
Enable security features by default #11819

Merged (1 commit), Aug 23, 2024

Conversation

rikatz (Contributor) commented Aug 18, 2024

What this PR does / why we need it:

This PR:

  • Lowers the acceptable annotation risk from Critical to High
  • Disables cross namespace consumption
  • Enables strict path validation

Also makes validation enabled by default

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • CVE Report (Scanner found CVE and adding report)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation only

@k8s-ci-robot k8s-ci-robot requested a review from puerco August 18, 2024 19:06
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/helm Issues or PRs related to helm charts approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority labels Aug 18, 2024
netlify bot commented Aug 18, 2024

Deploy Preview for kubernetes-ingress-nginx canceled. Latest commit 771614f; deploy log: https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/66c29aafb403c10008db347a

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 18, 2024
@rikatz rikatz force-pushed the breaking-changes-for-112 branch from 3de00d7 to df1a115 on August 18, 2024 20:23
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 18, 2024
aojea (Member) commented Aug 18, 2024

/priority critical-important
/assign @aojea
/cc @robscott

k8s-ci-robot (Contributor) commented

@aojea: The label(s) priority/critical-important cannot be applied, because the repository doesn't have them.

In response to this:

/priority critical-important
/assign @aojea
/cc @robscott

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot requested a review from robscott August 18, 2024 21:25
@rikatz rikatz force-pushed the breaking-changes-for-112 branch 4 times, most recently from dc9222b to 427baf8 on August 18, 2024 23:28
aojea (Member) commented Aug 19, 2024

/priority critical-urgent

for context kubernetes/kubernetes#126744 and

https://www.cvedetails.com/vulnerability-list/vendor_id-15867/product_id-94170/Kubernetes-Ingress-nginx.html

The proliferation of annotations and the complexity of sanitizing the inputs is causing a lot of damage to the security reputation of the project. We should aim for a secure-by-default setup that does not put non-advanced users at risk.

@k8s-ci-robot k8s-ci-robot added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. and removed needs-priority labels Aug 19, 2024
Gacko (Member) commented Aug 20, 2024

Actually there might be more to enable by default, like strict path type checking. I'm currently on vacation, but I'll try to contribute here in the next days.

longwuyuan (Contributor) commented

/triage accepted
/kind bug

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. kind/bug Categorizes issue or PR as related to a bug. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Aug 20, 2024
aojea (Member) commented Aug 20, 2024

/assign @kubernetes/ingress-nginx-maintainers

rikatz (Contributor, Author) commented Aug 20, 2024 via email

longwuyuan (Contributor) commented

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 23, 2024
k8s-ci-robot (Contributor) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: longwuyuan, rikatz


@k8s-ci-robot k8s-ci-robot merged commit 7b4e4e2 into kubernetes:main Aug 23, 2024
27 checks passed
Gacko (Member) commented Aug 24, 2024

The changes in the chart in conjunction with those in the controller effectively break the flag. Before, you could opt in to annotation validation by enabling the flag in the chart; now, if you disable it, nothing happens, as we do not pass false to the controller in the deployment.

I'll create a follow-up PR to fix this.
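The PR description above flips controller defaults (annotation validation on, accepted annotation risk lowered from Critical to High, cross-namespace consumption off, strict path validation on), and the comment above explains why a chart template that only emits a flag when its value is true stops working once the controller default itself becomes true. The following Go program is an added example, not ingress-nginx or chart code: it models both points with Go's standard flag package standing in for the controller's own flag parsing. The flag name `--enable-annotation-validation`, the ConfigMap keys `annotations-risk-level`, `strict-validate-path-type` and `allow-cross-namespace-resources`, and the default values are assumptions drawn from the PR text, not verified against the repository.

```go
package main

import (
	"flag"
	"fmt"
	"strings"
)

// Assumed post-PR defaults; key names are taken from the PR text, not verified.
const (
	defaultRiskLevel = "High"
)

// Posture is the effective security-relevant configuration of one controller.
type Posture struct {
	AnnotationValidation bool
	RiskLevel            string
	StrictPathType       bool
	AllowCrossNamespace  bool
}

// chartArgsOld models the chart right after this PR merged: the flag is emitted
// only when the value is true, so false emits nothing and the controller keeps
// its (now true) default.
func chartArgsOld(enable bool) []string {
	if enable {
		return []string{"--enable-annotation-validation"}
	}
	return nil
}

// chartArgsFixed always passes an explicit value, which the follow-up fix needs.
func chartArgsFixed(enable bool) []string {
	return []string{fmt.Sprintf("--enable-annotation-validation=%t", enable)}
}

// effectivePosture resolves container args against the controller defaults and
// overlays the ConfigMap keys. Go's standard flag package stands in for the
// controller's parser; what matters is that "--x" is true, "--x=false" is
// false, and an absent flag is the default.
func effectivePosture(args []string, cm map[string]string) (Posture, error) {
	fs := flag.NewFlagSet("controller", flag.ContinueOnError)
	enable := fs.Bool("enable-annotation-validation", true, "")
	if err := fs.Parse(args); err != nil {
		return Posture{}, err
	}
	p := Posture{AnnotationValidation: *enable, RiskLevel: defaultRiskLevel, StrictPathType: true}
	if v, ok := cm["annotations-risk-level"]; ok {
		p.RiskLevel = v
	}
	if v, ok := cm["strict-validate-path-type"]; ok {
		p.StrictPathType = v == "true"
	}
	if v, ok := cm["allow-cross-namespace-resources"]; ok {
		p.AllowCrossNamespace = v == "true"
	}
	return p, nil
}

// Findings lists every setting weaker than the post-PR defaults.
func Findings(p Posture) []string {
	var out []string
	if !p.AnnotationValidation {
		out = append(out, "annotation validation is disabled")
	}
	if strings.EqualFold(p.RiskLevel, "Critical") {
		out = append(out, "annotations-risk-level=Critical accepts the riskiest annotations")
	}
	if !p.StrictPathType {
		out = append(out, "strict-validate-path-type=false")
	}
	if p.AllowCrossNamespace {
		out = append(out, "allow-cross-namespace-resources=true")
	}
	return out
}

func main() {
	// Constructed inputs: a ConfigMap still carrying pre-PR values, and a chart
	// user who set the chart's validation toggle to false.
	legacyCM := map[string]string{"annotations-risk-level": "Critical", "allow-cross-namespace-resources": "true"}
	for _, args := range [][]string{chartArgsOld(false), chartArgsFixed(false)} {
		p, err := effectivePosture(args, legacyCM)
		if err != nil {
			panic(err)
		}
		fmt.Printf("args=%v validation=%t findings=%q\n", args, p.AnnotationValidation, Findings(p))
	}
}
```

With the old template, `chartArgsOld(false)` yields no argument at all, so the controller parses an empty argument list and reports validation as enabled; only the explicit `--enable-annotation-validation=false` form reaches the controller. The same "absent means default" rule is why a ConfigMap that predates the PR and still says `annotations-risk-level: Critical` keeps the weaker setting after an upgrade, which is what the audit in `Findings` surfaces.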

Gacko (Member) commented Aug 24, 2024

Also we forgot to update the help text in flags.go.
