diff --git a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
index fdaf6e5c33..4393a5bc06 100644
--- a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
@@ -4,7 +4,7 @@ controller:
 tag: 1.0.0-dev
 digest: null
 kind: DaemonSet
- enableSnippetDirectives: false
+ allowSnippetAnnotations: false
 admissionWebhooks:
 enabled: false
 service:
diff --git a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
index f0d827dbca..174941848e 100644
--- a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
@@ -5,7 +5,7 @@ controller:
 digest: null
 config:
 use-proxy-protocol: "true"
- enableSnippetDirectives: false
+ allowSnippetAnnotations: false
 admissionWebhooks:
 enabled: false
 service:
diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
index 0099bd0a23..6973892071 100644
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -10,7 +10,7 @@ metadata:
 name: {{ include "ingress-nginx.controller.fullname" . }}
 namespace: {{ .Release.Namespace }}
 data:
- enable-snippet-directives: "{{ .Values.controller.enableSnippetDirectives }}"
+ allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
 {{- if .Values.controller.addHeaders }}
 add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
 {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index a41d30c04a..b58e799752 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -70,10 +70,10 @@ controller:
 ingressClassByName: false
 # This configuration defines if Ingress Controller should allow users to set
- # their own *-snippet directives/annotations, otherwise this is forbidden / dropped
+ # their own *-snippet annotations, otherwise this is forbidden / dropped
 # when users add those annotations.
 # Global snippets in ConfigMap are still respected
- enableSnippetDirectives: true
+ allowSnippetAnnotations: true
 # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
 # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index dd1828ed89..4fdda21ba9 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -29,6 +29,7 @@ The following table shows a configuration option's name, type, and the default v
 |:---|:---|:------|
 |[add-headers](#add-headers)|string|""|
 |[allow-backend-server-header](#allow-backend-server-header)|bool|"false"|
+|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true|
 |[hide-headers](#hide-headers)|string array|empty|
 |[access-log-params](#access-log-params)|string|""|
 |[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"|
@@ -46,7 +47,6 @@ The following table shows a configuration option's name, type, and the default v
 |[disable-access-log](#disable-access-log)|bool|false|
 |[disable-ipv6](#disable-ipv6)|bool|false|
 |[disable-ipv6-dns](#disable-ipv6-dns)|bool|false|
-|[enable-snippet-directives](#enable-snippet-directives)|bool|true|
 |[enable-underscores-in-headers](#enable-underscores-in-headers)|bool|false|
 |[enable-ocsp](#enable-ocsp)|bool|false|
 |[ignore-invalid-headers](#ignore-invalid-headers)|bool|true|
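Review bot: Renaming `enableSnippetDirectives` to `allowSnippetAnnotations` in values.yaml while the default stays `true` means a values file that still sets `controller.enableSnippetDirectives: false` is no longer read, so an upgrade would turn `*-snippet` annotations back on without any error — assuming the old key ever shipped in a released chart, which this page does not show. The same applies to the ConfigMap key behind the `json:"allow-snippet-annotations"` tag in config.go, where `NewDefault` also sets `true`. A guard in controller-configmap.yaml such as `{{- if hasKey .Values.controller "enableSnippetDirectives" }}{{ fail "controller.enableSnippetDirectives was renamed to controller.allowSnippetAnnotations" }}{{- end }}` would make the rename fail closed instead of open. The comment above the value could also carry the trust warning that configmap.md has, for example `# Only leave this enabled if every user who can create Ingress objects is trusted`.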
@@ -214,6 +214,13 @@ Sets custom headers from named configmap before sending traffic to the client. S
 Enables the return of the header Server from the backend instead of the generic nginx string. _**default:**_ is disabled
+## allow-snippet-annotations
+
+Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true`;
+
+Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this
+may allow a user to add restricted configurations to the final nginx.conf file
+
 ## hide-headers
 Sets additional header that will not be passed from the upstream server to the client response.
@@ -317,12 +324,6 @@ Disable listening on IPV6. _**default:**_ `false`; IPv6 listening is enabled
 Disable IPV6 for nginx DNS resolver. _**default:**_ `false`; IPv6 resolving enabled.
-## enable-snippet-directives
-
-Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true`;
-Obs.: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this
-may allow a user to add restricted configurations to the final nginx.conf file
-
 ## enable-underscores-in-headers
 Enables underscores in header names. _**default:**_ is disabled
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index 89bbb33cf4..a29c1b094f 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -93,9 +93,9 @@ const (
 type Configuration struct {
 defaults.Backend `json:",squash"`
- // EnableSnippetDirectives enable users to add their own snippets via ingress annotation.
+ // AllowSnippetAnnotations enable users to add their own snippets via ingress annotation.
 // If disabled, only snippets added via ConfigMap are added to ingress.
- EnableSnippetDirectives bool `json:"enable-snippet-directives"`
+ AllowSnippetAnnotations bool `json:"allow-snippet-annotations"`
 // Sets the name of the configmap that contains the headers to pass to the client
 AddHeaders string `json:"add-headers,omitempty"`
@@ -761,7 +761,8 @@ func NewDefault() Configuration {
 defGlobalExternalAuth := GlobalExternalAuth{"", "", "", "", "", append(defResponseHeaders, ""), "", "", "", []string{}, map[string]string{}}
 cfg := Configuration{
- EnableSnippetDirectives: true,
+
+ AllowSnippetAnnotations: true,
 AllowBackendServerHeader: false,
 AccessLogPath: "/var/log/nginx/access.log",
 AccessLogParams: "",
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 2c42041a5d..aeed322788 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -244,7 +244,7 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 }
 }
- if !cfg.EnableSnippetDirectives && strings.HasSuffix(key, "-snippet") {
+ if !cfg.AllowSnippetAnnotations && strings.HasSuffix(key, "-snippet") {
 return fmt.Errorf("%s annotation cannot be used. Snippet directives are disabled by the Ingress administrator", key)
 }
@@ -550,7 +550,7 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in
 ingKey := k8s.MetaNamespaceKey(ing)
 anns := ing.ParsedAnnotations
- if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+ if !n.store.GetBackendConfiguration().AllowSnippetAnnotations {
 dropSnippetDirectives(anns, ingKey)
 }
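Review bot: The NewDefault hunk in config.go adds an empty `+` line directly after `cfg := Configuration{`, which looks unintended. The literal should open with `AllowSnippetAnnotations: true,` on its first line, as the old field did. NewDefault's body continues outside the hunk.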
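Review bot: The rejection message in the CheckIngress hunk still reads `Snippet directives are disabled` although the setting is now `allow-snippet-annotations`, so a user whose Ingress is refused cannot map the message to the option. Something like `"%s annotation cannot be used. Snippet annotations are disabled by the Ingress administrator"` would keep the two aligned, provided no test asserts on the old text. The helper name `dropSnippetDirectives` in the later controller.go hunks keeps the old term as well. CheckIngress starts and ends outside the hunk.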
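Review bot: The snippet gate in the getBackendServers hunk is repeated verbatim in createUpstreams (-830) and twice in createServers (-1124, -1204), so a later code path that reads `ing.ParsedAnnotations` without copying the `if` would let snippet annotations reach the rendered configuration even with the setting off. Since the rename touches every site anyway, the check could move into one method that each site calls. The sketch below assumes `ing` is an `*ingress.Ingress` at every site and that `dropSnippetDirectives` edits the annotations in place; neither is visible in these hunks, and all four enclosing functions continue outside them.

```go
// enforceSnippetPolicy drops snippet annotations from ing when the
// administrator has set allow-snippet-annotations to false.
func (n *NGINXController) enforceSnippetPolicy(ing *ingress.Ingress) {
	if n.store.GetBackendConfiguration().AllowSnippetAnnotations {
		return
	}
	dropSnippetDirectives(ing.ParsedAnnotations, k8s.MetaNamespaceKey(ing))
}

// … in getBackendServers, createUpstreams and createServers, replacing the if block …
anns := ing.ParsedAnnotations
n.enforceSnippetPolicy(ing)
```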
@@ -830,7 +830,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 ingKey := k8s.MetaNamespaceKey(ing)
 anns := ing.ParsedAnnotations
- if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+ if !n.store.GetBackendConfiguration().AllowSnippetAnnotations {
 dropSnippetDirectives(anns, ingKey)
 }
@@ -1124,7 +1124,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 ingKey := k8s.MetaNamespaceKey(ing)
 anns := ing.ParsedAnnotations
- if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+ if !n.store.GetBackendConfiguration().AllowSnippetAnnotations {
 dropSnippetDirectives(anns, ingKey)
 }
@@ -1204,7 +1204,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 ingKey := k8s.MetaNamespaceKey(ing)
 anns := ing.ParsedAnnotations
- if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+ if !n.store.GetBackendConfiguration().AllowSnippetAnnotations {
 dropSnippetDirectives(anns, ingKey)
 }
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index 1ed8766005..d7020bb48d 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -255,7 +255,7 @@ func TestCheckIngress(t *testing.T) {
 nginx.store = fakeIngressStore{
 ingresses: []*ingress.Ingress{},
 configuration: ngx_config.Configuration{
- EnableSnippetDirectives: false,
+ AllowSnippetAnnotations: false,
 },
 }
 nginx.command = testNginxTestCommand{
@@ -2309,7 +2309,7 @@ func TestGetBackendServers(t *testing.T) {
 SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns),
 },
 Data: map[string]string{
- "enable-snippet-directives": "false",
+ "allow-snippet-annotations": "false",
 },
 }
 },
diff --git a/test/e2e/annotations/modsecurity/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go
index c4babf21a5..cfd6286e45 100644
--- a/test/e2e/annotations/modsecurity/modsecurity.go
+++ b/test/e2e/annotations/modsecurity/modsecurity.go
@@ -316,7 +316,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 f.SetNginxConfigMapData(map[string]string{
 "enable-modsecurity": "true",
 "enable-owasp-modsecurity-crs": "true",
- "enable-snippet-directives": "false",
+ "allow-snippet-annotations": "false",
 "modsecurity-snippet": expectedComment,
 })
diff --git a/test/e2e/annotations/serversnippet.go b/test/e2e/annotations/serversnippet.go
index ccd235e13c..adba23feed 100644
--- a/test/e2e/annotations/serversnippet.go
+++ b/test/e2e/annotations/serversnippet.go
@@ -67,10 +67,10 @@ var _ = framework.DescribeAnnotation("server-snippet", func() {
 }
 ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
- f.UpdateNginxConfigMapData("enable-snippet-directives", "false")
+ f.UpdateNginxConfigMapData("allow-snippet-annotations", "false")
 defer func() {
 // Return to the original value
- f.UpdateNginxConfigMapData("enable-snippet-directives", "true")
+ f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
 }()
 // Sleep a while just to guarantee that the configmap is applied
 framework.Sleep()
diff --git a/test/e2e/annotations/snippet.go b/test/e2e/annotations/snippet.go
index 82f0622207..be0e9ccf99 100644
--- a/test/e2e/annotations/snippet.go
+++ b/test/e2e/annotations/snippet.go
@@ -63,10 +63,10 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() {
 }
 ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
- f.UpdateNginxConfigMapData("enable-snippet-directives", "false")
+ f.UpdateNginxConfigMapData("allow-snippet-annotations", "false")
 defer func() {
 // Return to the original value
- f.UpdateNginxConfigMapData("enable-snippet-directives", "true")
+ f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
 }()
 // Sleep a while just to guarantee that the configmap is applied
 framework.Sleep()
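Review bot: The deferred cleanup in the serversnippet.go hunk writes a hard-coded `"true"` although its comment says `Return to the original value`; the snippet.go hunk below has the same pattern. If the suite's ConfigMap ever starts with snippets disabled, these tests would leave the controller in the more permissive state for whatever runs next. Capturing the value before the update and restoring that would match the comment; failing that, rewording it to `// Re-enable snippet annotations (suite default)` would at least state what the code does. Both enclosing test closures start and end outside their hunks.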
diff --git a/test/e2e/settings/server_snippet.go b/test/e2e/settings/server_snippet.go
index c3ff5aa468..b9e172717a 100644
--- a/test/e2e/settings/server_snippet.go
+++ b/test/e2e/settings/server_snippet.go
@@ -94,7 +94,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() {
 hostAnnots := "serverannotssnippet2.foo.com"
 f.SetNginxConfigMapData(map[string]string{
- "enable-snippet-directives": "false",
+ "allow-snippet-annotations": "false",
 "server-snippet": ` more_set_headers "Globalfoo: Foooo";`,
 })