External auth is passed through default backend if custom-error-pages include returned status code

[acuteaura]

What happened:

ingress-nginx enables proxy_intercept_errors and installs error_page handlers for given status codes when the custom-error-pages config key is set. This unintentionally also happens when using subrequest authentication, using the status code from the proxied error_page handlers.

This causes the subrequest authentication result to be dependent on the default backend's correctness handling the X-Code header and returning it as the status code. A default backend that does not parse and return X-Code as the status code leads to complete authentication bypass, as the code will be 200.

This requirement to parse and return X-Code is noted as a caveat on in the documentation (https://kubernetes.github.io/ingress-nginx/user-guide/custom-errors/) - but in a non-security context.

While the subrequest handler probably appreciates getting fancy error pages, it's also a bit of an unnecessary hit on performance.

What you expected to happen:

Subrequest auth has proxy_intercept_errors explicitly turned off.

NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):

registry.k8s.io/ingress-nginx/controller:v1.12.0

Kubernetes version (use kubectl version):

Not relevant

Environment:

Not relevant, but reproduced for testing in kind here: https://github.com/acuteaura/kubelab/tree/392f2118cb59f6d6136a52691c9634ea027b231b

This has been reported to sig-security and cleared for filing on the public issue tracker.