
v1.4.0 NSG and Tagging Support

@piyush-tiwari piyush-tiwari released this 26 Nov 12:03

Caution

Starting with this version, OCI Native Ingress Controller configures NSG associations and tags for the LoadBalancers it manages. See the Upgrade Steps section for preparatory steps you may need to perform before upgrading to this version.

New Features and Support

  • NSG support is now available; for details, see Network Security Groups Support. If you already have LoadBalancers assigned to any NSGs, you may need to perform preparatory steps before upgrading to this version; check the Upgrade Steps section.
  • Tagging support is now available; for details, see Tagging Support. If you already have defined or freeform tags applied to your LoadBalancers, you may need to perform preparatory steps before upgrading to this version; check the Upgrade Steps section.
  • Users can now signal NIC not to delete a LoadBalancer when the corresponding IngressClass resource is deleted; see Load Balancer Preservation on IngressClass delete for details.

Upgrade Steps

Pre-Upgrade

  • For all LoadBalancers managed by NIC that have NSG associations, add the oci-native-ingress.oraclecloud.com/network-security-group-ids annotation in the corresponding IngressClass resource to ensure NIC will retain them on upgrade.
    Example:
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      annotations:
        oci-native-ingress.oraclecloud.com/network-security-group-ids: ocid1.networksecuritygroup.oc1.abc,ocid1.networksecuritygroup.oc1.xyz
  • For all LoadBalancers managed by NIC that have defined and freeform tags, add the oci-native-ingress.oraclecloud.com/defined-tags and oci-native-ingress.oraclecloud.com/freeform-tags annotations in the corresponding IngressClass resource to ensure NIC will retain them on upgrade.
    Example:
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      annotations:
        oci-native-ingress.oraclecloud.com/defined-tags: '{"namespace-1": {"key1": "value1", "key2": "value2"}, "namespace-2": {"key1": "value1"}}'
        oci-native-ingress.oraclecloud.com/freeform-tags: '{"key1": "value1", "key2": "value2"}'
  • Add an appropriate policy to give NIC permissions to use tag-namespaces for any defined tags that NIC has to manage. See Policy Reference for more information.
    An example policy that grants NIC permission to use all tag-namespaces in tenancy:
    Allow <subject> to use tag-namespaces in tenancy
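
A pre-upgrade check for the first two steps above, as an added example that is not part of the release notes or the NIC project: it compares a load balancer's current NSG associations and tags with the IngressClass annotations and reports what the annotations do not yet declare. The sample data is constructed, the function names are hypothetical, and the kebab-case field names assume the JSON shape the OCI CLI prints for a load balancer.

```python
import json
PREFIX = "oci-native-ingress.oraclecloud.com/"

# Constructed sample: load balancer fields in the kebab-case JSON shape assumed
# from the OCI CLI; OCIDs and tag values are placeholders.
SAMPLE_LB = {
    "network-security-group-ids": ["ocid1.networksecuritygroup.oc1.abc",
                                   "ocid1.networksecuritygroup.oc1.xyz"],
    "defined-tags": {"namespace-1": {"key1": "value1"}},
    "freeform-tags": {"key1": "value1"},
}
# Constructed sample: annotations currently set on the IngressClass.
SAMPLE_ANNOTATIONS = {
    PREFIX + "network-security-group-ids": "ocid1.networksecuritygroup.oc1.abc",
    PREFIX + "freeform-tags": '{"key1": "value1", "key2": "value2"}',
}

def required_annotations(lb):
    """Annotation values that mirror the load balancer's current state."""
    out = {}
    if lb.get("network-security-group-ids"):
        out[PREFIX + "network-security-group-ids"] = ",".join(lb["network-security-group-ids"])
    for field in ("defined-tags", "freeform-tags"):
        if lb.get(field):
            out[PREFIX + field] = json.dumps(lb[field], sort_keys=True)
    return out

def _flatten(tags, nested):
    # Defined tags become 'namespace.key' entries; freeform tags are already flat.
    return {f"{ns}.{k}": v for ns, kv in tags.items() for k, v in kv.items()} if nested else dict(tags)

def uncovered(lb, annotations):
    """Load balancer settings that the IngressClass annotations do not declare."""
    gaps = {}
    declared_nsgs = {n.strip() for n in
                     annotations.get(PREFIX + "network-security-group-ids", "").split(",") if n.strip()}
    lost = [n for n in (lb.get("network-security-group-ids") or []) if n not in declared_nsgs]
    if lost:
        gaps["network-security-group-ids"] = lost
    for field in ("defined-tags", "freeform-tags"):
        nested = field == "defined-tags"
        declared = _flatten(json.loads(annotations.get(PREFIX + field) or "{}"), nested)
        current = _flatten(lb.get(field) or {}, nested)
        diff = {k: v for k, v in current.items() if declared.get(k) != v}
        if diff:
            gaps[field] = diff
    return gaps

if __name__ == "__main__":
    print(json.dumps(uncovered(SAMPLE_LB, SAMPLE_ANNOTATIONS), indent=2))
```

An empty result from `uncovered` means every NSG association and tag currently on the load balancer is already declared in the IngressClass annotations.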

Upgrade

Upgrade as usual by following the Deployment instructions for your installation method. Use the latest Helm chart when upgrading, because additional permissions have been added to the ClusterRole used by NIC.

What's Changed

  • Fix finalizer removal logic for ingresses by @piyush-tiwari in #87
  • Support for dynamic workload resource principal by @akka19 in #92
  • Sync with internal repo by @piyush-tiwari in #99
    • Add delete-protection-enabled annotation for IngressClasses
    • Add NSG support for IngressClasses
    • Fix update logic for BackendSets and Listeners
  • Add tagging support for IngressClass by @piyush-tiwari in #103
  • Sync with internal repo by @piyush-tiwari in #107
    • Add PodSecurityContext for stricter default security posture
    • Fix GetSSLConfigForBackendSet logic for secret type artifacts
    • Update base image to Oracle Linux 8
    • Add default tagging support

Full Changelog: v1.3.9...v1.4.0