Prevent NGINX Ingress annotation snippets which contain LUA code execution
Error: NGINX Ingress annotation snippets contain LUA code execution
Bridgecrew Policy ID: BC_K8S_108
Checkov Check ID: CKV_K8S_152
Severity: LOW
NGINX Ingress annotation snippets contain LUA code execution
Description
Allowing custom snippet annotations in ingress-nginx enables a user who can create or update Ingress objects to obtain all secrets in the cluster. To still allow users to use the snippet feature, it is recommended to remove any usage of Lua code.
Learn more about CVE-2021-25742
Fix - Buildtime
Kubernetes
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
-      lua_package_path "/etc/nginx/lua/?.lua;;";
      location / {
        return 200 'OK';
      }
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - http:
      paths:
      - path: /exp
        pathType: Prefix
        backend:
          service:
            name: some-service
            port:
              number: 1234
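One way to audit Ingress objects for the condition this policy describes, as an added example that is not Checkov's own implementation of CKV_K8S_152. It assumes the default nginx.ingress.kubernetes.io annotation prefix and input shaped like a Kubernetes List of Ingress objects; the function name, the regular expressions and the sample objects are constructed for illustration.

```python
import re

# Assumption: the controller uses the default annotation prefix, and every
# "<prefix>/*-snippet" annotation is treated as a snippet.
SNIPPET_KEY = re.compile(r"^nginx\.ingress\.kubernetes\.io/[a-z-]*snippet$")
# lua-nginx-module directives either start with "lua_" or contain "_by_lua".
# Commented-out directives are flagged too, so the check fails closed.
LUA_DIRECTIVE = re.compile(r"\b(lua_[a-z_]+|[a-z_]+_by_lua(?:_block|_file)?)\b")

def find_lua_snippets(ingresses):
    """Return (namespace, name, annotation, directive) for each Lua directive."""
    findings = []
    # Accept either a List object or a single Ingress.
    for item in ingresses.get("items", [ingresses]):
        meta = item.get("metadata") or {}
        for key, value in (meta.get("annotations") or {}).items():
            if not SNIPPET_KEY.match(key) or not isinstance(value, str):
                continue
            for match in LUA_DIRECTIVE.finditer(value):
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name"), key, match.group(1)))
    return findings

PREFIX = "nginx.ingress.kubernetes.io/"
# Constructed sample: the first object mirrors the manifest above, the others
# cover a *_by_lua_block directive, a clean snippet and missing annotations.
SAMPLE = {"kind": "List", "items": [
    {"metadata": {"namespace": "web", "name": "app-ingress", "annotations": {
        PREFIX + "server-snippet":
            'lua_package_path "/etc/nginx/lua/?.lua;;";\n'
            "location / {\n  return 200 'OK';\n}\n",
        "kubernetes.io/ingress.class": "nginx"}}},
    {"metadata": {"namespace": "api", "name": "api-ingress", "annotations": {
        PREFIX + "configuration-snippet":
            "content_by_lua_block {\n  ngx.say('hello')\n}\n"}}},
    {"metadata": {"namespace": "web", "name": "static-ingress", "annotations": {
        PREFIX + "server-snippet": "location / {\n  return 200 'OK';\n}\n"}}},
    {"metadata": {"namespace": "web", "name": "plain-ingress",
                  "annotations": None}},
]}

if __name__ == "__main__":
    for ns, name, key, directive in find_lua_snippets(SAMPLE):
        print(f"FAIL {ns}/{name}: {key} uses {directive}")
```

To audit a running cluster, pass the parsed output of `kubectl get ingress -A -o json` to `find_lua_snippets` in place of the sample.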