Merge "Mitigate CVE-2022-4886 and CVE-2023-5044"

2023-11-16 21:55:59 +00:00 · 2023-11-16 21:55:59 +00:00 · d90689df7f
commit d90689df7f
parent 556c6a09e2 462d728eb8
1 changed files with 4 additions and 0 deletions
--- a/stx-nginx-ingress-controller-helm/stx-nginx-ingress-controller-helm/fluxcd-manifests/ingress-nginx/ingress-nginx-static-overrides.yaml
+++ b/stx-nginx-ingress-controller-helm/stx-nginx-ingress-controller-helm/fluxcd-manifests/ingress-nginx/ingress-nginx-static-overrides.yaml
@ -6,6 +6,8 @@

 imagePullSecrets: [{"name": "default-registry-key"}]
 controller:
+  # This fixes CVE-2023-5044: https://github.com/kubernetes/ingress-nginx/issues/10572
+  enableAnnotationValidations: true
  kind: DaemonSet
  image:
    # cleans the default digest value since sysinv changes the digest when pushing the image to the local registry
@ -23,6 +25,8 @@ controller:
    # See https://bugs.launchpad.net/starlingx/+bug/1823803
    # Note quotes are necessary.
    worker-processes: '1'
+    # This fixes CVE-2022-4886: https://github.com/kubernetes/ingress-nginx/issues/10570
+    strict-validate-path-type: true
  scope:
    enabled: false
  service: