Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add patch to remove root and alias directives #8624

Merged
merged 1 commit into from
May 24, 2022
Merged

Add patch to remove root and alias directives #8624

merged 1 commit into from
May 24, 2022

Conversation

rikatz
Copy link
Contributor

@rikatz rikatz commented May 24, 2022

Adds a patch to remove root and alias directives.

This directives are not required by Ingress and has been used to explore some reading of sensitive files

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 24, 2022
@k8s-ci-robot
Copy link
Contributor

@rikatz: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 24, 2022
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 24, 2022
tao12345666333
tao12345666333 approved these changes May 24, 2022
View reviewed changes
Copy link
Member

@tao12345666333 tao12345666333 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz, tao12345666333

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 24, 2022
@k8s-ci-robot k8s-ci-robot merged commit cd6f88a into kubernetes:main May 24, 2022
@nhinze23
Copy link

nhinze23 commented Jun 1, 2022

Hey @rikatz,
we extend the ingress nginx image with custom pages (e.g. error page in /var/www/html) and used this root directive to point to those files.
Now this feature is a breaking change for us and we don't know a alternative way for doing such things. Can you give us a hint?
Is this maybe the complete wrong way we are doing?

With best regards

@rikatz
Copy link
Contributor Author

rikatz commented Jun 1, 2022

Can you point me (in Slack) how you've been doing it? Iirc custom errors has its own directives @longwuyuan may know

@longwuyuan
Copy link
Contributor

@nhinze23 , thanks for your update. As @rikatz said, I too feel it will help a lot to see precise details of your extensions. As suggested, you could copy/paste start a thread at https://kubernetes.slack.com in the ingress-nginx-dev channel. Thank you

@bmv126 bmv126 mentioned this pull request Jun 27, 2022
Closed
@JeffParkes JeffParkes mentioned this pull request Jan 13, 2023
Closed
rchshld pushed a commit to joomcode/ingress-nginx that referenced this pull request May 19, 2023
@rikatz @rchshld
Add patch to remove root and alias directives (kubernetes#8624)
6140742
@chapsuk chapsuk mentioned this pull request Aug 18, 2023
Closed
@MatthewKennedy
Copy link

Trying to follow the Nginx guide for service static assets and getting this error when trying to set the root:

`-------------------------------------------------------------------------------
Error: exit status 1
2024/04/30 19:06:40 [emerg] 4403#4403: unknown directive "root" in /tmp/nginx/nginx-cfg4123983271:708
nginx: [emerg] unknown directive "root" in /tmp/nginx/nginx-cfg4123983271:708
nginx: configuration file /tmp/nginx/nginx-cfg4123983271 test failed

-------------------------------------------------------------------------------`

Can anyone point me in the right direction to add that root as suggested by Nginx?

Many thanks.

@rikatz
Copy link
Contributor Author

rikatz commented Apr 30, 2024

We don't support root directive on ingress-nginx :) you are not supposed to serve static files from there.

Instead you should create a backend containing it, and do ingress point to that backend

@longwuyuan longwuyuan mentioned this pull request May 1, 2024
Closed
@zengyuxing007 zengyuxing007 mentioned this pull request Jul 5, 2024
Closed
@clywm520
Copy link

How to instead resolve root or alias

@rikatz
Copy link
Contributor Author

rikatz commented Aug 23, 2024

you don't. These directives assume you want ingress nginx to provide files that are stored locally, which is not the case. ingress-nginx is a proxy and not a webserver on your Kubernetes cluster :)

@lots0logs
Copy link

lots0logs commented Oct 21, 2024
edited
Loading

you don't. These directives assume you want ingress nginx to provide files that are stored locally, which is not the case. ingress-nginx is a proxy and not a webserver on your Kubernetes cluster :)

We actually do serve some files locally from the controller on our cluster. Our cluster consists of just three worker nodes. It has worked well for our use case. Now, we can't update the controller anymore due to this breaking change.

@longwuyuan
Copy link
Contributor

We actually do serve some files locally from the controller on our cluster. Our cluster consists of just three worker nodes. It has worked well for our use case. Now, we can't update the controller anymore due to this breaking change.

@lots0logs unfortunate that you landed in this situation. Ack that it has worked well for you. Hope you can get the full spectrum view of what really is going on. What you expect is helpful but a security flaw. The project is required to ship a controller that is secure out of the box. The choice that the project needs to make is between a relatively secure & stable controller out-of-the-box or a useful-but-insecure-unstable controller.

Hope this clarifies. Regards,

@lots0logs
Copy link

lots0logs commented Oct 21, 2024
edited
Loading

Whether or not it's a security flaw depends on the use case really. The directive didn't have to be completely removed in order to address the security concern. It could have just been disallowed in configuration snippets. That way anyone using a custom nginx config template for the controller could still make use of the directive if they needed.

@rikatz
Copy link
Contributor Author

rikatz commented Oct 21, 2024

Let me try to make it really clear:

Ingress-NGINX is not supposed to be used as a webserver. It is intended to be used as a proxy server. While disabling a directive seems extreme, parsing every configuration snippet to check if a directive is being used or not, and if it is being correctly used or not is expensive, from a perspective of development, time testing, etc.

We cannot afford spending time on every use case where the controller should not be used as it is because it was possible before.

I understand the pain of deprecating such kind of thing, but have in mind that while we are suffering for constant CVEs because of different misusage of ingress controller, we need to focus on the main goal of the project, that is to provide a simple to use (and yet feature complete) Ingress/Proxy for your workloads.

People are more than welcome to fork and build their own ingress-nginx not removing these directives, but this is not going to make us go back and re-add a directive that has no role on proxying connections.

@Falven
Copy link

Falven commented Nov 16, 2024

Whether or not it's a security flaw depends on the use case really. The directive didn't have to be completely removed in order to address the security concern. It could have just been disallowed in configuration snippets. That way anyone using a custom nginx config template for the controller could still make use of the directive if they needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tao12345666333 tao12345666333 tao12345666333 approved these changes

@bowei bowei Awaiting requested review from bowei

Assignees

@tao12345666333 tao12345666333

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@rikatz @k8s-ci-robot @nhinze23 @longwuyuan @MatthewKennedy @clywm520 @lots0logs @Falven @tao12345666333