
Life of a CVE with Ingress-Nginx; Understanding the Project's Release Cycle

2023-04-20

Authors:   Dylen Turnbull, James Strong


Summary

The presentation walks through how a reported vulnerability is validated and then remediated, both in the Kubernetes ingress-nginx controller and in the NGINX core.
  • Validating a report involves a lot of back and forth to establish whether it is a real vulnerability and whether the proposed fix actually closes it.
  • Letting users run arbitrary code (for example through snippet annotations) is a legitimate configuration option, but guard rails are needed so it cannot be abused for nefarious actions.
  • The ingress-nginx maintainers are working on validating user input so that an Ingress object cannot be used to mount tokens or access namespaces its author is not authorized for.
  • Remediation in NGINX core involves qualifying the report, assessing its severity, and deciding on a fix.
  • That remediation process takes around two weeks, because a mistake in a fix could affect millions of websites.
The presenters stressed validating user input to prevent unauthorized access to namespaces. They cited a case where a user could inject Lua code, which makes it hard to ensure users are only doing what they are supposed to. The team is implementing protections against that kind of misuse.
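The input-validation point above is easiest to see in code. The following Go program is an added example written for this page; it is not ingress-nginx code, although it is loosely modeled on the controller's own approach of a cluster-wide switch for snippet annotations plus a word blocklist applied to their values. The annotation names, the blocklist contents and the sample Ingress annotations are all assumptions constructed for the example. It shows two layers: a cluster-wide "no snippets at all" switch, and, when snippets are allowed, a content screen that refuses values containing Lua entry points, module loading, the service account path, or braces that would open a new nginx block.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const annotationPrefix = "nginx.ingress.kubernetes.io/"

// Annotation suffixes treated as "raw nginx config" in this example
// (assumption: the controller's real list may differ).
var snippetAnnotations = []string{
	"configuration-snippet",
	"server-snippet",
	"stream-snippet",
	"modsecurity-snippet",
}

// Tokens refused inside a snippet value (constructed for this example):
// Lua entry points, module loading, the mounted service account path,
// and braces that could escape the intended configuration context.
var wordBlocklist = []string{
	"load_module",
	"lua_package",
	"_by_lua",
	"serviceaccount",
	"{",
	"}",
}

// Violation records one rejected annotation and why it was rejected.
type Violation struct {
	Annotation string
	Reason     string
}

func (v Violation) String() string { return fmt.Sprintf("%s: %s", v.Annotation, v.Reason) }

// checkValue returns the blocklisted tokens present in value, matched
// case-insensitively and returned in sorted order for stable reporting.
func checkValue(value string) []string {
	lower := strings.ToLower(value)
	var hits []string
	for _, w := range wordBlocklist {
		if strings.Contains(lower, strings.ToLower(w)) {
			hits = append(hits, w)
		}
	}
	sort.Strings(hits)
	return hits
}

// ValidateAnnotations applies the policy to one Ingress object's annotations.
// allowSnippets models a cluster-wide switch: when false, every snippet
// annotation is rejected regardless of content; when true, each snippet value
// is still screened against the blocklist. Non-snippet annotations are ignored.
func ValidateAnnotations(annotations map[string]string, allowSnippets bool) []Violation {
	keys := make([]string, 0, len(annotations))
	for k := range annotations {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	var out []Violation
	for _, k := range keys {
		if !strings.HasPrefix(k, annotationPrefix) {
			continue
		}
		suffix := strings.TrimPrefix(k, annotationPrefix)
		isSnippet := false
		for _, s := range snippetAnnotations {
			if suffix == s {
				isSnippet = true
				break
			}
		}
		if !isSnippet {
			continue
		}
		if !allowSnippets {
			out = append(out, Violation{k, "snippet annotations are disabled cluster-wide"})
			continue
		}
		if hits := checkValue(annotations[k]); len(hits) > 0 {
			out = append(out, Violation{k, "contains blocklisted tokens: " + strings.Join(hits, ", ")})
		}
	}
	return out
}

func main() {
	// Constructed sample: a server-snippet that uses Lua to read the
	// controller's service account token and echo it to the client.
	hostile := map[string]string{
		annotationPrefix + "rewrite-target": "/",
		annotationPrefix + "server-snippet": `location /t { content_by_lua_block { ngx.say(io.open("/var/run/secrets/kubernetes.io/serviceaccount/token"):read("*a")) } }`,
	}
	for _, v := range ValidateAnnotations(hostile, true) {
		fmt.Println("REJECT", v)
	}
	// Constructed benign sample: a header-only snippet passes the screen.
	benign := map[string]string{annotationPrefix + "configuration-snippet": `more_set_headers "X-Frame-Options: DENY";`}
	fmt.Println("benign violations:", len(ValidateAnnotations(benign, true)))
}
```

A blocklist like this is a mitigation, not a proof of safety: it only stops the patterns someone thought of, which is why the cluster-wide switch that disables snippets entirely is the safer default where tenants are untrusted.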

Abstract

In 7 years, Ingress-nginx has had 221 releases, with over 6800 commits. To ensure stability and to test this highly configurable controller, the project has grown to over 400 e2e tests and helm chart tests across various Kubernetes versions and deployment landscapes. We were 3/4 of the way through our stabilization project at the last maintainer track session we presented. The ironic thing about OSS, and software in general, is that it is never really completed, and neither is the work of stabilizing and securing the project. In this talk, we discuss how we work to improve the release process of ingress-nginx to keep it CVE-free, with real-world examples. We will discuss the current release process and how we are working with sig-release and sig-security to increase release velocity, reduce complexity and increase the security of ingress-nginx. Please join us for this presentation if you want to hear how the ingress-nginx controller gets released and how we continue to improve it.

Materials:


Related work

Authors: Ricardo Katz, James Strong
2022-10-28

Authors: Alona Paz, Kim Wuestkamp, Dinesh Majrekar, Ryan Hallisey, Peter Salanki
2023-04-20

Authors: Michelle Shepardson, Antonio Ojea Garcia, Chao Dai, Benjamin Elder
2022-10-27