# 2023 archive




## 3.4.0

19 Dec 2023

The default_server listeners for ports 80 and 443 can now be fully customized giving you the flexibility to shift the HTTP and HTTPS default listeners to other ports as your needs require.

Traffic splits now support weights from 0 - 100 giving you the control that you expect when performing canary roll outs of your back end services.

A new capability of "upstream backup" has been introduced for NGINX Plus customers. This gives you the control to set a backup service for any path. This takes advantage of NGINX health checks and will automatically forward traffic to the backup service when all pods of the primary service stop responding.

Dynamic reloading of SSL certificates takes advantage of native NGINX functionality to dynamically load updated certificates when they are requested and thus not require a reload when certificates update.

A number of Helm enhancements have come directly from our community and range from giving greater flexibility for HPA, namespace sharing for custom sidecars, and supporting multiple image pull secrets for greater deployment flexibility.

To make sure NGINX Ingress Controller follows Helm best practices, we've refactored our helm chart location. You can now find our helm charts under `charts\nginx-ingress`.

We’ve added the functionality to define F5 WAF for NGINX bundles for VirtualServers by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller.

### [icon: rocket] Features

- [4574](https://github.com/nginx/kubernetes-ingress/pull/4574) Graduate TransportServer and GlobalConfiguration to v1.
- [4464](https://github.com/nginx/kubernetes-ingress/pull/4464) Allow default_server listeners to be customised.
- [4526](https://github.com/nginx/kubernetes-ingress/pull/4526) Update use of http2 listen directive to align with deprecation.
- [4276](https://github.com/nginx/kubernetes-ingress/pull/4276) Use Lease for leader election.
- [4655](https://github.com/nginx/kubernetes-ingress/pull/4655) Support weights 0 and 100 in traffic splitting.
- [4653](https://github.com/nginx/kubernetes-ingress/pull/4653) Add support for backup directive for VS and TS.
- [4788](https://github.com/nginx/kubernetes-ingress/pull/4788) Dynamic reload of SSL certificates
- [4428](https://github.com/nginx/kubernetes-ingress/pull/4428) Add option for installing CRDs from a single remote yaml.

### [icon: bug] Fixes

- [4504](https://github.com/nginx/kubernetes-ingress/pull/4504) Delete the DNSEndpoint resource when VS is deleted & Ratelimit requeues on errors.
- [4575](https://github.com/nginx/kubernetes-ingress/pull/4575) update dockerfile for debian NGINX Plus.

### [icon: box] Helm Chart

- [4306](https://github.com/nginx/kubernetes-ingress/pull/4306) Refactor Helm Chart location.
- [4391](https://github.com/nginx/kubernetes-ingress/pull/4391) Add HPA Custom Behavior.  Thanks to [saedx1](https://github.com/saedx1).
- [4559](https://github.com/nginx/kubernetes-ingress/pull/4559) Add process namespace sharing for ingress controller.  Thanks to [panzouh](https://github.com/panzouh).
- [4651](https://github.com/nginx/kubernetes-ingress/pull/4651) Add initContainerResources Helm configuration.
- [4656](https://github.com/nginx/kubernetes-ingress/pull/4656) Allows multiple imagePullSecrets in the helm chart.  Thanks to [AlessioCasco](https://github.com/AlessioCasco).

### [icon: download] Upgrade

- For NGINX, use the 3.4.0 images from our
[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.4.0),
[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress),
[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the 3.4.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.4.0 source code.
- For Helm, use version 1.1.0 of the chart.

### [icon: life-buoy] Supported Platforms

We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by
its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes
versions: 1.22-1.29.
<hr>

## 3.3.2

1 Nov 2023

### [icon: bug] Fixes

- [4578](https://github.com/nginx/kubernetes-ingress/pull/4578) Update Dockerfile to add user creation for NGINX Plus images.

### [icon: arrow-up] Dependencies

- [4572](https://github.com/nginx/kubernetes-ingress/pull/4572) Update NGINX version to 1.25.3.
- [4569](https://github.com/nginx/kubernetes-ingress/pull/4569), [4591](https://github.com/nginx/kubernetes-ingress/pull/4591) Bump Go dependencies.

