Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Link configuration snippet to allow-snippet-annotations #10456

Merged
merged 1 commit into from
Sep 28, 2023
Merged

Link configuration snippet to allow-snippet-annotations #10456

merged 1 commit into from
Sep 28, 2023

Conversation

StefanLobbenmeierObjego
Copy link
Contributor

@StefanLobbenmeierObjego StefanLobbenmeierObjego commented Sep 28, 2023
edited
Loading

What this PR does / why we need it:

Reduces confusion caused by breaking change in #10393

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • CVE Report (Scanner found CVE and adding report)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation only

Which issue/s this PR fixes

How Has This Been Tested?

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have added unit and/or e2e tests to cover my changes.
  • All new and existing tests passed.

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Sep 28, 2023
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: StefanLobbenmeierObjego / name: Stefan Lobbenmeier (03fbf16)

@netlify
Copy link

netlify bot commented Sep 28, 2023
edited
Loading

Deploy Preview for kubernetes-ingress-nginx ready!

Name Link
🔨 Latest commit 03fbf16
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/65153fb688bbaf0008755708
😎 Deploy Preview https://deploy-preview-10456--kubernetes-ingress-nginx.netlify.app/user-guide/nginx-configuration/annotations
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@k8s-ci-robot k8s-ci-robot added area/docs needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 28, 2023
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot
Copy link
Contributor

Welcome @StefanLobbenmeierObjego!

It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-nginx has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Sep 28, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @StefanLobbenmeierObjego. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Sep 28, 2023
strongjz
strongjz approved these changes Sep 28, 2023
View reviewed changes
Copy link
Member

@strongjz strongjz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 28, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: StefanLobbenmeierObjego, strongjz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 28, 2023
@k8s-ci-robot k8s-ci-robot merged commit e2ee334 into kubernetes:main Sep 28, 2023
8 checks passed
@StefanLobbenmeierObjego
Copy link
Contributor Author

For some reason the link worked fine in the preview but seems to be broken now in the documentation. Not sure if something else broke it or I messed up the syntax?

StefanLobbenmeierObjego added a commit to StefanLobbenmeierObjego/ingress-nginx that referenced this pull request Sep 28, 2023
@StefanLobbenmeierObjego
Fix link from kubernetes#10456
2e82d75
@StefanLobbenmeierObjego
Copy link
Contributor Author

I am guessing it was the extra /, removed it now. Sorry for the hassle.

k8s-ci-robot pushed a commit that referenced this pull request Sep 28, 2023
@StefanLobbenmeierObjego
Fix link from #10456 (#10458)
ae86c07
@smanghi1
Copy link

hi @strongjz
i have a query regarding this change #10393, we recently did a big jump from v1.5.1 to v1.10.0.. don't see any issues till now. We added allow-snippet-annotations: true in our config map.. can we expect any vulnerability or security risk if we enable this flag?

@StefanLobbenmeierObjego
Copy link
Contributor Author

StefanLobbenmeierObjego commented Apr 3, 2024
edited
Loading

can we expect any vulnerability or security risk if we enable this flag?

if you accept an inofficial answer - here is my take. allow-snippet-annotations is security relevant for multi tenant clusters

Basically if you know everyone that changes deployments to the cluster or have an approval process for it, you should be good. If you have random people changing the deployments, then they can change more via the snippet annotation that you might want. Not sure how much we are talking about, but I would expect that they can change the whole config file via this annotation.

in other words, it can give you more access to the cluster if you can already deploy and you can get more permissions. But for single tenant cluster if someone can deploy to your cluster that you do not trust you are pwned anyway.

That being said, take a look at the snippet annotations you currently have. It might be easy to migrate them away from snippets by replacing it with dedicated annotations. If you have snippets that you cannot migrate away from, I suggest you open an issue with those snippets to get further support.

(e.g. in our case we had this snippet which is trivial to replace but we did not replace it because it is not in this list: https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/)

     nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Script-Name /pgadmin;

@strongjz
Copy link
Member

strongjz commented Apr 3, 2024
edited
Loading

The reason we implemented this kubernetes/kubernetes#126811

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@strongjz strongjz strongjz approved these changes

@puerco puerco Awaiting requested review from puerco

@tao12345666333 tao12345666333 Awaiting requested review from tao12345666333

Assignees

@strongjz strongjz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/docs cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@StefanLobbenmeierObjego @k8s-ci-robot @smanghi1 @strongjz