Mitigate CVE-2022-4886 and CVE-2023-5044

This commit adds the flags and config options recommended by the
community in:

https://github.com/kubernetes/ingress-nginx/issues/10570
https://github.com/kubernetes/ingress-nginx/issues/10572

CVE-2023-5044 is mitigated with enableAnnotationValidations
CVE-2022-4886 is mitigated with strict-validate-path-type

Test cases:

PASS: Full build, system install, bootstrap and unlock.
PASS: system application-update to this new version
PASS: Create Ingress resource with special character in path /apple$,
      Verify it's possible to curl localhost/apple$.
      Apply strict-validate-path-type override and verify creating the
      same Ingress object is not possible anymore, neither curl works.
PASS: Create Ingress resource with special characters and verify that
      it creates successfully.

      annotations:

      nginx.ingress.kubernetes.io/permanent-redirect: |
        https://www.google.com$HOST

      Apply enableAnnotationValidations override and verify creating the
      same Ingress object is not possible anymore and a validation error
      is now returned.
PASS: stx-openstack applies without error.

Closes-Bug: 2042977

Change-Id: I2f2279ebb34094d0a21d4440e48ef890f09a6133
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Rei Oliveira 2023-11-07 12:53:27 -03:00
parent aaac53a74a
commit 462d728eb8

@ -6,6 +6,8 @@
imagePullSecrets: [{"name": "default-registry-key"}]
controller:
# This fixes CVE-2023-5044: https://github.com/kubernetes/ingress-nginx/issues/10572
enableAnnotationValidations: true
kind: DaemonSet
image:
# cleans the default digest value since sysinv changes the digest when pushing the image to the local registry
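Review bot: the comment added above `enableAnnotationValidations: true` says "This fixes CVE-2023-5044", while the commit message describes the setting as a mitigation; suggest wording the comment as "mitigates" so the flag is not read as a patched controller. It would also help to note in that comment which chart or controller version first honours this value, since nothing in this hunk ties the setting to a version, and a chart whose templates do not reference the key would not apply it.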
@ -22,6 +24,8 @@ controller:
# See https://bugs.launchpad.net/starlingx/+bug/1823803
# Note quotes are necessary.
worker-processes: '1'
# This fixes CVE-2022-4886: https://github.com/kubernetes/ingress-nginx/issues/10570
strict-validate-path-type: true
scope:
enabled: false
service:
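Review bot: `strict-validate-path-type: true` is added unquoted directly below `worker-processes: '1'`, whose comment says "Note quotes are necessary."; please confirm whether the same requirement applies to this key and, if it does, write it as `strict-validate-path-type: 'true'`. The test cases in the commit message show that an Ingress with the path /apple$ is rejected once this option is on, so a short line on the impact for existing Ingress objects with such paths would be useful next to the setting.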