kubernetes / ingress-nginx

Ingress NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

The validating webhook does not prevent resource creation with invalid annotations #11967

Open volver-13 opened 1 month ago

volver-13 commented 1 month ago

What happened:

Create the below bad-ingress with the `nginx.ingress.kubernetes.io/whitelist-source-range` annotation set to the invalid value `1.1.1.1 2.2.2.2`. The Ingress object gets created even though the whitelist-source-range value is incorrect (missing comma between IP addresses).

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1 2.2.2.2
  name: bad-ingress.com
  namespace: default
spec:
  ingressClassName: nginx-public
  rules:
  - host: memoapp.com
    http:
      paths:
      - backend:
          service:
            name: memoapp
            port:
              name: http
        path: /
        pathType: ImplementationSpecific
```

The behavior is the same regardless of the enableAnnotationValidations value.

Ingress controller fails with the following errors once the resource is created:

```
ingress-nginx-public-controller-68969c4b6f-xxd8c controller W0912 13:55:00.658197       7 validators.go:237] validation error on ingress default/bad-ingress.com: annotation allowlist-source-range contains invalid value 1.1.1.1 2.2.2.2
ingress-nginx-public-controller-68969c4b6f-xxd8c controller E0912 13:55:00.658231       7 annotations.go:213] "error reading Ingress annotation" err="annotation nginx.ingress.kubernetes.io/whitelist-source-range contains invalid value" name="Allowlist" ingress="default/bad-ingress.com"
```

What you expected to happen:

Ideally, the validating webhook should reject the creation of this ingress object.

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

NGINX Ingress controller Release: v1.10.0 Build: 71f78d49f0a496c31d4c19f095469f3f23900f8a Repository: https://github.com/kubernetes/ingress-nginx nginx version: nginx/1.25.3

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.5", GitCommit:"804d6167111f6858541cef440ccc53887fbbc96a", GitTreeState:"clean", BuildDate:"2022-12-08T10:15:02Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"28", GitVersion:"v1.28.10", GitCommit:"21be1d76a90bc00e2b0f6676a664bdf097224155", GitTreeState:"clean", BuildDate:"2024-05-22T15:00:24Z", GoVersion:"go1.21.9", Compiler:"gc", Platform:"linux/amd64"}

Environment:

k8s-ci-robot commented 1 month ago

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

longwuyuan commented 1 month ago

It's not creating the location block

```
% k create deploy httpd --image httpd:alpine --port 80
deployment.apps/httpd created
[~] 
% k expose deploy httpd --port 80
service/httpd exposed
[~] 
% k create ing httpd --class nginx --rule httpd.local/"*"=httpd:80 --annotation nginx.ingress.kubernetes.io/whitelist-source-range="1.1.1.1 2.2.2.2"
ingress.networking.k8s.io/httpd created
[~] 
% k describe ing httpd 
Name:             httpd
Labels:           <none>
Namespace:        default
Address:          192.168.49.2
Ingress Class:    nginx
Default backend:  <default>
Rules:
  Host         Path  Backends
  ----         ----  --------
  httpd.local  
               /   httpd:80 (10.244.0.104:80)
Annotations:   nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1 2.2.2.2
Events:
  Type    Reason  Age              From                      Message
  ----    ------  ----             ----                      -------
  Normal  Sync    1s (x2 over 6s)  nginx-ingress-controller  Scheduled for sync

$ kubectl -n ingress-nginx exec ingress-nginx-controller-6494fbd8fb-25r7f -- cat /etc/nginx/nginx.conf | grep -i 1.1.1.1

Location denied. Reason: "the annotation does not contain a valid IP address or network: invalid CIDR address: 1.1.1.1 2.2.2.2"
```

longwuyuan commented 1 month ago

Log message:

E0912 17:31:03.025233 7 annotations.go:216] "error reading Ingress annotation" err="the annotation does not contain a valid IP address or network: invalid CIDR address: 1.1.1.1 2.2.2.2" name="Allowlist" ingress="default/httpd"
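Added example, not part of the thread and not the controller's own code: a stand-alone Go check that a manifest pipeline could run on a `whitelist-source-range` value before the Ingress is applied, so a value like the one in this report is caught before admission. The function name `ValidateSourceRange` is hypothetical, and treating a bare IP as a single-host network (/32 or /128) is an assumption of this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ValidateSourceRange (hypothetical helper) checks one whitelist-source-range
// annotation value: a comma-separated list of CIDRs or bare IPs. It returns
// the normalized CIDRs, or an error naming the first entry that fails.
func ValidateSourceRange(value string) ([]string, error) {
	var cidrs []string
	for _, raw := range strings.Split(value, ",") {
		entry := strings.TrimSpace(raw)
		if entry == "" {
			return nil, fmt.Errorf("empty entry in %q", value)
		}
		// Accept CIDR notation first and normalize to the network address.
		if _, ipnet, err := net.ParseCIDR(entry); err == nil {
			cidrs = append(cidrs, ipnet.String())
			continue
		}
		// Otherwise the entry must be a single IP. "1.1.1.1 2.2.2.2"
		// (space instead of comma) arrives here as one entry and fails.
		ip := net.ParseIP(entry)
		if ip == nil {
			return nil, fmt.Errorf("invalid IP address or network %q", entry)
		}
		bits := 128 // assumption of this example: bare IP means one host
		if ip.To4() != nil {
			bits = 32
		}
		cidrs = append(cidrs, fmt.Sprintf("%s/%d", ip, bits))
	}
	return cidrs, nil
}

func main() {
	// Constructed sample values; the first is the value from the report.
	samples := []string{"1.1.1.1 2.2.2.2", "1.1.1.1,2.2.2.2", "10.0.0.0/8, 2001:db8::/32"}
	for _, v := range samples {
		cidrs, err := ValidateSourceRange(v)
		fmt.Printf("%-28q ok=%v cidrs=%v err=%v\n", v, err == nil, cidrs, err)
	}
}
```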

chengjoey commented 1 month ago

/assign

github-actions[bot] commented 3 weeks ago

This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.