
The validating webhook does not prevent resource creation with invalid annotations

Open volver-13 opened this issue 1 year ago • 5 comments

What happened:

Create the below bad-ingress with the nginx.ingress.kubernetes.io/whitelist-source-range annotation set to the invalid value 1.1.1.1 2.2.2.2. The Ingress object gets created even though the whitelist-source-range value is incorrect (missing comma between IP addresses).

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1 2.2.2.2
  name: bad-ingress.com
  namespace: default
spec:
  ingressClassName: nginx-public
  rules:
  - host: memoapp.com
    http:
      paths:
      - backend:
          service:
            name: memoapp
            port:
              name: http
        path: /
        pathType: ImplementationSpecific

The behavior is the same regardless of the enableAnnotationValidations value.

Ingress controller fails with the following errors once the resource is created:

ingress-nginx-public-controller-68969c4b6f-xxd8c controller W0912 13:55:00.658197       7 validators.go:237] validation error on ingress default/bad-ingress.com: annotation allowlist-source-range contains invalid value 1.1.1.1 2.2.2.2
ingress-nginx-public-controller-68969c4b6f-xxd8c controller E0912 13:55:00.658231       7 annotations.go:213] "error reading Ingress annotation" err="annotation nginx.ingress.kubernetes.io/whitelist-source-range contains invalid value" name="Allowlist" ingress="default/bad-ingress.com"

What you expected to happen:

Ideally, the validating webhook should reject the creation of this ingress object.

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

NGINX Ingress controller Release: v1.10.0 Build: 71f78d49f0a496c31d4c19f095469f3f23900f8a Repository: https://github.com/kubernetes/ingress-nginx nginx version: nginx/1.25.3

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.5", GitCommit:"804d6167111f6858541cef440ccc53887fbbc96a", GitTreeState:"clean", BuildDate:"2022-12-08T10:15:02Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"28", GitVersion:"v1.28.10", GitCommit:"21be1d76a90bc00e2b0f6676a664bdf097224155", GitTreeState:"clean", BuildDate:"2024-05-22T15:00:24Z", GoVersion:"go1.21.9", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: Azure AKS

  • How was the ingress-nginx-controller installed: ArgoCD deployment (helm chart 4.10.0)

volver-13 avatar Sep 12 '24 14:09 volver-13

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Sep 12 '24 14:09 k8s-ci-robot

It's not creating the location block

% k create deploy httpd --image httpd:alpine --port 80
deployment.apps/httpd created
[~] 
% k expose deploy httpd --port 80
service/httpd exposed
[~] 
% k create ing httpd --class nginx --rule httpd.local/"*"=httpd:80 --annotation nginx.ingress.kubernetes.io/whitelist-source-range="1.1.1.1 2.2.2.2"
ingress.networking.k8s.io/httpd created
[~] 
% k describe ing httpd 
Name:             httpd
Labels:           <none>
Namespace:        default
Address:          192.168.49.2
Ingress Class:    nginx
Default backend:  <default>
Rules:
  Host         Path  Backends
  ----         ----  --------
  httpd.local  
               /   httpd:80 (10.244.0.104:80)
Annotations:   nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1 2.2.2.2
Events:
  Type    Reason  Age              From                      Message
  ----    ------  ----             ----                      -------
  Normal  Sync    1s (x2 over 6s)  nginx-ingress-controller  Scheduled for sync

$ kubectl -n ingress-nginx exec ingress-nginx-controller-6494fbd8fb-25r7f -- cat /etc/nginx/nginx.conf | grep -i 1.1.1.1 # Location denied. Reason: "the annotation does not contain a valid IP address or network: invalid CIDR address: 1.1.1.1 2.2.2.2"

longwuyuan avatar Sep 12 '24 17:09 longwuyuan

log message:

E0912 17:31:03.025233 7 annotations.go:216] "error reading Ingress annotation" err="the annotation does not contain a valid IP address or network: invalid CIDR address: 1.1.1.1 2.2.2.2" name="Allowlist" ingress="default/httpd"

longwuyuan avatar Sep 12 '24 17:09 longwuyuan

/assign

chengjoey avatar Sep 13 '24 08:09 chengjoey

This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.

github-actions[bot] avatar Oct 14 '24 02:10 github-actions[bot]

I stepped onto this issue too. I am not sure what is the best approach here. The log error is great but since the Ingress Nightmare CVEs many would rely on the validation of annotations. IMHO if an annotation does not pass the validation when controller.enableAnnotationValidations is true the admission should fail and the Ingress shouldn't be created or updated.

kheraud avatar Oct 06 '25 12:10 kheraud
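The following Go program is an added illustration of the admission-time check that the original report and kheraud's comment ask for; it is not code from the ingress-nginx project or from anyone in this thread. ValidateSourceRange re-implements, in simplified form, how a comma-separated allowlist is parsed (each entry must be a CIDR or a single IP, with bare IPs normalised to /32 or /128; this normalisation is an assumption about the real parser), so the reported value "1.1.1.1 2.2.2.2" fails on the first entry because the missing comma fuses two addresses into one token, exactly as the controller's "invalid CIDR address" log line describes. AdmitIngressAnnotations is a hypothetical webhook handler that turns that parse failure into a denial instead of letting the object through and logging at sync time. The annotation key and the sample values are taken from the thread; the function names are the author's own.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Annotation key the report is about (taken from the issue text).
const allowlistAnnotation = "nginx.ingress.kubernetes.io/whitelist-source-range"

// ValidateSourceRange parses a comma-separated list of CIDRs or bare IPs, the
// format whitelist-source-range expects. Illustrative re-implementation, not
// the controller's own parser: each entry must be a CIDR (net.ParseCIDR) or a
// single IP, which is normalised to /32 or /128 (assumed behaviour).
// It returns the normalised networks, or an error naming the first bad entry.
func ValidateSourceRange(value string) ([]string, error) {
	var nets []string
	for _, raw := range strings.Split(value, ",") {
		entry := strings.TrimSpace(raw)
		if entry == "" {
			return nil, fmt.Errorf("the annotation contains an empty entry")
		}
		if _, ipnet, err := net.ParseCIDR(entry); err == nil {
			nets = append(nets, ipnet.String())
			continue
		}
		ip := net.ParseIP(entry)
		if ip == nil {
			// "1.1.1.1 2.2.2.2" lands here: it is neither a CIDR nor a single
			// IP, because the missing comma made two addresses one entry.
			return nil, fmt.Errorf("the annotation does not contain a valid IP address or network: %q", entry)
		}
		if ip4 := ip.To4(); ip4 != nil {
			nets = append(nets, ip4.String()+"/32")
		} else {
			nets = append(nets, ip.String()+"/128")
		}
	}
	return nets, nil
}

// AdmitIngressAnnotations is a hypothetical webhook step: refuse the object
// when a known annotation fails parsing, rather than admitting it and only
// logging the problem when the controller syncs. The map stands in for
// metadata.annotations of the Ingress.
func AdmitIngressAnnotations(annotations map[string]string) error {
	value, ok := annotations[allowlistAnnotation]
	if !ok {
		return nil // annotation absent: nothing to validate
	}
	if _, err := ValidateSourceRange(value); err != nil {
		return fmt.Errorf("admission denied: annotation %s: %w", allowlistAnnotation, err)
	}
	return nil
}

func main() {
	// Constructed samples: the invalid value from the report beside a valid one.
	for _, v := range []string{"1.1.1.1 2.2.2.2", "1.1.1.1,2.2.2.2/32, 10.0.0.0/8"} {
		nets, err := ValidateSourceRange(v)
		fmt.Printf("%q -> %v, err=%v\n", v, nets, err)
	}
	bad := map[string]string{allowlistAnnotation: "1.1.1.1 2.2.2.2"}
	fmt.Println(AdmitIngressAnnotations(bad))
}
```

Run with `go run`: the first sample is rejected with the fused token quoted in the error, the second is normalised to three /32 and /8 networks, and the admission helper denies the bad Ingress before it is ever stored.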