Closed ghouscht closed 5 years ago
This should have been fixed here: https://github.com/kubernetes/ingress-nginx/pull/3182 which was released in 0.20.0. Are you sure that you're running this version or later?
Thanks for the hint, I somehow missed that. Version should be 0.21.0, but now I'm a bit concerned if it really is. I'm out of the office now, will check again tomorrow.
We're definitly using version 0.21.0 of nginx-ingress-controller, see details below:
nginx-ingress-controller:
Container ID: docker://7c00cfcc65272672ddfe34521d48d19c81a65cb23cbd9a3f7f672d0b18987f33
Image: quay-docker-remote.repo.pnet.ch/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
Image ID: docker-pullable://quay-docker-remote.repo.pnet.ch/kubernetes-ingress-controller/nginx-ingress-controller@sha256:617076c3e3d4d0638a4927702530d8456bda64c67194f6daed272a59e93b992f
Image name is a bit confusing, it's just a simple pull-through our artifactory instance from quay.io, that's why the image name is different. Hash of the image matches the one from quay.io for version 0.21.0: sha256:617076c3e3d4d0638a4927702530d8456bda64c67194f6daed272a59e93b992f
I ran the reproduction on two different installations (one with version 0.20.0 and the other with version 0.21.0), the behaviour is the same as described in my first post. Looks like https://github.com/kubernetes/ingress-nginx/pull/3182 doesn't fix the problem. I'll have a look at the code and try to understand why this happens.
Looks like I did a small, but important mistake.... As per use-regex docs the annotation expects a string in this form:
nginx.ingress.kubernetes.io/use-regex: "true"
I used a bool in the following form:
nginx.ingress.kubernetes.io/use-regex: true
A simple kubectl get ingress -o yaml
shows, that the annotation is lost if the second form is used. On first sight thats not really obvious for a normal user and can be missed easily.
If you're a bit familiar with the k8s api, this should be quite obvious (however I also missed it on first sight), because the api defines an annotation as map[string]string
, which in turn explains that the annotation is lost if the value is not a string.
The only thing which is probably worth a discousion, is that a "normal" user with permissions to create an ingress, can possibly break the ingress of an entire cluster by simply putting a curly brace in the path field either
I can handle all those cases by writing a simple validating admission controller but probably it's worth to go the safe way and handle this for all users in the nginx ingress directly. I don't know if this is the "way to go" if so, please let me know, I'm happy to help out here with a PR and some opinions on how to do that, if not I'll close this issue. Thank you for your help.
The only thing which is probably worth a discousion, is that a "normal" user with permissions to create an ingress, can possibly break the ingress of an entire cluster
@ghouscht this is a known issue and it sucks. I'll create a Github issue to make it explicit and discuss possible solutions. Here's another report of this: https://github.com/kubernetes/ingress-nginx/issues/3435
Sounds good. I'll close this issue.
https://github.com/kubernetes/ingress-nginx/issues/3155 describes the same issue, but is closed without a soultion. I hope it's ok to open a new issue.
Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG
NGINX Ingress controller version: 0.21.0
Kubernetes version (use
kubectl version
):Environment:
uname -a
): 3.10.0-862.11.6.el7.x86_64What happened: Nginx config is broken if someone uses curly braces in the
path
directive, resulting in the following error:rendered config:
What you expected to happen: Not to break the ingress of a whole cluster simply by using curly braces in the path.
How to reproduce it (as minimally and precisely as possible): Apply the following ingress definition and watch the logs of your ingress:
Reloading of the ingress now fails forever (or at least until the created ingress is removed), which will sooner or later disturbe other things running in the same cluster.
Anything else we need to know: Putting single quotes around the location directive in the nginx template L1016 seems to solve the problem.
Nginx docs quote:
I'm happy to help out with a PR here, for either putting quotes around the directives in the nginx template or to handle this somewhere in the code (maybe also with proper escaping of special chars to handle this kind of problems better).