Open joshsleeper opened 8 months ago
This issue is currently awaiting triage.
If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted
label and provide further guidance.
The triage/accepted
label can be added by org members by writing /triage accepted
in a comment.
I am currently running into a similar issue with the enable-annotation-validation
flag just not with the same annotation.
I am trying to get around this issue by running nginx in chroot mode, meaning you don't have to use the enable-annotation-validation flag, assuming that you are making use of this flag in response to the recent nginx vulnerabilities CVE-2023-5043 and CVE-2023-5044. This explains that chroot mode mitigates the vulnerability from a secrets exploitation perspective https://github.com/kubernetes/ingress-nginx/issues/10571#issue-1961738338
I am testing this out at the moment myself, but if you don't want to bother with it yourself I think a redesign of how that annotation is setup (ie the dollar sign being present) should get around your issue
@channaneq Can you share details on which annotations caused issue for you
nginx.ingress.kubernetes.io/auth-signin
annotation auth-signin contains invalid value
We are also running into the same issue with annotation:nginx.ingress.kubernetes.io/session-cookie-samesite: None
We always see the error: validators.go:221] validation error on ingress <namespace/<ingress>: annotation session-cookie-samesite contains invalid value None
Tested this with all 3 values and all gave the same result.
Concerning the permanent-redirect
I think I've narrowed down the regression in behaviour down to an issue with the Validator not being given capture groups (unlike the rewrite-target
annotation which does get these, hence why it works). I've opened another issue for this here: https://github.com/kubernetes/ingress-nginx/issues/10734
Hopefully we hear back
@channaneq wrote:
nginx.ingress.kubernetes.io/auth-signin
annotation auth-signin contains invalid value
...specifically:
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
which is what is used in the example here:
https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/
i think the current incarnation of annotation validation simply rejects anything with a $
in it. that's not a very useful validation imo.
there are variables that should absolutely be considered "safe" by this validation. e.g.
$host
$request_uri
$service_name
$service_port
$namespace
What happened:
after adding the
--enable-annotation-validation
option to ouringress-nginx
controller deployment to mitigate recent CVEs including #10572 we encountered some deploy-time issues with historically fine deployments.specifically,
helm
deployments containing anIngress
resource with thenginx.ingress.kubernetes.io/permanent-redirect
annotation containing a capture group failed to deploy with the following (sanitized) error:What you expected to happen:
I expected the
helm
deployments to succeed as they historically had prior to setting the--enable-annotation-validation
optionNGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
Kubernetes version (use
kubectl version
):Environment:
Cloud provider or hardware configuration:
GKE on Google Cloud, but that shouldn't be relevant to the issue
OS (e.g. from /etc/os-release):
N/A
Kernel (e.g.
uname -a
):N/A
Install tools:
Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
N/A
Basic cluster related info:
kubectl version
kubectl get nodes -o wide
N/A
How was the ingress-nginx-controller installed:
helm ls -A | grep -i ingress
helm -n <ingresscontrollernamepspace> get values <helmreleasename>
helm 3.12+
, but pretty much positive this isn't an issue with how we installed/configured anything.Current State of the controller:
kubectl describe ingressclasses
kubectl -n <ingresscontrollernamespace> get all -A -o wide
kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
N/A
Current state of ingress object, if applicable:
kubectl -n <appnnamespace> get all,ing -o wide
kubectl -n <appnamespace> describe ing <ingressname>
N/A
Others:
kubectl describe ...
of any custom configmap(s) created and in useN/A
How to reproduce this issue:
given any
ingress-nginx
deployment with the--enable-annotation-validation
option provided to the controller container.given the official
ingress-nginx
helm
chart this can be done by settingcontroller.enableAnnotationValidations: true
in the values.pared-down example of an affected
Ingress
resource:attempting to
kubectl apply
a resource like above should trigger a validation error and reject the resource.Anything else we need to know:
this could just be a documentation issue if the maintainer's opinion is that supporting capture groups in the redirect annotation isn't something they wish to do, in which case just documenting that is probably the desired outcome.
if that is supposed to be supported, then I believe the desired outcome is to correct the validation pattern used when the annotation validation is enabled.