Reputation: 551
I am trying to write the nginx ingress config for my k8s cluster.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: blabla-data-api-ingress
  annotations:
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "360"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "360"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "360"
    nginx.ingress.kubernetes.io/proxy-body-size: 256m
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Authorization $http_authorization;
      proxy_pass_header Authorization;
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  tls:
  - hosts:
    - blabla-data.api.staging.20-74-47-80.nip.io
    secretName: blabla-data-api-certification-staging
  rules:
  - host: blabla-data.api.staging.20-74-47-80.nip.io
    http:
      paths:
      - backend:
          serviceName: blabla-data-api
          servicePort: 80
        path: /
      - backend:
          serviceName: blabla-data-api
          servicePort: 443
        path: /
When I apply this config, I get this error:
for: "kubernetes/staging/blabla-data-api-ingress.staging.yaml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: nginx.ingress.kubernetes.io/configuration-snippet annotation contains invalid word proxy_pass
In fact, this piece of code used to work in the past.
I tried to add --set controller.admissionWebhooks.enabled=false in my helm install nginx-ingress ingress-nginx/ingress-nginx like that:
helm install nginx-ingress ingress-nginx/ingress-nginx \
    --namespace ingress \
    --set controller.replicaCount=2 \
    --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
    --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
    --set controller.admissionWebhooks.enabled=false
In this case, I don't get any error while applying this ingress config but then I get a 404 from nginx when I try to access my server through the external API.
Upvotes: 1
Views: 1124
Reputation: 5277
OP has confirmed that the issue was solved in this GitHub topic:
it was exactly the issue you mentioned, thanks for your help
This problem is related to CVE-2021-25742. The problem is solved based on this message:
Hi folks we just released Ingress NGINX v1.0.5. Thanks to @rikatz who helped implement #7874 which added the option to sanitize annotation inputs
annotation-value-word-blocklist defaults are "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\"
Users from mod_security and other features should be aware that some blocked values may be used by those features and must be manually unblocked by the Ingress Administrator.
For more details please check https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist
If you have any issues with this new feature or the release please open a new issue so we can track it there.
Upvotes: 1
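The rejection in the question can be reproduced offline with a small pre-apply lint. This is an added example, not code from the post or from ingress-nginx; the helper names are hypothetical, and it assumes substring matching, which is what the error above implies (proxy_pass_header was rejected for containing proxy_pass).

```python
# Added example: lint Ingress annotations against the word blocklist before kubectl apply.
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Defaults as quoted in the v1.0.5 release note; the last entry is read as a
# literal double quote (assumption about the escaped form shown on the page).
DEFAULT_BLOCKLIST = "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""


def find_blocked(annotations, blocklist=DEFAULT_BLOCKLIST):
    """Return sorted (annotation key, blocked word) pairs; matching is by substring."""
    words = [w for w in blocklist.strip().split(",") if w]
    hits = set()
    for key, value in annotations.items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue  # assumption: only controller-prefixed annotations are checked
        hits.update((key, w) for w in words if w in value)
    return sorted(hits)


def without(blocklist, *allowed):
    """Blocklist an administrator would set after unblocking specific words."""
    return ",".join(w for w in blocklist.split(",") if w and w not in allowed)


# Annotations taken from the question's Ingress.
QUESTION_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/proxy-read-timeout": "360",
    "nginx.ingress.kubernetes.io/proxy-body-size": "256m",
    "nginx.ingress.kubernetes.io/configuration-snippet": (
        "proxy_set_header Authorization $http_authorization;\n"
        "proxy_pass_header Authorization;\n"
    ),
    "kubernetes.io/ingress.class": "nginx",
    "cert-manager.io/cluster-issuer": "letsencrypt",
}

# Constructed value: a snippet that really does use the proxy_pass directive.
REAL_PROXY_PASS = {
    "nginx.ingress.kubernetes.io/configuration-snippet": "proxy_pass http://example.invalid;\n",
}

if __name__ == "__main__":
    print(find_blocked(QUESTION_ANNOTATIONS))           # default list: one hit
    relaxed = without(DEFAULT_BLOCKLIST, "proxy_pass")
    print(find_blocked(QUESTION_ANNOTATIONS, relaxed))  # admitted once unblocked
    print(find_blocked(REAL_PROXY_PASS, relaxed))       # but so is a real proxy_pass
```

Removing proxy_pass from the blocklist admits the question's snippet, but it also stops flagging snippets that use the proxy_pass directive itself, so the administrator gives up that part of the CVE-2021-25742 mitigation.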