Skip to main content

kubernetes.io/ingress.class annotation is deprecated in Atik 1.28

Context

Nginx component used to expose your application has deprecated the kubernetes.io/ingress.class annotation. To continue using the last version of nginx and keep the compatibility with the next kubernetes version, a change is required on the ingress which uses this annotation.

What the change is ?

In the legacy ingress version, the choice of the ingress class was using the following annotation:

metadata:
annotations:
kubernetes.io/ingress.class: nginx # or nginx-internal

In the new ingress version, the syntax is:

spec:
ingressClassName: nginx # or nginx-internal

What the impact is if you don't update your ingress configuration ?

Nginx - public class

No impact, by default, the application will be exposed publicly.

Nginx-internal - internal class

HIGH impact, the application will be exposed publicly rather than be exposed internally.

When the legacy ingress configuration will be rejected ?

From 1.28 to 1.33 (17 february): legacy configuration is still supported

From 2.0 (30 may): legacy configuration will be not supported and the ingress configuration will be rejected.

Enabler / Tool to help you to update your ingress configuration

Hello world

K8saas provides 2 different hello world example:

Legacy:

Ingress configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-world-ingress-legacy
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
tls:
- hosts:
- hello-world-ingress-legacy.demo.kaas.thalesdigital.io
secretName: tls-secret
rules:
- host: hello-world-ingress-legacy.demo.kaas.thalesdigital.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: aks-helloworld-one
port:
number: 80

source

New:

Ingress configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-world-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
SecRuleEngine On
SecAuditLog /dev/stdout
Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
spec:
ingressClassName: nginx
tls:
- hosts:
- hello-world-ingress.demo.kaas.thalesdigital.io
secretName: tls-secret
rules:
- host: hello-world-ingress.demo.kaas.thalesdigital.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: aks-helloworld-one
port:
number: 80

Source

Compliance script

k8saas provides a script to help you:

  • listing the ingresses in your cluster that are not compliant (meaning they use the deprecated annotation)
  • showing the updated ingress configuration with the new syntax

To find the script, look at k8saas-script innersource project

Usage:

k8saas-format-ingress.sh -h

Tool to validate and format ingresses for nginx controller >= v1.0.1

WARNING: please specify the desired namespace if you do not have the rights to list all namespaces in your cluster.

Arguments:
-h | --help : this help message
-f | --format ingress_name : display the formatted yaml for the ingress resource that matches the given ingress_name
-V | --validate ingress_name : check if the ingress resource that matches the given ingress_name is valid
-n | --namespace namespace_name : Apply the command in the given namespace
-v : verbose, display the ingress that are valid as well

Examples:
bash ./k8saas-format-ingress.sh :
find all ingress resources in all namespaces and check if they are valid.
bash ./k8saas-format-ingress.sh -n dev -v:
find all ingress resources in the dev namespace and check if they are valid.
bash ./k8saas-format-ingress.sh -f hello-world-ingress -n dev :
Display the valid formatted yaml for the ingress 'hello-world-ingress' in the namespace dev

Source:

Next Step:

Please don't hesitate to contact the support at support-platform@thalesdigital.io for any questions