The Kubernetes community recently disclosed the ingress-nginx vulnerability CVE-2021-25748. An attacker who can set specific parameters in the configuration of an Ingress can obtain the credentials of the NGINX Ingress controller. Those credentials can then be used to gain access to all Secrets in the cluster.

CVE-2021-25748 is rated as high severity and its Common Vulnerability Scoring System (CVSS) score is 7.6.

Affected versions

ingress-nginx versions earlier than 1.2.1 are affected by this vulnerability.

This vulnerability is fixed in ingress-nginx 1.2.1.

For more information about this vulnerability, see #8686.

Impacts

Users who have permissions to create or modify Ingresses can use the metadata.annotations field of an Ingress in the networking.k8s.io or extensions API group to obtain the credentials of the NGINX Ingress controller. The credentials can be used to access the API server of the cluster and gain access to all Secrets in the cluster.

Mitigation

Solution 1

  1. Run the following command to modify the nginx-configuration ConfigMap in the kube-system namespace:
     kubectl edit configmap -n kube-system nginx-configuration
  2. Add the annotation-value-word-blocklist key to the data section of the ConfigMap. Annotation values that contain any of the listed words are rejected by the controller.
     For more information, see annotation-value-word-blocklist.
     data:
       annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""
  3. Restart the pods that are provisioned for the NGINX Ingress controller so that the new configuration takes effect.

Solution 2

Use the policy governance feature of Container Service for Kubernetes (ACK) to deploy the ACKCheckNginxAnnotation policy. This allows you to deny Ingress modification requests that contain risky configurations. For more information, see Configure and enforce ACK pod security policies and Predefined security policies of ACK.
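
As an added example (not code from this advisory, from ACK, or from ingress-nginx), the Python below applies the blocklist from Solution 1 to an Ingress manifest the way an admission check such as the policy in Solution 2 would, and classifies an ingress-nginx version tag against the 1.2.1 fix. Plain substring matching, the nginx.ingress.kubernetes.io/ annotation prefix and the sample manifest are assumptions made for the example.

```python
import re

# Blocklist value taken from the advisory's ConfigMap example.
BLOCKLIST_RAW = 'load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\',"'
FIXED_VERSION = (1, 2, 1)  # ingress-nginx release that fixes CVE-2021-25748
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"  # assumed controller annotation prefix

def parse_blocklist(raw):
    """Split the comma-separated ConfigMap value into non-empty words."""
    return [w.strip() for w in raw.split(",") if w.strip()]

def find_blocked_annotations(ingress, blocklist):
    """Return {annotation key: [matched words]} for controller annotations whose
    value contains a blocklisted word (substring matching is assumed here)."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    hits = {}
    for key, value in annotations.items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue  # only controller annotations end up in the NGINX config
        matched = [w for w in blocklist if w in str(value)]
        if matched:
            hits[key] = matched
    return hits

def parse_version(tag):
    """Parse image tags such as 'v1.2.1' or 'v0.49.3' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised ingress-nginx version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(tag):
    """True when the controller version is earlier than the 1.2.1 fix."""
    return parse_version(tag) < FIXED_VERSION

# Constructed sample manifest (not from the advisory): one snippet contains "root".
SAMPLE_INGRESS = {
    "metadata": {
        "name": "demo",
        "annotations": {
            "nginx.ingress.kubernetes.io/rewrite-target": "/",
            "nginx.ingress.kubernetes.io/configuration-snippet": "root /var/www;",
            "example.com/owner": "team-a",  # not a controller annotation, ignored
        },
    },
}

if __name__ == "__main__":
    for key, words in find_blocked_annotations(SAMPLE_INGRESS, parse_blocklist(BLOCKLIST_RAW)).items():
        print(f"DENY {key}: contains {words}")
```

Run against real manifests by loading them with a YAML parser and passing the resulting dict to find_blocked_annotations; a non-empty result is the signal to reject the request.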

Solution 3

Revoke the permissions to create and modify Ingresses from Alibaba Cloud accounts other than administrator accounts.

Fixes

Check the release notes of the NGINX Ingress controller and update the controller to a fixed version at the earliest opportunity. For more information about the release notes of the NGINX Ingress controller, see Nginx Ingress Controller.