teamhephy / router

MIT License

Some Annotations are not constrained #75

Closed kstych closed 2 years ago

kstych commented 2 years ago

Hi,

Some annotations, e.g. router.deis.io/nginx.gzip.disable, are not constrained and so it is possible to inject any custom configuration

Sample : router.deis.io/nginx.gzip.disable: msie6 ; server_tokens off

This can be an issue for security?

Thank you
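The issue describes an annotation value being templated verbatim into the nginx config, so a value containing `;` can append an extra directive. The following is an added illustration, not code from the router project: a constructed template fragment rendered unchecked beside a validating variant; the allow-list regex and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed fragment standing in for the router's nginx template: the
// annotation value is substituted verbatim, so a ';' in it can end the
// directive and start another one.
const gzipTemplate = "gzip_disable \"%s\";"

// RenderGzipDisable reproduces the unconstrained behaviour reported above.
func RenderGzipDisable(value string) string {
	return fmt.Sprintf(gzipTemplate, value)
}

// gzipDisablePattern is a hypothetical allow-list. nginx gzip_disable takes
// regexes matched against User-Agent (e.g. "msie6"), so accept letters,
// digits and a few regex metacharacters only; never ';', braces, quotes,
// '#' or newlines, which could terminate or comment out the directive.
var gzipDisablePattern = regexp.MustCompile(`^[A-Za-z0-9_.\-|^$*+?()\[\] ]+$`)

// ValidateGzipDisable returns nil when value is safe to template, or an
// error naming the first forbidden character or allow-list failure.
func ValidateGzipDisable(value string) error {
	if strings.TrimSpace(value) == "" {
		return fmt.Errorf("gzip.disable: empty value")
	}
	if idx := strings.IndexAny(value, ";{}\"'\n\r#"); idx >= 0 {
		return fmt.Errorf("gzip.disable: forbidden character %q at offset %d", value[idx], idx)
	}
	if !gzipDisablePattern.MatchString(value) {
		return fmt.Errorf("gzip.disable: value %q not in allow-list", value)
	}
	return nil
}

// RenderGzipDisableChecked is the constrained variant: validate, then template.
func RenderGzipDisableChecked(value string) (string, error) {
	if err := ValidateGzipDisable(value); err != nil {
		return "", err
	}
	return RenderGzipDisable(value), nil
}

func main() {
	for _, v := range []string{"msie6", "msie6 ; server_tokens off"} {
		out, err := RenderGzipDisableChecked(v)
		fmt.Printf("%-30q -> out=%q err=%v\n", v, out, err)
	}
}
```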

Cryptophobia commented 2 years ago

This can be an issue for security?

Yes, but only cluster admins or namespace admins would have access to this router deployment object, right? So as long as they do not inject something malicious they do not understand, then this should be fine for the threat model.