The validating webhook does not prevent resource creation with invalid annotations

[volver-13]

What happened:

Create the below bad-ingress with nginx.ingress.kubernetes.io/whitelist-source-range annotation set to invalid value 1.1.1.1 2.2.2.2 . Ingress object gets created even though the whitelist-source-range value is incorrect (missing comma between IP addresses)

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1 2.2.2.2
  name: bad-ingress.com
  namespace: default
spec:
  ingressClassName: nginx-public
  rules:
  - host: memoapp.com
    http:
      paths:
      - backend:
          service:
            name: memoapp
            port:
              name: http
        path: /
        pathType: ImplementationSpecific

The behavior is the same regardless of the enableAnnotationValidations value.

Ingress controller fails with the following errors once the resource is created:

ingress-nginx-public-controller-68969c4b6f-xxd8c controller W0912 13:55:00.658197       7 validators.go:237] validation error on ingress default/bad-ingress.com: annotation allowlist-source-range contains invalid value 1.1.1.1 2.2.2.2
ingress-nginx-public-controller-68969c4b6f-xxd8c controller E0912 13:55:00.658231       7 annotations.go:213] "error reading Ingress annotation" err="annotation nginx.ingress.kubernetes.io/whitelist-source-range contains invalid value" name="Allowlist" ingress="default/bad-ingress.com"

What you expected to happen:

Ideally, the validating webhook should reject the creation of this ingress object."

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

NGINX Ingress controller
Release: v1.10.0
Build: 71f78d4
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.25.3

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.5", GitCommit:"804d6167111f6858541cef440ccc53887fbbc96a", GitTreeState:"clean", BuildDate:"2022-12-08T10:15:02Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"28", GitVersion:"v1.28.10", GitCommit:"21be1d76a90bc00e2b0f6676a664bdf097224155", GitTreeState:"clean", BuildDate:"2024-05-22T15:00:24Z", GoVersion:"go1.21.9", Compiler:"gc", Platform:"linux/amd64"}

Environment:

• Cloud provider or hardware configuration: Azure AKS

• How was the ingress-nginx-controller installed: ArgoCD deployment (helm chart 4.10.0)

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[longwuyuan]

Its not creating the location block

% k create deploy httpd --image httpd:alpine --port 80
deployment.apps/httpd created
[~] 
% k expose deploy httpd --port 80
service/httpd exposed
[~] 
% k create ing httpd --class nginx --rule httpd.local/"*"=httpd:80 --annotation nginx.ingress.kubernetes.io/whitelist-source-range="1.1.1.1 2.2.2.2"
ingress.networking.k8s.io/httpd created
[~] 
% k describe ing httpd 
Name:             httpd
Labels:           <none>
Namespace:        default
Address:          192.168.49.2
Ingress Class:    nginx
Default backend:  <default>
Rules:
  Host         Path  Backends
  ----         ----  --------
  httpd.local  
               /   httpd:80 (10.244.0.104:80)
Annotations:   nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1 2.2.2.2
Events:
  Type    Reason  Age              From                      Message
  ----    ------  ----             ----                      -------
  Normal  Sync    1s (x2 over 6s)  nginx-ingress-controller  Scheduled for sync

$ kubectl -n ingress-nginx exec ingress-nginx-controller-6494fbd8fb-25r7f -- cat /etc/nginx/nginx.conf | grep -i 1.1.1.1
# Location denied. Reason: "the annotation does not contain a valid IP address or network: invalid CIDR address: 1.1.1.1 2.2.2.2"

[longwuyuan]

log message ;

E0912 17:31:03.025233 7 annotations.go:216] "error reading Ingress annotation" err="the annotation does not contain a valid IP address or network: invalid CIDR address: 1.1.1.1 2.2.2.2" name="Allowlist" ingress="default/httpd"

[chengjoey]

/assign