Admission Webhook denies request #7
Comments
To fix this issue you have to do the following:

PLEASE BE AWARE, THIS CHANGE IS GLOBAL AND DEACTIVATES SOME OF THE SECURITY MEASUREMENTS!

```
# Edit the ingress-nginx-controller ConfigMap in your Ingress namespace
kubectl -n ingress-nginx edit configmap ingress-nginx-controller

# You will find something like:
apiVersion: v1
data:
  allow-snippet-annotations: "true"
kind: ConfigMap

# Add the following line into the data map:
annotation-value-word-blocklist: load_module,lua_package,_by_lua,root,serviceaccount,',\

# It should now look like:
apiVersion: v1
data:
  allow-snippet-annotations: "true"
  annotation-value-word-blocklist: load_module,lua_package,_by_lua,root,serviceaccount,',\
kind: ConfigMap
```

This change overrides the default annotation-value-word-blocklist to allow certain symbols and characters in a snippet.
We have fixed the issue with location and other snippets by making it an empty list by default in v1.1.0. We leave the security configuration of the block list to the user. We are continuing to look into other remediations as well.
/close
@strongjz Thank you very much for responding, even tho I just had this here open for myself and others as a simple note 😄
It was linked from another ingress-nginx issue so I assumed this was one as well, lol. Sorry for stomping on your issue.
No worries, really appreciate that I somehow have a proper solution here :D
If you use the newest ingress-nginx (/ community nginx ingress) version 1.0.5, you may see the following error:
Error: UPGRADE FAILED: failed to create resource: admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: nginx.ingress.kubernetes.io/server-snippets annotation contains invalid word location
This is due to a change in the ingress-nginx configuration which was introduced in kubernetes/ingress-nginx#7874.
This change solves a security vulnerability which was found in kubernetes/kubernetes#126811.
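An added example, not part of the original thread or of the ingress-nginx code base: a small audit that reproduces the word check over Ingress annotations, so you can see which objects a given blocklist would deny, and what the relaxed list still blocks, before editing the ConfigMap. It assumes the webhook does a plain substring match on annotations under the default prefix; `STRICT` and `SAMPLE` are constructed for illustration.

```python
PREFIX = "nginx.ingress.kubernetes.io/"  # default annotation prefix

# Relaxed list copied from the workaround comment on this page.
RELAXED = "load_module,lua_package,_by_lua,root,serviceaccount,',\\"
# Constructed stricter list: RELAXED plus "location", the word named in the error.
STRICT = "location," + RELAXED

# Constructed sample, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "web", "annotations": {
        PREFIX + "server-snippet": "location /health { return 200; }"}}},
    {"metadata": {"namespace": "default", "name": "api", "annotations": {
        PREFIX + "configuration-snippet": "more_set_headers 'X-Frame-Options: DENY';"}}},
    {"metadata": {"namespace": "team-a", "name": "static", "annotations": {
        PREFIX + "server-snippet": "location / { root /srv/www; }",
        "example.com/note": "root cause tracked elsewhere"}}},
]}

def parse_blocklist(value):
    """Split the ConfigMap value on commas; an empty value disables the check."""
    return [word for word in value.strip().split(",") if word]

def denied_annotations(ingress, words):
    """Return (annotation key, first blocked word found) pairs for one Ingress."""
    hits = []
    annotations = ingress["metadata"].get("annotations") or {}
    for key, value in sorted(annotations.items()):
        if not key.startswith(PREFIX):
            continue  # assumption: only controller-prefixed annotations are checked
        match = next((w for w in words if w in value), None)  # assumption: substring match
        if match is not None:
            hits.append((key, match))
    return hits

def audit(ingress_list, blocklist_value):
    """Map namespace/name -> denied annotations under the given blocklist."""
    words = parse_blocklist(blocklist_value)
    report = {}
    for item in ingress_list["items"]:
        hits = denied_annotations(item, words)
        if hits:
            meta = item["metadata"]
            report[f'{meta["namespace"]}/{meta["name"]}'] = hits
    return report

if __name__ == "__main__":
    for label, value in (("strict", STRICT), ("relaxed", RELAXED), ("empty", "")):
        print(label, audit(SAMPLE, value))
```

To run it against a cluster, replace `SAMPLE` with the parsed output of `kubectl get ingress -A -o json`.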