-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enabling annotation validation prevents deployment of previously allowed permanent redirect annotations #10634
Comments
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I am currently running into a similar issue with the I am trying to get around this issue by running nginx in chroot mode, meaning you don't have to use the enable-annotation-validation flag, assuming that you are making use of this flag in response to the recent nginx vulnerabilities CVE-2023-5043 and CVE-2023-5044. This explains that chroot mode mitigates the vulnerability from a secrets exploitation perspective kubernetes/kubernetes#126816 I am testing this out at the moment myself, but if you don't want to bother with it yourself I think a redesign of how that annotation is setup (ie the dollar sign being present) should get around your issue |
@channaneq Can you share details on which annotations caused issue for you |
|
We are also running into the same issue with annotation: We always see the error: Tested this with all 3 values and all gave the same result. |
Concerning the Hopefully we hear back |
@channaneq wrote:
...specifically: nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri" which is what is used in the example here: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/ i think the current incarnation of annotation validation simply rejects anything with a there are variables that should absolutely be considered "safe" by this validation. e.g.
|
Some changes were made and also cherry picked into the v1.10.x and v1.11.x releases. It could be allowing the dollar/$ sign now on some annotations. But that has to be tested on the recent release of the controller and the detailed data of the test posted here so that readers do not need to do the test themselves just for triaging the issue. The background to hardeing annotations is the CVEs announced and overall security concerns because crafty strings in annotations are a threat that need to be addressed without any delay asap. On a long shot someone can also claim that the validation code itself can get comprehensive enough to check some valid use-cases of characters. But that works requires resources that are not available now. And top that with the absolute need to ship a controller that is secure by default. We have actually deprecated features because there are no resources available to support/maintain the entire range of possible use-cases. The focus is on ensuring that the Ingress-API implied behavior is all working as specified in KEP and all other features are subject to availability of resources to maintain & support. So its better you engage in the Kubernetes slack about this as there are more engineers & maintainers there and there is hardly any resources here. Once the slack discussion comes to a state of deciding on the dollar/$ character in whichever annotation , then this issue can be updated with those discussions and decisions (related data). Until then I will close the issue as it is adding to the tally of open issues without any action item on any party. After data is posted here to track a action item, the issue can be reopened. /close |
@longwuyuan: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What happened:
after adding the
--enable-annotation-validation
option to ouringress-nginx
controller deployment to mitigate recent CVEs including kubernetes/kubernetes#126817 we encountered some deploy-time issues with historically fine deployments.specifically,
helm
deployments containing anIngress
resource with thenginx.ingress.kubernetes.io/permanent-redirect
annotation containing a capture group failed to deploy with the following (sanitized) error:What you expected to happen:
I expected the
helm
deployments to succeed as they historically had prior to setting the--enable-annotation-validation
optionNGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
Kubernetes version (use
kubectl version
):Environment:
Cloud provider or hardware configuration:
GKE on Google Cloud, but that shouldn't be relevant to the issue
OS (e.g. from /etc/os-release):
N/A
Kernel (e.g.
uname -a
):N/A
Install tools:
Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
N/A
Basic cluster related info:
kubectl version
kubectl get nodes -o wide
N/A
How was the ingress-nginx-controller installed:
helm ls -A | grep -i ingress
helm -n <ingresscontrollernamepspace> get values <helmreleasename>
helm 3.12+
, but pretty much positive this isn't an issue with how we installed/configured anything.Current State of the controller:
kubectl describe ingressclasses
kubectl -n <ingresscontrollernamespace> get all -A -o wide
kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
N/A
Current state of ingress object, if applicable:
kubectl -n <appnnamespace> get all,ing -o wide
kubectl -n <appnamespace> describe ing <ingressname>
N/A
Others:
kubectl describe ...
of any custom configmap(s) created and in useN/A
How to reproduce this issue:
given any
ingress-nginx
deployment with the--enable-annotation-validation
option provided to the controller container.given the official
ingress-nginx
helm
chart this can be done by settingcontroller.enableAnnotationValidations: true
in the values.pared-down example of an affected
Ingress
resource:attempting to
kubectl apply
a resource like above should trigger a validation error and reject the resource.Anything else we need to know:
ingress-nginx/internal/ingress/annotations/redirect/redirect.go
Line 64 in da51393
ingress-nginx/internal/ingress/annotations/parser/validators.go
Line 62 in da51393
this could just be a documentation issue if the maintainer's opinion is that supporting capture groups in the redirect annotation isn't something they wish to do, in which case just documenting that is probably the desired outcome.
if that is supposed to be supported, then I believe the desired outcome is to correct the validation pattern used when the annotation validation is enabled.
The text was updated successfully, but these errors were encountered: