernetes-ingress/pull/3474) against protected resources. Thanks to [Shawn Kim](https://github.com/shawnhankim) for making this possible!
"[access tokens for authorization]"
Try this:
"[forwarding access tokens to upstreams / backends]"
Remove: "against protected resources."
"Upstreams" is what we call them in NGINX speak. "Backends" is a more common term in infrastructure conversation.
* The default TLS secret is now optional. This ensures that TLS termination for not fall back to using the default TLS secret.
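Review bot: "This ensures that TLS termination for not fall back to using the default TLS secret" is ungrammatical; it should read "does not fall back". The bullet also needs to say what an operator observes when no default secret is configured and a TLS connection arrives for a hostname with no matching certificate, since "optional" by itself does not describe the behaviour change.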
"This improves the security posture of NGINX Ingress Controller through enabling the NGINX `ssl_reject_handshake` directive. This has the impact of immediately terminating the SSL handshake and not revealing TLS or cipher settings to calls that do not match a configured hostname."
Documentation updates for Release 3.1.0