Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable security features by default #11819

Merged
merged 1 commit into from
Aug 23, 2024
Merged

Enable security features by default #11819

merged 1 commit into from
Aug 23, 2024

Conversation

rikatz
Copy link
Contributor

@rikatz rikatz commented Aug 18, 2024

What this PR does / why we need it:

This PR:

  • Lowers the acceptable annotation risk from Critical to High
  • Disables cross namespace consumption
  • Enables strict path validation

Also makes validation enabled by default

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • CVE Report (Scanner found CVE and adding report)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation only

@k8s-ci-robot k8s-ci-robot requested a review from puerco August 18, 2024 19:06
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/helm Issues or PRs related to helm charts approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority labels Aug 18, 2024
@netlify Netlify
Copy link

netlify bot commented Aug 18, 2024
edited
Loading

Deploy Preview for kubernetes-ingress-nginx canceled.

Name Link
🔨 Latest commit 771614f
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/66c29aafb403c10008db347a

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 18, 2024
@rikatz rikatz mentioned this pull request Aug 18, 2024
Open
@rikatz rikatz force-pushed the breaking-changes-for-112 branch from 3de00d7 to df1a115 Compare August 18, 2024 20:23
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 18, 2024
@aojea
Copy link
Member

aojea commented Aug 18, 2024

/priority critical-important
/assign @aojea
/cc @robscott

@k8s-ci-robot
Copy link
Contributor

@aojea: The label(s) priority/critical-important cannot be applied, because the repository doesn't have them.

In response to this:

/priority critical-important
/assign @aojea
/cc @robscott

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot requested a review from robscott August 18, 2024 21:25
@rikatz rikatz force-pushed the breaking-changes-for-112 branch 4 times, most recently from dc9222b to 427baf8 Compare August 18, 2024 23:28
@rikatz rikatz force-pushed the breaking-changes-for-112 branch from 427baf8 to 771614f Compare August 19, 2024 01:06
@rikatz rikatz mentioned this pull request Aug 19, 2024
Closed
@aojea
Copy link
Member

aojea commented Aug 19, 2024
edited
Loading

/priority critical-urgent

for context kubernetes/kubernetes#126744 and

https://www.cvedetails.com/vulnerability-list/vendor_id-15867/product_id-94170/Kubernetes-Ingress-nginx.html

The proliferation of annotations and the complexity to sanitize the inputs is causing a lot of damage to the security reputation of the project. We should aim for a secure by default setup that does not put on risk the non-advanced users

@k8s-ci-robot k8s-ci-robot added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. and removed needs-priority labels Aug 19, 2024
@Gacko
Copy link
Member

Gacko commented Aug 20, 2024

Actually there might be more to enable by default, like strict path type checking. I'm currently on vacation, but I'll try to contribute here in the next days.

@longwuyuan
Copy link
Contributor

/triage accepted
/kind bug

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. kind/bug Categorizes issue or PR as related to a bug. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Aug 20, 2024
@aojea
Copy link
Member

aojea commented Aug 20, 2024

/assign @kubernetes/ingress-nginx-maintainers

@rikatz
Copy link
Contributor Author

rikatz commented Aug 20, 2024 via email

@longwuyuan
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 23, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: longwuyuan, rikatz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 7b4e4e2 into kubernetes:main Aug 23, 2024
27 checks passed
@Gacko
Copy link
Member

Gacko commented Aug 24, 2024

The changes in the chart in conjunction with those in the controller effectively break the flag. Before you could opt-in for annotation validation by enabling the flag in the chart, now, if you disable it, nothing happens as we do not pass false to the controller in the deployment.

I'll create a follow-up PR to fix this.

@Gacko
Copy link
Member

Gacko commented Aug 24, 2024

Also we forgot to update the help text in flags.go.

This was referenced Aug 26, 2024
Closed
Merged
@strongjz strongjz deleted the breaking-changes-for-112 branch August 26, 2024 19:04
@ThoSap ThoSap mentioned this pull request Oct 9, 2024
Open
budimanjojo added a commit to budimanjojo/home-cluster that referenced this pull request Dec 31, 2024
@budimanjojo
fix(apps): nginx disabled more annotations by default now
cf3bbb1 
See: kubernetes/ingress-nginx#11819

Signed-off-by: budimanjojo <[email protected]>
qlonik added a commit to qlonik/musical-parakeet that referenced this pull request Jan 6, 2025
@qlonik
feat(apps/nginx): allow critical annotations
efeb2d6 
Some critical annotations cause issues now, since nginx-ingress v1.12.0 enabled
security by default: kubernetes/ingress-nginx/pull/11819.
@shafeeqes shafeeqes mentioned this pull request Jan 6, 2025
Merged
1 task
dixneuf19 pushed a commit to dixneuf19/brassberry-gitops that referenced this pull request Jan 8, 2025
fix(ingress-nginx): accept cross secret read for basic-auth
bc8c2f5 
Breaking change introduced in 1.12.0 with kubernetes/ingress-nginx#11819
@dixneuf19 dixneuf19 mentioned this pull request Jan 8, 2025
Merged
@brennerm brennerm mentioned this pull request Jan 29, 2025
Closed
@samip5
Copy link

samip5 commented Feb 5, 2025

Please in the future, could you not introduce breaking changes in a minor version bump? :(

samip5 added a commit to samip5/k8s-cluster that referenced this pull request Feb 5, 2025
@samip5
Fixes for nginx breaking things again behind "security"
4527d6f 
kubernetes/ingress-nginx#11819
@strongjz
Copy link
Member

strongjz commented Feb 6, 2025

Please in the future, could you not introduce breaking changes in a minor version bump? :(

We have operated like this in the past: We create a new feature, disable it by default, and then, after another minor release, enable it by default. This is all in service of securing the ingress controller by default. We discuss these types of changes in our community meetings, in Slack in #ingress-dev, and in the release notes.

@samip5
Copy link

samip5 commented Feb 6, 2025
edited
Loading

Please in the future, could you not introduce breaking changes in a minor version bump? :(

We have operated like this in the past: We create a new feature, disable it by default, and then, after another minor release, enable it by default. This is all in service of securing the ingress controller by default. We discuss these types of changes in our community meetings, in Slack in #ingress-dev, and in the release notes.

That may be true, but according to semver (https://semver.org/), this is considered a breaking change and should have been a major as such.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gacko Gacko Gacko left review comments

@strongjz strongjz strongjz left review comments

@puerco puerco Awaiting requested review from puerco

@ubergesundheit ubergesundheit Awaiting requested review from ubergesundheit

@robscott robscott Awaiting requested review from robscott

Assignees

@longwuyuan longwuyuan

@aojea aojea

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/docs area/helm Issues or PRs related to helm charts cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@rikatz @aojea @k8s-ci-robot @Gacko @longwuyuan @samip5 @strongjz