Prevent All NGINX Ingress annotation snippets
Error: NGINX Ingress has annotation snippets
Bridgecrew Policy ID: BC_K8S_109
Checkov Check ID: CKV_K8S_153
Severity: LOW
Description
Allowing custom snippet annotations in ingress-nginx lets any user who can create or update Ingress objects obtain all secrets in the cluster. The safest approach is to disallow annotation snippets entirely.
Learn more about CVE-2021-25742
Fix - Buildtime
Kubernetes
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
-    nginx.ingress.kubernetes.io/server-snippet: |
-      location / {
-        return 200 'OK';
-      }
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - http:
      paths:
      - path: /exp
        pathType: Prefix
        backend:
          service:
            name: some-service
            port:
              number: 1234
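An added example, not Checkov's or Bridgecrew's own code: a minimal check in the spirit of this policy that flags Ingress objects carrying ingress-nginx snippet annotations in JSON such as the output of `kubectl get ingress -A -o json`. The `-snippet` suffix match, the function names and the sample manifest are assumptions constructed for illustration.

```python
import json

NGINX_PREFIX = "nginx.ingress.kubernetes.io/"

# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "Ingress",
         "metadata": {"name": "app-ingress", "namespace": "default",
                      "annotations": {
                          NGINX_PREFIX + "server-snippet":
                              "location / {\n  return 200 'OK';\n}\n",
                          "kubernetes.io/ingress.class": "nginx"}}},
        {"kind": "Ingress",
         "metadata": {"name": "clean-ingress", "namespace": "default",
                      "annotations": {"kubernetes.io/ingress.class": "nginx"}}},
        {"kind": "Ingress", "metadata": {"name": "no-annotations"}},
        {"kind": "Service", "metadata": {"name": "some-service"}},
    ],
})


def snippet_annotations(obj):
    """Return sorted ingress-nginx '*-snippet' annotation keys on one object."""
    # `annotations` may be absent or null in real manifests.
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    return sorted(k for k in annotations
                  if k.startswith(NGINX_PREFIX) and k.endswith("-snippet"))


def find_violations(manifest_json):
    """Map 'namespace/name' to the snippet annotations found on each Ingress."""
    doc = json.loads(manifest_json)
    # Accept either a kubectl List or a single object.
    items = (doc.get("items") or []) if doc.get("kind") == "List" else [doc]
    violations = {}
    for item in items:
        if item.get("kind") != "Ingress":
            continue  # only Ingress objects are in scope for this policy
        keys = snippet_annotations(item)
        if keys:
            meta = item.get("metadata") or {}
            ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
            violations[ident] = keys
    return violations


if __name__ == "__main__":
    for ident, keys in find_violations(SAMPLE).items():
        print(f"FAIL {ident}: {', '.join(keys)}")
```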