A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
This vulnerability has a high impact on clusters where there are strict RBAC rules in place to restrict access for K8s users. For example: A developer with limited K8s access, say access to create ingress in a development namespace, could extract production secrets this way.
The way that ingress-nginx works today however this feature can’t be patched unfortunately. The feature that causes this vulnerability can only be disabled.
Actions to take
We have disabled the allow-snippet-annotations by default and disabled it on the clusters that we know that they are not using snippets.
For existing customers, we have not actively disabled this feature as we don’t want to break any existing functionality.
Please reach out to us if you want to disable this on your cluster(s). However it is important to verify if you don’t have any of the following ingress-nginx snippets in place (we can help with figuring that out with you):
- nginx.ingress.kubernetes.io/auth-snippet
- nginx.ingress.kubernetes.io/configuration-snippet
- nginx.ingress.kubernetes.io/modsecurity-snippet
- nginx.ingress.kubernetes.io/server-snippet
- nginx.ingress.kubernetes.io/stream-snippet