Prevent NGINX Ingress annotation snippets which contain alias statements
Error: NGINX Ingress has annotation snippets which contain alias statements
Bridgecrew Policy ID: BC_K8S_110
Checkov Check ID: CKV_K8S_154
Severity: LOW
Description
Allowing custom snippet annotations in ingress-nginx enables a user who can create or update Ingress objects to obtain all secrets in the cluster. To keep the snippet feature available to users, it is recommended to remove any usage of alias.
Learn more about CVE-2021-25742
Fix - Buildtime
Kubernetes
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: developer
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/server-snippet: |
      location ^~ "/test" {
        default_type 'text/plain';
-        alias /var/run;
      }
spec:
  rules:
  - http:
      paths:
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 8080
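The same condition can be checked on a parsed manifest before it is applied. The following is an added example, not Checkov's or Bridgecrew's implementation: the function names are hypothetical, the sample Ingress objects are constructed from the manifest above, and it assumes every ingress-nginx annotation ending in "-snippet" carries raw NGINX configuration.

```python
import re

# Assumption: every ingress-nginx annotation whose name ends in "-snippet" carries raw NGINX config.
SNIPPET_KEY = re.compile(r"^nginx\.ingress\.kubernetes\.io/.+-snippet$")
# Quoted strings and comments are blanked first so their contents are never read as directives.
QUOTED_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*')

def directives(snippet):
    """Yield the name (first word) of each NGINX directive or block in a snippet."""
    text = QUOTED_OR_COMMENT.sub(" ", snippet)
    for chunk in re.split(r"[;{}]", text):
        words = chunk.split()
        if words:
            yield words[0]

def alias_snippet_annotations(ingress):
    """Return the snippet annotation keys of an Ingress (parsed to a dict) that use `alias`."""
    annotations = (ingress.get("metadata") or {}).get("annotations") or {}
    return sorted(
        key for key, value in annotations.items()
        if SNIPPET_KEY.match(key) and "alias" in directives(str(value))
    )

def make_ingress(server_snippet):
    """Constructed sample: the example Ingress above with a given server-snippet."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": "example-ingress",
            "namespace": "developer",
            "annotations": {
                "kubernetes.io/ingress.class": "nginx",
                "nginx.ingress.kubernetes.io/server-snippet": server_snippet,
            },
        },
    }

FAILING = make_ingress('location ^~ "/test" {\n  default_type \'text/plain\';\n  alias /var/run;\n}\n')
PASSING = make_ingress('location ^~ "/test" {\n  default_type \'text/plain\';\n}\n')
# "alias" only inside a comment and a quoted string: not a directive, so not reported.
BENIGN = make_ingress('# alias /var/run;\nadd_header X-Note "no; alias /here";\n')

if __name__ == "__main__":
    for name, ing in (("failing", FAILING), ("passing", PASSING), ("benign", BENIGN)):
        print(name, alias_snippet_annotations(ing))
```

Matching on the directive name rather than the substring "alias" avoids flagging comments, quoted strings, and paths that merely contain the word.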