
All you ever wanted to know about ingress-nginx for Viya (1): version, deployment and configuration

Started ‎07-09-2025 by
Modified ‎02-12-2026 by

The Ingress Controller is a critical requirement and key component of the SAS Viya infrastructure. This component can be seen as the "front door" or "entry point" of your SAS Viya deployment. SAS currently (as of April 2025) only supports the Ingress NGINX Controller (aka ingress-nginx), with the exception of OpenShift routes if you are deploying SAS Viya on the Red Hat OpenShift platform.

 

Note: [11-Feb-2026] See Upcoming Changes to Kubernetes Ingress for SAS Viya 4 Deployments for the recent announcement about how Contour ingress will replace ingress-nginx as the supported ingress controller in SAS Viya (as of 2026.03).

 

There were some recent changes and announcements related to the Ingress NGINX Controller, so I thought it could be a good time to list and explain them.

 


As there was a lot to discuss, I have split this post into two parts.

 

Here is a little "ToC" table for this first part to help you to navigate through this post 😊

 

 

What is the Ingress Controller ?

 

In a Kubernetes cluster, an "Ingress" is the object that makes your web (HTTP or HTTPS) service available from the outside. It lets you map traffic to different backends based on rules that you define in the Ingress definition.

 

But in order for the Ingress resources to work, the cluster must have an Ingress Controller running (usually inside its own Kubernetes namespace). There are many implementations of the Ingress Controller component (Cloud plugins or generic, based on different technologies such as HAProxy, Istio, Envoy, etc.).

 

The Ingress Controller acts as a reverse proxy and load balancer. Its main role is to read the rules defined in Ingress resources and route incoming traffic to the appropriate services.

 

Ingress NGINX <> NGINX Ingress…A little clarification on the Terminology

 

There are two types of nginx ingress controllers with VERY VERY similar product names ☹:

 

  • One from the community (Ingress NGINX)
  • The second from F5 (NGINX Ingress)

 

They are really different and the only one we support is the one from the community.

 

01_RP_community-vs-F5.png

 


 

SAS supports the Ingress NGINX Controller which is commonly called ingress-nginx.

 

So here is the link to the project: ingress-nginx, to avoid any further confusion!

 

This is important because if you install the wrong one (NGINX Ingress), the annotations used in the SAS Viya Ingress definitions will not work.

 

Which version should I install?

 

The SAS Viya official documentation has a dedicated section to answer this question.

 

If you look at the latest version of the documentation (2025.04 at the time of this write-up), you can see that the SAS Viya platform supports ingress-nginx 1.9.6 and later. Another important requirement is that the ingress-nginx snippet annotations setting must be enabled.

 

However, the documentation also says: "Make sure that the version of ingress-nginx that you are using is compatible with your cloud provider, and check for updates."

 

So, aside from the minimum version requirement and the need to allow snippet annotations, what really drives the ingress-nginx version is the Kubernetes version.

 

The ingress-nginx GitHub page has a reference table that tells you which Kubernetes versions are supported for each ingress-nginx version.

 

See below an extract from this table:

 

02_RP_ingress-nginx-versions.png

 

It means that, for example, if you are running Viya 2025.03 on Azure AKS 1.31, you need to deploy at least ingress-nginx v1.12. The table also lists the corresponding Helm chart version, which will come in handy in the next section.

 

How do I install ingress-nginx ?

 

Since ingress-nginx is a system requirement for SAS Viya, it should be the responsibility of the customer to deploy it.

 

However, the customer may ask for your help, or you may have to deploy it yourself for a test environment. The instructions to deploy ingress-nginx are provided in the "SAS® Viya® System Requirements" course available on learn.sas.com (see the extract below).

 

03_RP_ingress-nginx-helm-install-1024x746.png

 

Using Helm is the most common way to install ingress-nginx. You need to provide the Helm chart version as shown in the example above.

 

Another point of reference, if you are looking for the commands to install ingress-nginx, is the viya4-deployment GitHub project (aka "DaC", for Deployment as Code).

 

The DaC playbook has a "baseline" role that includes the setup of ingress-nginx. If you look at the corresponding codebase, you'll notice that several rules are now used to determine the correct version to install and to implement specific configuration (CVE mitigation, annotations, strict path validation, etc.) depending on the Kubernetes version, the Viya version and the cloud provider.

 

So, even if you don’t use it to install SAS Viya itself, it could be a good idea to use only the "baseline" feature of the DaC tool to ensure that you install the correct ingress-nginx version with the required configurations.

 

Vulnerability Mitigation for the "allow-snippet-annotation"

 

Back in 2021, a security issue was discovered in ingress-nginx where a user, who can create or update ingress objects, can use the custom snippets feature to obtain all secrets in the cluster! (see CVE-2021-25742 for more details)

 

However, the SAS Viya platform requires custom snippets to function properly.

 

So for each supported LTS and stable Viya version, the SAS documentation provides a set of instructions that explain how to mitigate the security risk by using the annotation-value-word-blocklist setting in the controller ConfigMap. The annotation-value-word-blocklist contains the characters and words that are well known for being used to abuse Ingress configuration and must be blocked. When an annotation is detected with a value that matches one of the blocked words, the whole Ingress won't be configured (source).

 

Here is an example of how to patch the ingress-nginx ConfigMap object to implement this mitigation:

 

kubectl patch cm ingress-nginx-controller -n ingress-nginx -p '{"data":{"allow-snippet-annotations":"true", "annotation-value-word-blocklist":"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\\"}}';

 

SAS strongly recommends implementing this mitigation to limit the risk of attackers exploiting this vulnerability.
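
As an added example (not from the SAS documentation or the ingress-nginx project), the Python sketch below audits the controller ConfigMap for the two settings in the patch command above and pre-checks Ingress annotations against the blocklist. The sample objects are constructed, and substring matching on annotations with the controller prefix is an assumption about how words are matched.

```python
import json

# Words from the kubectl patch command on this page.
REQUIRED_WORDS = ["load_module", "lua_package", "_by_lua", "location", "root",
                  "proxy_pass", "serviceaccount", "{", "}", "\\"]
PREFIX = "nginx.ingress.kubernetes.io/"  # default ingress-nginx annotation prefix

def split_words(blocklist):
    return [w.strip() for w in blocklist.split(",") if w.strip()]

def audit_configmap(cm):
    """Findings for the controller ConfigMap; an empty list means compliant."""
    data = cm.get("data") or {}
    findings = []
    if data.get("allow-snippet-annotations") != "true":
        findings.append("allow-snippet-annotations is not 'true'")
    configured = set(split_words(data.get("annotation-value-word-blocklist", "")))
    missing = [w for w in REQUIRED_WORDS if w not in configured]
    if missing:
        findings.append("blocklist is missing: " + " ".join(missing))
    return findings

def blocked_annotations(ingress, blocklist):
    """Map each controller annotation to the blocklist words found in its value.
    Assumption: a word matches when it occurs anywhere in the value."""
    words = split_words(blocklist)
    annotations = (ingress.get("metadata") or {}).get("annotations") or {}
    hits = {}
    for key, value in annotations.items():
        matched = [w for w in words if w in value] if key.startswith(PREFIX) else []
        if matched:
            hits[key] = matched
    return hits

# Constructed sample: shape of `kubectl get cm ingress-nginx-controller -n ingress-nginx -o json`.
PATCHED_CM = json.loads(r'''{"data": {"allow-snippet-annotations": "true",
  "annotation-value-word-blocklist":
  "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\\"}}''')
UNPATCHED_CM = {"data": {"allow-snippet-annotations": "true"}}
# Constructed Ingress metadata: one harmless snippet, one the blocklist rejects.
OK_INGRESS = {"metadata": {"annotations": {
    PREFIX + "configuration-snippet": 'more_set_headers "X-Frame-Options: SAMEORIGIN";',
    "example.com/note": "root team owns this"}}}
BAD_INGRESS = {"metadata": {"annotations": {
    PREFIX + "server-snippet": "location /extra { return 204; }"}}}

if __name__ == "__main__":
    blocklist = PATCHED_CM["data"]["annotation-value-word-blocklist"]
    print("patched:", audit_configmap(PATCHED_CM))
    print("unpatched:", audit_configmap(UNPATCHED_CM))
    print("ok ingress:", blocked_annotations(OK_INGRESS, blocklist))
    print("bad ingress:", blocked_annotations(BAD_INGRESS, blocklist))
```

Running the same check over your own Ingress manifests before applying the patch shows which ones would stop being configured once the blocklist is active.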

That's all for this first part of the post !

 

Now that you know what the Ingress NGINX controller is, which version to install and how to install it, you are ready for the next part, where we will discuss the changes brought by the new ingress-nginx version (1.12) as well as some new security patches recently released to address several CVEs (Common Vulnerabilities and Exposures).

 

 


Comments

@RPoumarede  thank you for this helpful article. As you seem to be up to date with changes about nginx, there is approaching retirement of it in March 2026. Is SAS Viya also going to use Traefik instead?

Hi @touwen_k 

Sorry for the delayed answer, I just saw your message. 

It won't be Traefik, but project contour, see : https://communities.sas.com/t5/Administration-and-Deployment/Upcoming-Changes-to-Kubernetes-Ingress-...

cheers 
