Prevent NGINX Ingress annotation snippets which contain alias statements

Error: NGINX Ingress annotation snippets contain alias statements

Bridgecrew Policy ID: BC_K8S_110
Checkov Check ID: CKV_K8S_154
Severity: LOW

NGINX Ingress annotation snippets contain alias statements

Description

Allowing custom snippet annotations in ingress-nginx enables a user who can create or update Ingress objects to obtain all secrets in the cluster. To still allow users to leverage the snippet feature, it is recommended to remove any usage of alias.

Learn more about CVE-2021-25742

Fix - Buildtime

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: developer
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/server-snippet: |
      location ^~ "/test" {
        default_type 'text/plain';
-       alias /var/run;
      }
spec:
  rules:
  - http:
      paths:
        - path: /test
          pathType: Prefix
          backend:
            service:
              name: web
              port:
                number: 8080
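The following Python is an added example that mirrors the intent of this policy; it is not Checkov's implementation and not part of the original page. It takes an already-parsed Ingress manifest (constructed inline as a dict, so no YAML library is needed), scans every nginx.ingress.kubernetes.io/*-snippet annotation for an alias directive, and reports the offending annotation keys while ignoring commented-out lines.

```python
"""Flag `alias` directives in ingress-nginx snippet annotations (added example
in the spirit of CKV_K8S_154; not Checkov's own code). Manifests are plain dicts."""
import re

SNIPPET_PREFIX = "nginx.ingress.kubernetes.io/"
# `alias` must open a statement (line start or after ; { }) and end at `;`,
# so words such as "aliases" inside a path do not trigger a finding.
ALIAS_DIRECTIVE = re.compile(r"(?:^|[;{}])\s*alias\s+[^;]*;", re.MULTILINE)


def _strip_comments(snippet: str) -> str:
    """Drop `# ...` text so a commented-out alias is not reported."""
    return "\n".join(line.split("#", 1)[0] for line in snippet.splitlines())


def find_alias_snippets(manifest: dict) -> list:
    """Return snippet annotation keys whose body contains an alias directive."""
    if manifest.get("kind") != "Ingress":
        return []
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    return [
        key
        for key, value in annotations.items()
        if key.startswith(SNIPPET_PREFIX) and key.endswith("-snippet")
        and ALIAS_DIRECTIVE.search(_strip_comments(str(value)))
    ]


def make_ingress(snippet: str) -> dict:
    """Constructed minimal Ingress carrying one server-snippet annotation."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": "example-ingress",
            "annotations": {
                "kubernetes.io/ingress.class": "nginx",
                "nginx.ingress.kubernetes.io/server-snippet": snippet,
            },
        },
    }


# The page's failing snippet, and the same block with the alias line removed.
FAILING_INGRESS = make_ingress(
    'location ^~ "/test" {\n  default_type \'text/plain\';\n  alias /var/run;\n}\n'
)
PASSING_INGRESS = make_ingress('location ^~ "/test" {\n  default_type \'text/plain\';\n}\n')
```

Calling `find_alias_snippets(FAILING_INGRESS)` returns the server-snippet key, while the corrected manifest returns an empty list; comment stripping is line-based, so a `#` inside a quoted NGINX string would also cut the rest of that line.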