Security: Follow-up on recent changes. (#11874)
parent bde6a6bc3e
commit e9f6c8e8f2
8 changed files with 19 additions and 27 deletions
@ -29,9 +29,9 @@ The following table shows a configuration option's name, type, and the default v
|:--------------------------------------------------------------------------------|:-------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------|
| [add-headers](#add-headers) | string | "" | |
| [allow-backend-server-header](#allow-backend-server-header) | bool | "false" | |
| [allow-cross-namespace-resources](#allow-cross-namespace-resources) | bool | "true" | |
| [allow-cross-namespace-resources](#allow-cross-namespace-resources) | bool | "false" | |
| [allow-snippet-annotations](#allow-snippet-annotations) | bool | "false" | |
| [annotations-risk-level](#annotations-risk-level) | string | Critical | |
| [annotations-risk-level](#annotations-risk-level) | string | High | |
| [annotation-value-word-blocklist](#annotation-value-word-blocklist) | string array | "" | |
| [hide-headers](#hide-headers) | string array | empty | |
| [access-log-params](#access-log-params) | string | "" | |
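Review bot: the `allow-cross-namespace-resources` row flips its default from "true" to "false" and `annotations-risk-level` from Critical to High, so this is a behaviour-changing upgrade for clusters whose Ingresses use the annotations listed further down (`auth-secret`, `auth-tls-secret`, `proxy-ssl-secret` and the others) to reference another namespace; those will stop working as before unless the operator opts back in. The description column of both rows is empty here; suggest using it (or the release notes) to state how to keep the previous behaviour explicitly, e.g. `allow-cross-namespace-resources: "true"` and `annotations-risk-level: Critical` in the ConfigMap, so the tightening is a conscious decision rather than a surprise on upgrade.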
@ -221,7 +221,7 @@ The following table shows a configuration option's name, type, and the default v
| [service-upstream](#service-upstream) | bool | "false" | |
| [ssl-reject-handshake](#ssl-reject-handshake) | bool | "false" | |
| [debug-connections](#debug-connections) | []string | "127.0.0.1,1.1.1.1/24" | |
| [strict-validate-path-type](#strict-validate-path-type) | bool | "false" (v1.7.x) | |
| [strict-validate-path-type](#strict-validate-path-type) | bool | "true" | |
| [grpc-buffer-size-kb](#grpc-buffer-size-kb) | int | 0 | |

## add-headers
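Review bot: the removed default carried a version qualifier, `"false" (v1.7.x)`, and the replacement row is just `"true"`, so a reader can no longer tell from which release the stricter default applies. Suggest keeping a version note on the new value (or in the `strict-validate-path-type` section below), because with strict validation on by default, `Exact` and `Prefix` paths that do not start with "/" or that contain regex characters will fail validation after the upgrade, and operators planning a rollout need to know which release introduced that.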
@ -234,18 +234,16 @@ Enables the return of the header Server from the backend instead of the generic

## allow-cross-namespace-resources

Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ true
Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ false

**Annotations that may be impacted with this change**:

* `auth-secret`
* `auth-proxy-set-header`
* `auth-tls-secret`
* `fastcgi-params-configmap`
* `proxy-ssl-secret`


**This option will be defaulted to false in the next major release**

## allow-snippet-annotations

Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `false`
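Review bot: the only change to the description line is the default value, yet the sentence itself is ungrammatical ("consume cross namespace resource on annotations, when was previously enabled ."); since the line is being touched anyway, suggest rewriting it so that it says what the option does and what a user sees when it is off, e.g. "Allows annotations to reference resources (such as Secrets and ConfigMaps) in a namespace other than the Ingress's own. _**default:**_ `false`" followed by a sentence stating whether an annotation that points at another namespace is ignored or causes the Ingress to be rejected when the option is disabled. Also write the default as `false` in backticks, as the `allow-snippet-annotations` line below does. Dropping the "will be defaulted to false in the next major release" note is right now that the default is false.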
@ -253,15 +251,13 @@ Enables Ingress to parse and add *-snippet annotations/directives created by the
Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this
may allow a user to add restricted configurations to the final nginx.conf file

**This option will be defaulted to false in the next major release**

## annotations-risk-level

Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted.

Accepted values are `Critical`, `High`, `Medium` and `Low`.

Defaults to `Critical` but will be changed to `High` on the next minor release
_**default:**_ `High`

## annotation-value-word-blocklist

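Review bot: with the default now `High`, annotations rated `Critical` are not accepted unless the admin raises the level (this follows from the `Medium` example two lines above), but the section never says so directly. Suggest a sentence right after the `_**default:**_ \`High\`` line, e.g. "With the default, annotations with risk `Critical` are not accepted; set `annotations-risk-level: Critical` to allow them." Removing the "will be changed to `High` on the next minor release" line and the `allow-snippet-annotations` "next major release" note is correct now that the table reflects the new defaults.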
@ -1364,6 +1360,7 @@ _References:_
[http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection)

## strict-validate-path-type

Ingress objects contains a field called pathType that defines the proxy behavior. It can be `Exact`, `Prefix` and `ImplementationSpecific`.

When pathType is configured as `Exact` or `Prefix`, there should be a more strict validation, allowing only paths starting with "/" and
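Review bot: minor grammar in the `strict-validate-path-type` intro this hunk extends: "Ingress objects contains a field" should be "contain", and "there should be a more strict validation" reads better as "a stricter validation is applied". Since the default flips to "true" in the same commit, this opening paragraph is also the place to state up front that strict validation is now enabled by default, before the `Exact`/`Prefix` explanation, rather than leaving the reader to discover it from the default line further down.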
@ -1377,6 +1374,8 @@ This means that Ingress objects that rely on paths containing regex characters s
The cluster admin should establish validation rules using mechanisms like [Open Policy Agent](https://www.openpolicyagent.org/) to
validate that only authorized users can use `ImplementationSpecific` pathType and that only the authorized characters can be used.

_**default:**_ "true"

## grpc-buffer-size-kb

Sets the configuration for the GRPC Buffer Size parameter. If not set it will use the default from NGINX.
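Review bot: the new `_**default:**_ "true"` line uses double quotes while the sibling sections write the default in backticks (`High`, `false`); pick one style for the whole document. The paragraph above it recommends Open Policy Agent rules for `ImplementationSpecific` paths, and it is worth saying that this recommendation still stands with the new default: the strict check described earlier is scoped to `Exact` and `Prefix`, so `ImplementationSpecific` paths continue to rely on admission policy to restrict who may use them and which characters are allowed.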