Hello Kubernetes Community,
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2021-25742.
This bug affects ingress-nginx.
Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
This issue cannot be fixed solely by upgrading ingress-nginx. It can be mitigated in the following versions:
To mitigate this vulnerability:
Upgrade to a version that allows mitigation, (>= v0.49.1 or >= v1.0.1)
Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx:
Static Deploy Files
Edit the ConfigMap for ingress-nginx after deployment
kubectl edit configmap -n ingress-nginx ingress-nginx-controller
More information on the ConfigMap here
Deploying Via Helm
Set controller.allowSnippetAnnotations to false in the Values.yaml or add the directive to the helm deploy:
helm install [RELEASE_NAME] --set controller.allowSnippetAnnotations=false ingress-nginx/ingress-nginx
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
See ingress-nginx Issue #7837 for more details.
This vulnerability was reported by Mitch Hulscher.
CJ Cullen on behalf of the Kubernetes Security Response Committee