Open srikiz opened 10 months ago
This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the `triage/accepted` label and provide further guidance.

The `triage/accepted` label can be added by org members by writing `/triage accepted` in a comment.
I think the webhook validation and the annotation value string validation are different code paths, and I guess no test is written to check for a value like 300. Probably no upstream can be named 300.
cc @rikatz @tao12345666333
Hello @srikiz Is that issue resolved ? thanks
Is a resolution expected in 1.9.5? I didn't see a linked PR, so we haven't tested 1.9.5 yet.
Hello everyone, it looks like I'm facing an issue with `enableAnnotationValidations` too. Please take a look.

Depending on CVE-2021-25742 (this issue has been rated High), when I edited `annotations-risk-level: High` and set `--enable-annotation-validation=true`, it looks like this is wrong and I cannot create the ingress object. I'm not sure CVE-2021-25742 was rated correctly.

Here are the details:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  allow-snippet-annotations: "true"
  annotations-risk-level: High
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: platform
      app.kubernetes.io/component: controller
  replicas: 5
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    spec:
      containers:
        - name: controller
          image: registry.k8s.io-ingress-nginx-controller:v1.9.5
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --enable-annotation-validation=true
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-nginx-leader
            - --controller-class=k8s.io/ingress-nginx
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
            - --enable-ssl-passthrough=true
```

```yaml
ingress:
  class_name: "nginx"
  enabled: true
  # default: override_yaml is undefined
  override_yaml:
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/configuration-snippet: |
          proxy_set_header "X-B3-Sampled" "1";
    spec:
      rules:
        - host: kiali.example.com
          http:
            paths:
              - backend:
                  service:
                    name: kiali
                    port:
                      number: 20001
                path: /
                pathType: Prefix
      tls:
        - hosts:
            - kiali.example.com
          secretName: "kiali-tls"
```

```
/nginx-ingress-controller
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.9.5
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.21.6
```
Here is the issue, shown with the command `kubectl describe kiali -n istio`; the ingress of Kiali wasn't created.
```
Status:
  Conditions:
    Message:
    Reason:
    Status:   False
    Type:     Successful
    Message:  Running reconciliation
    Reason:   Running
    Status:   False
    Type:     Running
    Ansible Result:
      Changed:   5
      Failures:  1
      Ok:        64
      Skipped:   51
    Message:  Failed to patch object: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"admission webhook \\"validate.nginx.ingress.kubernetes.io\\" denied the request: annotation group ConfigurationSnippet contains risky annotation based on ingress configuration","reason":"BadRequest","code":400}\n'
    Reason:   Failed
    Status:   True
    Type:     Failure
  Deployment:
    Instance Name:  kiali
    Namespace:      istio
  Environment:
    Is Kubernetes:       true
    Kubernetes Version:  1.24.17
    Operator Version:    v1.77.0
  Progress:
    Duration:  0:00:26
    Message:   5. Creating core resources
  Spec Version:  default
Events:          <none>
```
But when I set it to `Critical` or deleted `annotations-risk-level` from the configmap, the issue was gone and it worked fine. It just got stuck when set to `High`, `Medium` or `Low`.

So please kindly take a look. Thank you guys.
What happened:

Create the below bad-ingress with `proxy-next-upstream` set to `300`. It creates an ingress object even though the `proxy-next-upstream` value is incorrect. This issue occurs only when `enableAnnotationValidations` is set to true.

What you expected to happen:

Ideally, the validating webhook should reject creating this ingress object. Looks like the additional annotation validation that was introduced in v1.9.0 is not validating the errors as expected.

NGINX Ingress controller version (exec into the pod and run `nginx-ingress-controller --version`):

```
NGINX Ingress controller
  Release:       v1.9.4
  Build:         846d251814a09d8a5d8d28e2e604bfc7749bcb49
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.21.6
```

Kubernetes version (use `kubectl version`):

Environment: On-Prem installed via kubeadm
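An added example, not ingress-nginx's own code, of the two checks this thread is about: a strict token allow-list for `proxy-next-upstream` that rejects a value like `300` (the check the report expected the webhook to perform), and the risk-level gating that explains why a Critical-risk snippet annotation is denied at `annotations-risk-level: High`. The token list is assumed from the nginx `proxy_next_upstream` directive documentation, and the Low < Medium < High < Critical ordering is assumed from the behaviour described in the comments above.

```go
package main

import (
	"fmt"
	"strings"
)

// Risk levels as named in this thread; ordering Low < Medium < High < Critical
// is assumed from the reported behaviour, not taken from ingress-nginx source.
var riskRank = map[string]int{"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

// Tokens the nginx proxy_next_upstream directive accepts (assumed from the nginx
// docs, not from the project's validator); a bare status code like "300" is not one.
var proxyNextUpstreamTokens = map[string]bool{
	"error": true, "timeout": true, "invalid_header": true,
	"http_500": true, "http_502": true, "http_503": true, "http_504": true,
	"http_403": true, "http_404": true, "http_429": true,
	"non_idempotent": true, "off": true,
}

// validateProxyNextUpstream is the strict check the reporter expected: every
// space-separated token must be a known directive value, otherwise deny.
func validateProxyNextUpstream(value string) error {
	fields := strings.Fields(value)
	if len(fields) == 0 {
		return fmt.Errorf("proxy-next-upstream: empty value")
	}
	for _, f := range fields {
		if !proxyNextUpstreamTokens[f] {
			return fmt.Errorf("proxy-next-upstream: invalid token %q", f)
		}
	}
	return nil
}

// allowedByRiskLevel models the gating the second comment hit: an annotation
// group is admitted only if its risk does not exceed annotations-risk-level.
func allowedByRiskLevel(annotationRisk, configuredLevel string) (bool, error) {
	a, okA := riskRank[annotationRisk]
	c, okC := riskRank[configuredLevel]
	if !okA || !okC {
		return false, fmt.Errorf("unknown risk level %q or %q", annotationRisk, configuredLevel)
	}
	return a <= c, nil
}

func main() {
	fmt.Println(validateProxyNextUpstream("300"))       // denied: invalid token "300"
	fmt.Println(allowedByRiskLevel("Critical", "High")) // false: snippet denied at High
}
```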