I have bumped into problems after an update of our nginx ingress from version 1.11.5 (helm chart version 4.11.5) to 1.12.2 (helm chart version 4.12.2).

Basically I have an ingress that is working with nginx 1.11.5 and prior versions without any problems (see template below), but when I upgrade it, I am only getting 404s from the ingress. When I remove the configuration-snippet annotation from the ingress template entirely, the webpage is displayed, but it has the wrong ContentSecurityPolicy header because this header is also specified globally via controller.addHeaders.

I know that there were significant changes in order to fix these CVEs: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513 and CVE-2025-24514 (https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1), so this is probably related to that.

In order to upgrade to 1.11.5 previously I had to enable controller.allowSnippetAnnotations, so for the 1.12.2 upgrade this value is also set up:

controller.allowSnippetAnnotations: true

How can I enable the *-snippet annotations again? Is it even possible due to the security related changes? Or is there any better way to specify headers?

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers ContentSecurityPolicy "default-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.pendo.io https://*.storage.googleapis.com; img-src 'self' https://*.pendo.io data:;frame-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.pendo.io https://*.storage.googleapis.com blob: data:;object-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.pendo.io https://*.storage.googleapis.com blob: data:;"
      more_set_headers "Cache-Control: no-store";
    nginx.ingress.kubernetes.io/cors-allow-credentials: "false"
    nginx.ingress.kubernetes.io/cors-allow-headers: Authorization, Content-Type
    nginx.ingress.kubernetes.io/cors-allow-methods: GET, POST, PUT, DELETE, OPTIONS
    nginx.ingress.kubernetes.io/cors-allow-origin: https://<host>,:3000
    nginx.ingress.kubernetes.io/cors-max-age: "3600"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
    nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.org/proxy-pass-headers: IDAM_USER,IDAM-USER
    nginx.org/server-tokens: "False"
  labels:
    app: <release-name>
    app.kubernetes.io/managed-by: Helm
  name: <release-name>
  namespace: <namespace>
spec:
  ingressClassName: <ingressclass-name>
  rules:
  - host: <host>
    http:
      paths:
      - backend:
          service:
            name: <release-name>
            port:
              number: 80
        path: /(.*)
        pathType: Prefix
  tls:
  - hosts:
    - <host>
    secretName: <secret-name>
```