### [icon: download] Upgrade

- For NGINX, use the 3.3.2 images from our
[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.3.2),
[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress),
[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the 3.3.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.3.2 source code.
- For Helm, use version 1.0.2 of the chart.

## 3.3.1

13 Oct 2023

### [icon: search] Overview

This releases updates NGINX Plus to R30 P1 and dependencies to mitigate HTTP/2 Rapid Reset Attack vulnerability [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487).

### [icon: arrow-up] Dependencies

- [4501](https://github.com/nginx/kubernetes-ingress/pull/4501) Bump Go to 1.21.3
- [4502](https://github.com/nginx/kubernetes-ingress/pull/4502), [4514](https://github.com/nginx/kubernetes-ingress/pull/4514) Bump Go dependencies.

### [icon: download] Upgrade

- For NGINX, use the 3.3.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.3.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the 3.3.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.3.1 source code

## 3.3.0

26 Sep 2023

### [icon: search] Overview

With release 3.3, NGINX Ingress Controller continues to advance capabilities for an ever-demanding set of use cases
that go beyond simple layer 7 routing for services running exclusively in Kubernetes.

When involved in diagnostic operations and viewing the NGINX Plus console or when viewing the enhanced NGINX Plus
metrics through Prometheus, customers now enjoy the added dimension of the backend service being available to aide in
identification of issues as well as observing performance.

50% of our users continue to rely heavily on the Ingress resource and its "mergeable Ingress" usage pattern, to enhance
the experience for these customers we have added the path-regex annotation with support for case sensitive, case
insensitive, as well as exact regex match patterns.

Prometheus continues to be the most popular metrics platform for Kubernetes users. To further enhance ease of setting up
integration with Prometheus we have finalized support for the Prometheus serviceMonitor capability. Providing better
scraping controls for Prometheus admins.

For our most demanding customers performing a blue / green upgrade of the Ingress Controller itself supports the ability
to provide their business customers an enhanced experience with no loss of session fidelity. Support for this pattern
and others has been added through Helm chart enhancement that allows two deployments to share a single ingressClass
resource and duplicate the same configuration.

To accommodate these enhancements, several new values have been added to our Helm chart, as well as modifications to
existing values. Due to the potential impacts of these changes we have issued a major release to the Helm chart,
advancing to v1.0.0

To better align with the demands of supporting additional protocols such as MQTT and QUIC, NGINX Ingress Controller
is changing how listeners are defined for HTTP traffic. You have always had controls over the ports defined for
TCP/UDP traffic through the GlobalConfiguration and TransportServer objects. That same flexibility has been introduced
for HTTP/S traffic and the VirtualServer. This area will continue to expand to give customers full control over NGINX
listeners so they can tailor to their specific needs and policies.

### [icon: rocket] Features

- [4023](https://github.com/nginx/kubernetes-ingress/pull/4023) Read Prometheus key/cert from memory.
- [4080](https://github.com/nginx/kubernetes-ingress/pull/4080) Expose Location Zones metrics.
- [4127](https://github.com/nginx/kubernetes-ingress/pull/4127), [4200](https://github.com/nginx/kubernetes-ingress/pull/4200), [4223](https://github.com/nginx/kubernetes-ingress/pull/4223) Add path-regex annotation for ingress.
- [4108](https://github.com/nginx/kubernetes-ingress/pull/4108) Add command line argument for custom TLS Passthrough port.
- [4271](https://github.com/nginx/kubernetes-ingress/pull/4271) Add custom listener controls to VirtualServer.

### [icon: bug] Fixes

- [4160](https://github.com/nginx/kubernetes-ingress/pull/4160) Update JWT/JWKS policy validation.
- [4371](https://github.com/nginx/kubernetes-ingress/pull/4371) Improve runtime batch reloads.

### [icon: box] Helm Chart

- [3977](https://github.com/nginx/kubernetes-ingress/pull/3977) Add support for controller.selectorLabels. Thanks to [Youqing Han](https://github.com/hanyouqing).
- [4058](https://github.com/nginx/kubernetes-ingress/pull/4058) Add clusterIP to service if specified in values. Thanks to [EutiziStefano](https://github.com/EutiziStefano).
- [4252](https://github.com/nginx/kubernetes-ingress/pull/4252) Make containerPort and hostPort customizable.
- [4331](https://github.com/nginx/kubernetes-ingress/pull/4331) Expose Prometheus metrics through a headless Service.
- [4351](https://github.com/nginx/kubernetes-ingress/pull/4351) Update helm values file to move controller.serviceMonitor to prometheus.serviceMonitor.
- [4333](https://github.com/nginx/kubernetes-ingress/pull/4333) Allow installing IC without creating a new ingress class.

