kubernetes.io/ingress.class annotation is deprecated in Atik 1.28
Context
Nginx component used to expose your application has deprecated the kubernetes.io/ingress.class annotation. To continue using the last version of nginx and keep the compatibility with the next kubernetes version, a change is required on the ingress which uses this annotation.
What the change is ?
In the legacy ingress version, the choice of the ingress class was using the following annotation:
metadata:
annotations:
kubernetes.io/ingress.class: nginx # or nginx-internal
In the new ingress version, the syntax is:
spec:
ingressClassName: nginx # or nginx-internal
What the impact is if you don't update your ingress configuration ?
Nginx - public class
No impact, by default, the application will be exposed publicly.
Nginx-internal - internal class
HIGH impact, the application will be exposed publicly rather than be exposed internally.
When the legacy ingress configuration will be rejected ?
From 1.28 to 1.33 (17 february): legacy configuration is still supported
From 2.0 (30 may): legacy configuration will be not supported and the ingress configuration will be rejected.
Enabler / Tool to help you to update your ingress configuration
Hello world
K8saas provides 2 different hello world example:
Legacy:
Ingress configuration:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-world-ingress-legacy
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
tls:
- hosts:
- hello-world-ingress-legacy.demo.kaas.thalesdigital.io
secretName: tls-secret
rules:
- host: hello-world-ingress-legacy.demo.kaas.thalesdigital.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: aks-helloworld-one
port:
number: 80
New:
Ingress configuration:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-world-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
SecRuleEngine On
SecAuditLog /dev/stdout
Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
spec:
ingressClassName: nginx
tls:
- hosts:
- hello-world-ingress.demo.kaas.thalesdigital.io
secretName: tls-secret
rules:
- host: hello-world-ingress.demo.kaas.thalesdigital.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: aks-helloworld-one
port:
number: 80
Compliance script
k8saas provides a script to help you:
- listing the ingresses in your cluster that are not compliant (meaning they use the deprecated annotation)
- showing the updated ingress configuration with the new syntax
To find the script, look at k8saas-script innersource project
Usage:
k8saas-format-ingress.sh -h
Tool to validate and format ingresses for nginx controller >= v1.0.1
WARNING: please specify the desired namespace if you do not have the rights to list all namespaces in your cluster.
Arguments:
-h | --help : this help message
-f | --format ingress_name : display the formatted yaml for the ingress resource that matches the given ingress_name
-V | --validate ingress_name : check if the ingress resource that matches the given ingress_name is valid
-n | --namespace namespace_name : Apply the command in the given namespace
-v : verbose, display the ingress that are valid as well
Examples:
bash ./k8saas-format-ingress.sh :
find all ingress resources in all namespaces and check if they are valid.
bash ./k8saas-format-ingress.sh -n customer-namespaces -v:
find all ingress resources in the dev namespace and check if they are valid.
bash ./k8saas-format-ingress.sh -f hello-world-ingress -n customer-namespaces :
Display the valid formatted yaml for the ingress 'hello-world-ingress' in the namespace dev
Source:
Next Step:
Please don't hesitate to contact the support at support-platform@thalesdigital.io for any questions