Open artlogic opened 5 months ago
/triage accepted /priority backlog /assign
Discussed here https://kubernetes.slack.com/archives/CANQGM8BA/p1711559130696059
cc @rikatz @tao12345666333 @strongjz @cpanato
It is almost certain that the work on validations set the $/dollar sign as high risk and hence unacceptable. Was discussed in community meeting with Ricardo.
Next step is for me to peruse code and confirm the high-risk classification and exclusion of dollar/$ sign character from the list of allowed characters in the permanent-redirect annotation.
@tao12345666333 any help or comments you can provide is appreciated.
What's the pathType of the ingress object? We have added strict regex to Exact and Prefix, you may need to use ImplementationSpecific
/triage needs-information
I encountered the same problem. pathType: ImplementationSpecific is set.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: redirect-legacy
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: https://redirect-target.com/v2/$1?mode=legacy
spec:
  ingressClassName: nginx
  rules:
    - host: legacy-api.com
      http: &HTTP
        paths:
          - path: /([a-f0-9]{32})/?$
            pathType: ImplementationSpecific
            backend:
              # `backend` field is ignored by NGINX ingress controller when `permanent-redirect` is active.
              # It's only filled because k8s API requirements.
              service:
                name: upstream-service
                port:
                  name: http
```

Using this version

```
$ helm list -n ingress-nginx
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
ingress-nginx ingress-nginx 1 2024-03-03 21:56:29.187687019 +0700 +07 deployed ingress-nginx-4.10.0 1.10.0
```
What's the pathType of the ingress object? We have added strict regex to Exact and Prefix, you may need to use ImplementationSpecific
My pathType is set to Prefix. I'm currently OOO but I will see if ImplementationSpecific resolves the issue next week.
This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.
We are facing the same issue in most recent version of ingress-nginx with ImplementationSpecific ingress as well.
After looking at the redirect destination posted here, it seems there could be a contention regarding what values are valid as destination and what values are not.
Currently, if a FQDN or a FDN suffixed with a known path is configured as a value to the redirect annotations, then there is no problem at all. So it seems that this issue is reporting a fail of redirect annotation only and only when an nginx variable is used in the value for the redirect annotation.
After checking here, it looks like a regexp group can be used as the regexp does not call for extrapolating an nginx var. So I doubt that an nginx var is an acceptable valid value for the redirect annotations. Hence I think there is not much that can be done on this problem as nginx vars are nowhere visibly documented as a standard.
The project has taken on too many custom features unique to the controller, that are not defined in either the K8S KEP specs or the docs of the upstream Nginx reverseproxy/webserver. It has caused security problems and maintenance problems and hence the project is moving towards healthy and reliable design by removing less used and edge-case use features & functionalities. Hence working on using nginx vars as part of the value for the redirect annotations does not seem like a viable approach.
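A pre-upgrade audit for the behaviour discussed in this thread, as an added example that is not ingress-nginx's code: it flags redirect annotation values that a strict validator would refuse, so they can be found before the admission webhook denies them. The function names and every rejected character other than `$` are assumptions; the controller's actual validation rule is not shown on this page.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Only "$" is named in the thread; the other characters are an assumption.
const nginxMeta = "$;{}\"'\\\n\r"

// CheckRedirect returns nil only for a plain absolute http(s) URL.
func CheckRedirect(value string) error {
	if i := strings.IndexAny(value, nginxMeta); i >= 0 {
		return fmt.Errorf("%q at offset %d is nginx config syntax", value[i], i)
	}
	u, err := url.Parse(value)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return fmt.Errorf("want an absolute http(s) URL, got %q", value)
	}
	return nil
}

// Audit returns, sorted, the ingress names whose redirect value fails the check.
func Audit(redirects map[string]string) []string {
	var flagged []string
	for name, value := range redirects {
		if CheckRedirect(value) != nil {
			flagged = append(flagged, name)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	// First two values are quoted in this thread; the third is constructed.
	redirects := map[string]string{
		"variable": "https://redirectedto.com$request_uri",
		"capture":  "https://redirect-target.com/v2/$1?mode=legacy",
		"plain":    "https://redirect-target.com/v2/legacy",
	}
	for _, name := range Audit(redirects) {
		fmt.Printf("%s: %v\n", name, CheckRedirect(redirects[name]))
	}
}
```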
What happened:
When attempting to add a permanent-redirect annotation with an nginx variable, the admission controller wouldn't allow it.

```
nginx.ingress.kubernetes.io/permanent-redirect: https://redirectedto.com$request_uri
```

Results in:

```
admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: annotation nginx.ingress.kubernetes.io/permanent-redirect contains invalid value
```
What you expected to happen:
In earlier versions this syntax was allowed. I have been using up until recently.
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
Version 1.9.6 installed via helm chart 4.9.1
Kubernetes version (use kubectl version): v1.27.11
Environment:
uname -a: 5.10.0-27-cloud-amd64
Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
kubectl version: v1.27.11
kubectl get nodes -o wide
helm ls -A | grep -i ingress
helm -n <ingresscontrollernamespace> get values <helmreleasename>
kubectl describe ingressclasses
kubectl -n <ingresscontrollernamespace> get all -A -o wide
kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
Please let me know if the rest is needed.
kubectl -n <appnamespace> get all,ing -o wide
kubectl -n <appnamespace> describe ing <ingressname>
This occurs with any ingress.
kubectl describe ... of any custom configmap(s) created and in use
How to reproduce this issue:
Try to add an ingress that uses permanent-redirect with a $ in the URL.
Anything else we need to know: