-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Predefined custom snippets #12222
Comments
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
@tylermichael completely agree on the useful of your suggestion. It is actually a demand by many other users as well. But the flip side is that contributions like your suggestions & other features that are also super useful need maintenance. Relevance being the resource crunch of developers dedicated to supporting & maintaining is so bad that we are actually deprecating useful functioning popular features. So I would not expect any traction on this feature request. |
@longwuyuan Understood. I wouldn't mind creating a PR to add support for this as it's a bit of a blocker in my org. |
|
@longwuyuan That The way I view this feature is, it could actually reduce dev workload because as mentioned in many other issues, there are a lot of NGINX features that are not configurable via annotations. And now that custom snippets are informally deprecated (there are even talks to formally deprecate and remove them), this provides a more secure escape hatch, removing the need to add explicit support for functionality that can be accomplished via snippets. AFAICT, the CVE exists because arbitrary code can be added on any ingress, breaking isolation principles, but this proposal moves the definition of snippets to a trusted configuration file. But I will wait for others to comment before starting a PR. I appreciate you and the other maintainers continued support of the project! |
What do you want to happen?
A lot of NGINX functionality is locked behind using the custom snippet feature, but it is associated with a CVE. This means that in many environments, you cannot enable it.
To bridge this divide, I think a feature somewhat similar to what's discussed in #11259 should be added that allows the admin operator to predefine custom snippets, and then opt-in an ingress to use them. AFAICT, this is an improvement on the current custom snippets because it limits the surface area where arbitrary code could be introduced to the ingress controller config.
The admin operator could then add the config files that define these snippets to CODEOWNERS to prevent malicious changes.
This comment describes how I think it could work:
Related issue
#11667
The text was updated successfully, but these errors were encountered: