Graduate policy resource and accessControl policy to GA

cmd/nginx-ingress/main.go

@@ -157,6 +157,9 @@ var (
 	enableCustomResources = flag.Bool("enable-custom-resources", true,
 		"Enable custom resources")
 
+	enablePreviewPolicies = flag.Bool("enable-preview-policies", false,
+		"Enable preview policies")
+
 	enableSnippets = flag.Bool("enable-snippets", false,
 		"Enable custom NGINX configuration snippets in VirtualServer and VirtualServerRoute resources.")
 
@@ -227,7 +230,7 @@ func main() {
 	}
 
 	if *enableTLSPassthrough && !*enableCustomResources {
-		glog.Fatalf("enable-tls-passthrough flag requires -enable-custom-resources")
+		glog.Fatal("enable-tls-passthrough flag requires -enable-custom-resources")
 	}
 
 	if *appProtect && !*nginxPlus {
@@ -624,6 +627,7 @@ func main() {
 		ConfigMaps:                   *nginxConfigMaps,
 		GlobalConfiguration:          *globalConfiguration,
 		AreCustomResourcesEnabled:    *enableCustomResources,
+		EnablePreviewPolicies:        *enablePreviewPolicies,
 		MetricsCollector:             controllerCollector,
 		GlobalConfigurationValidator: globalConfigurationValidator,
 		TransportServerValidator:     transportServerValidator,

deployments/common/crds-v1beta1/k8s.nginx.org_policies.yaml

@@ -34,7 +34,7 @@ spec:
           type: object
           properties:
             accessControl:
-              description: AccessControl defines an access policy based on the source IP of a request.
+              description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
               type: object
               properties:
                 allow:
@@ -46,7 +46,7 @@ spec:
                   items:
                     type: string
             egressMTLS:
-              description: EgressMTLS defines an Egress MTLS policy.
+              description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
               type: object
               properties:
                 ciphers:
@@ -68,7 +68,7 @@ spec:
                 verifyServer:
                   type: boolean
             ingressMTLS:
-              description: IngressMTLS defines an Ingress MTLS policy.
+              description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
               type: object
               properties:
                 clientCertSecret:
@@ -78,7 +78,7 @@ spec:
                 verifyDepth:
                   type: integer
             jwt:
-              description: JWTAuth holds JWT authentication configuration.
+              description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
               type: object
               properties:
                 realm:
@@ -88,7 +88,7 @@ spec:
                 token:
                   type: string
             rateLimit:
-              description: RateLimit defines a rate limit policy.
+              description: 'RateLimit defines a rate limit policy. policy status: preview'
               type: object
               properties:
                 burst:
@@ -109,9 +109,9 @@ spec:
                   type: integer
                 zoneSize:
                   type: string
-  version: v1alpha1
+  version: v1
   versions:
-    - name: v1alpha1
+    - name: v1
       served: true
       storage: true
 status:

deployments/common/crds/k8s.nginx.org_policies.yaml

@@ -16,7 +16,7 @@ spec:
     singular: policy
   scope: Namespaced
   versions:
-    - name: v1alpha1
+    - name: v1
       schema:
         openAPIV3Schema:
           description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
@@ -35,7 +35,7 @@ spec:
               type: object
               properties:
                 accessControl:
-                  description: AccessControl defines an access policy based on the source IP of a request.
+                  description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
                   type: object
                   properties:
                     allow:
@@ -47,7 +47,7 @@ spec:
                       items:
                         type: string
                 egressMTLS:
-                  description: EgressMTLS defines an Egress MTLS policy.
+                  description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
                   type: object
                   properties:
                     ciphers:
@@ -69,7 +69,7 @@ spec:
                     verifyServer:
                       type: boolean
                 ingressMTLS:
-                  description: IngressMTLS defines an Ingress MTLS policy.
+                  description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
                   type: object
                   properties:
                     clientCertSecret:
@@ -79,7 +79,7 @@ spec:
                     verifyDepth:
                       type: integer
                 jwt:
-                  description: JWTAuth holds JWT authentication configuration.
+                  description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
                   type: object
                   properties:
                     realm:
@@ -89,7 +89,7 @@ spec:
                     token:
                       type: string
                 rateLimit:
-                  description: RateLimit defines a rate limit policy.
+                  description: 'RateLimit defines a rate limit policy. policy status: preview'
                   type: object
                   properties:
                     burst:

deployments/helm-chart/README.md

@@ -170,6 +170,7 @@ Parameter | Description | Default
 `controller.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass`. Only for kubernetes versions >= 1.18. | false
 `controller.watchNamespace` | Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces. | ""
 `controller.enableCustomResources` | Enable the custom resources. | true
+`controller.enablePreviewPolicies` | Enable preview policies. | false
 `controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false
 `controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false
 `controller.globalConfiguration.spec` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {}

deployments/helm-chart/crds/k8s.nginx.org_policies.yaml

@@ -34,7 +34,7 @@ spec:
           type: object
           properties:
             accessControl:
-              description: AccessControl defines an access policy based on the source IP of a request.
+              description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
               type: object
               properties:
                 allow:
@@ -46,7 +46,7 @@ spec:
                   items:
                     type: string
             egressMTLS:
-              description: EgressMTLS defines an Egress MTLS policy.
+              description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
               type: object
               properties:
                 ciphers:
@@ -68,7 +68,7 @@ spec:
                 verifyServer:
                   type: boolean
             ingressMTLS:
-              description: IngressMTLS defines an Ingress MTLS policy.
+              description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
               type: object
               properties:
                 clientCertSecret:
@@ -78,7 +78,7 @@ spec:
                 verifyDepth:
                   type: integer
             jwt:
-              description: JWTAuth holds JWT authentication configuration.
+              description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
               type: object
               properties:
                 realm:
@@ -88,7 +88,7 @@ spec:
                 token:
                   type: string
             rateLimit:
-              description: RateLimit defines a rate limit policy.
+              description: 'RateLimit defines a rate limit policy. policy status: preview'
               type: object
               properties:
                 burst:
@@ -109,9 +109,9 @@ spec:
                   type: integer
                 zoneSize:
                   type: string
-  version: v1alpha1
+  version: v1
   versions:
-    - name: v1alpha1
+    - name: v1
       served: true
       storage: true
 status:

deployments/helm-chart/templates/controller-deployment.yaml

@@ -144,6 +144,7 @@ spec:
 {{- if .Values.controller.enableCustomResources }}
           - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
           - -enable-snippets={{ .Values.controller.enableSnippets }}
+          - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
 {{- if .Values.controller.globalConfiguration.create }}
           - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.name" . }}
 {{- end }}

deployments/helm-chart/values.yaml

@@ -146,6 +146,9 @@ controller:
   ## Enable the custom resources.
   enableCustomResources: true
 
+  ## Enable preview policies.
+  enablePreviewPolicies: false
+
   ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources.
   enableTLSPassthrough: false
 

docs-web/configuration/global-configuration/command-line-arguments.md

@@ -33,6 +33,10 @@ Below we describe the available command-line arguments:
 
 	Enables custom resources. (default true)
 
+.. option:: -enable-preview-policies
+
+	Enables preview policies. (default false)
+
 .. option:: -enable-leader-election
 
 	Enables Leader election to avoid multiple replicas of the controller reporting the status of Ingress, VirtualServer and VirtualServerRoute resources -- only one replica will report status. (default true)

docs-web/configuration/policy-resource.md

@@ -6,8 +6,6 @@ The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/co
 
 This document is the reference documentation for the Policy resource. An example of a Policy for access control is available in our [GitHub repo](https://github.com/nginxinc/kubernetes-ingress/blob/master/examples-of-custom-resources/access-control).
 
-> **Feature Status**: The Policy resource is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview, we might introduce some backward-incompatible changes to the resource specification in the next releases.
-
 ## Contents
 
 - [Policy Resource](#policy-resource)
@@ -39,7 +37,7 @@ Policies work together with [VirtualServer and VirtualServerRoute resources](/ng
 
 Below is an example of a policy that allows access for clients from the subnet `10.0.0.0/8` and denies access for any other clients:
 ```yaml
-apiVersion: k8s.nginx.org/v1alpha1
+apiVersion: k8s.nginx.org/v1
 kind: Policy 
 metadata:
   name: allow-localhost
@@ -140,6 +138,8 @@ policies:
 
 ### RateLimit
 
+> **Feature Status**: Rate-Limiting is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
+
 The rate limit policy configures NGINX to limit the processing rate of requests.
 
 For example, the following policy will limit all subsequent requests coming from a single IP address once a rate of 10 requests per second is exceeded:
@@ -212,6 +212,8 @@ When you reference more than one rate limit policy, the Ingress Controller will
 
 ### JWT
 
+> **Feature Status**: JWT is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
+
 > Note: This feature is only available in NGINX Plus.
 
 The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens.
@@ -277,6 +279,8 @@ In this example the Ingress Controller will use the configuration from the first
 
 ### IngressMTLS
 
+> **Feature Status**: IngressMTLS is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
+
 The IngressMTLS policy configures client certificate verification.
 
 For example, the following policy will verify a client certificate using the CA certificate specified in the `ingress-mtls-secret`:
@@ -343,6 +347,8 @@ In this example the Ingress Controller will use the configuration from the first
 
 ### EgressMTLS
 
+> **Feature Status**: EgressMTLS is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
+
 The EgressMTLS policy configures upstreams authentication and certificate verification.
 
 For example, the following policy will use `egress-mtls-secret` to authenticate with the upstream application and `egress-trusted-ca-secret` to verify the certificate of the application:
@@ -526,7 +532,7 @@ If you try to create (or update) a resource that violates the structural schema
 * Example of `kubectl` validation:
     ```
     $ kubectl apply -f access-control-policy-allow.yaml
-    error: error validating "access-control-policy-allow.yaml": error validating data: ValidationError(Policy.spec.accessControl.allow): invalid type for org.nginx.k8s.v1alpha1.Policy.spec.accessControl.allow: got "string", expected "array"; if you choose to ignore these errors, turn validation off with --validate=false
+    error: error validating "access-control-policy-allow.yaml": error validating data: ValidationError(Policy.spec.accessControl.allow): invalid type for org.nginx.k8s.v1.Policy.spec.accessControl.allow: got "string", expected "array"; if you choose to ignore these errors, turn validation off with --validate=false
     ```
 * Example of Kubernetes API server validation:
     ```

docs-web/installation/installation-with-helm.md

@@ -238,6 +238,9 @@ The following tables lists the configurable parameters of the NGINX Ingress cont
    * - ``controller.enableCustomResources``
      - Enable the custom resources.
      - true
+   * - ``controller.enablePreviewPolicies``
+     - Enable preview policies.
+     - false
    * - ``controller.enableTLSPassthrough``
      - Enable TLS Passthrough on port 443. Requires ``controller.enableCustomResources``.
      - false

examples-of-custom-resources/access-control/access-control-policy-allow.yaml

@@ -1,4 +1,4 @@
-apiVersion: k8s.nginx.org/v1alpha1
+apiVersion: k8s.nginx.org/v1
 kind: Policy 
 metadata:
   name: webapp-policy 

examples-of-custom-resources/access-control/access-control-policy-deny.yaml

@@ -1,4 +1,4 @@
-apiVersion: k8s.nginx.org/v1alpha1
+apiVersion: k8s.nginx.org/v1
 kind: Policy 
 metadata:
   name: webapp-policy

examples-of-custom-resources/egress-mtls/egress-mtls.yaml

@@ -1,4 +1,4 @@
-apiVersion: k8s.nginx.org/v1alpha1
+apiVersion: k8s.nginx.org/v1
 kind: Policy
 metadata:
   name: egress-mtls-policy

examples-of-custom-resources/ingress-mtls/ingress-mtls.yaml

@@ -1,4 +1,4 @@
-apiVersion: k8s.nginx.org/v1alpha1
+apiVersion: k8s.nginx.org/v1
 kind: Policy
 metadata:
   name: ingress-mtls-policy

examples-of-custom-resources/jwt/jwt.yaml

@@ -1,4 +1,4 @@
-apiVersion: k8s.nginx.org/v1alpha1
+apiVersion: k8s.nginx.org/v1
 kind: Policy
 metadata:
   name: jwt-policy

examples-of-custom-resources/rate-limit/rate-limit.yaml

@@ -1,4 +1,4 @@
-apiVersion: k8s.nginx.org/v1alpha1
+apiVersion: k8s.nginx.org/v1
 kind: Policy
 metadata:
   name: rate-limit-policy