ingress-nginx icon indicating copy to clipboard operation
ingress-nginx copied to clipboard

Published 20 hours ago verified publisher icon kubernetes

Admissionwebhook stopped validating annotations after upgrade

Open talon-amatziab opened this issue 6 months ago • 1 comments

After upgrading nginx ingress helm chart from 4.5.2 to 4.11.5 due to IngressNightmare we saw our ingress components stopped being validated and a config such as

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-fanout-example
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffering: "false"
spec:
  ingressClassName: nginx
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 4200

which was previously rejected with the following error (listed below) stopped being rejected and when loaded to nginx ingress caused it to crash due to broken nginx.conf (after reload)

Error from server (BadRequest): error when creating "test.yaml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request:
-------------------------------------------------------------------------------
Error: exit status 1
2025/04/02 12:48:15 [warn] 433#433: the "http2_max_field_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /tmp/nginx/nginx-cfg3707782051:144
nginx: [warn] the "http2_max_field_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /tmp/nginx/nginx-cfg3707782051:144
2025/04/02 12:48:15 [warn] 433#433: the "http2_max_header_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /tmp/nginx/nginx-cfg3707782051:145
nginx: [warn] the "http2_max_header_size" directive is obsolete, use the "large_client_header_buffers" directive instead in /tmp/nginx/nginx-cfg3707782051:145
2025/04/02 12:48:15 [warn] 433#433: the "http2_max_requests" directive is obsolete, use the "keepalive_requests" directive instead in /tmp/nginx/nginx-cfg3707782051:146
nginx: [warn] the "http2_max_requests" directive is obsolete, use the "keepalive_requests" directive instead in /tmp/nginx/nginx-cfg3707782051:146
2025/04/02 12:48:15 [emerg] 433#433: invalid value "false" in "proxy_buffering" directive, it must be "on" or "off" in /tmp/nginx/nginx-cfg3707782051:551
nginx: [emerg] invalid value "false" in "proxy_buffering" directive, it must be "on" or "off" in /tmp/nginx/nginx-cfg3707782051:551
nginx: configuration file /tmp/nginx/nginx-cfg3707782051 test failed

is there anyway to bring back this validation? i tried adding the following values in the helm chart of 4.11.5

controller.allowSnippetAnnotations=true controller.enableAnnotationValidations=true controller.admissionWebhooks.enabled=true

but the ingress object still passes without showing an issue

talon-amatziab avatar Apr 02 '25 13:04 talon-amatziab