Use a better name for annotation risk
parent
65997ac6d0
commit
7ce93ae0c4
47 changed files with 57 additions and 57 deletions
|
@ -31,7 +31,7 @@ The following table shows a configuration option's name, type, and the default v
|
|||
|[allow-backend-server-header](#allow-backend-server-header)|bool|"false"||
|
||||
|[allow-cross-namespace-resources](#allow-cross-namespace-resources)|bool|"true"||
|
||||
|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true||
|
||||
|[annotation-risk](#annotation-risk)|string|Critical||
|
||||
|[annotations-risk-level](#annotations-risk-level)|string|Critical||
|
||||
|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""||
|
||||
|[hide-headers](#hide-headers)|string array|empty||
|
||||
|[access-log-params](#access-log-params)|string|""||
|
||||
|
@ -264,7 +264,7 @@ may allow a user to add restricted configurations to the final nginx.conf file
|
|||
|
||||
**This option will be defaulted to false in the next major release**
|
||||
|
||||
## annotation-risk
|
||||
## annotations-risk-level
|
||||
|
||||
Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted.
|
||||
|
||||
|
|
|
@ -88,6 +88,6 @@ func (a alias) Parse(ing *networking.Ingress) (interface{}, error) {
|
|||
}
|
||||
|
||||
func (a alias) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, aliasAnnotation.Annotations)
|
||||
}
|
||||
|
|
|
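Review bot: The renamed line `maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)` is the same two-line body repeated in every Validate method this commit touches (auth, authReq, authReqGlobal, authTLS, backendProtocol, canary, … upstreamVhost, xforwardedprefix), which is why a single field rename spans 38 annotation files. A helper in the parser package that resolves the accepted level internally, for example a proposed `return parser.ValidateAnnotationsRisk(a.r, anns, aliasAnnotation.Annotations)`, would make the next such change a one-line edit and guarantee every annotation applies the identical risk check. The preceding Parse method starts outside the hunk.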
@ -277,6 +277,6 @@ func (a auth) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a auth) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, authSecretAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -504,6 +504,6 @@ func (a authReq) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a authReq) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, authReqAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -69,6 +69,6 @@ func (a authReqGlobal) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a authReqGlobal) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, globalAuthAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -217,6 +217,6 @@ func (a authTLS) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a authTLS) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, authTLSAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -83,6 +83,6 @@ func (a backendProtocol) Parse(ing *networking.Ingress) (interface{}, error) {
|
|||
}
|
||||
|
||||
func (a backendProtocol) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, backendProtocolConfig.Annotations)
|
||||
}
|
||||
|
|
|
@ -190,6 +190,6 @@ func (c canary) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a canary) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, CanaryAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -66,6 +66,6 @@ func (cbbs clientBodyBufferSize) Parse(ing *networking.Ingress) (interface{}, er
|
|||
}
|
||||
|
||||
func (a clientBodyBufferSize) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, clientBodyBufferSizeConfig.Annotations)
|
||||
}
|
||||
|
|
|
@ -102,6 +102,6 @@ func (a connection) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a connection) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, connectionHeadersAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -261,6 +261,6 @@ func (c cors) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a cors) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, corsAnnotation.Annotations)
|
||||
}
|
||||
|
|
|
@ -89,6 +89,6 @@ func (e customhttperrors) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a customhttperrors) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, customHTTPErrorsAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -77,6 +77,6 @@ func (db backend) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a backend) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, defaultBackendAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -162,6 +162,6 @@ func (a fastcgi) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a fastcgi) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, fastCGIAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -175,6 +175,6 @@ func (a globalratelimit) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a globalratelimit) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, globalRateLimitAnnotationConfig.Annotations)
|
||||
}
|
||||
|
|
|
@ -63,6 +63,6 @@ func (h2pp http2PushPreload) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a http2PushPreload) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, http2PushPreloadAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -128,6 +128,6 @@ func (a ipallowlist) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a ipallowlist) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, allowlistAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -125,6 +125,6 @@ func (a ipdenylist) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a ipdenylist) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, denylistAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -69,6 +69,6 @@ func (a loadbalancing) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a loadbalancing) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, loadBalanceAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -102,6 +102,6 @@ func (l log) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a log) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, logAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -163,6 +163,6 @@ func (a mirror) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a mirror) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, mirrorAnnotation.Annotations)
|
||||
}
|
||||
|
|
|
@ -155,6 +155,6 @@ func (a modSecurity) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a modSecurity) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, modsecurityAnnotation.Annotations)
|
||||
}
|
||||
|
|
|
@ -151,6 +151,6 @@ func (c opentelemetry) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a opentelemetry) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, otelAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -108,6 +108,6 @@ func (s opentracing) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a opentracing) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, opentracingAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -68,6 +68,6 @@ func (a portInRedirect) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a portInRedirect) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, portsInRedirectAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -359,6 +359,6 @@ func (a proxy) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a proxy) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, proxyAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -261,6 +261,6 @@ func (p proxySSL) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a proxySSL) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, proxySSLAnnotation.Annotations)
|
||||
}
|
||||
|
|
|
@ -296,6 +296,6 @@ func (a ratelimit) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a ratelimit) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, rateLimitAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -179,6 +179,6 @@ func (a redirect) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a redirect) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, redirectAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -210,6 +210,6 @@ func (a rewrite) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a rewrite) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, rewriteAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -70,6 +70,6 @@ func (s satisfy) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a satisfy) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, satisfyAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -64,6 +64,6 @@ func (a serverSnippet) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a serverSnippet) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, serverSnippetAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -70,6 +70,6 @@ func (s serviceUpstream) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a serviceUpstream) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, serviceUpstreamAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -299,6 +299,6 @@ func (a affinity) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a affinity) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, sessionAffinityAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -64,6 +64,6 @@ func (a snippet) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a snippet) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, configurationSnippetAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -105,6 +105,6 @@ func (sc sslCipher) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a sslCipher) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, sslCipherAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -67,6 +67,6 @@ func (a sslpt) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a sslpt) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, sslPassthroughAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -64,6 +64,6 @@ func (a streamSnippet) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a streamSnippet) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, streamSnippetAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -109,6 +109,6 @@ func (a upstreamhashby) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a upstreamhashby) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, upstreamHashByAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -65,6 +65,6 @@ func (a upstreamVhost) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a upstreamVhost) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, upstreamVhostAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -63,6 +63,6 @@ func (cbbs xforwardedprefix) GetDocumentation() parser.AnnotationFields {
|
|||
}
|
||||
|
||||
func (a xforwardedprefix) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk)
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, xForwardedForAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
@ -103,10 +103,10 @@ type Configuration struct {
|
|||
// This value will default to `false` on future releases
|
||||
AllowCrossNamespaceResources bool `json:"allow-cross-namespace-resources"`
|
||||
|
||||
// AnnotationsRisk represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations
|
||||
// AnnotationsRiskLevel represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations
|
||||
// with risk High and Critical will not be accepted.
|
||||
// Default Risk is Critical by default, but this may be changed in future releases
|
||||
AnnotationsRisk string `json:"annotations-risk"`
|
||||
AnnotationsRiskLevel string `json:"annotations-risk-level"`
|
||||
|
||||
// AnnotationValueWordBlocklist defines words that should not be part of an user annotation value
|
||||
// (can be used to run arbitrary code or configs, for example) and that should be dropped.
|
||||
|
@ -719,7 +719,7 @@ type Configuration struct {
|
|||
|
||||
// DatadogSampleRate specifies sample rate for any traces created.
|
||||
// Default: use a dynamic rate instead
|
||||
DatadogSampleRate *float32 `json:"datadog-sample-rate",omitempty`
|
||||
DatadogSampleRate *float32 `json:"datadog-sample-rate,omitempty"`
|
||||
|
||||
// MainSnippet adds custom configuration to the main section of the nginx configuration
|
||||
MainSnippet string `json:"main-snippet"`
|
||||
|
@ -867,7 +867,7 @@ func NewDefault() Configuration {
|
|||
AllowCrossNamespaceResources: true,
|
||||
AllowBackendServerHeader: false,
|
||||
AnnotationValueWordBlocklist: "",
|
||||
AnnotationsRisk: "Critical",
|
||||
AnnotationsRiskLevel: "Critical",
|
||||
AccessLogPath: "/var/log/nginx/access.log",
|
||||
AccessLogParams: "",
|
||||
EnableAccessLogForDefaultBackend: false,
|
||||
|
|
|
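Review bot: Changing the struct tag to `json:"annotations-risk-level"` on the renamed field means a ConfigMap that still carries the old `annotations-risk` key is no longer read, and the field falls back to `AnnotationsRiskLevel: "Critical"` from NewDefault in the third hunk, so an operator who had tightened the accepted level to Low or Medium silently loses that restriction on upgrade. Unless the ConfigMap reader rejects unknown keys (not visible here), consider reading the old key as a deprecated alias for one release or at least logging a warning when it is present, and calling out the rename in the release notes. The `DatadogSampleRate` tag fix in the second hunk is a genuine correctness fix (`,omitempty` sat outside the quoted value, so encoding/json never saw it) but is unrelated to the rename and would be easier to find later in its own commit. The Configuration struct and NewDefault both extend beyond the hunks shown.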
@ -75,7 +75,7 @@ func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration {
|
|||
|
||||
func (fis fakeIngressStore) GetSecurityConfiguration() defaults.SecurityConfiguration {
|
||||
return defaults.SecurityConfiguration{
|
||||
AnnotationsRisk: fis.configuration.AnnotationsRisk,
|
||||
AnnotationsRiskLevel: fis.configuration.AnnotationsRiskLevel,
|
||||
AllowCrossNamespaceResources: fis.configuration.AllowCrossNamespaceResources,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1145,7 +1145,7 @@ func (s *k8sStore) GetSecurityConfiguration() defaults.SecurityConfiguration {
|
|||
|
||||
secConfig := defaults.SecurityConfiguration{
|
||||
AllowCrossNamespaceResources: s.backendConfig.AllowCrossNamespaceResources,
|
||||
AnnotationsRisk: s.backendConfig.AnnotationsRisk,
|
||||
AnnotationsRiskLevel: s.backendConfig.AnnotationsRiskLevel,
|
||||
}
|
||||
return secConfig
|
||||
}
|
||||
|
|
|
@ -178,7 +178,7 @@ type SecurityConfiguration struct {
|
|||
// This valid will default to `false` on future releases
|
||||
AllowCrossNamespaceResources bool `json:"allow-cross-namespace-resources"`
|
||||
|
||||
// AnnotationsRisk represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations
|
||||
// AnnotationsRiskLevel represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations
|
||||
// with risk High and Critical will not be accepted
|
||||
AnnotationsRisk string `json:"annotations-risk"`
|
||||
AnnotationsRiskLevel string `json:"annotations-risk-level"`
|
||||
}
|
||||
|
|
|
@ -26,9 +26,9 @@ import (
|
|||
|
||||
// Mock implements the Resolver interface
|
||||
type Mock struct {
|
||||
ConfigMaps map[string]*apiv1.ConfigMap
|
||||
AnnotationRisk string
|
||||
AllowCrossNamespace bool
|
||||
ConfigMaps map[string]*apiv1.ConfigMap
|
||||
AnnotationsRiskLevel string
|
||||
AllowCrossNamespace bool
|
||||
}
|
||||
|
||||
// GetDefaultBackend returns the backend that must be used as default
|
||||
|
@ -37,12 +37,12 @@ func (m Mock) GetDefaultBackend() defaults.Backend {
|
|||
}
|
||||
|
||||
func (m Mock) GetSecurityConfiguration() defaults.SecurityConfiguration {
|
||||
defRisk := m.AnnotationRisk
|
||||
defRisk := m.AnnotationsRiskLevel
|
||||
if defRisk == "" {
|
||||
defRisk = "Critical"
|
||||
}
|
||||
return defaults.SecurityConfiguration{
|
||||
AnnotationsRisk: defRisk,
|
||||
AnnotationsRiskLevel: defRisk,
|
||||
AllowCrossNamespaceResources: m.AllowCrossNamespace,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -34,7 +34,7 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() {
|
|||
host := "annotation-validations"
|
||||
|
||||
// Low and Medium Risk annotations should be allowed, the rest should be denied
|
||||
f.UpdateNginxConfigMapData("annotations-risk", "Medium")
|
||||
f.UpdateNginxConfigMapData("annotations-risk-level", "Medium")
|
||||
// Sleep a while just to guarantee that the configmap is applied
|
||||
framework.Sleep()
|
||||
|
||||
|
@ -61,7 +61,7 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() {
|
|||
host := "annotation-validations"
|
||||
|
||||
// Low and Medium Risk annotations should be allowed, the rest should be denied
|
||||
f.UpdateNginxConfigMapData("annotations-risk", "Medium")
|
||||
f.UpdateNginxConfigMapData("annotations-risk-level", "Medium")
|
||||
// Sleep a while just to guarantee that the configmap is applied
|
||||
framework.Sleep()
|
||||
|
||||
|
|