### [icon: download] Upgrade

- For NGINX, use the 3.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the 3.3.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.3.0 source code.
- For Helm, use version 1.0.0 of the chart.

### [icon: life-buoy] Supported Platforms

We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.22-1.28.

## 3.2.1

17 Aug 2023

### [icon: arrow-up] Dependencies

- Update NGINX version to 1.25.2.
- Update NGINX Plus version to R30.
- Update Go to 1.21 and Go dependencies.

### [icon: download] Upgrade

- For NGINX, use the 3.2.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.2.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the 3.2.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.2.1 source code.
- For Helm, use version 0.18.1 of the chart.

## 3.2.0

27 June 2023

### [icon: rocket] Features

- [3790](https://github.com/nginx/kubernetes-ingress/pull/3790) Gunzip for VS
- [3863](https://github.com/nginx/kubernetes-ingress/pull/3863) OIDC - relaxed OIDC scope validation
- [3925](https://github.com/nginx/kubernetes-ingress/pull/3925) Specify runAsNonRoot in daemon-set manifests. Thanks to [Valters Jansons](https://github.com/sigv).
- [3951](https://github.com/nginx/kubernetes-ingress/pull/3951) Add NGINX Plus images to Google Marketplace.
- [3954](https://github.com/nginx/kubernetes-ingress/pull/3954) Add utilization tracking for supported (paid) customers.
- [4001](https://github.com/nginx/kubernetes-ingress/pull/4001) Add support for the SameSite sticky cookie attribute.
- [4022](https://github.com/nginx/kubernetes-ingress/pull/4022) Add document to tutorial section for configuring the default OIDC implementation.
- [4031](https://github.com/nginx/kubernetes-ingress/pull/4031) Add NGINX Plus Alpine image with FIPS inside for supported (paid) customers.

### [icon: bug] Fixes

- [3737](https://github.com/nginx/kubernetes-ingress/pull/3737) Update VirtualServer to ignore CRL for EgressMTLS.
- [3798](https://github.com/nginx/kubernetes-ingress/pull/3798) Update VirtualServer template to generate an internal jwt auth location per policy applied.
- [3844](https://github.com/nginx/kubernetes-ingress/pull/3844) Fix gunzip support for VS and add python tests.
- [3870](https://github.com/nginx/kubernetes-ingress/pull/3870) Add Funcs() method to UpdateVirtualServerTemplate method. Thanks to [Bryan Hendryx](https://github.com/coolbry95).
- [3933](https://github.com/nginx/kubernetes-ingress/pull/3933) fix --external-service flag when using serviceNameOverride. Thanks to [Tim N](https://github.com/timnee).

### [icon: arrow-up] Dependencies

- Update NGINX version to 1.25.1.
- Update Debian to 12 for NGINX Plus images (except for images containing the NGINX App Protect modules).
- Update Alpine to 3.18 for NGINX Plus images.

### [icon: box] Helm Chart

- [3814](https://github.com/nginx/kubernetes-ingress/pull/3814) Remove semverCompare for allocateLoadBalancerNodePorts. Thanks to [Alex Wied](https://github.com/centromere).
- [3905](https://github.com/nginx/kubernetes-ingress/pull/3905) Reverse order of NAPDOS maxDaemons and maxWorkers in Helm chart.

### [icon: download] Upgrade

- For NGINX, use the 3.2.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.2.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the 3.2.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.2.0 source code.
- For Helm, use version 0.18.0 of the chart.

### [icon: life-buoy] Supported Platforms

We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.22-1.27.

## 3.1.1

04 May 2023

### [icon: search] Overview

This release reverts the changes made in 3.1.0 to use sysctls to bind to lower level ports without the NET_BIND_SERVICE capability. It also adds support for serviceNameOverride in the Helm chart, that can be used to override the service name for NGINX Ingress Controller. This is useful especially during an upgrade from versions prior to 3.1.0, to avoid downtime due to the service name change. To use this feature, set the `serviceNameOverride` value in the Helm chart to the name of the existing service.

For example, if the existing service name is `my-release-nginx-ingress`, you can use `--set serviceNameOverride=my-release-nginx-ingress` when running the upgrade command.
Here is an example upgrade command that keeps the existing service name `my-release-nginx-ingress` for a deployment named `my-release`:

```console
helm upgrade my-release oci://ghcr.io/nginx/charts/nginx-ingress --version 0.17.1 --set serviceNameOverride=my-release-nginx-ingress
```

### [icon: bug] Fixes

- [3737](https://github.com/nginx/kubernetes-ingress/pull/3737) Update VirtualServer to ignore CRL for EgressMTLS.
- [3722](https://github.com/nginx/kubernetes-ingress/pull/3722) Inherit NET_BIND_SERVICE from IC to Nginx. Thanks to [Valters Jansons](https://github.com/sigv).
- [3798](https://github.com/nginx/kubernetes-ingress/pull/3798) Update VirtualServer template to generate an internal jwt auth location per policy applied.

### [icon: rocket] Features

- [3491](https://github.com/nginx/kubernetes-ingress/pull/3491) Egress via Ingress VirtualServer Resource.

### [icon: arrow-up] Dependencies

- Update NGINX version to 1.23.4.
- Update NGINX Plus version to R29.

### [icon: box] Helm Chart

- [3602](https://github.com/nginx/kubernetes-ingress/pull/3602) Updated NGINX Service Mesh references in Helm templates. Thanks to [Jared Byers](https://github.com/jbyers19).
- [3773](https://github.com/nginx/kubernetes-ingress/pull/3773) Swap cpu and memory in HPA template. Thanks to [Bryan Hendryx](https://github.com/coolbry95).
- [3802](https://github.com/nginx/kubernetes-ingress/pull/3802) Add serviceNameOverride. Thanks to [Tim N](https://github.com/timnee).
- [3815](https://github.com/nginx/kubernetes-ingress/pull/3815) Fix GlobalConfiguration name in Helm Chart.
- [3862](https://github.com/nginx/kubernetes-ingress/pull/3862) Add correct indentation to controller-leader-election configmap helm template.

### [icon: download] Upgrade

- For NGINX, use the 3.1.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.1.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the 3.1.1 images from the F5 Container registry or build your own image using the 3.1.1 source code.
- For Helm, use version 0.17.1 of the chart.

## 3.1.0

29 Mar 2023

### [icon: search] Overview

- Beginning with release 3.1.0 the NET_BIND_SERVICE capability is no longer used, and instead relies on net.ipv4.ip_unprivileged_port_start sysctl to allow port binding. Kubernetes 1.22 or later is required for this sysctl to be [classified as safe](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#safe-and-unsafe-sysctls). **Ensure that you are using the latest updated `deployment` and `daemonset` example yaml files available in the repo.**
- *The minimum supported version of Kubernetes is now 1.22*. NGINX Ingress Controller now uses `sysctls` to [bind to lower level ports without additional privileges](https://github.com/nginx/kubernetes-ingress/pull/3573/). This removes the need to use `NET_BIND_SERVICE` to bind to these ports. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible!
- Added support for loading pre-compiled [AppProtect Policy Bundles](https://github.com/nginx/kubernetes-ingress/pull/3560) when using the `-enable-app-protect` cli argument. This feature removes the need for the Ingress Controller to compile NGINX App Protect Policy when NGINX App Protect Policy is updated.
- IngressMTLS policy now supports configuring a Certificate Revocation Lists(CRL). When using this feature requests made using a revoked certificate will be rejected. See [Using a Certificate Revocation List](/nic/configuration/policy-resource.md#using-a-certificate-revocation-list) for details on configuring this option.
- NGINX Ingress Controller now supports [running with a Read-only Root Filesystem](https://github.com/nginx/kubernetes-ingress/pull/3548). This improves the security posture of NGINX Ingress Controller by protecting the file system from unknown writes. See [Configure root filesystem as read-only](/nic/configuration/security.md#configure-root-filesystem-as-read-only) for details on configuring this option with both HELM and Manifest. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible!
- HELM deployments can now set [custom environment variables with controller.env](https://github.com/nginx/kubernetes-ingress/pull/3326). Thanks to [Aaron Shiels](https://github.com/AaronShiels) for making this possible!
- HELM deployments can now configure a [pod disruption budget](https://github.com/nginx/kubernetes-ingress/pull/3248) allowing deployments to configure either a minimum number or a maximum unavailable number of pods. Thanks to [Bryan Hendryx](https://github.com/coolbry95) for making this possible!
- NGINX Ingress Controller uses the latest OIDC reference implementation which now supports [forwarding access tokens to upstreams / backends](https://github.com/nginx/kubernetes-ingress/pull/3474). Thanks to [Shawn Kim](https://github.com/shawnhankim) for making this possible!
- The default TLS secret is now optional. This improves the security posture of NGINX Ingress Controller through enabling [ssl_reject_handshake](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake). This has the impact of immediately terminating the SSL handshake and not revealing TLS or cypher settings to calls that do not match a configured hostname.

### [icon: rocket] Features

- [3034](https://github.com/nginx/kubernetes-ingress/pull/3034) Allow extra args to be provided to the OIDC auth endpoint. Thanks to [Alan Wilkie](https://github.com/alanwilkie-finocomp).
- [3474](https://github.com/nginx/kubernetes-ingress/pull/3474) Add access token support in the OIDC. Thanks to [Shawn Kim](https://github.com/shawnhankim).
- [3326](https://github.com/nginx/kubernetes-ingress/pull/3326) Add support for custom environment variables on the Nginx Controller container. Thanks to [Aaron Shiels](https://github.com/AaronShiels).
- [3527](https://github.com/nginx/kubernetes-ingress/pull/3527) Change controller.topologySpreadConstraints schema to array. Thanks to [Marco Londero](https://github.com/marcuz).
- [3248](https://github.com/nginx/kubernetes-ingress/pull/3248) Add Pod disruption budget option to HELM based installations. Thanks to [Bryan Hendryx](https://github.com/coolbry95).
- [3462](https://github.com/nginx/kubernetes-ingress/pull/3462) Add initial support for SSL termination for TransportServer.
- [3451](https://github.com/nginx/kubernetes-ingress/pull/3451) Enable keepalive-time for healthchecks in VS and VSR.
- [3560](https://github.com/nginx/kubernetes-ingress/pull/3560) Add support for load a pre-compiles AppProtect Policy Bundle.
- [3632](https://github.com/nginx/kubernetes-ingress/pull/3632) Update nginx.org/ca secret type & crl field to IngressMTLS to support CRL.
- [3629](https://github.com/nginx/kubernetes-ingress/pull/3629) Use the "runtime default" seccomp profile. Thanks to [Valters Jansons](https://github.com/sigv).
- [3573](https://github.com/nginx/kubernetes-ingress/pull/3573) Rework port binding logic without privileges. Thanks to [Valters Jansons](https://github.com/sigv).
- [3646](https://github.com/nginx/kubernetes-ingress/pull/3646) Remove app protect agent.
- [3507](https://github.com/nginx/kubernetes-ingress/pull/3507) Support empty path for ImplementationSpecific pathType.
- [3482](https://github.com/nginx/kubernetes-ingress/pull/3482) Use new NSM Spiffe and Cert rotation library.
- [3442](https://github.com/nginx/kubernetes-ingress/pull/3442) Add websocket protocol option to monitor directive.
- [3674](https://github.com/nginx/kubernetes-ingress/pull/3674) Move NAP DoS chart to new repo.
- [3302](https://github.com/nginx/kubernetes-ingress/pull/3302) Make default-server-secret optional.
- [3586](https://github.com/nginx/kubernetes-ingress/pull/3586) Add new labels and metadata to add version information to pods.

