DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Security: Follow-up on recent changes. (#11874)

Browse source
This commit is contained in:
Marco Ebert 2024-08-26 22:09:16 +02:00 committed by GitHub
parent bde6a6bc3e
commit e9f6c8e8f2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 19 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/images.yaml vendored
View file

@ -141,7 +141,7 @@ jobs:
(needs.changes.outputs.kube-webhook-certgen == 'true')
strategy:
matrix:
k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0]
k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

4
charts/ingress-nginx/templates/_params.tpl
View file

@ -1,7 +1,7 @@
{{- define "ingress-nginx.params" -}}
- /nginx-ingress-controller
{{- if .Values.controller.enableAnnotationValidations }}
- --enable-annotation-validation=true
{{- if not .Values.controller.enableAnnotationValidations }}
- --enable-annotation-validation=false
{{- end }}
{{- if .Values.defaultBackend.enabled }}
- --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}

4
charts/ingress-nginx/templates/controller-configmap.yaml
View file

@ -13,7 +13,9 @@ metadata:
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
data:
allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
{{- if .Values.controller.allowSnippetAnnotations }}
allow-snippet-annotations: "true"
{{- end }}
{{- if .Values.controller.addHeaders }}
add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
{{- end }}

19
docs/user-guide/nginx-configuration/configmap.md
View file

@ -29,9 +29,9 @@ The following table shows a configuration option's name, type, and the default v
|:--------------------------------------------------------------------------------|:-------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------|
| [add-headers](#add-headers) | string | "" | |
| [allow-backend-server-header](#allow-backend-server-header) | bool | "false" | |
| [allow-cross-namespace-resources](#allow-cross-namespace-resources) | bool | "true" | |
| [allow-cross-namespace-resources](#allow-cross-namespace-resources) | bool | "false" | |
| [allow-snippet-annotations](#allow-snippet-annotations) | bool | "false" | |
| [annotations-risk-level](#annotations-risk-level) | string | Critical | |
| [annotations-risk-level](#annotations-risk-level) | string | High | |
| [annotation-value-word-blocklist](#annotation-value-word-blocklist) | string array | "" | |
| [hide-headers](#hide-headers) | string array | empty | |
| [access-log-params](#access-log-params) | string | "" | |
@ -221,7 +221,7 @@ The following table shows a configuration option's name, type, and the default v
| [service-upstream](#service-upstream) | bool | "false" | |
| [ssl-reject-handshake](#ssl-reject-handshake) | bool | "false" | |
| [debug-connections](#debug-connections) | []string | "127.0.0.1,1.1.1.1/24" | |
| [strict-validate-path-type](#strict-validate-path-type) | bool | "false" (v1.7.x) | |
| [strict-validate-path-type](#strict-validate-path-type) | bool | "true" | |
| [grpc-buffer-size-kb](#grpc-buffer-size-kb) | int | 0 | |
## add-headers
@ -234,18 +234,16 @@ Enables the return of the header Server from the backend instead of the generic
## allow-cross-namespace-resources
Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ true
Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ false
**Annotations that may be impacted with this change**:
* `auth-secret`
* `auth-proxy-set-header`
* `auth-tls-secret`
* `fastcgi-params-configmap`
* `proxy-ssl-secret`
**This option will be defaulted to false in the next major release**
## allow-snippet-annotations
Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `false`
@ -253,15 +251,13 @@ Enables Ingress to parse and add *-snippet annotations/directives created by the
Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this
may allow a user to add restricted configurations to the final nginx.conf file
**This option will be defaulted to false in the next major release**
## annotations-risk-level
Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted.
Accepted values are `Critical`, `High`, `Medium` and `Low`.
Defaults to `Critical` but will be changed to `High` on the next minor release
_**default:**_ `High`
## annotation-value-word-blocklist
@ -1364,6 +1360,7 @@ _References:_
[http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection)
## strict-validate-path-type
Ingress objects contains a field called pathType that defines the proxy behavior. It can be `Exact`, `Prefix` and `ImplementationSpecific`.
When pathType is configured as `Exact` or `Prefix`, there should be a more strict validation, allowing only paths starting with "/" and
@ -1377,6 +1374,8 @@ This means that Ingress objects that rely on paths containing regex characters s
The cluster admin should establish validation rules using mechanisms like [Open Policy Agent](https://www.openpolicyagent.org/) to
validate that only authorized users can use `ImplementationSpecific` pathType and that only the authorized characters can be used.
_**default:**_ "true"
## grpc-buffer-size-kb
Sets the configuration for the GRPC Buffer Size parameter. If not set it will use the default from NGINX.

2
internal/ingress/resolver/mock.go
View file

@ -39,7 +39,7 @@ func (m Mock) GetDefaultBackend() defaults.Backend {
func (m Mock) GetSecurityConfiguration() defaults.SecurityConfiguration {
defRisk := m.AnnotationsRiskLevel
if defRisk == "" {
defRisk = "Critical"
defRisk = "High"
}
return defaults.SecurityConfiguration{
AnnotationsRiskLevel: defRisk,

2
pkg/flags/flags.go
View file

@ -160,7 +160,7 @@ Requires the update-status parameter.`)
`Prefix of the Ingress annotations specific to the NGINX controller.`)
enableAnnotationValidation = flags.Bool("enable-annotation-validation", true,
`If true, will enable the annotation validation feature. This value will be defaulted to true on a future release`)
`If true, will enable the annotation validation feature. Defaults to true`)
enableSSLChainCompletion = flags.Bool("enable-ssl-chain-completion", false,
`Autocomplete SSL certificate chains with missing intermediate CA certificates.

12
test/e2e/settings/proxy_host.go
View file

@ -58,16 +58,8 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() {
})
ginkgo.It("should exist a proxy_host using the upstream-vhost annotation value", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
"annotations-risk-level": "Critical", // To allow Configuration Snippet
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
"annotations-risk-level": "High",
})
}()
disableSnippet := f.AllowSnippetConfiguration()
defer disableSnippet()
upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService)
upstreamVHost := "different.host"

1
test/e2e/wait-for-nginx.sh
View file

@ -58,7 +58,6 @@ else
# TODO: remove the need to use fullnameOverride
fullnameOverride: nginx-ingress
controller:
enableAnnotationValidations: true
image:
repository: ingress-controller/controller
chroot: ${IS_CHROOT}