Prevent NGINX Ingress annotation snippets which contain LUA code execution

Error: NGINX Ingress annotation snippets contain LUA code execution

Bridgecrew Policy ID: BC_K8S_108
Checkov Check ID: CKV_K8S_152
Severity: LOW

NGINX Ingress annotation snippets contain LUA code execution

Description

Allowing custom snippet annotations in ingress-nginx enables a user, who can create or update ingress objects, to obtain all secrets in the cluster. To still allow users leveraging the snippet feature it is recommend to remove any usage of LUA code.

Learn more around CVE-2021-25742

Fix - Buildtime

Kubernetes

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
-     lua_package_path  "/etc/nginx/lua/?.lua;;";
      location / {
        return 200 'OK';
      }
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - http:    
    paths:      
      - path: /exp        
        pathType: Prefix        
        backend:          
          service:            
            name: some-service            
            port:              
              number: 1234

Updated 2 months ago