### [icon: bug] Fixes

- [3463](https://github.com/nginx/kubernetes-ingress/pull/3463) Support non-vs created Challenge Ingress.
- [3475](https://github.com/nginx/kubernetes-ingress/pull/3475) Ensure leader election is correctly disabled when option is set to `false` in helm template.
- [3481](https://github.com/nginx/kubernetes-ingress/pull/3481) Add missing OSS internal routes for integration with NSM.
- [3541](https://github.com/nginx/kubernetes-ingress/pull/3541) Ensure non-ready endpoints are not added to upstreams.
- [3583](https://github.com/nginx/kubernetes-ingress/pull/3583) Update keyCache path for JWKs to avoid conflict with OIDC.
- [3607](https://github.com/nginx/kubernetes-ingress/pull/3607) Clear Content-Length headers for requests processed by internal JWKS routes.
- [3660](https://github.com/nginx/kubernetes-ingress/pull/3660) Remove unwanted chars from label value.

### [icon: box] Helm Chart

- [3581](https://github.com/nginx/kubernetes-ingress/pull/3581) Push edge Helm Chart to OCI registries.
- [3449](https://github.com/nginx/kubernetes-ingress/pull/3449) Correct values.schema.json nodeSelector.
- [3448](https://github.com/nginx/kubernetes-ingress/pull/3448) Fix Helm Chart Schema for priorityClassName.
- [3519](https://github.com/nginx/kubernetes-ingress/pull/3519) Add OnDelete to allowed strategy values.
- [3537](https://github.com/nginx/kubernetes-ingress/pull/3537) Update schema references to k8s v1.26.1.
- [3606](https://github.com/nginx/kubernetes-ingress/pull/3606) Fix Helm Chart labels and templates. Move version update to labels.

### [icon: download] Upgrade

- Make sure the Kubernetes version is in the supported platforms listed below.
- For NGINX, use the 3.1.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.1.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the 3.1.0 images from the F5 Container registry or build your own image using the 3.1.0 source code.
- For Helm, use version 0.17.0 of the chart.

### [icon: life-buoy] Supported Platforms

We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.22-1.26.

## 3.0.2

13 Feb 2023

### [icon: bug] Fixes

- [3519](https://github.com/nginx/kubernetes-ingress/pull/3519) Add OnDelete to allowed strategy values
- [3541](https://github.com/nginx/kubernetes-ingress/pull/3541) Ensure non-ready endpoints are not added to upstreams
- [3527](https://github.com/nginx/kubernetes-ingress/pull/3527) Fix controller.topologySpreadConstraints schema, thanks to [Marco Londero](https://github.com/marcuz)

### [icon: download] Upgrade

- For NGINX, use the 3.0.2 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.0.2), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the 3.0.2 images from the F5 Container registry or build your own image using the 3.0.2 source code.
- For Helm, use version 0.16.2 of the chart.

## 3.0.1

25 Jan 2023

### [icon: bug] Fixes

- [3448](https://github.com/nginx/kubernetes-ingress/pull/3448) Fix Helm Chart Schema for priorityClassName
- [3449](https://github.com/nginx/kubernetes-ingress/pull/3449) Correct nodeSelector in the Helm Chart Schema
- [3463](https://github.com/nginx/kubernetes-ingress/pull/3463) Support non-VS created Challenge Ingress
- [3481](https://github.com/nginx/kubernetes-ingress/pull/3481) Add missing OSS internal routes for NGINX Service Mesh

### [icon: download] Upgrade

- For NGINX, use the 3.0.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.0.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the 3.0.1 images from the F5 Container registry or build your own image using the 3.0.1 source code.
- For Helm, use version 0.16.1 of the chart.

## 3.0.0

12 January 2023

### [icon: search] Overview

- Added support for [Deep Service Insight](/nic/logging-and-monitoring.md#service-insight) for VirtualServer and TransportServer using the [-enable-service-insight](/nic/configuration/global-configuration/command-line-arguments.md#-enable-service-insight) cli argument.
- *The minimum supported version of Kubernetes is now 1.21*. NGINX Ingress Controller 3.0.0 removes support for `k8s.io/v1/Endpoints` API in favor of `discovery.k8s.io/v1/EndpointSlices`. For older Kubernetes versions, use the 2.4.x release of the Ingress Controller.
- Added support for [EndpointSlices](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/).
- Added support to dynamically reconfigure namespace watchers using labels  [-watch-namespace-label](/nic/configuration/global-configuration/command-line-arguments.md#-watch-namespace-label-string) and watching secrets using the [-watch-secret-namespace](/nic/configuration/global-configuration/command-line-arguments.md#-watch-secret-namespace-string) cli arguments.
- Allow configuration of NGINX directives `map-hash-bucket-size` and `map-hash-max-size` using the [ConfigMap resource](/nic/configuration/global-configuration/configmap-resource.md#general-customization).
- Added support for [fetching JWKs from a remote URL](/nic/configuration/policy-resource.md#jwt-using-jwks-from-remote-location) to dynamically validate JWT tokens and optimize performance through caching.
- Beginning with NGINX Service Mesh release 1.7 it will include support for the free version of NGINX Ingress Controller as well as the paid version.
- NGINX Ingress Controller + NGINX App Protect Denial of Service is now available through the AWS Marketplace.

