Prevent All NGINX Ingress annotation snippets

Error: NGINX Ingress has annotation snippets

Bridgecrew Policy ID: BC_K8S_109
Checkov Check ID: CKV_K8S_153
Severity: LOW

NGINX Ingress has annotation snippets

Description

Allowing custom snippet annotations in ingress-nginx enables a user, who can create or update ingress objects, to obtain all secrets in the cluster. The safest way is to disallow any usage of annotation snippets.

Learn more around CVE-2021-25742

Fix - Buildtime

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:  
-   nginx.ingress.kubernetes.io/server-snippet: |
-     location / {
-       return 200 'OK';
-     }
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - http:    
    paths:      
      - path: /exp        
        pathType: Prefix        
        backend:          
          service:            
            name: some-service            
            port:              
              number: 1234