-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
curly brace in ingress path breaks NGINX template #3579
Comments
This should have been fixed here: #3182 which was released in 0.20.0. Are you sure that you're running this version or later? |
Thanks for the hint, I somehow missed that. Version should be 0.21.0, but now I'm a bit concerned if it really is. |
We're definitly using version 0.21.0 of nginx-ingress-controller, see details below:
Image name is a bit confusing, it's just a simple pull-through our artifactory instance from quay.io, that's why the image name is different. Hash of the image matches the one from quay.io for version 0.21.0: I ran the reproduction on two different installations (one with version 0.20.0 and the other with version 0.21.0), the behaviour is the same as described in my first post. Looks like #3182 doesn't fix the problem. I'll have a look at the code and try to understand why this happens. |
Looks like I did a small, but important mistake....
I used a bool in the following form:
A simple The only thing which is probably worth a discousion, is that a "normal" user with permissions to create an ingress, can possibly break the ingress of an entire cluster by simply putting a curly brace in the path field either
I can handle all those cases by writing a simple validating admission controller but probably it's worth to go the safe way and handle this for all users in the nginx ingress directly. I don't know if this is the "way to go" if so, please let me know, I'm happy to help out here with a PR and some opinions on how to do that, if not I'll close this issue. |
@ghouscht this is a known issue and it sucks. I'll create a Github issue to make it explicit and discuss possible solutions. Here's another report of this: #3435 |
Sounds good. I'll close this issue. |
#3155 describes the same issue, but is closed without a soultion. I hope it's ok to open a new issue.
Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG
NGINX Ingress controller version: 0.21.0
Kubernetes version (use
kubectl version
):Environment:
uname -a
): 3.10.0-862.11.6.el7.x86_64What happened:
Nginx config is broken if someone uses curly braces in the
path
directive, resulting in the following error:rendered config:
What you expected to happen:
Not to break the ingress of a whole cluster simply by using curly braces in the path.
How to reproduce it (as minimally and precisely as possible):
Apply the following ingress definition and watch the logs of your ingress:
Reloading of the ingress now fails forever (or at least until the created ingress is removed), which will sooner or later disturbe other things running in the same cluster.
Anything else we need to know:
Putting single quotes around the location directive in the nginx template L1016 seems to solve the problem.
Nginx docs quote:
I'm happy to help out with a PR here, for either putting quotes around the directives in the nginx template or to handle this somewhere in the code (maybe also with proper escaping of special chars to handle this kind of problems better).
The text was updated successfully, but these errors were encountered: