Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow per-namespace annotations-risk-level #12639

Closed
sathieu opened this issue Jan 8, 2025 · 4 comments
Closed

Allow per-namespace annotations-risk-level #12639

sathieu opened this issue Jan 8, 2025 · 4 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@sathieu
Copy link
Contributor

sathieu commented Jan 8, 2025

Raising annotations-risk-level to High is good, but we need a way to add exceptions for specific namespaces that we now are using safe parameters.

For example, we use this for MinIO:

      nginx.ingress.kubernetes.io/configuration-snippet: |
          chunked_transfer_encoding off;

Proposed change: add a new option in ConfigMap annotations-risk-level-excluded-namespaces containing a space-separed list of namespaces where annotations-risk-level is set to Critical.
@sathieu sathieu added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 8, 2025
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 8, 2025
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sathieu
Copy link
Contributor Author

sathieu commented Jan 8, 2025

Other usecases (for kube-apiserver):

    nginx.ingress.kubernetes.io/server-snippet: |
      client_header_buffer_size 40k;
      large_client_header_buffers 4 40k;

@sathieu sathieu mentioned this issue Jan 8, 2025
Open
@Gacko
Copy link
Member

Gacko commented Jan 10, 2025

We lowered the annotation risk level to High because there are Critical annotations known to cause security issues in multi-tenant environments. It's probably not what you want, but I'd suggest deploying a second Ingress NGINX Controller for your secure/trusted stuff as this would make it even more secure overall. If you're not running a multi-tenant environment and trust the people creating Ingress resources, there shouldn't be an issue with increasing the risk level back to Critical.

Anyway: We won't implement a feature like this as we're currently looking forward to our Gateway API implementation.

@Gacko Gacko closed this as completed Jan 10, 2025
@sathieu
Copy link
Contributor Author

sathieu commented Jan 13, 2025

We are using multi-tenant clusters, and will probably move to another Gateway API implementation than ingate, but a few features are still missing in Gateway API specs.

We'll use Gatekeeper to check ingress-nginx annotations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
[SIG Network] Ingress NGINX
Status: Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sathieu @Gacko @k8s-ci-robot