Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The validating webhook does not prevent resource creation with invalid annotations #11967

Open
volver-13 opened this issue Sep 12, 2024 · 5 comments · May be fixed by #11968
Open

The validating webhook does not prevent resource creation with invalid annotations #11967

volver-13 opened this issue Sep 12, 2024 · 5 comments · May be fixed by #11968
Assignees
@chengjoey
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@volver-13
Copy link

volver-13 commented Sep 12, 2024
edited
Loading

What happened:

Create the below bad-ingress with nginx.ingress.kubernetes.io/whitelist-source-range annotation set to invalid value 1.1.1.1 2.2.2.2 . Ingress object gets created even though the whitelist-source-range value is incorrect (missing comma between IP addresses)

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1 2.2.2.2
  name: bad-ingress.com
  namespace: default
spec:
  ingressClassName: nginx-public
  rules:
  - host: memoapp.com
    http:
      paths:
      - backend:
          service:
            name: memoapp
            port:
              name: http
        path: /
        pathType: ImplementationSpecific

The behavior is the same regardless of the enableAnnotationValidations value.

Ingress controller fails with the following errors once the resource is created:

ingress-nginx-public-controller-68969c4b6f-xxd8c controller W0912 13:55:00.658197       7 validators.go:237] validation error on ingress default/bad-ingress.com: annotation allowlist-source-range contains invalid value 1.1.1.1 2.2.2.2
ingress-nginx-public-controller-68969c4b6f-xxd8c controller E0912 13:55:00.658231       7 annotations.go:213] "error reading Ingress annotation" err="annotation nginx.ingress.kubernetes.io/whitelist-source-range contains invalid value" name="Allowlist" ingress="default/bad-ingress.com"

What you expected to happen:

Ideally, the validating webhook should reject the creation of this ingress object."

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

NGINX Ingress controller
Release: v1.10.0
Build: 71f78d4
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.25.3

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.5", GitCommit:"804d6167111f6858541cef440ccc53887fbbc96a", GitTreeState:"clean", BuildDate:"2022-12-08T10:15:02Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"28", GitVersion:"v1.28.10", GitCommit:"21be1d76a90bc00e2b0f6676a664bdf097224155", GitTreeState:"clean", BuildDate:"2024-05-22T15:00:24Z", GoVersion:"go1.21.9", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: Azure AKS

  • How was the ingress-nginx-controller installed: ArgoCD deployment (helm chart 4.10.0)
@volver-13 volver-13 added the kind/bug Categorizes issue or PR as related to a bug. label Sep 12, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 12, 2024
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@longwuyuan
Copy link
Contributor

longwuyuan commented Sep 12, 2024
edited
Loading

Its not creating the location block

% k create deploy httpd --image httpd:alpine --port 80
deployment.apps/httpd created
[~] 
% k expose deploy httpd --port 80
service/httpd exposed
[~] 
% k create ing httpd --class nginx --rule httpd.local/"*"=httpd:80 --annotation nginx.ingress.kubernetes.io/whitelist-source-range="1.1.1.1 2.2.2.2"
ingress.networking.k8s.io/httpd created
[~] 
% k describe ing httpd 
Name:             httpd
Labels:           <none>
Namespace:        default
Address:          192.168.49.2
Ingress Class:    nginx
Default backend:  <default>
Rules:
  Host         Path  Backends
  ----         ----  --------
  httpd.local  
               /   httpd:80 (10.244.0.104:80)
Annotations:   nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1 2.2.2.2
Events:
  Type    Reason  Age              From                      Message
  ----    ------  ----             ----                      -------
  Normal  Sync    1s (x2 over 6s)  nginx-ingress-controller  Scheduled for sync

$ kubectl -n ingress-nginx exec ingress-nginx-controller-6494fbd8fb-25r7f -- cat /etc/nginx/nginx.conf | grep -i 1.1.1.1
# Location denied. Reason: "the annotation does not contain a valid IP address or network: invalid CIDR address: 1.1.1.1 2.2.2.2"

@longwuyuan
Copy link
Contributor

longwuyuan commented Sep 12, 2024
edited
Loading

log message ;

E0912 17:31:03.025233 7 annotations.go:216] "error reading Ingress annotation" err="the annotation does not contain a valid IP address or network: invalid CIDR address: 1.1.1.1 2.2.2.2" name="Allowlist" ingress="default/httpd"

@chengjoey
Copy link
Contributor

/assign

@chengjoey chengjoey linked a pull request Sep 13, 2024 that will close this issue
Open
10 tasks
@github-actions GitHub Actions
Copy link

This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.

@github-actions github-actions bot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Oct 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chengjoey chengjoey

Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
[SIG Network] Ingress NGINX
Status: No status
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix ipallowlist parser not handling validation type errors chengjoey/ingress-nginx
4 participants
@volver-13 @longwuyuan @k8s-ci-robot @chengjoey