Comments (5)
@jkroepke thanks for this issue (and all of the other reports ;) )
Anything we can use to improve security on this case is acceptable. That said, can we work on something with https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/ so we don't need to rely on any external webhook?
This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
- AFAIK, the normal regex lib is PCRE, but K8S uses RE2: https://kubernetes.github.io/ingress-nginx/user-guide/ingress-path-matching/#regular-expression-support
- An admin has to explicitly allow characters, as per spec: https://kubernetes.github.io/ingress-nginx/faq/#validation-of-path
> AFAIK, the normal regex lib is PCRE, but K8S uses RE2: kubernetes.github.io/ingress-nginx/user-guide/ingress-path-matching/#regular-expression-support

Okay, if Kubernetes already does a regex validation, the idea could be dropped.

> An admin has to explicitly allow characters, as per spec: kubernetes.github.io/ingress-nginx/faq/#validation-of-path

I have a built-in solution in mind. Not everyone has the power or capability to set up Open Policy Agent or Kyverno. Before someone goes deeper into Rego, I would rather recommend switching to an alternative ingress controller.
I'm coming from https://kubernetes.github.io/ingress-nginx/faq/#validation-of-path, so I'm aware of the bullet points.
While I was writing the issue, I had more in mind to improve the validation inside ingress-nginx:
ingress-nginx/internal/ingress/inspector/rules.go
Lines 25 to 29 in e78af97
ingress-nginx/internal/ingress/inspector/inspector.go
Lines 45 to 65 in e78af97
and toggle them behind validate-strict-path, to have an opt-in unless we are on 2.0.0.
https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/ may fit, too. But it would be a strategy design, whether future validation should be done by Kubernetes itself or nginx.
While ValidatingAdmissionPolicy sounds great at first, it may not work if ingress-nginx runs on a namespace scope. ValidatingAdmissionWebhook doesn't work on namespace scope, either. But ingress-nginx will reject invalid ingress objects without ValidatingAdmissionWebhook, too.
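The ValidatingAdmissionPolicy approach discussed in the comments above, as an added example that is not part of this issue thread or of the ingress-nginx project: a cluster-scoped policy plus binding that rejects Ingress objects whose rule paths contain characters outside an allow-list. It assumes a Kubernetes version that serves admissionregistration.k8s.io/v1 (the GA API), and the allow-list regex is an assumption chosen for illustration, not the controller's own validation rule from the FAQ linked above.

```yaml
# Added example (not ingress-nginx code): reject Ingress paths containing
# characters outside a conservative allow-list. The regex is an assumption
# for this example; adjust it to the character set your cluster permits.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: ingress-path-charset
spec:
  # Fail closed: if the policy cannot be evaluated, the request is rejected.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["ingresses"]
  validations:
    # spec.rules, rule.http and path.path are all optional in the Ingress
    # schema, so each level is guarded with has() before it is dereferenced.
    - expression: >-
        !has(object.spec.rules) ||
        object.spec.rules.all(r,
          !has(r.http) ||
          r.http.paths.all(p,
            !has(p.path) || p.path.matches('^/[A-Za-z0-9._~/-]*$')))
      message: "Ingress path contains characters outside the allowed set [A-Za-z0-9._~/-]"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: ingress-path-charset-all
spec:
  policyName: ingress-path-charset
  # Deny rather than only audit/warn, so a non-conforming Ingress is never stored.
  validationActions: ["Deny"]
  # Applies to every namespace except kube-system; narrow the selector further
  # if only some namespaces should be covered.
  matchResources:
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
```

Two caveats that follow from the thread: the policy and binding are cluster-scoped objects, so only a cluster administrator can create them, which is exactly why a namespace-scoped ingress-nginx deployment cannot rely on this mechanism on its own; and an Ingress that uses regex paths (the use-regex annotation from the path-matching guide linked above) carries regex metacharacters in spec.rules[].http.paths[].path, so such clusters need either a wider allow-list or a separate binding that exempts those namespaces.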