
ingress-nginx's Introduction

NGINX Ingress Controller


Overview

ingress-nginx is an Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer.

Learn more about Ingress on the main Kubernetes documentation site.

Get started

See the Getting Started document.

Troubleshooting

If you encounter issues, review the troubleshooting docs, file an issue, or talk to us on the #ingress-nginx channel on the Kubernetes Slack server.

Contributing

Thanks for taking the time to join our community and start contributing!

  • This project adheres to the Kubernetes Community Code of Conduct. By participating in this project, you agree to abide by its terms.
  • See CONTRIBUTING.md for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require.
  • Check out the open issues.
  • Join our Kubernetes Slack channel for developer discussion: #ingress-nginx-dev.

Changelog

See the list of releases to find out about feature changes. For detailed changes in each release, see the Changelog.md file. For detailed changes to the ingress-nginx Helm chart, see the chart's own CHANGELOG.md file.

Support Versions table

Ingress-nginx version | Supported Kubernetes versions | Alpine version | NGINX version
v1.0.0-alpha.2        | 1.22, 1.21, 1.20, 1.19        | 3.13.5         | 1.20.1
v1.0.0-alpha.1        | 1.21, 1.20, 1.19              | 3.13.5         | 1.20.1
v0.47.0               | 1.21, 1.20, 1.19              | 3.13.5         | 1.20.1
v0.46.0               | 1.21, 1.20, 1.19              | 3.13.2         | 1.19.6
v0.45.0               | 1.21, 1.20, 1.19              | 3.13.2         | 1.19.6

Get Involved

  • Contributing: Pull requests are welcome!
    • Read CONTRIBUTING.md and check out help-wanted issues.
    • Submit github issues for any feature enhancements, bugs or documentation problems.
  • Support: Join the Kubernetes Slack in the #ingress-nginx-users channel to ask questions and get support from the maintainers and other users.
    • The github issues in the repository are exclusively for bug reports and feature requests.
  • Discuss: Tweet using the #IngressNginx hashtag.

Issues

Please make sure to read the Issue Reporting Checklist before opening an issue. Issues not conforming to the guidelines may be closed immediately.

License

Apache License 2.0

ingress-nginx's People

Contributors

adamdang, agile6v, akx, aledbf, antoineco, aramase, asifdxtreme, bprashanth, caiyixiang, chentao11596, danielqsj, electroma, elvinefendi, gianrubio, hzxuzhonghu, jcmoraisjr, k8s-ci-robot, kundan2707, maxlaverse, mbssaiakhil, nicksardo, oilbeater, porridge, rikatz, stono, strongjz, szekeresb, szombi, tonglil, wayt


ingress-nginx's Issues

CVE-2020-26160 (High) detected in github.com/dgrijalva/jwt-go-v3.2.0

CVE-2020-26160 - High Severity Vulnerability

Vulnerable Library - github.com/dgrijalva/jwt-go-v3.2.0

Golang implementation of JSON Web Tokens (JWT)

Dependency Hierarchy:

  • github.com/pulumi/pulumi/pkg/testing/integration-v1.14.1 (Root Library)
    • github.com/pulumi/pulumi/pkg/engine-v1.14.1
      • github.com/pulumi/pulumi/pkg/resource/deploy-v1.14.1
        • github.com/pulumi/pulumi/pkg/secrets-v1.14.1
          • gocloud.dev/secrets/azurekeyvault-d0064f57fbb8c64899fa95749734413f5b8e98e1
            • github.com/azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault-85ead70fb48cbffaafe92fab0a044a8d153d2701
              • github.com/azure/go-autorest/autorest/validation-v14.2.0
                • github.com/azure/go-autorest/autorest-v14.2.0
                  • github.com/azure/go-autorest/autorest/adal-v14.2.0
                    • github.com/dgrijalva/jwt-go-v3.2.0 (Vulnerable Library)

Found in HEAD commit: 4ac109d34260a16421b49fb9d2dd2bc37fbca9a9

Found in base branch: pipeline/skip-integration-tests-for-renovate-insiders

Vulnerability Details

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

Publish Date: 2020-09-30

URL: CVE-2020-26160

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

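To make the audience failure mode in the report above concrete, here is an added example in Go. It is not code from jwt-go or from ingress-nginx: it decodes a constructed, unsigned token whose aud claim is a JSON array and runs it through two audience checks. vulnerableVerifyAudience is modelled on the behaviour the advisory describes (a single type assertion to string, so an array silently becomes "" and passes whenever the caller does not mark the audience as required); hardenedVerifyAudience accepts both encodings RFC 7519 permits and fails closed on a missing or malformed claim. Signature verification is deliberately out of scope, since the bug sits in the claim check that runs after a signature has been accepted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the decoded JWT payload, in the map[string]interface{} shape that
// encoding/json produces (and that jwt-go's MapClaims wraps).
type Claims map[string]interface{}

// decodePayload extracts and JSON-decodes the payload segment of a compact
// JWT. Signature verification is intentionally omitted: this example is only
// about the audience check that runs after a signature has been accepted.
func decodePayload(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return c, nil
}

// vulnerableVerifyAudience reconstructs the logic the advisory describes (it is
// not the library's source): one type assertion to string, so a JSON array
// "aud" becomes "" and an empty audience passes when it is not required.
func vulnerableVerifyAudience(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string)
	if aud == "" {
		return !required
	}
	return aud == expected
}

// hardenedVerifyAudience accepts both encodings RFC 7519 allows (a string or
// an array of strings), rejects any other type, and treats a missing audience
// as a failure rather than as "no restriction".
func hardenedVerifyAudience(c Claims, expected string) bool {
	switch aud := c["aud"].(type) {
	case string:
		return aud == expected
	case []interface{}:
		for _, v := range aud {
			if s, ok := v.(string); ok && s == expected {
				return true
			}
		}
		return false
	default:
		return false
	}
}

// encodePayload builds an unsigned compact token for the demonstration. The
// header and the empty signature segment are placeholders (constructed input).
func encodePayload(c Claims) string {
	b, _ := json.Marshal(c)
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	return hdr + "." + base64.RawURLEncoding.EncodeToString(b) + "."
}

func main() {
	// Constructed token issued for a different service, with "aud" as an array.
	token := encodePayload(Claims{"sub": "user-1", "aud": []string{"billing-api"}})
	claims, err := decodePayload(token)
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable check accepts:", vulnerableVerifyAudience(claims, "ingress-admin", false))
	fmt.Println("hardened check accepts:  ", hardenedVerifyAudience(claims, "ingress-admin"))
}
```

The hardened variant also closes the second half of the advisory's condition: a service that relies on the library for its audience check must treat "no aud claim" as a rejection, not as a wildcard, otherwise any token minted by the same issuer for any other service is accepted.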

CVE-2022-41721 (High) detected in github.com/golang/net/http2-v0.1.0

CVE-2022-41721 - High Severity Vulnerability

Vulnerable Library - github.com/golang/net/http2-v0.1.0

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl-abf22b201400bca168de1d5cc647a149a0f58cbc (Root Library)
    • k8s.io/ingress-nginx/internal/ingress/annotations/parser-abf22b201400bca168de1d5cc647a149a0f58cbc
      • k8s.io/api/networking/v1
        • k8s.io/api/core/v1
          • k8s.io/apimachinery/pkg/apis/meta/v1
            • k8s.io/apimachinery/pkg/watch-0ff29d3f16e420836b02e5f0133a2393b9bb1a1a
              • k8s.io/apimachinery/pkg/util/net-0ff29d3f16e420836b02e5f0133a2393b9bb1a1a
                • github.com/golang/net/http2-v0.1.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Publish Date: 2023-01-13

URL: CVE-2022-41721

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-13

Fix Resolution: v0.2.0


CVE-2022-28948 (High) detected in github.com/go-yaml/yaml-v3.0.0 - autoclosed

CVE-2022-28948 - High Severity Vulnerability

Vulnerable Library - github.com/go-yaml/yaml-v3.0.0

YAML support for the Go language.

Dependency Hierarchy:

  • github.com/gavv/httpexpect/v2-4f7ac589a166b4be61b91d1c2c5d39b9b734d205 (Root Library)
    • github.com/stretchr/testify/require-v1.7.1
      • github.com/stretchr/testify/assert-v1.7.1
        • github.com/go-yaml/yaml-v3.0.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hp87-p4gw-j4gq

Release Date: 2022-05-19

Fix Resolution: 3.0.0


CVE-2023-39325 (High) detected in github.com/golang/net/http2-v0.1.0

CVE-2023-39325 - High Severity Vulnerability

Vulnerable Library - github.com/golang/net/http2-v0.1.0

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl-abf22b201400bca168de1d5cc647a149a0f58cbc (Root Library)
    • k8s.io/ingress-nginx/internal/ingress/annotations/parser-abf22b201400bca168de1d5cc647a149a0f58cbc
      • k8s.io/api/networking/v1
        • k8s.io/api/core/v1
          • k8s.io/apimachinery/pkg/apis/meta/v1
            • k8s.io/apimachinery/pkg/watch-0ff29d3f16e420836b02e5f0133a2393b9bb1a1a
              • k8s.io/apimachinery/pkg/util/net-0ff29d3f16e420836b02e5f0133a2393b9bb1a1a
                • github.com/golang/net/http2-v0.1.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Publish Date: 2023-10-11

URL: CVE-2023-39325

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2023-2102

Release Date: 2023-10-11

Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0


CVE-2022-41723 (High) detected in github.com/golang/net/http2/hpack-v0.1.0

CVE-2022-41723 - High Severity Vulnerability

Vulnerable Library - github.com/golang/net/http2/hpack-v0.1.0

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl-abf22b201400bca168de1d5cc647a149a0f58cbc (Root Library)
    • k8s.io/ingress-nginx/internal/ingress/annotations/parser-abf22b201400bca168de1d5cc647a149a0f58cbc
      • k8s.io/api/networking/v1
        • k8s.io/api/core/v1
          • k8s.io/apimachinery/pkg/apis/meta/v1
            • k8s.io/apimachinery/pkg/watch-0ff29d3f16e420836b02e5f0133a2393b9bb1a1a
              • k8s.io/apimachinery/pkg/util/net-0ff29d3f16e420836b02e5f0133a2393b9bb1a1a
                • github.com/golang/net/http2-v0.1.0
                  • github.com/golang/net/http2/hpack-v0.1.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

Publish Date: 2023-02-28

URL: CVE-2022-41723

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2023-1568

Release Date: 2022-09-29

Fix Resolution: v0.7.0


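The reports for CVE-2022-41721, CVE-2023-39325 and CVE-2022-41723 all concern the same module, golang.org/x/net (the scanner lists it under its github.com/golang/net mirror path). A quick way to confirm whether a built controller binary still carries a version below the listed fixes is to read the build list Go embeds in the binary with `go version -m <binary>` and compare module versions against the fix versions. The program below does that comparison; it is an added example, not part of ingress-nginx or of the scanner, and it runs over a constructed sample of `go version -m` output rather than a real binary. The fix versions it encodes are the ones the three reports above state; the version ordering follows Go module semver, where a prerelease or pseudo-version sorts before the release with the same core.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// fixVersions maps a module path to the CVEs reported on this page and the
// first version each report names as the fix.
var fixVersions = map[string]map[string]string{
	"golang.org/x/net": {
		"CVE-2022-41721": "v0.2.0",
		"CVE-2022-41723": "v0.7.0",
		"CVE-2023-39325": "v0.17.0",
	},
}

// sampleGoVersionM is constructed text in the shape `go version -m <binary>`
// prints (tab-separated fields, one module per line). The module set and the
// h1: sums are illustrative, not taken from a real build.
var sampleGoVersionM = strings.Join([]string{
	"bin/controller: go1.20.5",
	"\tpath\tk8s.io/ingress-nginx",
	"\tmod\tk8s.io/ingress-nginx\t(devel)",
	"\tdep\tgolang.org/x/net\tv0.1.0\th1:PLACEHOLDER=",
	"\tdep\tgopkg.in/yaml.v3\tv3.0.1\th1:PLACEHOLDER=",
	"\tdep\tgithub.com/example/old\tv1.2.3\th1:PLACEHOLDER=",
	"\t=>\tgithub.com/example/fork\tv1.2.4\th1:PLACEHOLDER=",
	"\tbuild\t-compiler=gc",
}, "\n")

// parseModules returns module path -> effective version from `go version -m`
// output. A "=>" line records a replace directive; its version overrides the
// preceding dep line, since that is the code actually linked into the binary.
func parseModules(out string) map[string]string {
	mods := map[string]string{}
	last := ""
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Split(strings.TrimPrefix(sc.Text(), "\t"), "\t")
		if len(f) < 3 {
			continue
		}
		switch f[0] {
		case "dep":
			mods[f[1]] = f[2]
			last = f[1]
		case "=>":
			if last != "" {
				mods[last] = f[2]
			}
		}
	}
	return mods
}

// splitSemver parses vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD] into its numeric
// core and prerelease tag; build metadata is ignored, as semver requires.
func splitSemver(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	var core [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		core[i] = n
	}
	return core, pre
}

// semverLess reports whether a < b. A prerelease (including Go pseudo-versions
// such as v0.0.0-20230101000000-abcdef012345) is less than the plain release
// with the same core; two prereleases compare lexically.
func semverLess(a, b string) bool {
	ca, pa := splitSemver(a)
	cb, pb := splitSemver(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	if pa != "" && pb == "" {
		return true
	}
	if pa == "" && pb != "" {
		return false
	}
	return pa < pb
}

// Finding is one linked module version that is below a known fix version.
type Finding struct {
	Module, Version, CVE, FixedIn string
}

// findVulnerable compares the build list against fixVersions, sorted by CVE.
func findVulnerable(mods map[string]string) []Finding {
	var out []Finding
	for mod, cves := range fixVersions {
		v, ok := mods[mod]
		if !ok {
			continue
		}
		for cve, fixed := range cves {
			if semverLess(v, fixed) {
				out = append(out, Finding{mod, v, cve, fixed})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].CVE < out[j].CVE })
	return out
}

func main() {
	for _, f := range findVulnerable(parseModules(sampleGoVersionM)) {
		fmt.Printf("%s: %s %s is below fix %s\n", f.CVE, f.Module, f.Version, f.FixedIn)
	}
}
```

Two caveats when using this against a real binary. The first line of `go version -m` output names the toolchain, and CVE-2023-39325 also needs a patched toolchain (the report lists go1.20.10 and go1.21.3) because the standard library's net/http bundles its own copy of http2; this example only checks the x/net module version. And a version check is not a reachability check: the dependency trees above show the vulnerable package arriving through k8s.io/apimachinery, so whether the affected server-side code is actually exercised depends on how the controller uses it.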