dirsigler
commented
2 years ago To fix this issue you have to do following:
PLEASE BE AWARE, THIS CHANGE IS GLOBAL AND DEACTIVATES SOME OF THE SECURITY MEASUREMENTS!
# Edit the ingress-nginx-controller ConfigMap in your Ingress namespace
kubectl -n ingress-nginx edit configmap ingress-nginx-controller
# You will find something like:
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
# Add following line into the data map:
annotation-value-word-blocklist: load_module,lua_package,_by_lua,root,serviceaccount,',\
# It should look now like:
apiVersion: v1
data:
allow-snippet-annotations: "true"
annotation-value-word-blocklist: load_module,lua_package,_by_lua,root,serviceaccount,',\
kind: ConfigMapThis change overrides the default annotation-value-word-blocklist to allow certain symbols and charakters in a snippet.
strongjz
If you use the newest ingress-nginx (/ community nginx ingress) Version 1.0.5 you may see following error:
Error: UPGRADE FAILED: failed to create resource: admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: nginx.ingress.kubernetes.io/server-snippets annotation contains invalid word locationThis is due to a change in the ingress-nginx configuration which was introduced in https://github.com/kubernetes/ingress-nginx/pull/7874. This change solves a security vulnerability which was found in https://github.com/kubernetes/kubernetes/issues/126811.