fix: deny locations with invalid auth-url annotation #8256
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
k8s-ci-robot
added
cncf-cla: yes
|
Hi @nabokihms. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-priority
needs-ok-to-test
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
k8s-ci-robot
added
lgtm
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
k8s-ci-robot
removed
the
lgtm
|
I've deleted the failed test because it is duplicated by another test (I overlooked it working on the fix). Everything should be fine now. |
|
/test pull-ingress-nginx-test |
|
@nabokihms: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/test pull-ingress-nginx-test |
|
/approve |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: iamNoah1, nabokihms, strongjz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kundan2707
added a commit
to kundan2707/ingress-nginx
that referenced
this pull request
Mar 17, 2022
remove 0.46.0 from supported versions table (kubernetes#8258) Minor fix for missing pathType property (kubernetes#8244) Updated confusing error (kubernetes#8262) Add a certificate info metric (kubernetes#8253) When the ingress controller loads certificates (new ones or following a secret update), it performs a series of check to ensure its validity. In our systems, we detected a case where, when the secret object is compromised, for example when the certificate does not match the secret key, different pods of the ingress controller are serving a different version of the certificate. This behaviour is due to the cache mechanism of the ingress controller, keeping the last known certificate in case of corruption. When this happens, old ingress-controller pods will keep serving the old one, while new pods, by failing to load the corrupted certificates, would use the default certificate, causing invalid certificates for its clients. This generates a random error on the client side, depending on the actual pod instance it reaches. In order to allow detecting occurences of those situations, add a metric to expose, for all ingress controlller pods, detailed informations of the currently loaded certificate. This will, for example, allow setting an alert when there is a certificate discrepency across all ingress controller pods using a query similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)` This also allows to catch other exceptions loading certificates (failing to load the certificate from the k8s API, ... Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com> Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com> Issue#8241 (kubernetes#8273) * replace daemon set for deployment manifest * nit Start Release process for v1.1.2 (kubernetes#8275) Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> Add fsGroup value to admission-webhooks/job-patch charts (kubernetes#8267) * added fsGroup to admission createSecret and patchWebhook job * added fsGroup to admission createSecret and patchWebhook job * modified helm/README.md to add value for fsGroup * fixed patch job values ordering * remove manually edited README for replacement with helm-docs generated version * re-adding charts/README.md generated by helm-docs Add OpenSSF Best practices badge (kubernetes#8277) fix: deny locations with invalid auth-url annotation (kubernetes#8256) * fix: deny locations with invalid auth-url annotation Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> * Delete duplicate test Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> force prow job by changing something in images/ot dir (kubernetes#8281) Images dir was merged in before the test-infra prow job, so the image was never built. kubernetes#8013 Jan 16 https://github.com/kubernetes/test-infra/pull/25344/files Prow job 4 days ago. Fix OpenTelemetry sidecar image build (kubernetes#8286) * fix wrong checksum for nginx image * fix wrong platform. Arm64 has grpc, when arm doesn't update tag for image (kubernetes#8290) remove git tag env from cloud build the latest git tag is from helm, so force the make file use of TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) release-v1.1.2-continued (kubernetes#8294) * v1.1.2 release Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> * release-v1.1.2-continued Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com> docs: fix changelog formatting (kubernetes#8302) leaving it the git tag (kubernetes#8311) fixing the git tag for the image version, it is what it is . Missing annotations (kubernetes#8288) Not quite sure but It seems that `nginx.ingress.kubernetes.io/canary-by-header` is missing. Names cannot contain _ (underscore)! So I changed it to -. (kubernetes#8300) * The name can't use _(underscore)! So fix it! The name can't use _(underscore)! So fix it! * Fix configMap name can't use _(underscore) Fix configMap name can't use _(underscore) Pinned GitHub workflows by SHA (kubernetes#8334) - Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies - Included permissions for some of the actions. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions Dependabot can upgrade pinned version of actions. Update monitoring.md (kubernetes#8324) Added missing repo on "helm upgrade" command Add the shareProcessNamespace as a configurable setting. (kubernetes#8287) Nginx v1.19.10 (kubernetes#8307) kubectl code overview info
9 tasks
rchshld
pushed a commit
to joomcode/ingress-nginx
that referenced
this pull request
May 19, 2023
* fix: deny locations with invalid auth-url annotation Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> * Delete duplicate test Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: m.nabokikh maksim.nabokikh@flant.com
What this PR does / why we need it:
There is a problem, that when you set an invalid URL as a value for the nginx.ingress.kubernetes.io/auth-url annotation, the ingress controller allows accessing upstreams without authentication.
Thus, this is considered a security hole. Users can accidentally set an invalid URL by hand or because of an error in helm templates.
For example, the following template
nginx.ingress.kubernetes.io/auth-url: "https://auth.{{ .Value.namespace }}.cluster.local"in case if the.Value.namespacevariable is empty, will generate the invalid domain - https://auth..cluster.local.It may lead to the disclosure of sensitive data protected by the
https://auth.{{ .Value.namespace }}.cluster.local.Instead of allowing access if auth-url is invalid, let's deny the server location completely.Types of changes
Which issue/s this PR fixes
No issues. I decided to go with PR because it is easier to present my idea.
How Has This Been Tested?
I added an integration test. Without changes from this PR, I see the following log:
This means, that location is not protected, and everyone can access it without authentication.
Checklist: