I have bumped into problems after updating our nginx ingress from version 1.11.5 (helm chart version 4.11.5) to 1.12.2 (helm chart version 4.12.2).

Basically I have an ingress that works with nginx 1.11.5 and prior versions without any problems (see template below), but when I upgrade, I only get 404s from the ingress. When I remove the configuration-snippet annotation from the ingress template entirely, the webpage is displayed, but it has the wrong ContentSecurityPolicy header, because this header is also specified globally via controller.addHeaders.

I know that there were significant changes in order to fix these CVEs: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513 and CVE-2025-24514 (https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1), so this is probably related to that.

In order to upgrade to 1.11.5 previously I had to enable controller.allowSnippetAnnotations, so for the 1.12.2 upgrade this value is also set: controller.allowSnippetAnnotations: true.

How can I enable the *-snippet annotations again? Is it even possible, given the security-related changes? Or is there a better way to specify headers?
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Each more_set_headers argument must be "Name: value", and each
    # directive ends with ";" (otherwise nginx reads the next line as
    # further arguments of the same directive).
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.pendo.io https://*.storage.googleapis.com; img-src 'self' https://*.pendo.io data:; frame-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.pendo.io https://*.storage.googleapis.com blob: data:; object-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.pendo.io https://*.storage.googleapis.com blob: data:;";
      more_set_headers "Cache-Control: no-store";
    nginx.ingress.kubernetes.io/cors-allow-credentials: "false"
    nginx.ingress.kubernetes.io/cors-allow-headers: Authorization, Content-Type
    nginx.ingress.kubernetes.io/cors-allow-methods: GET, POST, PUT, DELETE, OPTIONS
    nginx.ingress.kubernetes.io/cors-allow-origin: https://<host>,http://localhost:3000
    nginx.ingress.kubernetes.io/cors-max-age: "3600"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
    nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    # nginx.org/* annotations belong to the NGINX Inc. ingress controller;
    # kubernetes/ingress-nginx only reads its own nginx.ingress.kubernetes.io/* prefix.
    nginx.org/proxy-pass-headers: IDAM_USER,IDAM-USER
    nginx.org/server-tokens: "False"
  labels:
    app: <release-name>
    app.kubernetes.io/managed-by: Helm
  name: <release-name>
  namespace: <namespace>
spec:
  ingressClassName: <ingressclass-name>
  rules:
    - host: <host>
      http:
        paths:
          - backend:
              service:
                name: <release-name>
                port:
                  number: 80
            path: /(.*)
            pathType: Prefix
  tls:
    - hosts:
        - <host>
      secretName: <secret-name>
There's a new feature in ingress-nginx 1.12 that allows you to filter annotations by risk using annotations-risk-level. Use annotations-risk-level: Critical to allow allow-snippet-annotations: true.

For further reference you can check this blog and discussion.
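The settings the answer refers to, as an added example that is not the answerer's or the project's own manifests: Helm values for the ingress-nginx chart 4.12.x that re-admit snippet annotations, followed by a lower-risk route for the header use case through the custom-headers annotation and its global-allowed-response-headers allow-list. Namespace, ConfigMap and release names are placeholders, and the namespace/name form of the custom-headers value is assumed; confirm it against the annotation reference for the controller version you run.

```yaml
# Document 1: Helm values for the ingress-nginx chart (4.12.x).
controller:
  allowSnippetAnnotations: true        # rendered as allow-snippet-annotations: "true"
  config:
    # 1.12 defaults this to High, which blocks Critical-risk annotations such
    # as *-snippet even when snippets are allowed. Critical re-admits them for
    # every Ingress the controller serves, so it also widens what any Ingress
    # author can inject into the nginx configuration.
    annotations-risk-level: Critical
    # Lower-risk alternative for headers: allow-list the response headers that
    # the custom-headers annotation is permitted to set, and drop the snippet.
    global-allowed-response-headers: "Content-Security-Policy,Cache-Control"
  addHeaders:
    Content-Security-Policy: "default-src 'self'"   # cluster-wide default
---
# Document 2: per-application header values referenced from the Ingress
# (constructed sample values; names are placeholders).
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-response-headers
  namespace: <namespace>
data:
  Content-Security-Policy: "default-src 'self' https://*.pendo.io; img-src 'self' https://*.pendo.io data:"
  Cache-Control: "no-store"
---
# Document 3: the Ingress sets headers via custom-headers instead of a
# configuration-snippet (annotation value form namespace/name is assumed).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: <release-name>
  namespace: <namespace>
  annotations:
    nginx.ingress.kubernetes.io/custom-headers: <namespace>/app-response-headers
spec:
  ingressClassName: <ingressclass-name>
  rules:
    - host: <host>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: <release-name>
                port:
                  number: 80
```

After the helm upgrade, check the rendered controller ConfigMap (kubectl -n <controller-namespace> get configmap -l app.kubernetes.io/name=ingress-nginx -o yaml) for the annotations-risk-level and allow-snippet-annotations keys, and verify the header on a response with curl -sI https://<host>.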