diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml
index fe83f1dd3..63a72dd3a 100644
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
@@ -141,7 +141,7 @@ jobs:
 (needs.changes.outputs.kube-webhook-certgen == 'true')
 strategy:
 matrix:
- k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0]
+ k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
 steps:
 - name: Checkout
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl
index 48569a8b0..763e55570 100644
--- a/charts/ingress-nginx/templates/_params.tpl
+++ b/charts/ingress-nginx/templates/_params.tpl
@@ -1,7 +1,7 @@
 {{- define "ingress-nginx.params" -}}
 - /nginx-ingress-controller
-{{- if .Values.controller.enableAnnotationValidations }}
-- --enable-annotation-validation=true
+{{- if not .Values.controller.enableAnnotationValidations }}
+- --enable-annotation-validation=false
 {{- end }}
 {{- if .Values.defaultBackend.enabled }}
 - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
index 22080d115..b73cdc2d0 100644
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -13,7 +13,9 @@ metadata:
 name: {{ include "ingress-nginx.controller.fullname" . }}
 namespace: {{ include "ingress-nginx.namespace" . }}
 data:
- allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
+{{- if .Values.controller.allowSnippetAnnotations }}
+ allow-snippet-annotations: "true"
+{{- end }}
 {{- if .Values.controller.addHeaders }}
 add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
 {{- end }}
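Review bot: The negated condition in `_params.tpl` makes the chart's effective default depend on `.Values.controller.enableAnnotationValidations`, and this commit does not show values.yaml changing: if that value still defaults to `false`, every default install now renders `--enable-annotation-validation=false` and explicitly opts out of the validation the controller flag default (`true`, visible in the flags.go hunk) is meant to provide. The wait-for-nginx.sh hunk removes the explicit `enableAnnotationValidations: true` on the same assumption, so the e2e suite would also run unvalidated without anyone noticing. Please confirm values.yaml flips the default to `true` as part of this change, and consider a template comment such as `{{/* validation is on by default in the controller; only the opt-out is rendered */}}` so the inverted test reads as intentional rather than accidental.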
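Review bot: Dropping the explicit `allow-snippet-annotations: "false"` key in `controller-configmap.yaml` means the rendered ConfigMap no longer records the effective setting, and the chart now relies on the controller binary's built-in default being `false`. The chart image tag can be overridden, and the removed doc line ("will be defaulted to false in the next major release") suggests older controller images defaulted this differently, in which case snippets would be enabled with no trace in the rendered manifest. Emitting the key in both branches, `{{- else }}` followed by `allow-snippet-annotations: "false"`, costs one line and keeps the effective snippet policy auditable from the manifest alone; the values.yaml default for `controller.allowSnippetAnnotations` is not visible here and should be confirmed to be `false`.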
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 51896e3a1..c2e6935d5 100644
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -29,9 +29,9 @@ The following table shows a configuration option's name, type, and the default v
 |:--------------------------------------------------------------------------------|:-------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------|
 | [add-headers](#add-headers) | string | "" | |
 | [allow-backend-server-header](#allow-backend-server-header) | bool | "false" | |
-| [allow-cross-namespace-resources](#allow-cross-namespace-resources) | bool | "true" | |
+| [allow-cross-namespace-resources](#allow-cross-namespace-resources) | bool | "false" | |
 | [allow-snippet-annotations](#allow-snippet-annotations) | bool | "false" | |
-| [annotations-risk-level](#annotations-risk-level) | string | Critical | |
+| [annotations-risk-level](#annotations-risk-level) | string | High | |
 | [annotation-value-word-blocklist](#annotation-value-word-blocklist) | string array | "" | |
 | [hide-headers](#hide-headers) | string array | empty | |
 | [access-log-params](#access-log-params) | string | "" | |
@@ -221,7 +221,7 @@ The following table shows a configuration option's name, type, and the default v
 | [service-upstream](#service-upstream) | bool | "false" | |
 | [ssl-reject-handshake](#ssl-reject-handshake) | bool | "false" | |
 | [debug-connections](#debug-connections) | []string | "127.0.0.1,1.1.1.1/24" | |
-| [strict-validate-path-type](#strict-validate-path-type) | bool | "false" (v1.7.x) | |
+| [strict-validate-path-type](#strict-validate-path-type) | bool | "true" | |
 | [grpc-buffer-size-kb](#grpc-buffer-size-kb) | int | 0 | |
 
 ## add-headers
@@ -234,18 +234,16 @@ Enables the return of the header Server from the backend instead of the generic
 ## allow-cross-namespace-resources
-Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ true
+Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ false
 **Annotations that may be impacted with this change**:
+
 * `auth-secret`
 * `auth-proxy-set-header`
 * `auth-tls-secret`
 * `fastcgi-params-configmap`
 * `proxy-ssl-secret`
-
-**This option will be defaulted to false in the next major release**
-
 ## allow-snippet-annotations
 Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `false`
@@ -253,15 +251,13 @@ Enables Ingress to parse and add *-snippet annotations/directives created by the
 Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this may allow a user to add restricted configurations to the final nginx.conf file
-
-**This option will be defaulted to false in the next major release**
-
 ## annotations-risk-level
 Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted. Accepted values are `Critical`, `High`, `Medium` and `Low`.
-Defaults to `Critical` but will be changed to `High` on the next minor release
+_**default:**_ `High`
 ## annotation-value-word-blocklist
@@ -1364,6 +1360,7 @@ _References:_
 [http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection)
 ## strict-validate-path-type
+
 Ingress objects contains a field called pathType that defines the proxy behavior. It can be `Exact`, `Prefix` and `ImplementationSpecific`. When pathType is configured as `Exact` or `Prefix`, there should be a more strict validation, allowing only paths starting with "/" and
@@ -1377,6 +1374,8 @@ This means that Ingress objects that rely on paths containing regex characters s
 The cluster admin should establish validation rules using mechanisms like [Open Policy Agent](https://www.openpolicyagent.org/) to validate that only authorized users can use `ImplementationSpecific` pathType and that only the authorized characters can be used.
+_**default:**_ "true"
+
 ## grpc-buffer-size-kb
 Sets the configuration for the GRPC Buffer Size parameter. If not set it will use the default from NGINX.
diff --git a/internal/ingress/resolver/mock.go b/internal/ingress/resolver/mock.go
index 679c3b13c..5a36155e9 100644
--- a/internal/ingress/resolver/mock.go
+++ b/internal/ingress/resolver/mock.go
@@ -39,7 +39,7 @@ func (m Mock) GetDefaultBackend() defaults.Backend {
 func (m Mock) GetSecurityConfiguration() defaults.SecurityConfiguration {
 defRisk := m.AnnotationsRiskLevel
 if defRisk == "" {
- defRisk = "Critical"
+ defRisk = "High"
 }
 return defaults.SecurityConfiguration{
 AnnotationsRiskLevel: defRisk,
diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go
index 6f62f75b5..a64a37193 100644
--- a/pkg/flags/flags.go
+++ b/pkg/flags/flags.go
@@ -160,7 +160,7 @@ Requires the update-status parameter.`)
 `Prefix of the Ingress annotations specific to the NGINX controller.`)
 
 enableAnnotationValidation = flags.Bool("enable-annotation-validation", true,
- `If true, will enable the annotation validation feature. This value will be defaulted to true on a future release`)
+ `If true, will enable the annotation validation feature. Defaults to true`)
 
 enableSSLChainCompletion = flags.Bool("enable-ssl-chain-completion", false,
 `Autocomplete SSL certificate chains with missing intermediate CA certificates.
diff --git a/test/e2e/settings/proxy_host.go b/test/e2e/settings/proxy_host.go
index 3ce86127e..bb5dc9c01 100644
--- a/test/e2e/settings/proxy_host.go
+++ b/test/e2e/settings/proxy_host.go
@@ -58,16 +58,8 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() {
 })
 
 ginkgo.It("should exist a proxy_host using the upstream-vhost annotation value", func() {
- f.SetNginxConfigMapData(map[string]string{
- "allow-snippet-annotations": "true",
- "annotations-risk-level": "Critical", // To allow Configuration Snippet
- })
- defer func() {
- f.SetNginxConfigMapData(map[string]string{
- "allow-snippet-annotations": "false",
- "annotations-risk-level": "High",
- })
- }()
+ disableSnippet := f.AllowSnippetConfiguration()
+ defer disableSnippet()
 
 upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService)
 upstreamVHost := "different.host"
diff --git a/test/e2e/wait-for-nginx.sh b/test/e2e/wait-for-nginx.sh
index 506c4e03f..73023aba1 100755
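Review bot: `GetSecurityConfiguration` in mock.go hard-codes the fallback `"High"` as a second copy of the controller's default annotation risk level; the previous value `"Critical"` had to be edited here in lockstep with the production default, and the same drift will recur the next time the default moves. If the `defaults` package exposes the default as a named constant, prefer `defRisk = defaults.<DEFAULT_RISK_CONST>` (placeholder, use the actual identifier); otherwise a comment on the assignment, `// keep in sync with the controller's annotations-risk-level default`, at least flags the coupling to the next maintainer. The function body continues past the end of the hunk.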
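Review bot: The removed setup in proxy_host.go explicitly raised `annotations-risk-level` to `Critical` because, per the deleted comment, the Configuration Snippet this test relies on is only accepted at that level, which is above the new default of `High`; the replacement `f.AllowSnippetConfiguration()` is not in this diff, so it is not visible whether the helper also raises the risk level or only sets `allow-snippet-annotations`. If it does only the latter, the snippet annotation is rejected under the default and the test either fails or passes without exercising the snippet path. Once confirmed, a one-line comment at the call site, `// also raises annotations-risk-level so the Configuration Snippet is accepted`, would preserve the intent the deleted inline comment carried. The `ginkgo.It` closure continues past the end of the hunk.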
--- a/test/e2e/wait-for-nginx.sh
+++ b/test/e2e/wait-for-nginx.sh
@@ -58,7 +58,6 @@ else
 # TODO: remove the need to use fullnameOverride
 fullnameOverride: nginx-ingress
 controller:
- enableAnnotationValidations: true
 image:
 repository: ingress-controller/controller
 chroot: ${IS_CHROOT}