Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: admission webhook denies auth-url with comma #11739

Closed
mikkel3000 opened this issue Aug 6, 2024 · 8 comments · Fixed by #11882
Closed

bug: admission webhook denies auth-url with comma #11739

mikkel3000 opened this issue Aug 6, 2024 · 8 comments · Fixed by #11882
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@mikkel3000
Copy link

mikkel3000 commented Aug 6, 2024
edited
Loading

What happened:
Tried to use nginx.ingress.kubernetes.io/auth-url: with oauth2-proxy and several allowed groups: https://oauth.example/oauth2/auth?allowed_groups=gid1,gid2 after oauth2-proxy documentation in an existing ingress.

This gave the error message:
error: ingresses.networking.k8s.io "tp-ingress-nessus-feature" could not be patched: admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: annotation nginx.ingress.kubernetes.io/auth-url contains invalid value

I get the same error with \ in front of the comma, like so:
nginx.ingress.kubernetes.io/auth-url: https://oauth.example/oauth2/auth?allowed_groups=gid1\,gid2

It is not allowed in encoded form either: %2C.

It works without a comma.

I believe you will need to update the validating regex for the auth-url annotation:

ingress-nginx/internal/ingress/annotations/authreq/main.go

Line 60 in fd7e02b

Validator: parser.ValidateRegex(parser.URLWithNginxVariableRegex, true),

The current one only allows :?&=

ingress-nginx/internal/ingress/annotations/parser/validators.go

Line 47 in fd7e02b

urlEnabledChars = regexp.QuoteMeta(`:?&=`)

What you expected to happen:
The ingress should have been updated.

NGINX Ingress controller version:
NGINX Ingress controller
Release: v1.9.4
Build: 846d251
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.21.6

Kubernetes version (use kubectl version):
Server Version: v1.27.9

How to reproduce this issue:
Create an ingress with the nginx.ingress.kubernetes.io/auth-url: annotation, add a comma in a query parameter.

Install minikube/kind

Install the ingress controller

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml

Install an application that will act as default backend (is just an echo app)

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml

Create an ingress (please add any additional annotation required)

echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: foo-bar
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-url: https://oauth.example/oauth2/auth?allowed_groups=g1,g2
spec:
ingressClassName: nginx # omit this if you're on controller version below 1.0.0
rules:
- host: foo.bar
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: http-svc
port:
number: 80
" | kubectl apply -f -
@mikkel3000 mikkel3000 added the kind/bug Categorizes issue or PR as related to a bug. label Aug 6, 2024
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Aug 6, 2024
@longwuyuan
Copy link
Contributor

longwuyuan commented Aug 6, 2024 via email

@mikkel3000
Copy link
Author

Does it work without ,

On Tue, 6 Aug, 2024, 15:09 Kubernetes Prow Robot, @.> wrote: This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance. The triage/accepted label can be added by org members by writing /triage accepted in a comment. Instructions for interacting with me using PR comments are available here https://git.k8s.io/community/contributors/guide/pull-requests.md. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue: repository. — Reply to this email directly, view it on GitHub <#11739 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABGZVWWTPAJCVZLQHM3MGT3ZQCKUNAVCNFSM6AAAAABMB6ERGGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENZQHA2DCOJZHE . You are receiving this because you are subscribed to this thread.Message ID: @.>

Yes, but the query parameter of oauth2-proxy requires a comma to specify several groups to give access to.
https://oauth2-proxy.github.io/oauth2-proxy/features/endpoints#auth

@longwuyuan
Copy link
Contributor

longwuyuan commented Aug 6, 2024 via email

@mikkel3000
Copy link
Author

I get the same error with \ in front of the comma, like so:
nginx.ingress.kubernetes.io/auth-url: https://oauth.example/oauth2/auth?allowed_groups=g1\,g2

@longwuyuan
Copy link
Contributor

longwuyuan commented Aug 6, 2024 via email

@longwuyuan
Copy link
Contributor

/remove-kind bug
/kind feature
/triage-accepted

validations were enabled with a objective to secure the controller's use cases. lets wait for developers and others to comment about allowing comma character as valid.

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Aug 6, 2024
@strongjz
Copy link
Member 

It can be configured using the following query parameters:

    allowed_groups: comma separated list of allowed groups
    allowed_email_domains: comma separated list of allowed email domains
    allowed_emails: comma separated list of allowed emails

Looks like we do need to a comma to the validation

https://oauth2-proxy.github.io/oauth2-proxy/features/endpoints/#auth

@strongjz
Copy link
Member

/kind bug
/triage accepted
/priority backlog

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Aug 26, 2024
@strongjz strongjz mentioned this issue Aug 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
[SIG Network] Ingress NGINX
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Annotations: Allow commas in URLs. strongjz/ingress-nginx
4 participants
@strongjz @longwuyuan @k8s-ci-robot @mikkel3000