### [icon: bomb] Breaking Changes

- [3260](https://github.com/nginx/kubernetes-ingress/pull/3260) Added support for EndpointSlices.

### [icon: rocket] Features

- [3299](https://github.com/nginx/kubernetes-ingress/pull/3299) Support Dynamic namespaces using Labels.
- [3261](https://github.com/nginx/kubernetes-ingress/pull/3261) Deep service insight endpoint for VirtualServer CR.
- [3361](https://github.com/nginx/kubernetes-ingress/pull/3361) Added healthcheck for TransportServer CR.
- [3347](https://github.com/nginx/kubernetes-ingress/pull/3347) Import JWKS from URL on JWT policy.
- [3274](https://github.com/nginx/kubernetes-ingress/pull/3274) Allow configuration of map-hash-bucket-size and map-hash-max-size directives.
- [3376](https://github.com/nginx/kubernetes-ingress/pull/3376) NGINX Service Mesh will support the free version of NGINX Ingress Controller when using NGINX open source.
- [3170](https://github.com/nginx/kubernetes-ingress/pull/3170) Watch subset of namespaces for secrets. Thanks to [Hans Feldt](https://github.com/hafe).
- [3341](https://github.com/nginx/kubernetes-ingress/pull/3341) Set value of `$remote_addr` to client IP when TLSPassthrough and Proxy Protocol are enabled.
- [3131](https://github.com/nginx/kubernetes-ingress/pull/3131) NAP DoS images are now available in the AWS Marketplace.
- [3231](https://github.com/nginx/kubernetes-ingress/pull/3231) Always print build info and flags used at the start to provide better supportability.
- [2735](https://github.com/nginx/kubernetes-ingress/pull/2735) Support default client proxy headers to be overwritten in VirtualServer. Thanks to [Alex Wied](https://github.com/centromere).
- [3133](https://github.com/nginx/kubernetes-ingress/pull/3133) Added caseSensitiveHttpHeaders to APPolicy CRD. Thanks to [Pavel Galitskiy](https://github.com/galitskiy).

### [icon: bug] Fixes

- [3139](https://github.com/nginx/kubernetes-ingress/pull/3139) Remove all IPV6 listeners in ingress resources with `-disable-ipv6` command line.

### [icon: box] Helm Chart

- [3113](https://github.com/nginx/kubernetes-ingress/pull/3113) Added JSON Schema.
- [3143](https://github.com/nginx/kubernetes-ingress/pull/3143) Added annotations for deployment and daemonset.
- [3136](https://github.com/nginx/kubernetes-ingress/pull/3136) Added controller.dnsPolicy. Thanks to [Dong Wang](https://github.com/wd).
- [3065](https://github.com/nginx/kubernetes-ingress/pull/3065) Added annotations to the service account. Thanks to [0m1xa](https://github.com/0m1xa).
- [3276](https://github.com/nginx/kubernetes-ingress/pull/3276) Added horizontalpodautoscaler. Thanks to [Bryan Hendryx](https://github.com/coolbry95).

### [icon: download] Upgrade

- Make sure the Kubernetes version is in the supported platforms listed below.
- For NGINX, use the 3.0.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.0.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress) or [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress).
- For NGINX Plus, use the 3.0.0 images from the F5 Container registry or the AWS Marketplace or build your own image using the 3.0.0 source code.
- For Helm, use version 0.16.0 of the chart. Helm does not upgrade the CRDs. If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to upgrade the CRDs.

### [icon: life-buoy] Supported Platforms

We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.21-1.26.